DNS Response Message Format

Introduction

The previous page delt with the DNS Query message formats. We analysed them in great detail and showed how various options are selected by the host using the Flags/Parameters field.

On this page we will see and analyse the responses we get from the generated queries. These responses, in the case of a recursive query, come directly from the DNS server to which we sent the query and, in the case of a non-recursive query, will come from the last DNS server the client contacts in order to get the required information.

Lastly, keep in mind that this page is the continuation of the previous page, so it's important to understand the previous material ! If you have any doubts, read the previous section again.

Now that we have all that out of the way ....let's grab a few DNS responses and get our hands dirty :)

DNS Analysis - Server Response

Here is the response (highlighted) to the previous DNS query sent to an Australian DNS server (139.130.4.4), where I asked for the resolution of www.firewall.cx:

Something worth paying attention to is the time this query took to come back to my Linux file server. The time taken, from the moment the packet was sent from the Linux file server, until it received the answer, was only 0.991 seconds !

During this short period of time the packet travelled from Greece to Australia, reached the DNS server, which sent its queries to other DNS servers until it found the answer and then generated a DNS response that was sent back to Greece where my home network is !

There are a lot of factors that contribute to this fairly fast reponse. The transport protocol UDP, which does not require any 3-way handshake, the load of the DNS server to which I sent the query, the load of DNS servers it then had to ask, the speed at which all these servers and myself are connected to the Internet and the general load between the routers that my packet had to travel in order to get to its various destinations !

As you can clearly see, there is a lot happening for just one DNS query and response. Try to consider what happenes when you have 20,000,000 DNS queries happening at once on the Internet and you have a good idea on how well this protocol and the underlying technology have been designed !

Following is the Ethernet II packet that runs on the local network. The structure is the same, but varies in size, regardless of whether it's a DNS Query or Response:

Now, to make the analysis of the DNS Section easier I have also included the DNS Query (left hand side) and DNS Response (right hand side). This allows you to compare what we sent and what we received :

........

By comparing the two packets, you can see that there are fields in the DNS Response packet (marked with green arrows) that didn't exist in the Query. Let's see again what each field means and anaylse them again as we did in the previous page.

The DNS Section in a response packet is considerably larger and more complex than that of a query. For this reason we are going to analyse it in parts rather than all together. The query had only one section that required in-depth analysis whereas the response has three since the first one is the original query sent.

Here is the DNS Section of a DNS response in 3D:

You can clearly see that everything after the light green 3D block labeled "DNS Query Section" is new. We are going to focus on these 3 new blocks, which are part of the DNS Response Section, as the rest has been covered in the previous page.

DNS Response Section

The analysis of this section won't be too difficult because the format that is followed in each 3D block of our DNS Response Section is identical. For this reason, I have not analysed all 3 3D blocks, but only a few to help you get the idea.

The diagram below shows you the contents of the 3 3D blocks (sections) we are looking at: Answers Section, Authoritative Name Servers Section and the Additional Records Sections:

What we need to need understand is that each one of these three sections have identical fields. Even though the information they contain might seem a bit different, the fields are exactly the same and we will see this shortly.

In the picture above, I have only expanded the first part of the Answer section which is underlined in green so you can compare the fields with the ones contained in the left hand picture.

This next picture shows you the expanded version from the first part of the Answers and Authoritative sections. I have already marked and labeled the fields to prove to you that they are all identical and vary only in the information they contain:

If you look carefully you will notice that the Resource Data field is presented first, where according to the analysis of the sections in the picture above (left side), you would expect it last.

The truth is that it is last, but it's presented first just because my packet sniffer likes to make the data more readable and less confusing.

This is also the reason the first line of each part in each section is used to give you a quick summary of the information captured.

For example, looking at line 1, part 1 in the Answers Section (underlined in green), you get a summary of what's to follow: www.firewall.cx, type INET, cname firewall.

This proves that all fields in all of these 3 sections contained in the DNS Response Section are identical, but contain different values/data.

You also might wonder why there are 2 parts in each section ?

Could there be more or less parts, depending on the domain name or is there always 2 parts in each section ?

The answer is simple and logical, there are as many parts as needed, depending always on the domain setup. For example, if I had more than two name servers for the Firewall.cx domain, you would see more than two parts in the Authoritative nameserver section and the other sections.

Our example has only 2 parts per section whereas the one we see below has a lot more :

This DNS Response Section is based on a query generated for the IBM.COM domain:

As you can see, our query for IBM.COM gave us a response which has 4 parts per section !

Again, each part in every section has identical fields, but different data/values.

You might have noticed a pattern here as well. In every DNS Response you will find the same number of parts per section.

For example, the picture on the left shows us 4 parts for the Answers, Authoritative and Additional records sections and this is no coincidence.

The reason this is no coincidence - between the 3 sections (Answers, Authoritative and Additional records) is the Type field and I will explain why.

The Type Field

The Type field determines the type or part of information we require about a domain. To give you the simplest example, when we have a Type=A , we are given the IP Address of the domain or host (look at Answers section above), whereas a Type=NS means we are given the Authoritative Name Servers that are responsible for the domain (look at Authoritative Name Servers section above).

Looking at the picture below, which is from our first example (query for firewall.cx) we can see exactly how the Type field is responsible for the data we receive about a domain:

As you can see, the Type field in the first part of the Authoritative Name Servers section is set to NS, which means this part contains information about the Authoritative name servers of the queried domain.

Going to the first part of the Additional records, we can see that the Type field here is set to A, which means the data contained in this part is an IP Address for a particular host.

So where is the logic to all this ?

Well, if I told you which servers are authoritative for a domain (Authoritative Name Server Section), it would be useless if I answered you without giving you their IP Addresses (Additional Records Section).

This is the reason in this example we have been told about the Name Servers for the firewall.cx domain (Authoritative Name Server Section), but also given their IP Address (Additional Records Section).

The same rule and logic explains why there are 2 parts for all three sections of this example.

Let's have a look at the different values the Type field can have, this will also give you an insight into the information we can request and receive about any domain:

Type	Meaning	Contents
A	Host Address	32-Bit IP Address of host or domain
CNAME	Canonical Name (Alias)	Canonical domain name for and alias e.g www
HINFO	CPU & OS	Name of CPU and Operating System
MINFO	Mailbox	Info about a mailbox or mail list
MX	Mail Exchange	16-bit preference and name of the host that acts as a mail exchange server for a domain e.g mail.firewall.cx
NS	Name Server	Authoritative name server for the domain
PTR	Pointer	Symbolic link for a domain. e.g net.firewall.cx points to www.firewall.cx
SOA	Start Of Authority	Multiple fields that specify which parts of the naming hiererchy a server implements
TXT	Arbitrary Text	Uninterpreted string of ASCII text

The above values the Type field can take are contained within the DNS database, which is covered next.

Our discussion on the DNS Response message format is now complete !

Back

Top

Next - DNS Server Setup (Unix)