The Domain Name System (DNS) is one of the most vital protocols used on the internet; it is what holds everything together. DNS links human-friendly names to IP addresses: without it you would need to memorize the IP address of every server or resource you wanted to visit online.
DNS servers hold databases of resource records which contain the mappings that allow devices to resolve IP addresses to DNS names and vice versa. These databases are generally made accessible to any device or other DNS server that requests them. If you’ve ever had anything to do with DNS you’ll know that although the basic principles of DNS are quite straightforward, the overall architecture can be very complicated, particularly with regard to the internet.
In this initial article we’re going to cover some of the basics of the DNS packet structure, which differs in many ways from the other protocols used to communicate online.
DNS Packet Structure
- DNS ID – Associates DNS responses with their corresponding queries.
- (QR) Query/Response – Identifies whether the packet is a query or a response.
- (AA) Authoritative Answer – When this bit is set it indicates that the name server is the ultimate authority for that domain.
- (RD) Recursion Desired – The DNS client asks the server to resolve the query recursively if the server does not hold the answer itself.
- (RA) Recursion Available – The DNS server supports recursive queries.
- (RC) Response Code – Used to identify any errors.
- Questions Section – Variable-length section which contains all the queries to be resolved.
- Answers Section – Variable-length section which contains the responses to those queries.
- Authority Section – Variable-length section which contains records pointing to authoritative name servers, if required.
There are more components in the DNS packet, but these are the important ones and they carry the bulk of the information, i.e. the query and the answer. This is how a simple DNS query is performed: a client that wishes to know an IP address (or DNS name) sends the query to a DNS server, and the server sends the answer in its response.
The simplest DNS transaction takes place in just two packets, i.e. the query and the response. You can see this quite easily using a packet capture program like Wireshark, and in fact DNS exchanges are a very good way to start packet analysis because the majority are relatively straightforward. There are exceptions of course; indeed we are increasingly seeing modified DNS services used to access US media sites like Netflix, as this article describes – http://www.onlineanonymity.org/proxies/the-return-of-us-dns-netflix/
There are a few things to remember when studying and troubleshooting DNS traffic, and one of the most important is that DNS relies on UDP (port 53) as its transport mechanism. This is useful to know because if you use something like Wireshark to analyse it you’ll notice lots of UDP traffic, and that Wireshark condenses the beginning of the packet into a single flags section which can be difficult to follow initially.
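To make the header fields and the two-packet exchange concrete, here is an added example (not code from the original article) that builds a DNS query, constructs a matching response, and parses both back into the fields listed above. It follows the RFC 1035 wire format; the transaction ID 0x1A2B, the name www.example.com and the answer address 192.0.2.10 are constructed sample values, and the parser also demonstrates the two checks a packet analyst cares about: truncated packets and looping name-compression pointers, both of which it rejects rather than crashing on.

```python
"""Build a DNS query and parse a constructed response (RFC 1035 wire format)."""
import struct

# Response codes (RCODE) defined in RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, name, qtype=1, rd=True):
    """12-byte header followed by one question (qtype 1 = A, qclass 1 = IN)."""
    flags = 0x0100 if rd else 0x0000            # QR=0, OPCODE=0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, addr, ttl=300):
    """Constructed reply: echo the question, then one A record whose name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + query[12:] + answer + bytes(int(o) for o in addr.split("."))

def decode_flags(flags):
    """Split the 16-bit flags word that Wireshark shows as a single field."""
    return {"QR": (flags >> 15) & 1, "OPCODE": (flags >> 11) & 0xF,
            "AA": (flags >> 10) & 1, "TC": (flags >> 9) & 1,
            "RD": (flags >> 8) & 1, "RA": (flags >> 7) & 1, "RCODE": flags & 0xF}

def read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if hops > 64:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                  # a name ends after its first pointer
            jumped, offset, hops = True, pointer, hops + 1
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_packet(data):
    """Parse header, question, answer, authority and additional sections."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = read_name(data, pos)
        qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an + ns + ar):                 # resource records share one layout
        name, pos = read_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        pos += rdlen
        if rtype == 1 and rdlen == 4:             # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        records.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "flags": decode_flags(flags), "rcode": RCODES.get(flags & 0xF, "?"),
            "questions": questions, "answers": records[:an],
            "authority": records[an:an + ns], "additional": records[an + ns:]}

def safe_parse(data):
    """Return the parsed packet, or None if it is truncated or malformed."""
    try:
        return parse_packet(data)
    except (ValueError, IndexError, struct.error):
        return None

# Constructed two-packet exchange: the query a client would send and the reply.
QUERY = build_query(0x1A2B, "www.example.com")
RESPONSE = build_response(QUERY, "192.0.2.10")

if __name__ == "__main__":
    print(parse_packet(QUERY)["flags"])
    print(parse_packet(RESPONSE)["answers"])
```

Matching the response to the query by transaction ID, as `parse_packet` exposes it, is exactly what a resolver (and Wireshark's "Transaction ID" column) does; the `hops` guard in `read_name` is there because a pointer that refers back to itself would otherwise loop forever, which is a classic parser robustness problem for any tool that ingests DNS from the wire.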
Remember though that the vast majority of DNS traffic is very simple, consisting of a query and a response. There is more information in the packet, but essentially it’s a question and an answer. If you need to see all the data and resource record types they are listed here – DNS Resource Parameters.