
How can you tell if a DNS Response has the Message compressed in Wireshark?


DNS Experts,

How can you tell by looking at the DNS Response, if the response message was compressed?


Showing Response 1 with message compression and Response 2 without Message compression


Thank you PPcap

asked 21 Dec '15, 08:35


accept rate: 50%

edited 21 Dec '15, 08:41

One Answer:


When a domain name appears in a DNS packet more than once and DNS compression is in use, the second and subsequent appearances of the domain name can be replaced by a pointer to the earlier occurrence of the name. The name isn't actually compressed; it's removed altogether and replaced by the pointer.

Normal DNS encoding separates the domain name into "labels" (the parts separated by periods) and encodes the name by listing the number of characters in each label, followed by the actual characters, with the whole thing terminated with zero. So "www.google.com" would be encoded as "3www6google3com0".

When a pointer is used instead of the literal domain name, the pointer will be only two bytes. The first two bits of the first byte will be "11" which indicates that it is a pointer, not a literal domain name. The remaining bits are the actual value of the pointer, as an offset from the beginning of the DNS portion of the packet, which is normally the transaction ID.

There is no flag in the DNS packet that will tell you that DNS compression was used. Instead, you'll simply have to highlight each domain name in the packet in the Packet Details pane and then look in the Packet Bytes pane to see whether you see the literal domain name or if you see a two-byte pointer.

See this link for a reasonably concise explanation of how domain names can be represented in a DNS packet. Scroll down to section 5 "DNS Packet Compression."

answered 21 Dec '15, 15:31


Jim Aragon
accept rate: 24%
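The manual check described in the answer (look at each name's first byte for the `11` prefix) can be automated. The following is an added example, not code from the original answer or from Wireshark: a small parser that walks the question, answer, authority and additional sections of a DNS message, decodes every owner name (and the name inside NS, CNAME and PTR RDATA), and reports whether any of them was a pointer rather than a literal. The two messages at the bottom are constructed by hand for the demonstration: both answer `www.google.com` with the documentation address 192.0.2.1, one using a `0xC00C` pointer back to the question name at offset 12, the other repeating the literal name. The decoder also refuses forward pointers and pointer loops, which is the failure mode a parser of untrusted DNS data has to handle.

```python
import struct


def encode_name(name: str) -> bytes:
    """Literal wire form: length-prefixed labels, zero-terminated (3www6google3com0)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode the name at `offset`.

    Returns (name, offset_after_name, used_pointer). `offset_after_name` is the
    position right after the name as it appears in the message: two bytes past
    the first pointer if one was used, otherwise one past the terminating zero.
    """
    labels = []
    used_pointer = False
    jumped = False
    next_offset = None
    visited = set()  # offsets already consumed; a repeat means a pointer loop
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        if offset in visited:
            raise ValueError("compression pointer loop")
        visited.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # top two bits 11: this is a pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:  # RFC 1035 pointers must refer to an earlier occurrence
                raise ValueError("forward pointer")
            used_pointer = True
            if not jumped:  # the name on the wire ends after the first pointer
                next_offset = offset + 2
                jumped = True
            offset = pointer
            continue
        if length & 0xC0:  # 01 and 10 are reserved label types
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            if not jumped:
                next_offset = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), next_offset, used_pointer


def walk_message(msg: bytes):
    """Return [(section, name, used_pointer)] for every name in the message."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12  # names are measured from the start of the header (transaction ID)
    found = []
    for _ in range(qd):
        name, pos, ptr = decode_name(msg, pos)
        found.append(("question", name, ptr))
        pos += 4  # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, pos, ptr = decode_name(msg, pos)
            found.append((section, name, ptr))
            rtype, rdlength = struct.unpack("!H6xH", msg[pos:pos + 10])
            if rtype in (2, 5, 12):  # NS, CNAME, PTR: RDATA is itself a name
                rname, _, rptr = decode_name(msg, pos + 10)
                found.append((section + " rdata", rname, rptr))
            pos += 10 + rdlength  # TYPE, CLASS, TTL, RDLENGTH, RDATA


    return found


def uses_compression(msg: bytes) -> bool:
    """True if any name in the message was encoded as a pointer."""
    return any(ptr for _, _, ptr in walk_message(msg))


# Constructed sample responses (not captured traffic): id 0x1234, standard
# response flags, one question and one A record for www.google.com -> 192.0.2.1.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = encode_name("www.google.com") + struct.pack("!HH", 1, 1)  # A, IN
RR_TAIL = struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
COMPRESSED = HEADER + QUESTION + b"\xc0\x0c" + RR_TAIL  # pointer to offset 12
UNCOMPRESSED = HEADER + QUESTION + encode_name("www.google.com") + RR_TAIL

if __name__ == "__main__":
    for label, msg in (("Response 1", COMPRESSED), ("Response 2", UNCOMPRESSED)):
        print(label, len(msg), "bytes, compression:", uses_compression(msg))
        for section, name, ptr in walk_message(msg):
            print("  %-10s %-16s %s" % (section, name, "pointer" if ptr else "literal"))
```

Running it prints the 48-byte compressed response with its answer name marked as a pointer and the 62-byte uncompressed one with both names literal, which is the same distinction the answer tells you to read off the Packet Bytes pane. The same `walk_message` can be pointed at the UDP payload of a real response exported from Wireshark.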