DNS Message — How to Read Query and Response Message
A DNS message is relatively simple: the browser queries a domain name and gets an IP address back.
If a DNS server doesn’t recognize the domain name, it passes the query along to the next DNS server. When it later receives a response, it relays that response to the browser.
Interested in how DNS resolution works? I hope this post helps.
Here is the query’s message structure.
- Transaction ID: for matching responses to queries
- Flags: specifies the requested operation and a response code
- Questions: count of entries in the queries section
- Answer RRs: count of entries in the answers section (RR stands for “resource record”)
- Authority RRs: count of entries in the authority section
- Additional RRs: count of entries in the additional section
- Queries: queries data
Among them, what needs attention are Questions, Answer RRs, and Queries.
Here is an example of the query message for
Questions: 1 means this message has one entry in the Queries section.
Answer RRs: 0 means there are no answers. This is expected, as a query message has only questions and no answers.
Next, let’s dive into the entry structure of queries — merely 3 sections.
- Name: the domain name
- Type: DNS record type (e.g., A, CNAME, and MX)
- Class: allows domain names to be used for arbitrary objects
It is easier to understand the structure by taking a look at the example.
Name is the requested domain.
Type: A means it is an A record. The A record is the most basic and the most commonly used DNS record type.
Class: IN refers to "internet." It doesn't matter much in our browser context.
The interesting part is how the message codes the Name. Using . as a separator, the example domain can be divided into 3 groups.
In the example marked in blue, the first byte is 05, meaning the following 5 bytes are the 1st group of the domain.
In the screenshot, bytes are presented in ASCII codes. We can easily decode them into characters.
We get the
Following the same rule, we can find the remaining part of the domain —
Finally, at the end of the domain, a 00 byte marks the end of the section.
That’s it for the query. With all required information provided by the query, the DNS server will send a response message.
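To make the byte layout described above concrete, here is an added example (not code from the original post) that builds a query message for the post's domain image.google.com: the six 16-bit header fields, then the Name coded as length-prefixed groups ending in 00, then Type and Class. The transaction ID 0x1700 is constructed; the post only shows its leading byte 17. The flags value 0x0100 (a standard query with recursion desired) follows RFC 1035.

```python
import struct


def encode_name(domain):
    """Encode a domain as DNS labels: a length byte before each group, then 00."""
    out = bytearray()
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:            # RFC 1035 limits a label to 63 bytes
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)                              # the 00 byte terminates the Name
    return bytes(out)


def build_query(domain, txid, qtype=1, qclass=1):
    """Build a standard query: 12-byte header followed by one Queries entry."""
    # Flags 0x0100: QR=0 (query), opcode 0 (standard query), RD=1 (recursion desired).
    # Counts: Questions=1, Answer RRs=0, Authority RRs=0, Additional RRs=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Split the first 12 bytes into the six header fields listed in the post."""
    names = ("Transaction ID", "Flags", "Questions", "Answer RRs",
             "Authority RRs", "Additional RRs")
    return dict(zip(names, struct.unpack("!HHHHHH", msg[:12])))


def hexdump(data):
    """Render bytes as space-separated hex, 16 per line, like a packet viewer."""
    return "\n".join(data[i:i + 16].hex(" ") for i in range(0, len(data), 16))


if __name__ == "__main__":
    # 0x1700 is a constructed transaction ID (the post only shows the leading byte 17).
    query = build_query("image.google.com", 0x1700)
    print(hexdump(query))
    print(parse_header(query))
```

Running it prints 34 bytes: after the 12-byte header you can read 05 image 06 google 03 com 00 followed by 00 01 (Type A) and 00 01 (Class IN), which is exactly what a packet viewer shows for the query.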
A response message shares the same header and Queries section, with an additional Answers section.
Why does a response message include the original Queries section? It is for reference, as we will see soon.
Here is a response example from querying
In the message, we receive 3 entries in the Answers section. Therefore, Answer RRs is set to 3.
- In the 1st entry, the DNS server returns a CNAME images.google.com for the initial query.
- Then, a new query for images.google.com is sent, and another CNAME images.1.google.com is returned in the 2nd entry.
- Finally, by querying images.1.google.com, the client receives the IP address 126.96.36.199 in the last entry.
Besides the same 3 sections found in a query entry, an answer entry has 3 additional pieces.
- Time to Live (TTL): number of seconds this record may be cached before it must be looked up again
- Data Length: the length of the data
- Data: the returned data, such as an IP address or CNAME
Let’s take a look at the Name section, which has merely two bytes.
How can a domain be coded in two bytes?
It turns out that the bytes are an offset, referring to the coded domain name in the Queries section. c0 is a beginning mark, while 0c is the actual offset, which is 12.
We count 12 bytes from the start byte of the message, 17, marked red in the screenshot. In the end, we reach the 13th byte, 05, the beginning of image.google.com, marked in yellow.
Not complicated, right? Here comes a complex one.
In the 2nd entry of the answers, the Name offset is 2e, which is 46 bytes.
By counting 46 bytes, we find the encoded images in the CNAME of the previous entry, marked in yellow: 06 → the following 6 bytes are in the same group.
At the end of images, we recognize another offset reference, c0 12. That's 18 bytes.
Again, by counting 18, we reach the referred part marked in green: google.com in the Name of the previous entry.
The offset idea is an inspiring design. With it, the message saves considerable space.
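The decoding walk above (length-prefixed groups, then c0 xx pointers that jump back to an earlier occurrence, possibly chained across entries) is what a parser has to implement, and it is also where careless parsers break: a message whose pointer refers to itself or forward can send a naive loop around forever. The following added example (not code from the original post) parses a constructed response that reproduces the post's offsets (question Name at byte 12, google.com at byte 18, the first CNAME's data at byte 46) and rejects a pointer that does not move strictly backwards. The TTL of 300, the response flags 0x8180 and the transaction ID 0x1700 are constructed values.

```python
import struct

TYPE_NAMES = {1: "A", 5: "CNAME"}          # RR type codes used here (RFC 1035 values)


def read_name(msg, offset):
    """Decode a possibly compressed Name at `offset`; return (dotted_name, offset_after).

    A pointer (first two bits 11) is followed only if it refers to an earlier byte
    than every pointer already followed, so a pointer loop raises instead of spinning.
    """
    labels, pos, end, limit = [], offset, None, offset
    while True:
        if pos >= len(msg):
            raise ValueError("Name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # c0 xx style offset reference
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= limit:
                raise ValueError(f"non-backward pointer at offset {pos}")
            if end is None:                              # caller resumes after the first pointer
                end = pos + 2
            pos = limit = target
            continue
        if length & 0xC0:                                # 01/10 label types are reserved
            raise ValueError(f"unsupported label type at offset {pos}")
        if length == 0:                                  # 00 terminates the Name
            return ".".join(labels), (pos + 1 if end is None else end)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length


def parse_rr(msg, offset):
    """Parse one answer entry: Name, Type, Class, TTL, Data Length, Data."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated RR fixed fields")
    rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    if offset + rdlength > len(msg):
        raise ValueError("Data Length exceeds message")
    if rtype == 1 and rdlength == 4:
        data = ".".join(str(b) for b in msg[offset:offset + 4])
    elif rtype == 5:
        data, _ = read_name(msg, offset)                 # CNAME data may itself use pointers
    else:
        data = msg[offset:offset + rdlength].hex()
    return (name, TYPE_NAMES.get(rtype, str(rtype)), ttl, data), offset + rdlength


def parse_response(msg):
    """Return the header counts plus the Queries and Answers entries."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated Queries entry")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, TYPE_NAMES.get(qtype, str(qtype)), qclass))
    for _ in range(ancount):
        rr, offset = parse_rr(msg, offset)
        answers.append(rr)
    return {"id": txid, "flags": flags, "answer_rrs": ancount,
            "questions": questions, "answers": answers}


def parse_or_error(msg):
    """Parse, but return the rejection reason as text instead of raising (handy for logging)."""
    try:
        return parse_response(msg)
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed response reproducing the post's offsets: the question Name starts at
# byte 12 (c0 0c), google.com inside it at byte 18 (c0 12), the first CNAME's data at 46 (c0 2e).
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1700, 0x8180, 1, 3, 0, 0)            # header: 1 question, 3 answers
    + b"\x05image\x06google\x03com\x00" + struct.pack("!HH", 1, 1)  # Queries, bytes 12..33
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 9)        # answer 1 at 34: Name -> 12, CNAME
    + b"\x06images\xc0\x12"                                    # data at 46: images + pointer to google.com
    + b"\xc0\x2e" + struct.pack("!HHIH", 5, 1, 300, 11)       # answer 2 at 55: Name -> 46, CNAME
    + b"\x06images\x01" + b"1\xc0\x12"                         # data at 67: images.1 + pointer to google.com
    + b"\xc0\x43" + struct.pack("!HHIH", 1, 1, 300, 4)        # answer 3 at 78: Name -> 67, A record
    + bytes([126, 96, 36, 199])                                # data at 90: the IP address
)
# Constructed hostile message: the question Name is a pointer to itself (c0 0c at offset 12).
POINTER_LOOP = struct.pack("!6H", 0x1700, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for name, rtype, ttl, data in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(f"{name:22} {rtype:6} TTL={ttl} {data}")
    print(parse_or_error(POINTER_LOOP))
```

The `limit` variable is the whole defence: each pointer must land before the previous one, so a chain can only ever move toward the header and terminates after at most as many hops as there are bytes. Resolvers, packet dissectors and log parsers that skip this check are the ones that hang on a single crafted packet.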
Finally, we can decode the address in the last answer entry:
- What needs attention in a DNS message are Questions, Answer RRs, Queries, and Answers. The first two are counts, while the other two are actual data.
- By understanding how the Name is coded, you can read the message byte by byte with ease.
- You can find a complete list of DNS record types here: https://en.wikipedia.org/wiki/List_of_DNS_record_types.