DNS Query Message Format

Introduction

This section will deal with the analysis of the DNS packets. This will allow us to see the way DNS messages are formatted and the options and variables they contain. To understand a protocol, you must understand the information the protocol carries from one host to another.

Because the DNS message format can vary, depending on the query and the answer, I've broken this analysis into two parts. Part 1 analyses the DNS format of a query, in other words, it shows how the packet looks when we ask a DNS server to resolve a domain. Part 2 analyses the DNS format of an answer, where the DNS server is responding to our query.

I find this method more informative and easy to understand rather than combining the analysis of queries and answers.

DNS Analysis - Host Query

As mentioned in the previous sections of the DNS Protocol, a DNS query is generated when the client needs to resolve a domain name into an IP Address. This could be the result of entering "www.firewall.cx" in the url field of your web browser, or simply by launching a program that uses the Internet and therefore generates DNS queries in order to successfully communicate with the host or server it needs.

Now, I've also included a live example (using my packet analyser), so you can compare theory with practice for a better understanding. After this we will have a look at the meaning of each field in the packet, so let's check out what a packet containing a DNS query would look like on our network:

This is the captured packet we are going to deal with. To generate this packet, I typed "ping www.firewall.cx" from my linux prompt. The command generated this packet, which was put on my network with the destination being a name server in Australia. Notice the Port Destination which is set to 53, on which the port DNS works, and the protocol used for the DNS Query, which is UDP.

 

 

Ethernet II (Check Ethernet Frames for more info.) is the most common type of frame found on LANs, in fact it probably is the only type you will find on 85% of all networks if you're only running TCP/IP and Windows or Unix-like machines. This particular one contains a DNS section, which could be either a Query or Response. We are assuming a Query, so it can fit nicely in our example.

We are going to take the DNS Section above and analyse its contents, which are already shown in the picture above (Right hand side, labeled "Capture") taken from my packet analyser.

Here they are again in a cool 3D diagram:

From this whole packet, the DNS Query Section is the part we're interested in (analysed shortly), the rest is more or less overhead and information to let the server know a bit more information about our query.

The analysis of each 3D block (field) is shown in the left picture below so you can understand the function of each field and the DNS Query Section captured by my wonderful packet sniffer on the right:

 

All fields in the DNS Query section except the DNS Name field (underlined in red in the picture above), have set lengths. The DNS Name field has no set length because it varies depending on the domain name length as we are going to see soon.

 

For example, a query for www.cisco.com will require DNS Name field to be smaller than a query for support.novell.com simply because the second domain is longer.

The DNS Name Field

To prove this I captured a few packets that show different lengths for the domain names I just mentioned but, because the DNS section in a packet provides no length field, we need to look one level above, which is the UDP header, in order to calculate the DNS section length. By subtracting the UDP header length (always 8 bytes - check UDP page for more information) from the bytes in the Length field, we are left with the length of the DNS section:

The two examples clearly show that the Length Field in the UDP header varies depending on the domain we are trying to resolve. The UDP header is 8 bytes in both examples and all fields in the DNS Section, except for the DNS Name field, are always 2 bytes.

The Flags/Parameters Field

The Parameter Field (labeled Flags) is one of the most important fields in DNS because it is responsible for letting the server or client know a lot of important information about the DNS packet. For example, it contains information as to whether the DNS packet is a query or response and, in the case of a query, if it should be a recursive or non-recursive type. This is most important because as we've already seen, it determines how the query is handled by the server.

Let's have a closer look at the flags and explain the meaning of each one. I've marked the bit numbers with black on the left hand side of each flag parameter so you can see which ones are used during a response. The picture on the right hand side explains the various bits. You won't see all 16 bits used in a query as the rest are used during a response or might be reserved:

 

As you can see, only bits 1, 2-5, 7, 8 and 12 are used in this query. The rest will be a combination of reserved bits and bits that are used only in responses. When you read the DNS response message format page, you will find a similar packet captured which is a reponse to the above query and the rest of the bits used are analysed.

And that just about does it for the DNS Query message format page. Next up is the DNS Response message format page which I'm sure you will find just as interesting!

 

 

 

Back

Top

Next - The DNS Response Message Format