Question

I was reading a Windows DNS server debug log file, in particular the packet captures, and am trying to understand how to parse the host names in order to use them in scripts.

The following is an example from an ANSWER section:

Offset = 0x007f, RR count = 2
Name      "[C06A](5)e6033(1)g(10)akamaiedge[C059](3)net(0)"
  TYPE   A  (1)
  CLASS  1
  TTL    20
  DLEN   4
  DATA   23.62.18.101

So, looking at the string "[C06A](5)e6033(1)g(10)akamaiedge[C059](3)net(0)" I realized that the numbers in parentheses are a count of the number of characters that follow. Replacing all of them with dots (except the first and last, which should just be removed) works like a charm.

The stuff in square brackets, though, remains a mystery to me. If I simply remove it all after handling the parentheses and quotes, the above string becomes e6033.g.akamaiedge.net. That is a valid host name.

So my question is: what does that content in square brackets actually mean? What is the correct way to turn that string into a proper host name I could feed to nslookup and other tools?


Solution

It appears it's the 2nd possible form of the NAME field as documented here:

http://www.zytrax.com/books/dns/ch15/#name

NAME This name reflects the QNAME of the question, i.e. it may take one of TWO formats. The first format is the label format defined for QNAME above. The second format is a pointer (in the interests of data compression, which, to be fair to the original authors, was far more important then than now). A pointer is an unsigned 16-bit value with the following format (the top two bits of 11 indicate the pointer format):

0   1   2   3   4   5   6   7   8   9   10  11  12  13  14  15
1   1   <--------------- offset (remaining 14 bits) ----------->

The offset in octets (bytes) from the start of the whole message. Must point to a label format record to derive name length.

Note: Pointers, if used, terminate names. The name field may consist of a label (or sequence of labels) terminated with a zero length record OR a single pointer OR a label (or label sequence) terminated with a pointer.

where the response is using pointers to refer to data elsewhere in the message.
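As an added example (not part of the answer above), a small Python function that parses a NAME field in this debug-log syntax: it checks each label against its length prefix, decodes each bracketed value as a compression pointer (top two bits 11, remaining 14 bits the message offset) and returns the dotted host name together with the decoded offsets. The exact field syntax is assumed from the log excerpt in the question.

```python
import re

# One token of a debug-log NAME field: either a 4-hex-digit compression
# pointer in square brackets, or a (length) prefix followed by its label.
_TOKEN = re.compile(r"\[([0-9A-Fa-f]{4})\]|\((\d+)\)([^()\[\]]*)")


def parse_debug_name(field):
    """Return (hostname, pointer_offsets) for a debug-log NAME string.

    Labels are validated against their length prefix; each [XXXX] value
    must have its top two bits set (11) and yields a 14-bit message offset.
    """
    field = field.strip().strip('"')
    labels, offsets, pos = [], [], 0
    ended_by_root = False
    last_was_pointer = False
    while pos < len(field):
        m = _TOKEN.match(field, pos)
        if m is None:
            raise ValueError(f"unparsable data at {pos}: {field[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:                 # [C06A]-style pointer
            value = int(m.group(1), 16)
            if value >> 14 != 0b11:
                raise ValueError(f"[{m.group(1)}] is not a pointer")
            offsets.append(value & 0x3FFF)         # low 14 bits = offset
            last_was_pointer = True
            continue
        length, text = int(m.group(2)), m.group(3)
        last_was_pointer = False
        if length == 0:                            # root label ends the name
            ended_by_root = True
            break
        if len(text) != length:
            raise ValueError(f"label {text!r} does not match length {length}")
        labels.append(text)
    if not ended_by_root and not last_was_pointer:
        raise ValueError("name ends with neither a zero label nor a pointer")
    return ".".join(labels), offsets


if __name__ == "__main__":
    # Constructed input, copied from the log excerpt in the question.
    print(parse_debug_name('"[C06A](5)e6033(1)g(10)akamaiedge[C059](3)net(0)"'))
```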

Licensed under: CC-BY-SA with attribution