DNS Packet Format

A DNS packet consists of a fixed-length header followed by variable-length sections for questions, answers, authoritative records, and additional information. Each section contains one or more DNS records, which are structured similarly.

1. DNS Header

The DNS header is 12 bytes long and contains the following fields:

1. Identification (16 bits):

   • A unique identifier for the DNS query/response pair, used to match responses with queries.

2. Flags (16 bits):

   • QR (1 bit): Query (0) or Response (1).
   • Opcode (4 bits): Type of query (e.g., standard query, inverse query, or status request). The most common is 0 (Standard Query).
   • AA (1 bit): Authoritative Answer – set if the server is authoritative for the response.
   • TC (1 bit): Truncated – set if the message was truncated.
   • RD (1 bit): Recursion Desired – set if the client desires recursive query support.
   • RA (1 bit): Recursion Available – set if the server supports recursion.
   • Z (3 bits): Reserved for future use; must be zero.
   • RCODE (4 bits): Response code – indicates the result of the query (e.g., No Error, Format Error, Server Failure).

3. QDCOUNT (16 bits):

   • Number of questions in the question section.

4. ANCOUNT (16 bits):

   • Number of resource records in the answer section.

5. NSCOUNT (16 bits):

   • Number of name server resource records in the authority section.

6. ARCOUNT (16 bits):

   • Number of resource records in the additional information section.

2. DNS Question Section

The question section contains one or more questions that are being asked of the DNS server. Each question consists of:

1. QName (variable length):

   • The domain name being queried, encoded in a series of length-prefixed labels (e.g., www.example.com is encoded as 3www7example3com0).

2. QType (16 bits):

   • The type of DNS record being requested. Common types include:
     • 1 (A record – address)
     • 2 (NS record – name server)
     • 5 (CNAME record – canonical name)
     • 15 (MX record – mail exchange)

3. QClass (16 bits):

   • The class of the query, typically 1 for IN (Internet).

3. DNS Answer Section

The answer section contains resource records (RRs) that answer the question(s) posed in the question section. Each resource record consists of:

1. Name (variable length):

   • The domain name to which the record pertains, encoded similarly to the QName in the question section.

2. Type (16 bits):

   • The type of the resource record (e.g., A, NS, CNAME).

3. Class (16 bits):

   • The class of the resource record, usually 1 for IN (Internet).

4. TTL (32 bits):

   • Time to Live – the time (in seconds) that the record can be cached before it should be discarded.

5. RDLENGTH (16 bits):

   • Length of the RDATA field in bytes.

6. RDATA (variable length):

   • The data associated with the resource record. The format of this data depends on the record type:
     • A Record: IPv4 address (4 bytes).
     • NS Record: Domain name of the name server.
     • CNAME Record: Canonical domain name.
     • MX Record: Preference value and domain name of the mail exchange server.

4. DNS Authority Section

The authority section provides information about the authoritative name servers for the domain in question. Each record in this section is formatted similarly to the answer section.

5. DNS Additional Section

The additional information section includes supplementary data that may be useful to the resolver. This section often contains information that helps resolve the query more efficiently, such as IP addresses of the authoritative servers listed in the authority section.