DNS Message — How to Read Query and Response Message (2024)

Carson

5 min read

May 4, 2021

Transaction ID: for matching response to queries
Flags: specifies the requested operation and a response code
Questions: count of entries in the queries section
Answer RRs: count of entries in the answers section (RR stands for “resource record”)
Authority RRs: count of entries in the authority section
Additional RRs: count of entries in the additional section
Queries: queries data

Among them, what needs attention are Questions, Answer RRs, and Queries.

DNS Message — How to Read Query and Response Message (4)

Here is an example of the query message for image.google.com.

Questions: 1 means this message has one entry in the Queries.
Answer RRs: 0 means there are no answers. This is expected as a query message has only questions and no answers.

Next, let’s dive into the entry structure of queries — merely 3 sections.

DNS Message — How to Read Query and Response Message (5)

Name: the domain name
Type: DNS record type (e.g., A, CNAME, and MX)
Class: allows domain names to be used for arbitrary objects

It is easier to understand the structure by taking a look at the example.

DNS Message — How to Read Query and Response Message (6)

Name is the requested domain image.google.com.
Type: A means it is an A record. A record is the most basic and the most commonly used DNS record type.
Classs: IN refers to "internet." It doesn't matter much in our browser context.

DNS Message — How to Read Query and Response Message (7)

The interesting part is how the message codes the Name field.

Using . as a separator, the example domain can be divided into 3 groups.

image
google
com

In the example marked in blue, the first byte is 05, meaning the following 5 bytes are the 1st group of the domain.

In the screenshot, bytes are presented in ASCII codes. We can easily decode them into characters.

69 → i
6d → m
61 → a
67 → g
65 → e

We get the image.

Following the same rule, we can find the remaining part of the domain — google and com.

Finally, at the end of the domain, a 00 marks the end of the section.

That’s it for the query. With all required information provided by the query, the DNS server will send a response message.

DNS Message — How to Read Query and Response Message (8)

A response message shares the same header and Queries with an additional Answers section.

Why does a response message include the origin Queries section? It is for reference. We will get to it soon.

Here is a response example from querying image.google.com.

DNS Message — How to Read Query and Response Message (9)

In the message, we receive 3 entries in the Answers section. Therefore, Answer RRs is set to 3.

In the 1st entry, the DNS server returns a CNAME images.google.com for the initial query.
Then, a new query for images.google.com is sent, and another CNAME images.1.google.com is returned in the 2nd entry.
Finally, by querying images.1.google.com, the client receives the IP address 172.217.1.14 in the last entry.

DNS Message — How to Read Query and Response Message (10)

Besides the same 3 sections found in a query entry, an answer entry has 3 additional pieces.

Time to Live (TTL): number of seconds this record can live
Data Length: the length of the data
Data: the returned data, such as an IP address or CNAME

DNS Message — How to Read Query and Response Message (11)

Let’s take a look at the Name section, which has merely two bytes: c0 0c.

How a domain coded in two bytes?

It turns out that the bytes are an offset, referring to the coded domain name in the Queries section.

c0 is a beginning mark, while 0c is the actual offset, which is 12.

We count 12 bytes from the start byte of the message, 17, marked red in the screenshot. In the end, we reach the 13th byte, 05, the beginning of image.google.com, marked in yellow.

Not complicated, right? Here comes a complex one.

DNS Message — How to Read Query and Response Message (12)

In the 2nd entry of answers, the Name offset is 2e, 46 bytes.

By counting 46 bytes, we find the encoded images in the CNAME of the previous entry marked in yellow:

06 → the following 6 bytes are in the same group
69 → i
6d → m
61 → a
67 → g
65 → e
73 → s

At the end of the images, we recognize another offset reference c0 12. That's 18 bytes.

Again, by counting 18, we reach the referred part marked in green — google.com in the Name of preview entry.

The offset idea is an inspiring design. With it, the message saves considerable space.

DNS Message — How to Read Query and Response Message (13)

Finally, we can decode the address in the last answer entry:

ac → 172
d9 → 217
01 → 1
0e → 14

What needs attention in a DNS message are Questions, Answer RRs, Queries, and Answers. The first two are counts, while the other two are actual data.
By understanding how the Name is coded, you read the message in bytes with ease.

Join Medium with my referral link — CarsonAs a Medium member, a portion of your membership fee goes to writers you read, and you get full access to every story…cabulous.medium.com

Purchasing Medium Membership through the above link means I can get income through the referral link. This does not mean you have to buy from the link, nor do I deny or oppose other channels. It is your right to know.

You can find a complete list of DNS record types here: https://en.wikipedia.org/wiki/List_of_DNS_record_types.