DNS Message — How to Read Query and Response Message

Carson
5 min read, May 4, 2021


A DNS message is relatively simple: the browser queries a domain name and gets back an IP address.

If a DNS server doesn't recognize the domain name, it passes the query along to the next DNS server. Later, when it receives a response, it relays that response to the browser.

Interested in how DNS resolution works? I hope this post helps.

Query Message

Here is the query’s message structure.

  • Transaction ID: for matching response to queries
  • Flags: specifies the requested operation and a response code
  • Questions: count of entries in the queries section
  • Answer RRs: count of entries in the answers section (RR stands for “resource record”)
  • Authority RRs: count of entries in the authority section
  • Additional RRs: count of entries in the additional section
  • Queries: queries data

Among them, what needs attention are Questions, Answer RRs, and Queries.

Here is an example of the query message for image.google.com.

  • Questions: 1 means this message has one entry in the Queries.
  • Answer RRs: 0 means there are no answers. This is expected as a query message has only questions and no answers.

Next, let’s dive into the entry structure of queries — merely 3 sections.

  • Name: the domain name
  • Type: DNS record type (e.g., A, CNAME, and MX)
  • Class: allows domain names to be used for arbitrary objects

It is easier to understand the structure by taking a look at the example.

  • Name is the requested domain image.google.com.
  • Type: A means it is an A record. A record is the most basic and the most commonly used DNS record type.
  • Class: IN refers to "internet." It doesn't matter much in our browser context.

The interesting part is how the message encodes the Name field.

Using . as a separator, the example domain can be divided into 3 groups.

  • image
  • google
  • com

In the example marked in blue, the first byte is 05, meaning the following 5 bytes are the 1st group of the domain.

In the screenshot, the bytes are shown in hex, and each one is an ASCII code. We can easily decode them into characters.

  • 69 → i
  • 6d → m
  • 61 → a
  • 67 → g
  • 65 → e

That gives us image.

Following the same rule, we can find the remaining part of the domain — google and com.

Finally, at the end of the domain, a 00 marks the end of the section.

That’s it for the query. With all required information provided by the query, the DNS server will send a response message.

Response Message

A response message has the same header and Queries section as the query, plus an additional Answers section.

Why does a response message include the original Queries section? It is for reference. We will get to it soon.

Here is a response example from querying image.google.com.

In the message, we receive 3 entries in the Answers section. Therefore, Answer RRs is set to 3.

  1. In the 1st entry, the DNS server returns a CNAME images.google.com for the initial query.
  2. Then, a new query for images.google.com is sent, and another CNAME images.1.google.com is returned in the 2nd entry.
  3. Finally, by querying images.1.google.com, the client receives the IP address 172.217.1.14 in the last entry.

Besides the same 3 sections found in a query entry, an answer entry has 3 additional pieces.

  • Time to Live (TTL): number of seconds this record can live
  • Data Length: the length of the data
  • Data: the returned data, such as an IP address or CNAME

Let’s take a look at the Name section, which has merely two bytes: c0 0c.

How can a domain name be encoded in just two bytes?

It turns out that the bytes are an offset, referring to the coded domain name in the Queries section.

c0 marks the two bytes as a pointer, while 0c is the actual offset, which is 12 in decimal.

We count 12 bytes from the start byte of the message, 17, marked red in the screenshot. In the end, we reach the 13th byte, 05, the beginning of image.google.com, marked in yellow.

Not complicated, right? Here comes a complex one.

In the 2nd entry of the answers, the Name offset is 2e, i.e. 46 bytes.

By counting 46 bytes, we find the encoded images in the CNAME of the previous entry marked in yellow:

  • 06 → the following 6 bytes are in the same group
  • 69 → i
  • 6d → m
  • 61 → a
  • 67 → g
  • 65 → e
  • 73 → s

Right after images, we find another offset reference, c0 12. That's 18 bytes.

Again, by counting 18 bytes, we reach the part marked in green: google.com in the Name of the previous entry.

The offset idea is a clever design. With it, a message never repeats a name it has already spelled out, which saves considerable space.

Finally, we can decode the address in the last answer entry:

  • ac → 172
  • d9 → 217
  • 01 → 1
  • 0e → 14
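To tie the query's label encoding and the response's offset pointers together, here is an added example (not part of the original post) in Python: a small parser run over a constructed response for image.google.com, laid out so that the Name pointers land at the same offsets the post walks through (12, 46 and 18). The decoder also refuses pointer loops and forward pointers, which a malformed or hostile packet could otherwise use to hang a naive parser.

```python
import struct

# Constructed response for image.google.com (not a real capture): 12-byte header, one
# question, then three answers placed so the pointers match the post (c0 0c -> 12, c0 2e -> 46).
RESPONSE = bytes.fromhex(
    "1734" "8180" "0001" "0003" "0000" "0000"        # ID, flags, QD=1, AN=3, NS=0, AR=0
    "05696d616765" "06676f6f676c65" "03636f6d" "00"    # Name: image.google.com (offset 12)
    "0001" "0001"                                     # Type A, Class IN
    "c00c" "0005" "0001" "00000e10" "0009"             # answer 1: Name ptr 12, CNAME, IN, TTL 3600, len 9
    "06696d61676573" "c012"                           # Data (offset 46): images + ptr 18 -> google.com
    "c02e" "0005" "0001" "00000e10" "000b"             # answer 2: Name ptr 46, CNAME, IN, TTL 3600, len 11
    "06696d61676573" "0131" "c012"                    # Data (offset 67): images.1 + ptr 18 -> google.com
    "c043" "0001" "0001" "00000e10" "0004" "acd9010e"  # answer 3: Name ptr 67, A, IN, TTL 3600, len 4
)

def read_name(msg, pos):
    """Decode a possibly compressed name at pos; return (name, offset just after it in the record)."""
    labels, end, seen = [], None, set()
    while True:
        if pos in seen or pos >= len(msg):
            raise ValueError("malformed name: pointer loop or truncated message")
        seen.add(pos)
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # top two bits 11: compression pointer
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:                          # must refer to an earlier occurrence
                raise ValueError("malformed name: forward pointer")
            end = pos + 2 if end is None else end      # the record resumes after the 2 pointer bytes
            pos = target
        elif length == 0:                              # 00 terminates the name
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def parse_answers(msg):
    """Return (owner, type, ttl, data) for every record in the Answers section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):                           # skip Queries: Name, then Type + Class
        pos = read_name(msg, pos)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, pos = read_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:                  # A: four raw bytes, e.g. ac d9 01 0e
            data = ".".join(str(b) for b in msg[pos:pos + 4])
        elif rtype == 5:                               # CNAME: Data is itself a compressed name
            data = read_name(msg, pos)[0]
        else:
            data = msg[pos:pos + rdlen].hex()
        answers.append((owner, rtype, ttl, data))
        pos += rdlen
    return answers
```

Calling `parse_answers(RESPONSE)` yields the three records from the post: the two CNAME hops and the final A record 172.217.1.14.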

Takeaways

  • What needs attention in a DNS message are Questions, Answer RRs, Queries, and Answers. The first two are counts, while the other two are actual data.
  • By understanding how the Name is encoded, you can read the raw bytes of a message with ease.
