How can you tell by looking at the DNS Response, if the response message was compressed?
Showing Response 1 with message compression and Response 2 without Message compression
Thank you PPcap
asked 21 Dec '15, 08:35
edited 21 Dec '15, 08:41
When a domain name appears in a DNS packet more than once and DNS compression is in use, the second and subsequent appearances of the domain name can be replaced by a pointer to the earlier occurrence of the name. The name isn't actually compressed; it's removed altogether and replaced by the pointer.
Normal DNS encoding separates the domain name into "labels" (the parts separated by periods) and encodes the name by listing the number of characters in each label, followed by the actual characters, with the whole thing terminated with zero. So "www.google.com" would be encoded as "3www6google3com0".
When a pointer is used instead of the literal domain name, the pointer will be only two bytes. The first two bits of the first byte will be "11" which indicates that it is a pointer, not a literal domain name. The remaining bits are the actual value of the pointer, as an offset from the beginning of the DNS portion of the packet, which is normally the transaction ID.
There is no flag in the DNS packet that will tell you that DNS compression was used. Instead, you'll simply have to highlight each domain name in the packet in the Packet Details pane and then look in the Packet Bytes pane to see whether you see the literal domain name or if you see a two-byte pointer.
See this link for a reasonably concise explanation of how domain names can be represented in a DNS packet. Scroll down to section 5 "DNS Packet Compression."
answered 21 Dec '15, 15:31
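As an added example (not part of the original answer), a small Python parser that decodes names the way the answer describes and reports, for each owner name in the question and answer sections, whether it was written as a literal `3www6google3com0` label sequence or as a two-byte "11"-prefixed pointer. The packet bytes are constructed for the example, not taken from a real capture; the pointer check also rejects forward or looping pointers, which a naive parser would follow forever.

```python
import struct

# Constructed DNS response (not a real capture): the question carries www.google.com
# literally; the answer's owner name is the pointer 0xC00C ("11" bits + offset 12).
SAMPLE = bytes.fromhex(
    "1234" "8180" "0001" "0001" "0000" "0000"          # ID, flags, QD=1, AN=1, NS=0, AR=0
    "03777777" "06676f6f676c65" "03636f6d" "00"        # 3www6google3com0 (starts at offset 12)
    "0001" "0001"                                      # QTYPE=A, QCLASS=IN
    "c00c" "0001" "0001" "0000003c" "0004" "c0000201"  # ptr->12, A, IN, TTL 60, RDLEN 4, 192.0.2.1
)

def read_name(msg, offset):
    """Return (name, offset just past the name, used_pointer). A pointer must point
    strictly before the last jump origin, so a crafted pointer loop raises, not hangs."""
    labels, pos, end, used_pointer, limit = [], offset, None, False, offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                     # top two bits 11: compression pointer
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= limit:
                raise ValueError("forward or looping compression pointer")
            end = pos + 2 if end is None else end       # the name occupies only these 2 bytes
            pos, limit, used_pointer = target, target, True
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:                                 # terminating zero label
            return ".".join(labels), (pos if end is None else end), used_pointer
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def scan_names(msg):
    """List (section, name, used_pointer) for every owner name in the question and
    answer sections; used_pointer is the only tell-tale that compression was used."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos, report = 12, []
    for _ in range(qdcount):
        name, pos, ptr = read_name(msg, pos)
        report.append(("question", name, ptr))
        pos += 4                                        # QTYPE, QCLASS
    for _ in range(ancount):
        name, pos, ptr = read_name(msg, pos)
        report.append(("answer", name, ptr))
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength                            # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return report
```

Running `scan_names(SAMPLE)` shows the question name as literal and the answer name as a pointer, which is exactly the distinction you would otherwise have to read off the Packet Bytes pane.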