DNS response answer & authoritative section
https://stackoverflow.com/questions/9865084
-
26-05-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPregunta
I have been looking at DNS response packets in Wireshark, and am not able to understand hex coding for the answer and authoritative sections.
Considering DNS query for: mail.abcd.com
The answer section contains name field, and the hex coding for this varies among:
0xc00c
0xc012
Both of them lead to the entire name being populated in the field.
The authoritative section also contains the name field, but the hex coding for this is usually:
0xc010
This leads to abcd.com being populated in the field.
Can anyone tell what is the convention followed to populate these fields, as its pretty confusing.
Thanks
Solución
DNS labels use a format of <length><data ...>.
A label may be a maximum of 63 bytes long, hence the <length> field has two bits left over. These are used to encode a label type.
If the top two bits are 0b11 then the remaining six bits are instead combined with the following byte form a compression pointer which is an offset within the DNS payload to a prior instance of another label.
Since the DNS protocol header is 12 bytes long, the shortest legal offset is 12 bytes, giving the value you saw above of 0xc00c.
[technically, one might construct a compression pointer that points into the header, but it's not strictly conformant with the protocol].
I would strongly recommend against trying to reverse engineer the specification from wire packets - you will inevitably miss stuff. Just read RFC 1035 instead - all of the core stuff is in there.
Otros consejos
Read up on name compression in the specification. 0xc, 0x12, and 0x10 are pointers to earlier copies of the names "mail.abcd.com" and "abcd.com" in the packet.
DNS messages use an offset value to say how many bytes after the beginning of the message we can find the domain name already included in the message.
Where the “address of the beginning byte” is counted in bytes from the beginning of the entire message. Start counting with zero as the first byte.
So in our example 0xC00C is 1100 0000 0000 1100 which means 1100 offset which is 12 bytes from the beginning of the entire DNS message.
