This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help understanding DNS packet data


Hello all,

I am going through my DNS data and I keep seeing some odd hex values within the query. I'm new to all of this, so I am hoping someone can help me figure out what it means, what it's used for and what purpose it has within the DNS packet data.

When I run a dump on port 53, I am seeing a bunch of queries with values within brackets [ ], for example:

[C00C](3)www(6)google(3)com(0)

Here is another example with part of the payload - see that the [C00C] shows up again below in the ANSWER section. I'm also seeing a few other hex values within the brackets [ ], but I'm not sure what they are for or how they are used. Any help understanding would be greatly appreciated.

ANSWER SECTION:
Offset = 0x0030, RR count = 0
Name      "[C00C](14)5-01-2cd3-001f(3)lex(6)google(3)com(0)"
  TYPE   CNAME  (5)
  CLASS  1
  TTL    14
  DLEN   30
  DATA

asked 10 Mar '16, 12:52


mike_vu
accept rate: 0%


One Answer:


What tool are you using to view the packet data? That doesn't look like a Wireshark display. Nevertheless:

Domain names in a DNS packet are encoded. "www.google.com" for example, is actually stored in the packet as "3www6novell3com0". It's the number of characters followed by the characters and the whole thing terminated by zero.

The domain name that is in the query portion of the packet is repeated in the answer portion. However, instead of repeating the whole domain name, only a pointer to the first occurrence of the name is stored in the packet. C00C is the hex value of the pointer. The first two bits are 1's, which indicates that it is a pointer, and the remaining bits are the actual value of the pointer.

C00C in binary is 11000000 00001100. The first two bits indicate that it is a pointer. The remaining bits (000000 00001100) are the actual value of the pointer. The equivalent decimal value is 12. Start at the very first field in the DNS portion of the packet, which is the transaction ID, and count down 12 bytes. That will take you right to the first occurrence of the name, the one that is in the query portion of the packet.

answered 10 Mar '16, 14:06


Jim Aragon
accept rate: 24%
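The label encoding and the C00C pointer rule explained in the answer above, as an added example that is not part of the original post and is not Wireshark's code: a small Python encoder/decoder for DNS names plus a parser for the question and answer sections, run over a constructed response (assumed bytes built inline, not a real capture) in which both answer owner names are compressed. The first answer's owner name is the literal C0 0C from the question, the CNAME RDATA mixes a label with a pointer into the middle of the question name, and the second answer's owner name is reached through a chain of two pointers. The rule that every pointer must land strictly before the region currently being walked is a hardening choice of this example, stricter than many parsers.

```python
import struct


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as <len><label>...<0>, e.g. 3www6google3com0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:            # RFC 1035: a label is 1..63 octets
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)                                # zero-length root label ends the name
    return bytes(out)


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at msg[offset:], following 0xC0xx compression pointers.

    Returns (dotted name, offset just past the field as it sits at `offset`).
    Pointer offsets count from byte 0 of the DNS message (the transaction ID),
    so 0xC00C means "go back to byte 12", the start of the question name.
    Hardening choice of this example: a pointer must land strictly before the
    region we are walking, so `limit` only shrinks and loops cannot happen.
    """
    labels: list[str] = []
    field_end = None       # set when we first leave the field through a pointer
    limit = offset         # a pointer target must be strictly below this
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # top two bits 11: pointer
            if pos + 2 > len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF  # low 14 bits
            if field_end is None:
                field_end = pos + 2
            if target >= limit:
                raise ValueError(f"pointer to 0x{target:04X} at byte {pos} is not backwards")
            limit = pos = target
            continue
        if length & 0xC0:                        # 01 / 10 are reserved label types
            raise ValueError(f"unsupported label type 0x{length:02X}")
        pos += 1
        if length == 0:                          # root label: end of name
            break
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if field_end is None else field_end)


def name_is_well_formed(msg: bytes, offset: int) -> bool:
    """True if decode_name accepts the name at offset, False on any malformation."""
    try:
        decode_name(msg, offset)
        return True
    except ValueError:
        return False


def parse_response(msg: bytes) -> dict:
    """Parse the header, question section and answer section of a DNS response."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qdcount):
        qname, pos = decode_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((qname, qtype, qclass))
    for _ in range(ancount):
        owner, pos = decode_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        if rtype == 5:                           # CNAME: RDATA is itself a compressible name
            rdata = decode_name(msg, pos)[0]
        elif rtype == 1 and rdlen == 4:          # A: four address octets
            rdata = ".".join(str(b) for b in msg[pos:pos + 4])
        else:
            rdata = msg[pos:pos + rdlen].hex()
        pos += rdlen
        answers.append((owner, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def build_sample_response() -> bytes:
    """Constructed sample (not a real capture): one question, a CNAME and an A answer.
    Offsets: header 0-11, question name at 12 (its "google" label at 16),
    answer 1 at 32 with RDATA at 44, answer 2 at 50; 66 bytes in total."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)      # QR=1, RD, RA; 1 Q, 2 AN
    question = encode_name("www.google.com") + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    cname_rdata = b"\x03lex" + b"\xC0\x10"                            # "lex" + pointer to byte 16
    answer1 = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 14, len(cname_rdata)) + cname_rdata
    answer2 = b"\xC0\x2C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer1 + answer2
```

parse_response(build_sample_response()) decodes both owner names to the same string the question carries, which is the point of the answer: the C0 0C bytes at offset 32 are not part of a name, they say "the name you already read at byte 12". The pointer check is deliberately stricter than "top two bits set": a pointer that lands at or after the region being walked (including one that points at itself, or a backwards pointer whose target region contains the pointer again) would otherwise loop forever, which is exactly the kind of input a hostile resolver or a fuzzer sends to a DNS parser.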

If you're curious about the gory details, see sections 3.1 "Name space definitions" and 4.1.4 "Message compression" of RFC 1035, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION".

(10 Mar '16, 17:06) Guy Harris ♦♦

Thanks, that was a great explanation.

(21 Mar '16, 08:43) mike_vu

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(21 Mar '16, 09:52) grahamb ♦