DNS answer response and authority section

I have looked at DNS response packets in Wireshark and cannot understand the hexadecimal encoding of the answer and authority sections.

Consider a DNS query for: mail.abcd.com

The answer section contains a name field, and the hexadecimal encoding for this varies between:

0xc00c and 0xc012

Both of them cause the entire name to be filled into the field.

The authority section also contains a name field, but hexadecimal encoding for this is usually:

0xc010

This causes abcd.com to be filled in the field.

Can anyone say what the convention is for filling in these fields, as this is rather confusing.

thanks

+4
2 answers

DNS labels use the format <length><data ...> .

A label can contain a maximum of 63 bytes, so the two high bits of the <length> field are left over. They are used to encode the type of label.

If the upper two bits are 0b11, then the other six bits are instead combined with the next byte, forming a compression pointer, which is an offset into the DNS payload to a previous instance of another label.

Because the DNS protocol header is 12 bytes long, the shortest legal offset is 12 bytes, which gives the value you saw above, 0xc00c.

[Technically, you can create a compression pointer that points into the header, but that does not strictly follow the protocol.]

I would highly recommend not trying to reverse engineer the specification from wire packets - you will inevitably miss things. Just read RFC 1035 - all the basic things are there.

+8
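As an added example (not part of the original question or answers), the decoder below implements exactly the label rules the answer describes: a length byte with top bits 0b00 introduces an ordinary label, top bits 0b11 plus the next byte form a 14-bit pointer to an earlier copy of the name, and the two remaining bit patterns are reserved. It also builds a constructed response for an A query on mail.abcd.com, so the pointer values come from that constructed layout: the question name sits at offset 12 (0xc00c), and because "mail." occupies five bytes, the "abcd.com" suffix starts at offset 17 (0xc011), not 0xc010 as in the asker's capture, whose query name was evidently laid out differently. The validity checks (targets must be strictly backward and cannot point into the header) go beyond what the answer states and are the decoder's own hardening against pointer loops; names and addresses in the sample are made up.

```python
import struct

HEADER_LEN = 12  # fixed DNS header; the question section starts here (offset 0x0c)


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed labels: <len><data>... ending with a 0 byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        data = label.encode("ascii")
        if not 1 <= len(data) <= 63:  # 63 max, which leaves the top two bits of <len> free
            raise ValueError("label length must be 1..63 bytes")
        out.append(len(data))
        out += data
    out.append(0)
    return bytes(out)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at `offset`.

    Returns (dotted_name, offset just past the name in the stream). A pointer
    (top two bits 0b11) is the last 2 bytes of the name in the stream; decoding
    continues at its 14-bit target, which must lie strictly before any earlier
    jump (or before the pointer itself) and not inside the header.
    """
    labels, end, pos, lowest = [], None, offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        kind = length >> 6
        if kind == 0b00:  # ordinary label
            if length == 0:
                pos += 1
                break
            label = msg[pos + 1:pos + 1 + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label.decode("ascii"))
            pos += 1 + length
        elif kind == 0b11:  # compression pointer: low 6 bits + next byte = 14-bit offset
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            bound = pos if lowest is None else lowest  # targets must keep moving backwards
            if target < HEADER_LEN or target >= bound:
                raise ValueError(f"bad compression pointer 0x{0xC000 | target:04x}")
            lowest = pos = target
        else:
            raise ValueError("reserved label type 0b01/0b10")
    return ".".join(labels), pos if end is None else end


def name_is_well_formed(msg: bytes, offset: int) -> bool:
    """True if decode_name accepts the name at `offset` (used to test loop/forward/header pointers)."""
    try:
        decode_name(msg, offset)
        return True
    except ValueError:
        return False


def build_sample_response() -> bytes:
    """Constructed response to an A query for mail.abcd.com (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)  # id, flags, qd, an, ns, ar
    question = encode_name("mail.abcd.com") + struct.pack("!HH", 1, 1)  # name at 12, A, IN
    abcd_off = HEADER_LEN + 1 + len("mail")  # "abcd" label starts at 12 + 1 + 4 = 17 (0x11)
    # Answer RR: owner name is only the 2-byte pointer 0xc00c; A record, TTL 300, 192.0.2.10
    answer = struct.pack("!HHHIH", 0xC000 | HEADER_LEN, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    # Authority RR: owner name 0xc011 -> "abcd.com"; NS rdata is "ns1" + a pointer to "abcd.com"
    ns_rdata = encode_name("ns1")[:-1] + struct.pack("!H", 0xC000 | abcd_off)
    authority = struct.pack("!HHHIH", 0xC000 | abcd_off, 2, 1, 3600, len(ns_rdata)) + ns_rdata
    return header + question + answer + authority


def parse_names(msg: bytes):
    """Walk the question, answer and authority sections.

    Returns [(section, owner_name, rtype, rdata_name_or_None)], decoding the
    rdata name for NS/CNAME/PTR records, which may themselves be compressed.
    """
    _, _, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    pos, out = HEADER_LEN, []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, _ = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        out.append(("question", name, qtype, None))
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, pos = decode_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            rdata_name = decode_name(msg, pos)[0] if rtype in (2, 5, 12) else None
            pos += rdlen
            out.append((section, name, rtype, rdata_name))
    return out


if __name__ == "__main__":
    msg = build_sample_response()
    for row in parse_names(msg):
        print(row)
    print("answer owner bytes:", msg[31:33].hex(), "authority owner bytes:", msg[47:49].hex())
```

Running it prints the three decoded names and shows the owner-name bytes c00c and c011 in the answer and authority records. The `lowest` bookkeeping is what makes the decoder safe on hostile input: a pointer that targets its own label (a classic parser-loop construction) fails the `target >= bound` check on the second pass instead of spinning forever.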

Read about name compression in the specification. 0xc00c, 0xc012, and 0xc010 are pointers to earlier copies of the names "mail.abcd.com" and "abcd.com" in the packet.

+3

Source: https://habr.com/ru/post/1403367/
