Summary: DNS message format

Source: Internet
Author: User

DNS message format (shown in the diagram):

Note: not all DNS messages contain all of the sections above. The "12 bytes" marked in the figure is the DNS header, which is always present. Below the header is the body; the question section is normally present as well. The answer, authority and additional sections are only carried in DNS response messages, and all three use the same resource record format, described later. The following goes through the DNS packet field by field.

Identifier (2 bytes): the explanation found online is a bit unclear ("set by the client program and returned by the server"). After reading the programs and documents in the lab, this field can be regarded as the ID of the DNS message: it is the same in a request message and its associated response message, so we can tell which request a given DNS response packet answers. Because the ID (together with the source port) is what a resolver uses to match a response to its request, it should be unpredictable; a guessable ID lets a spoofed response be accepted as the answer to a pending query.

Flags (2 bytes): this part is important and needs to be analyzed bit by bit. Borrowing another diagram:

QR (1 bit): query/response flag. 0 indicates a query, 1 indicates a response.

Opcode (4 bits): the kind of query, copied unchanged into the response (0 is a standard query, 1 an inverse query, 2 a server status request).

AA (1 bit): authoritative answer flag. Only meaningful in a response; 1 indicates that the responding name server is authoritative for the domain name in the question.

TC (1 bit): truncation flag. 1 indicates that the message exceeded the 512-byte limit of classic DNS over UDP and was truncated. (I seem to remember reading somewhere that this truncation is related to UDP; noting it for now.)

RD (1 bit): recursion desired. Set to 1 by the client when it wants the server to resolve the query recursively (discussed later).

RA (1 bit): recursion available. Set to 1 by the server in the response to indicate that it supports recursive queries.

Z (3 bits): reserved; must be zero in both queries and responses in RFC 1035. (DNSSEC later assigned two of these bits as AD and CD.)

RCODE (4 bits): return code, indicating the error status of the response; commonly 0 (no error) or 3 (name error, NXDOMAIN). Other values include 2 (server failure) and 5 (refused).

After the flags come four 2-byte count fields: the number of questions (QDCOUNT), the number of answer resource records (ANCOUNT), the number of authority resource records (NSCOUNT) and the number of additional resource records (ARCOUNT), giving the number of entries in the question, answer, authority and additional sections respectively. The number of questions is generally 1. In a DNS query message ANCOUNT, NSCOUNT and ARCOUNT are normally all 0 (a query carrying an EDNS0 OPT pseudo-record is the exception, with ARCOUNT 1).

Next comes the body. The format of the question section is as follows:

The query name is variable length. It is generally the domain name to be queried (in a reverse query it is an encoding of the IP address). It consists of one or more labels, each prefixed by a count byte giving the length of that label in bytes, and the whole name ends with a 0 byte. Each count must be between 0 and 63. The field is not padded to an even number of bytes. The following illustrates the encoding of the name gemini.tuc.noao.edu: the count 6 followed by "gemini", then 3 and "tuc", 4 and "noao", 3 and "edu", and finally a 0 byte, 21 bytes in total.

Query type (2 bytes): generally A (an IPv4 address looked up from a name) or PTR (a domain name looked up from an IP address). The type list is as follows:

Type  Mnemonic  Description
1     A         IPv4 address.
2     NS        Name server.
5     CNAME     Canonical name. Defines an alias for the host's official name.
6     SOA       Start of authority. Marks the start of a zone.
11    WKS       Well-known services. Defines the network services provided by the host.
12    PTR       Pointer. Converts an IP address to a domain name.
13    HINFO     Host information. Describes the hardware and operating system used by the host.
15    MX        Mail exchange. Routes mail for the domain to its mail server.
28    AAAA      IPv6 address.
252   AXFR      Request for a transfer of the entire zone.
255   ANY       Request for all records.

Query class (2 bytes): usually 1 (IN), meaning Internet data.
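As an added example (not code from the original page), here is a Python builder for the query message described above: the 12-byte header with the flag bits at their positions, followed by one question encoding gemini.tuc.noao.edu as length-prefixed labels. The message ID 0x1234 and the helper names are my own choices for the demonstration.

```python
import struct

# Header flag bit positions (RFC 1035 section 4.1.1), counted from the MSB
# of the 16-bit flags word: QR | Opcode(4) | AA | TC | RD | RA | Z(3) | RCODE(4)
FLAG_QR = 1 << 15
FLAG_AA = 1 << 10
FLAG_TC = 1 << 9
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7

QTYPE_A = 1
QTYPE_PTR = 12
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a 0 byte.

    Each count byte must be 0..63 and the whole encoded name at most 255
    bytes (RFC 1035); anything longer is rejected instead of being sent.
    """
    if name in ("", "."):
        return b"\x00"          # the root name is just the terminating 0
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length {len(raw)} in {name!r}")
        out.append(len(raw))    # count byte, then the label bytes themselves
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError(f"encoded name longer than 255 bytes: {name!r}")
    return bytes(out)


def build_query(msg_id: int, name: str, qtype: int = QTYPE_A,
                recursion_desired: bool = True) -> bytes:
    """Build a standard query: 12-byte header followed by one question.

    QR=0 and Opcode=0, so the flags word carries only RD; QDCOUNT is 1 and
    ANCOUNT, NSCOUNT and ARCOUNT are 0, as in a plain query without EDNS0.
    """
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", msg_id & 0xFFFF, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


if __name__ == "__main__":
    # Message ID chosen arbitrarily for the demonstration; a real resolver
    # should draw it from a CSPRNG so a spoofed answer cannot guess it.
    pkt = build_query(0x1234, "gemini.tuc.noao.edu")
    print(len(pkt), "bytes:", pkt.hex())
```

The resulting packet is 37 bytes: 12 bytes of header, the 21-byte name, then type 0x0001 and class 0x0001. The label-length checks matter on the sending side too: a name that does not fit the 63/255-byte limits cannot be expressed in this format, and silently truncating it would query a different name than intended.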

As mentioned above, the answer, authority and additional sections all use the same resource record (RR) format. The format is as follows:

Domain name field (variable length, or 2 bytes): the name to which the resource data in the record belongs. Its format is the same as that of the query name field. However, in the example analysis programs, I found that many DNS response messages use a 2-byte pointer to the domain name in the question section, because this field is the same as the domain name in the question section. As for how to calculate the pointer, I can't write it up from the book because my senior brother took it back yesterday.

Type (2 bytes) and Class (2 bytes): the same meaning as the type and class in the question section.

TTL (4 bytes): the lifetime of the resource record in seconds; the resolver uses it to decide how long the record may be cached and reused.

Resource data length (2 bytes): the length of the resource data in bytes (for an A record carrying an IPv4 address it is 0x0004).

Resource data: variable length; the data of the resource record returned in reply to the question.
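As an added example covering the header, the question section and the resource record format above (not code from the original page), here is a Python parser that also resolves the 2-byte name pointers. Per RFC 1035 a pointer is two bytes whose top two bits are 11 and whose remaining 14 bits are an offset from the start of the message, so 0xC00C points to offset 12, which is where the question name starts right after the header. The response bytes are constructed for the demonstration rather than captured, and the pointer hop limit is my own assumption.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MAX_POINTER_HOPS = 32               # assumption: no legitimate name needs more


def parse_flags(flags: int) -> dict:
    """Split the 16-bit flags word into its bit fields, MSB first."""
    return {
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7, "rcode": flags & 0xF,
    }


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it).

    A count byte with top bits 11 is a pointer: its low 14 bits give the
    message offset where the name continues. The position returned to the
    caller is fixed just after the first pointer seen. Hops are bounded so
    a crafted message with a pointer loop raises instead of hanging us.
    """
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        count = msg[offset]
        if count & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        if count & 0xC0:                               # 01/10 prefixes are reserved
            raise ValueError(f"reserved label type 0x{count:02x}")
        if count == 0:                                 # terminating 0 byte
            offset += 1
            break
        label = msg[offset + 1:offset + 1 + count]
        if len(label) != count:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="backslashreplace"))
        offset += 1 + count
    return ".".join(labels), (offset if end is None else end)


def parse_rr(msg: bytes, offset: int) -> tuple:
    """Parse one resource record (answer, authority or additional section)."""
    name, offset = decode_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata = msg[offset:offset + rdlength]
    if len(rdata) != rdlength:                         # never trust RDLENGTH blindly
        raise ValueError("RDLENGTH exceeds message")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
    if rtype == 1 and rdlength == 4:                   # A record: render the IPv4 address
        rr["address"] = ".".join(str(b) for b in rdata)
    return rr, offset + rdlength


def parse_message(msg: bytes) -> dict:
    """Parse the header, the question section and the three RR sections."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    out = {"id": msg_id, "flags": parse_flags(flags), "questions": [],
           "answers": [], "authority": [], "additional": []}
    offset = HEADER.size
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        out["questions"].append({"name": name, "type": qtype, "class": qclass})
        offset += 4
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            out[key].append(rr)
    return out


# Constructed response (not a real capture): ID 0x1234, flags 0x8180
# (QR=1, RD=1, RA=1, RCODE=0), QDCOUNT=1, ANCOUNT=1, the question
# gemini.tuc.noao.edu A IN, then one A record whose name is the pointer
# 0xC00C (offset 12 = the question name), TTL 3600, RDLENGTH 4, 192.0.2.1.
SAMPLE_RESPONSE = bytes.fromhex(
    "12348180" "0001000100000000"
    "0667656d696e6903747563046e6f616f0365647500" "00010001"
    "c00c" "00010001" "00000e10" "0004" "c0000201"
)

if __name__ == "__main__":
    parsed = parse_message(SAMPLE_RESPONSE)
    print(parsed["flags"], parsed["questions"], parsed["answers"])
```

Every length in the format (label counts, pointer targets, the count fields and RDLENGTH) comes from the untrusted message, which is why each one is checked against the buffer before it is used; a parser that trusts them reads past the packet or, with a pointer that points at itself, never terminates.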

That is basically the whole DNS message format. Here is a packet from the example, captured with Wireshark:

Corresponding message:

We will not analyze it further; the fields above should all be identifiable in Wireshark's dissection.
