Protocol and Format
DNS Messages
The DNS protocol uses a common message format for all exchanges between
client and server or between servers. The DNS messages are encapsulated over
UDP or TCP using the "well-known port number" 53. DNS uses UDP for
message smaller than 512 bytes (common requests and responses).
DNS uses TCP for bigger exchange (i.e. zone transfer).
DNS Message
| Identification | Control |
| Question count | Answer count |
| Authority count | Additional count |
|
| Question |
| ... |
|
| Answer |
| ... |
|
| Authority |
| ... |
|
| Additional |
| ... |
The first 6 fields are 16-bits long, other fields are variable length.
Maximum size for a DNS label is 64 Bytes, for a DNS name 255 bytes, for a DNS
RDATA value 65535 bytes
- Identification field is used to match up replies and requests.
- Control field contains :
| QR | OpCode | AA | TC | RD | RA | Z | AD | CD | RCODE |
- QR : 1 bit, request (0) or response (1)
- OpCode : 4 bits, request type
- QUERY Standard request
- IQUERY Inverse request (obsoleted by RFC3425)
- STATUS Server status query
- NOTIFY Database update notification (RFC1996)
- UPDATE Dynamic database update (RFC2136)
- AA Authoritative Answer : 1 bit, reply from authoritative (1) or from cache (0)
- TC Truncated : 1 bit, response too large for UDP (1).
- RD Recursion Desired: 1bit, ask for recursive (1) or iterative (0) response
- RA Recursion Available : 1bit, server manages recursive (1) or not (0)
- 1 bit Zeros, reserved for extensions
- 1 bit AD Authenticated data, used by DNSSEC
- 1 bit CD Checking Disabled, used by DNSSEC
- 4 bits Rcode, Error Codes : NOERROR, SERVFAIL, NXDOMAIN
(no such domain), REFUSED...
- ... count fields give the number of entry in each following
sections:
- the Question section contains incomplete RR
{DNSname, TYPE, CLASS}.
- sections Response, Authority
Additional contain complete RR
{DNSname, TYPE, CLASS, TTL, (RDATA_LENGTH), RDATA}
TYPE, CLASS and RDATA_LENGTH are 2-bytes long, TTL is 4-bytes long, DNSname
follows some specific coding rules with compression (not described here)
Depending of the request, the 4 sections contain various RR, some required, some optional...
- Question count equals to 1 in general, but
could be 0 or >1 in very special cases
- Response section contains the matching RRset w.r.t the question
- Authority section contains NS record for Authoritative zone servers. Sometime it also contains the SOA record.
- Additional contains any additional useful information. For instance
Address Records (A, AAAA) for host names used in previous sections
(Glue,...)
For an iterative response (RD=0 or RA=0),
- Response section is empty in general,
- Authority section contains NS records describing
"a better zone server" for next iteration. (Worst case is root zone)
- Additional section contains if known addresses for servers described in
authority section.
For a positive recursive response (RD=RA=1, Rcode=NOERROR, Response-Count>0),
- Response contains the searched RRset
- Authority contains the authoritative zone name for the response
and the zone servers.
For a negative recursive response (RD=RA=1, NXDOMAIN or NO DATA),
- Response section is empty.
- Authority section contains an
SOA record with the Negative Cache TTL as parameter
(cf chapter DNS traces using dig for examples)