A DNS message is relatively simple: the browser queries a domain name and gets back an IP address.
If a DNS server doesn't recognize the domain name, it passes the query along to the next DNS server. When a response comes back, it relays the response to the browser.
Interested in how DNS resolution works? I hope this post helps.
Query Message
Here is the query’s message structure.
- Transaction ID: for matching responses to queries
- Flags: specifies the requested operation and a response code
- Questions: count of entries in the queries section
- Answer RRs: count of entries in the answers section (RR stands for “resource record”)
- Authority RRs: count of entries in the authority section
- Additional RRs: count of entries in the additional section
- Queries: queries data
Among them, what needs attention are Questions, Answer RRs, and Queries.
Here is an example of the query message for image.google.com.
Questions: 1 means this message has one entry in the Queries section. Answer RRs: 0 means there are no answers. This is expected, as a query message has only questions and no answers.
Next, let’s dive into the entry structure of queries — merely 3 sections.
- Name: the domain name
- Type: DNS record type (e.g., A, CNAME, and MX)
- Class: allows domain names to be used for arbitrary objects
It is easier to understand the structure by taking a look at the example.
Name is the requested domain, image.google.com. Type: A means it is an A record. A record is the most basic and the most commonly used DNS record type. Class: IN refers to "internet." It doesn't matter much in our browser context.
The interesting part is how the message encodes the Name field.
Using . as a separator, the example domain can be divided into 3 groups: image, google, and com.
In the example marked in blue, the first byte is 05, meaning the following 5 bytes are the 1st group of the domain.
In the screenshot, bytes are presented as ASCII codes. We can easily decode them into characters:
69 → i
6d → m
61 → a
67 → g
65 → e
We get image.
Following the same rule, we can find the remaining parts of the domain: google and com.
Finally, at the end of the domain, a 00 byte marks the end of the name.
That’s it for the query. With all required information provided by the query, the DNS server will send a response message.
Response Message
A response message shares the same header and Queries section, with an additional Answers section.
Why does a response message include the original Queries section? It is for reference. We will get to it soon.
Here is a response example from querying image.google.com.
In the message, we receive 3 entries in the Answers section. Therefore, Answer RRs is set to 3.
- In the 1st entry, the DNS server returns a CNAME, images.google.com, for the initial query.
- Then, a new query for images.google.com is sent, and another CNAME, images.1.google.com, is returned in the 2nd entry.
- Finally, by querying images.1.google.com, the client receives the IP address 172.217.1.14 in the last entry.
Besides the same 3 sections found in a query entry, an answer entry has 3 additional pieces.
- Time to Live (TTL): number of seconds this record can live
- Data Length: the length of the data
- Data: the returned data, such as an IP address or CNAME
Let's take a look at the Name section, which has merely two bytes: c0 0c.
How is a domain coded in two bytes?
It turns out that the bytes are an offset, referring to the coded domain name in the Queries section.
c0 is a beginning mark, while 0c is the actual offset, which is 12.
We count 12 bytes from the start byte of the message, 17, marked red in the screenshot. In the end, we reach the 13th byte, 05, the beginning of image.google.com, marked in yellow.
Not complicated, right? Here comes a complex one.
In the 2nd entry of answers, the Name offset is 2e, which is 46 bytes.
By counting 46 bytes, we find the encoded images in the CNAME of the previous entry, marked in yellow:
06 → the following 6 bytes are in the same group
69 → i
6d → m
61 → a
67 → g
65 → e
73 → s
At the end of images, we recognize another offset reference, c0 12. That's 18 bytes.
Again, by counting 18, we reach the referred part marked in green: google.com in the Name of the previous entry.
The offset idea is an inspiring design. With it, the message saves considerable space.
Finally, we can decode the address in the last answer entry:
ac → 172
d9 → 217
01 → 1
0e → 14
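To tie the two walkthroughs together (length-prefixed labels in the query, and c0xx offset pointers in the answers), here is an added Python example, not from the original post, that parses a constructed response with the same shape as the one above: a CNAME answer whose Name points back to the question, and a second answer whose Name points into the first answer's data. The transaction ID, domain names and offsets in the sample are constructed, not the screenshot's values; the pointer-following code only accepts offsets that point backwards and caps the number of hops, which is what a resolver needs so a malformed message cannot send it into an endless loop.

```python
import struct

MAX_HOPS = 8  # cap on compression-pointer hops so a malformed message can't loop us

# Constructed response (not the post's screenshot): id 0x1234, 1 question, 2 answers.
# Offsets: question name "image.example.com" at 12 ("example.com" at 18); answer 1
# RDATA at 47 = "images" + pointer 0x12; answer 2 Name = pointer 0x2f back to that RDATA.
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                     # header
    b"\x05image\x07example\x03com\x00\x00\x01\x00\x01"                      # question A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x09\x06images\xc0\x12"  # CNAME answer
    b"\xc0\x2f\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xac\xd9\x01\x0e"    # A 172.217.1.14
)

def read_name(msg, off, hops=0):
    """Decode a length-prefixed name at `off`; follow c0xx pointers backwards only."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two high bits set: pointer
            if hops >= MAX_HOPS:
                raise ValueError("too many compression pointer hops")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:                             # forward/self pointer would loop
                raise ValueError("pointer does not point backwards")
            tail, _ = read_name(msg, ptr, hops + 1)
            labels.append(tail)
            return ".".join(labels), off + 2           # a pointer ends the name
        if length == 0:                                # 00 terminates the name
            return ".".join(labels), off + 1
        if length > 63:
            raise ValueError("label longer than 63 bytes")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_message(msg):
    """Return header id/flags, questions and answers (A and CNAME data decoded)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass)); off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == 1:   data = ".".join(str(b) for b in msg[off:off + rdlen])   # A
        elif rtype == 5: data, _ = read_name(msg, off)                            # CNAME
        else:            data = msg[off:off + rdlen].hex()
        answers.append((name, rtype, ttl, data)); off += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}
```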
Takeaways
- What needs attention in a DNS message are Questions, Answer RRs, Queries, and Answers. The first two are counts, while the other two are actual data.
- By understanding how the Name is coded, you can read the message byte by byte with ease.
Further Reading
- You can find a complete list of DNS record types here: https://en.wikipedia.org/wiki/List_of_DNS_record_types.