mail us  |  mail this page

contact us
training  | 
tech stuff  | 

Chapter 15 DNS Messages

  1. 15.1 Overview Generic Format
  2. 15.2 The Message Header
  3. 15.3 The DNS Question (Question Section)
  4. 15.4 The DNS Answer (Answer Section)
  5. 15.5 Domain Authority (Authority Section)
  6. 15.6 Additional Information (Additional Section)

15.1 Overview

This section details the format of messages that pass between a Resolver and a DNS system. The really smart thing to do is install wireshark and let it do all the analysis for you. However, if you are in de-bug mode then you may need this stuff. This where the Rocket Scientists wannabees hang out. Welcome.

Message formats are defined in RFC 1035.

The good news is that each message has the same generic format with 5 sections. This is the last good news.

Section Meaning/Use
Section 1 Message Header
Section 2 The DNS question being asked (aka Question Section)
Section 3 The Resource Record(s) which answer the question (aka Answer Section)
Section 4 The Resource Record(s) which point to the domain authority (aka Authority Section)
Section 5 The Resource Record(s) which may hold additional information (aka Additional Section)

Notes:

  1. Unused sections are not present - determined by count values in the message header

Up Arrow

Present in all messages. Never empty. Contains various flags and values which control the transaction. If you are not comfortable with bits, bytes and hex values take up origami or read this quick memory jogger. And while you are in this receptive mode you may want remind yourself that bit numbering standards are a real mess.

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Message ID
QR OPCODE AA TC RD RA res1 res2 res3 RCODE
QDCOUNT (No. of items in Question Section)
ANCOUNT (No. of items in Answer Section)
NSCOUNT (No. of items in Authority Section)
ARCOUNT (No. of items in Additional Section)

The following table defines the field values above:

Section Meaning/Use
Message ID 16 bit message ID supplied by the requestion (the questioner) and reflected back unchanged by the responder (answerer). Identifies the transaction.
QR Query - Response bit. Set to 0 by the questioner (query) and to 1 in the response (answer).
OPCODE Identifies the request/operation type. Currently assigned values are:
Value Meaning/Use
0 QUERY. standard query.
1 IQUERY. Inverse query. Optional support by DNS
2 STATUS. DNS status request
AA Authoritative Answer. Valid in responses only. Because of aliases multiple owners may exists so the AA bit corresponds to the name which matches the query name, OR the first owner name in the answer section.
TC TrunCation - specifies that this message was truncated due to length greater than that permitted on the transmission channel. Set on all truncated messages except the last one.
RD Recursion Desired - this bit may be set in a query and is copied into the response if recursion supported by this Name Server. If Recursion is rejected by this Name Server, for example it has been configured as Authoritative Only, the response (answer) does not have this bit set. Recursive query support is optional.
RA Recursion Available - this bit is valid in a response (answer) and denotes whether recursive query support is available (1) or not (0) in the name server.
RCODE Identifies the response type to the query. Ignored on a request (question). Currently assigned values:
Value Meaning/Use
0 No error condition.
1 Format error - The name server was unable to interpret the query.
2 Server failure - The name server was unable to process this query due to a problem with the name server.
3 Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.
4 Not Implemented - The name server does not support the requested kind of query.
5 Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.
QDCOUNT Unsigned 16 bit integer specifying the number of entries in the Question Section.
ANCOUNT Unsigned 16 bit integer specifying the number of resource records in the Answer Section. May be 0 in which case no answer record is present in the message.
NSCOUNT Unsigned 16 bit integer specifying the number of name server resource records in the Authority Section. May be 0 in which case no authority record(s) is(are) present in the message.
ARCOUNT Unsigned 16 bit integer specifying the number of resource records in the Additional Section. May be 0 in which case no addtional record(s) is(are) present in the message.

Notes:

Up Arrow

15.3 The DNS Question (Question Section)

While it is normal to have only one question per message, it is permissible to have any number defined by QDCOUNT each question has the same format as defined below:

Field Name Meaning/Use
QNAME The domain name being queried
QTYPE The resource records being requested
QCLASS The Resource Record(s) class being requested, for instance, internet, chaos etc.

Each field has the following format:

Name Meaning/Use
QNAME The name being queried, its content will depend upon the QTYPE (below), for example, a request for an A record will typically require a host part, such as, www.example.com, an MX query will only require a base domain name, such as, example.com. The name being queried is split into labels by removing the separating dots. Each label is represented as a length/data pair as follows:
Value Meaning/Use
no. of chars Single octet defining the number of characters in the label which follows. The top two bits of this number must be 00 (indicates the label format is being used) which gives a maximum domain name length of 63 bytes (octets). A value of zero indicates the end of the name field.
domain name A string containing the characters in the label.
Wow. To illustrate the above we'll use two examples:
// assume an MX query with a name of mydomain.com
// the hex representation is
08 6D 79 64 6F 6D 61 69 6E 03 63 6F 6D 00
// printable
 !  m  y  d  o  m  a  i  n  !  c  o  m  !
// note ! = unprintable

// assume an A query with a name of www.mydomain.com
// the hex representation is
03 77 77 77 08 6D 79 64 6F 6D 61 69 6E 03 63 6F 6D 00
// printable
 !  w  w  w  !   m  y  d  o  m  a  i n  !  c  o  m  !
// note ! = unprintable
QTYPE Unsigned 16 bit value. The resource records being requested. These values are assigned by IANA and a complete list of values may be obtained from them. The following are the most commonly used values:
Value Meaning/Use
x'0001 (1) Requests the A record for the domain name
x'0002 (2) Requests the NS record(s) for the domain name
x'0005 (5) Requests the CNAME record(s) for the domain name
x'0006 (6) Requests the SOA record(s) for the domain name
x'000B (11) Requests the WKS record(s) for the domain name
x'000C (12) Requests the PTR record(s) for the domain name
x'000F (15) Requests the MX record(s) for the domain name
x'0021 (33) Requests the SRV record(s) for the domain name
x'001C (28) Requests the AAAA record(s) for the domain name
x'00FF (255) Requests ANY resource record (typically wants SOA, MX, NS and MX)
QCLASS Unsigned 16 bit value. The CLASS of resource records being requested e.g. Internet, CHAOS etc. These values are assigned by IANA and a complete list of values may be obtained from them. The following are the most commonly used values:
Value Meaning/Use
x'0001 (1) IN or Internet

Up Arrow

15.4 The DNS Answer (Answer Section)

The Answer, Authority and Additional Section all comprise RRs and hence share the same format. The section the record appears in determines its type e.g. an A RR can appear in the Answer or Additional section. So far this stuff has been relatively straightforward if messy - take a deep breath before reading on. The format of these records is:

Field Name Meaning/Use
NAME The name being returned e.g. www or ns1.example.net If the name is in the same domain as the question then typically only the host part (label) is returned, if not then a FQDN is returned.
TYPE The RR type, for example, SOA or AAAA
CLASS The RR class, for instance, Internet, Chaos etc.
TTL The TTL in seconds of the RR, say, 2800
RLENGTH The length of RR specific data in octets, for example, 27
RDATA The RR specific data (see Binary RR Formats below) whose length is defined by RDLENGTH, for instance, 192.168.254.2

The various fields have the following meanings:

Name Meaning/Use
NAME This name reflects the QNAME of the question i.e. any may take one of TWO formats. The first format is the label format defined for QNAME above. The second format is a pointer (in the interests of data compression which to fair to the original authors was far more important then than now). A pointer is an unsigned 16-bit value with the following format (the top two bits of 11 indicate the pointer format):
 
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 1 The offset in octets (bytes) from the start of the whole message. Must point to a label format record to derive name length.

 
Note: Pointers, if used, terminate names. The name field may consist of a label (or sequence of labels) terminated with a zero length record OR a single pointer OR a label (or label sequence) terminated with a pointer.
TYPE Unsigned 16 bit value. The resource record types - determines the content of the RDATA field. These values are assigned by IANA and a complete list of values may be obtained from them. The following are the most commonly used values:
 
Value Meaning/Use
x'0001 (1) An A record for the domain name
x'0002 (2) A NS record( for the domain name
x'0005 (5) A CNAME record for the domain name
x'0006 (6) A SOA record for the domain name
x'000B (11) A WKS record(s) for the domain name
x'000C (12) A PTR record(s) for the domain name
x'000F (15) A MX record for the domain name
x'0021 (33) A SRV record(s) for the domain name
x'001C (28) An AAAA record(s) for the domain name
CLASS Unsigned 16 bit value. The CLASS of resource records being requested, for example, Internet, CHAOS etc. These values are assigned by IANA and a complete list of values may be obtained from them. The following are the most commonly used values:
 
Value Meaning/Use
x'0001 (1) IN or Internet
TTL Unsigned 32 bit value. The time in seconds that the record may be cached. A value of 0 indicates the record should not be cached.
RDLENGTH Unsigned 16-bit value that defines the length in bytes (octets) of the RDATA record.
RDATA Each (or rather most) resource record types have a specific RDATA format which reflect their resource record format as defined below:

SOA

Value Meaning/Use
Primary NS Variable length. The name of the Primary Master for the domain. May be a label, pointer or any combination.
Admin MB Variable length. The administrator's mailbox. May be a label, pointer or any combination.
Serial Number Unsigned 32-bit integer.
Refresh interval Unsigned 32-bit integer.
Retry Interval Unsigned 32-bit integer.
Expiration Limit Unsigned 32-bit integer.
Minimum TTL Unsigned 32-bit integer.

MX

Value Meaning/Use
Preference Unsigned 16-bit integer.
Mail Exchanger The name host name that provides the service. May be a label, pointer or any combination.

A

Value Meaning/Use
IP Address Unsigned 32-bit value representing the IP address

AAAA

Value Meaning/Use
IP Address 16 octets representing the IP address

PTR, NS

Value Meaning/Use
Name The host name that represents the supplied IP address (in the case of a PTR) or the NS name for the supplied domain (in the case of NS). May be a label, pointer or any combination.

Up Arrow

15.5 Domain Authority (Authority Section)

Only relevant in query response (the count of additional records will be 0 for queries). You will be delighted to know that authority records have exactly the same format as Answer records it is simply their position in an authority section that determines they are authority records (and that they will be of Resource Record (RR) type NS).

Up Arrow

15.6 Additional Information (Additional Section)

Only relevant in query responses (the count of additional records will be 0 for queries). You will be delighted to know that additional records have exactly the same format as Answer records it is simply their position in an additional section that determines they are additional records.

Theoretically, any Resource Record (RR) type can appear in an additional section if it will help (or be essential) in providing query resolution. In practice this section almost exculsively contains the A or AAAA (IP Address) records of the Name Servers defined in the Authority section.

Up Arrow

Memory jogger - Binary, decimal and hexadecimal

The contents of an 8 bit byte (an octet) may be expressed in decimal (base 10), binary (base 2) or hexadecimal (base 16 - 0-9, A-F) as follows:

Decimal Hexadecimal Binary
0 00 0000 0000
65 41 0100 0001
187 BB 1011 1011
255 FF 1111 1111

To convert a dotted decimal IP e.g. 192.168.0.5 to hexadecimal, take each dotted decimal value and convert it using a hex calculator (standard windows calculator in scientific mode will do the job). This will yield C0.A8.00.05 for our example above.

Up Arrow

Bit numbering

Bit numbering can be very confusing with various standard bodies adopting different conventions. The following are all valid, and used, bit numbering conventions for describing an 8 bit byte (an octet).

Memory contents 0 0 0 0 0 0 0 0
Bit numbering conventions
Left to right base 0 (IETF) 0 1 2 3 4 5 6 7
Left to right base 1 1 2 3 4 5 6 7 8
Right to left base 1 (ITU) 8 7 6 5 4 3 2 1
Power of 2 7 6 5 4 3 2 1 0

Always check what convention is used on any specification. The convention used by the IETF is a LEFT to RIGHT number starting from (base) ZERO. Many (but not all) C compliers allocate bits in a field using this convention.

Up Arrow



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Pro DNS and BIND by Ron Aitchison

Contents

tech info
guides home
dns articles
intro
contents
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
quickstart
5 install bind
6 samples
reference
7 named.conf
8 zone records
operations
9 howtos
10 tools
11 trouble
programming
12 bind api's
security
13 dns security
bits & bytes
15 messages
resources
notes & tips
registration FAQ
dns resources
dns rfcs
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox

Search

web zytrax.com

Share

Icons made by Icomoon from www.flaticon.com is licensed by CC 3.0 BY
share page via facebook tweet this page

Page

email us Send to a friend feature print this page Display full width page Decrease font size Increase font size

Resources

Systems

FreeBSD
NetBSD
OpenBSD
DragonFlyBSD
Linux.org
Debian Linux

Software

LibreOffice
OpenOffice
Mozilla
GitHub
GNU-Free SW Foundation
get-dns

Organizations

Open Source Initiative
Creative Commons

Misc.

Ibiblio - Library
Open Book Project
Open Directory
Wikipedia

Site

CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2017 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: July 27 2017.