Dump DNS header / Query / Response

********************************************************************************

RFC 1035 : DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION

4. MESSAGES

4.1. Format

All communications inside of the domain protocol are carried in a single
format called a message. The top level format of message is divided
into 5 sections (some of which are empty in certain cases) shown below:

    +---------------------+
    |        Header       |
    +---------------------+
    |       Question      | the question for the name server
    +---------------------+
    |        Answer       | RRs answering the question
    +---------------------+
    |      Authority      | RRs pointing toward an authority
    +---------------------+
    |      Additional     | RRs holding additional information
    +---------------------+

The header section is always present. The header includes fields that
specify which of the remaining sections are present, and also specify
whether the message is a query or a response, a standard query or some
other opcode, etc.

The names of the sections after the header are derived from their use in
standard queries. The question section contains fields that describe a
question to a name server. These fields are a query type (QTYPE), a
query class (QCLASS), and a query domain name (QNAME). The last three
sections have the same format: a possibly empty list of concatenated
resource records (RRs). The answer section contains RRs that answer the
question; the authority section contains RRs that point toward an
authoritative name server; the additional records section contains RRs
which relate to the query, but are not strictly answers for the
question.

4.1.1. Header section format

The header contains the following fields:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

ID              A 16 bit identifier assigned by the program that
                generates any kind of query. This identifier is copied
                into the corresponding reply and can be used by the
                requester to match up replies to outstanding queries.

QR              A one bit field that specifies whether this message is a
                query (0), or a response (1).

OPCODE          A four bit field that specifies kind of query in this
                message. This value is set by the originator of a query
                and copied into the response. The values are:

                0               a standard query (QUERY)
                1               an inverse query (IQUERY)
                2               a server status request (STATUS)
                3-15            reserved for future use

AA              Authoritative Answer - this bit is valid in responses,
                and specifies that the responding name server is an
                authority for the domain name in question section.

                Note that the contents of the answer section may have
                multiple owner names because of aliases. The AA bit
                corresponds to the name which matches the query name, or
                the first owner name in the answer section.

TC              TrunCation - specifies that this message was truncated
                due to length greater than that permitted on the
                transmission channel.

RD              Recursion Desired - this bit may be set in a query and
                is copied into the response. If RD is set, it directs
                the name server to pursue the query recursively.
                Recursive query support is optional.

RA              Recursion Available - this bit is set or cleared in a
                response, and denotes whether recursive query support is
                available in the name server.

Z               Reserved for future use. Must be zero in all queries
                and responses.

RCODE           Response code - this 4 bit field is set as part of
                responses. The values have the following
                interpretation:

                0               No error condition

                1               Format error - The name server was
                                unable to interpret the query.

                2               Server failure - The name server was
                                unable to process this query due to a
                                problem with the name server.

                3               Name Error - Meaningful only for
                                responses from an authoritative name
                                server, this code signifies that the
                                domain name referenced in the query does
                                not exist.

                4               Not Implemented - The name server does
                                not support the requested kind of query.

                5               Refused - The name server refuses to
                                perform the specified operation for
                                policy reasons. For example, a name
                                server may not wish to provide the
                                information to the particular requester,
                                or a name server may not wish to perform
                                a particular operation (e.g., zone
                                transfer) for particular data.

                6-15            Reserved for future use.

QDCOUNT         an unsigned 16 bit integer specifying the number of
                entries in the question section.

ANCOUNT         an unsigned 16 bit integer specifying the number of
                resource records in the answer section.

NSCOUNT         an unsigned 16 bit integer specifying the number of name
                server resource records in the authority records
                section.

ARCOUNT         an unsigned 16 bit integer specifying the number of
                resource records in the additional records section.

4.1.2. Question section format

The question section is used to carry the "question" in most queries,
i.e., the parameters that define what is being asked. The section
contains QDCOUNT (usually 1) entries, each of the following format:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                                               |
    /                     QNAME                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     QTYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     QCLASS                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

QNAME           a domain name represented as a sequence of labels, where
                each label consists of a length octet followed by that
                number of octets. The domain name terminates with the
                zero length octet for the null label of the root. Note
                that this field may be an odd number of octets; no
                padding is used.

QTYPE           a two octet code which specifies the type of the query.
                The values for this field include all codes valid for a
                TYPE field, together with some more general codes which
                can match more than one type of RR.

QCLASS          a two octet code that specifies the class of the query.
                For example, the QCLASS field is IN for the Internet.

4.1.3. Resource record format

The answer, authority, and additional sections all share the same
format: a variable number of resource records, where the number of
records is specified in the corresponding count field in the header.
Each resource record has the following format:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                                               |
    /                                               /
    /                      NAME                     /
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     CLASS                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TTL                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                   RDLENGTH                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
    /                     RDATA                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

NAME            a domain name to which this resource record pertains.

TYPE            two octets containing one of the RR type codes. This
                field specifies the meaning of the data in the RDATA
                field.

CLASS           two octets which specify the class of the data in the
                RDATA field.

TTL             a 32 bit unsigned integer that specifies the time
                interval (in seconds) that the resource record may be
                cached before it should be discarded. Zero values are
                interpreted to mean that the RR can only be used for the
                transaction in progress, and should not be cached.

RDLENGTH        an unsigned 16 bit integer that specifies the length in
                octets of the RDATA field.

RDATA           a variable length string of octets that describes the
                resource. The format of this information varies
                according to the TYPE and CLASS of the resource record.
                For example, if the TYPE is A and the CLASS is IN,
                the RDATA field is a 4 octet ARPA Internet address.

4.1.4. Message compression

In order to reduce the size of messages, the domain system utilizes a
compression scheme which eliminates the repetition of domain names in a
message. In this scheme, an entire domain name or a list of labels at
the end of a domain name is replaced with a pointer to a prior occurrence
of the same name.

The pointer takes the form of a two octet sequence:

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    | 1  1|                OFFSET                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

The first two bits are ones. This allows a pointer to be distinguished
from a label, since the label must begin with two zero bits because
labels are restricted to 63 octets or less. (The 10 and 01 combinations
are reserved for future use.) The OFFSET field specifies an offset from
the start of the message (i.e., the first octet of the ID field in the
domain header). A zero offset specifies the first byte of the ID field,
etc.

The compression scheme allows a domain name in a message to be
represented as either:

   - a sequence of labels ending in a zero octet

   - a pointer

   - a sequence of labels ending with a pointer

Pointers can only be used for occurrences of a domain name where the
format is not class specific. If this were not the case, a name server
or resolver would be required to know the format of all RRs it handled.
As yet, there are no such cases, but they may occur in future RDATA
formats.

If a domain name is contained in a part of the message subject to a
length field (such as the RDATA section of an RR), and compression is
used, the length of the compressed name is used in the length
calculation, rather than the length of the expanded name.

Programs are free to avoid using pointers in messages they generate,
although this will reduce datagram capacity, and may cause truncation.
However all programs are required to understand arriving messages that
contain pointers.

For example, a datagram might need to use the domain names F.ISI.ARPA,
FOO.F.ISI.ARPA, ARPA, and the root. Ignoring the other fields of the
message, these domain names might be represented as:

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    20 |           1           |           F           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    22 |           3           |           I           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    24 |           S           |           I           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    26 |           4           |           A           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    28 |           R           |           P           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    30 |           A           |           0           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    40 |           3           |           F           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    42 |           O           |           O           |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    44 | 1  1|                20                       |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    64 | 1  1|                26                       |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    92 |           0           |                       |
       +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

The domain name for F.ISI.ARPA is shown at offset 20. The domain name
FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
concatenate a label for FOO to the previously defined F.ISI.ARPA.
The domain name ARPA is defined at offset 64 using a pointer to the ARPA
component of the name F.ISI.ARPA at 20; note that this pointer relies on
ARPA being the last label in the string at 20. The root domain name is
defined by a single octet of zeros at 92; the root domain name has no
labels.

********************************************************************************

Dump DNS packets with ID 14745 = 0x3999
(udp[8] and udp[9] are the first two octets after the 8-byte UDP header, i.e. the DNS ID field)

$ tcpdump -r dns.dump -nn -NN -s0 -xx -XX 'udp[8]==0x39' and 'udp[9]==0x99'
reading from file dns.dump, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
12:27:48.778480 ? Out IP 192.168.36.26.54177 > 85.15.1.188.53: 14745+ [1au] TXT? _certum.printer.rasana.ir. (66)
        0x0000:  0800 0000 0000 0004 0200 0400 0000 0000  ................
        0x0010:  0000 0000 4500 005e 8c20 0000 4011 b2e1  ....E..^....@...
        0x0020:  c0a8 241a 550f 01bc d3a1 0035 004a dca0  ..$.U......5.J..
        0x0030:  3999 0120 0001 0000 0000 0001 075f 6365  9............_ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 1000 0100 0029 04d0  ana.ir.......)..
        0x0060:  0000 0000 000c 000a 0008 f91d 65f8 2df0  ............e.-.
        0x0070:  014d                                     .M
12:27:48.780138 ? In IP 85.15.1.188.53 > 192.168.36.26.54177: 14745*- 1/0/1 TXT "7e12af8281e82b3d104a0c011fcfc7caf0ec3aceb7bd07bf3c2c20b74979cae" (158)
        0x0000:  0800 0000 0000 0004 0200 0000 0000 0000  ................
        0x0010:  0000 0000 4500 00ba 3945 0000 3e11 0761  ....E...9E..>..a
        0x0020:  550f 01bc c0a8 241a 0035 d3a1 00a6 e780  U.....$..5......
        0x0030:  3999 8500 0001 0001 0000 0001 075f 6365  9............_ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 1000 01c0 0c00 1000  ana.ir..........
        0x0060:  0100 0000 1e00 403f 3765 3132 6166 3832  ......@?7e12af82
        0x0070:  3831 6538 3262 3364 3130 3461 3063 3031  81e82b3d104a0c01
        0x0080:  3166 6366 6337 6361 6630 6563 3361 6365  1fcfc7caf0ec3ace
        0x0090:  6237 6264 3037 6266 3363 3263 3230 6237  b7bd07bf3c2c20b7
        0x00a0:  3439 3739 6361 6500 0029 04d0 0000 0000  4979cae..)......
        0x00b0:  001c 000a 0018 f91d 65f8 2df0 014d 0100  ........e.-..M..
        0x00c0:  0000 696f 437e e1c0 1e1c 1b67 1cb4       ..ioC~.....g..

Dump DNS Queries
(udp[10] is the first flags octet of the DNS header; its top bit, 128 = 0x80, is QR, which is 0 in a query)

$ tcpdump -r dns.dump -nn -NN -s0 -xx -XX 'udp[10] & 128 == 0'
reading from file dns.dump, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
12:27:48.778480 ? Out IP 192.168.36.26.54177 > 85.15.1.188.53: 14745+ [1au] TXT? _certum.printer.rasana.ir. (66)
        0x0000:  0800 0000 0000 0004 0200 0400 0000 0000  ................
        0x0010:  0000 0000 4500 005e 8c20 0000 4011 b2e1  ....E..^....@...
        0x0020:  c0a8 241a 550f 01bc d3a1 0035 004a dca0  ..$.U......5.J..
        0x0030:  3999 0120 0001 0000 0000 0001 075f 6365  9............_ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 1000 0100 0029 04d0  ana.ir.......)..
        0x0060:  0000 0000 000c 000a 0008 f91d 65f8 2df0  ............e.-.
        0x0070:  014d                                     .M
12:27:58.353938 ? Out IP 192.168.36.26.47037 > 85.15.1.188.53: 63597+ [1au] A? _certum.printer.rasana.ir. (66)
        0x0000:  0800 0000 0000 0004 0200 0400 0000 0000  ................
        0x0010:  0000 0000 4500 005e ce6d 0000 4011 7094  ....E..^.m..@.p.
        0x0020:  c0a8 241a 550f 01bc b7bd 0035 004a 0f1c  ..$.U......5.J..
        0x0030:  f86d 0120 0001 0000 0000 0001 075f 6365  .m..........._ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 0100 0100 0029 04d0  ana.ir.......)..
        0x0060:  0000 0000 000c 000a 0008 b58d 2200 892d  ............"..-
        0x0070:  672c                                     g,

Dump DNS Responses
(same flags octet; QR = 1 in a response)

$ tcpdump -r dns.dump -nn -NN -s0 -xx -XX 'udp[10] & 128 == 128'
reading from file dns.dump, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144
Warning: interface names might be incorrect
12:27:48.780138 ? In IP 85.15.1.188.53 > 192.168.36.26.54177: 14745*- 1/0/1 TXT "7e12af8281e82b3d104a0c011fcfc7caf0ec3aceb7bd07bf3c2c20b74979cae" (158)
        0x0000:  0800 0000 0000 0004 0200 0000 0000 0000  ................
        0x0010:  0000 0000 4500 00ba 3945 0000 3e11 0761  ....E...9E..>..a
        0x0020:  550f 01bc c0a8 241a 0035 d3a1 00a6 e780  U.....$..5......
        0x0030:  3999 8500 0001 0001 0000 0001 075f 6365  9............_ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 1000 01c0 0c00 1000  ana.ir..........
        0x0060:  0100 0000 1e00 403f 3765 3132 6166 3832  ......@?7e12af82
        0x0070:  3831 6538 3262 3364 3130 3461 3063 3031  81e82b3d104a0c01
        0x0080:  3166 6366 6337 6361 6630 6563 3361 6365  1fcfc7caf0ec3ace
        0x0090:  6237 6264 3037 6266 3363 3263 3230 6237  b7bd07bf3c2c20b7
        0x00a0:  3439 3739 6361 6500 0029 04d0 0000 0000  4979cae..)......
        0x00b0:  001c 000a 0018 f91d 65f8 2df0 014d 0100  ........e.-..M..
        0x00c0:  0000 696f 437e e1c0 1e1c 1b67 1cb4       ..ioC~.....g..
12:27:58.355799 ? In IP 85.15.1.188.53 > 192.168.36.26.47037: 63597*- 0/1/1 (136)
        0x0000:  0800 0000 0000 0004 0200 0000 0000 0000  ................
        0x0010:  0000 0000 4500 00a4 3aed 0000 3e11 05cf  ....E...:...>...
        0x0020:  550f 01bc c0a8 241a 0035 b7bd 0090 0cee  U.....$..5......
        0x0030:  f86d 8500 0001 0000 0001 0001 075f 6365  .m..........._ce
        0x0040:  7274 756d 0770 7269 6e74 6572 0672 6173  rtum.printer.ras
        0x0050:  616e 6102 6972 0000 0100 0106 7261 7361  ana.ir......rasa
        0x0060:  6e61 0269 7200 0006 0001 0000 04b0 0021  na.ir..........!
        0x0070:  036e 7331 c02b 0469 6e66 6fc0 2b78 c27a  .ns1.+.info.+x.z
        0x0080:  4900 001c 2000 0000 3c00 1275 0000 002a  I.......<..u...*
        0x0090:  3000 0029 04d0 0000 0000 001c 000a 0018  0..)............
        0x00a0:  b58d 2200 892d 672c 0100 0000 696f 4388  .."..-g,....ioC.
        0x00b0:  3351 eb6e 6401 9071                      3Q.nd..q
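To tie the RFC 1035 layout above to the captured bytes, here is a small parser (an added example, not part of the original notes or of tcpdump) that walks the header, question and resource records of the 14745 TXT response, following compression pointers. The sample input is the DNS payload copied from the dump (frame offset 0x30 onward, after the 20-byte SLL2, 20-byte IP and 8-byte UDP headers); pointers that do not refer to a prior occurrence are rejected so a malformed message cannot loop the parser, and RDLENGTH is bounds-checked against the message.

```python
import struct

TYPES = {1: "A", 2: "NS", 6: "SOA", 16: "TXT", 41: "OPT"}

def read_name(msg, off, depth=0):
    """Return (name, offset after it). RFC 1035 pointers reference a prior
    occurrence, so forward pointers and pointer loops are rejected."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or depth > 16:
                raise ValueError("bad compression pointer at %d" % off)
            return ".".join(labels + [read_name(msg, ptr, depth + 1)[0]]), off + 2
        if length & 0xC0:                                # 01/10 are reserved
            raise ValueError("reserved label type at %d" % off)
        if length == 0:                                  # root label ends the name
            return ".".join(labels) or ".", off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_message(msg):
    hdr, off, questions, records = parse_header(msg), 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, TYPES.get(qtype, qtype), qclass))
        off += 4
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):                       # RDLENGTH bounds check
            raise ValueError("RDATA runs past end of message")
        records.append((name, TYPES.get(rtype, rtype), rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return hdr, questions, records

# Sample input copied from the page's dump: DNS payload of the ID 14745 response.
RESPONSE = bytes.fromhex(
    "399985000001000100000001075f6365" "7274756d077072696e74657206726173"
    "616e610269720000100001c00c001000" "010000001e00403f3765313261663832"
    "38316538326233643130346130633031" "31666366633763616630656333616365"
    "62376264303762663363326332306237" "3439373963616500002904d000000000"
    "001c000a0018f91d65f82df0014d0100" "0000696f437ee1c01e1c1b671cb4")
```

The answer's NAME is the two-octet pointer c00c (offset 12, the QNAME), and its RDATA is one 63-character TXT string preceded by its length octet 3f, which is why RDLENGTH is 0x40.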