Understanding the DNS Protocol (Part 2)

If you missed the previous parts in this series please go read:

DNS, Resource Records and RCODE’s

We are now familiar with the domain name service at a high level. What we now need to do is become familiar with some specifics. To that end we will take a look at about a half dozen or so resource records, and explain what they mean. This will be done with example packets so that we can visualize them, vice simply read about them. The resource records we will cover below are in no specific order. On that note let’s get on with it!

Seen in the packets below are various non-routable IP’s, namely and, which I put in place to substitute the real IP addresses that were in the packets. Lastly, I have included a selection of both RCODE’s and Resource Records for us to take a look at. With that said let’s take a look at our first packet, which contains an RCODE.

There is no such domain!

During your everyday surfing of the web it may happen that a link you click on fails to load the requested page. Well, just like in the real world of business, sometimes web sites will disappear for a variety of reasons. Bearing this in mind DNS needs a way of communicating this back to the client that originally made the request. This is done via a DNS RCODE ie: response code known as NX or non-existent domain. It means literally just that, there is no such domain to be found. Please note that I have snipped the below noted packet for brevity, and that in reality the length of the packet should have been 143 bytes as reflected in the “len 143” field highlighted below.

So with that said we can see that the DNS server located at is telling (who originally must have asked for DNS resolution on a domain) that the domain it wanted resolution on does not exist. The number that we see below  ie: 17165 is the DNS transaction number, and allows the client requesting DNS resolution to keep track of what answer goes with what DNS request. After all, your computer is likely making quite a few DNS resolution requests, and having this number allows it to keep track of what belongs with what.

11:00:06.289070 >  17165 NXDomain 0/1/0 (115) (ttl 58, id 43899, len 143)
0x0000   4500 008f ab7b 0000 3a11 26d7 c0a8 01c8        E….{..:.&…e.
0x0010   c0a8 0164 0035 009b 007b 3410 430d 8183        …..5…{4.C…
0x0020   0001 0000 0001 0000 xxxx xxxx xxxx xxxx        ………xxxxxxx
0x0030   xxxx xxxx xxxx xxxx xxxx  6e2d 6164 6472        .xxxxx.in-addr
0x0040   0461 7270 6100 000c 0001 c014 0006 0001        .arpa………..

I want answers!

What we see below is an Answer resource record as evidenced by the underlined part seen below. Specifically the “A” corresponds to the “A” resource record. The A record is used to define an IP address. In our case below it is the IP address for the banner.paypopup.com domain. From the below we can deduce once again that issued an “A?” request for the IP address of the banner.paypopup domain. This resource record is very common, and you would indeed see a lot of these were you sniffing your connection while you were surfing. Once again for brevities sake I have snipped part of the packet.

11:00:09.511821 >  17170 1/5/5 banner.paypopup.com. A (242) (ttl 58, id 47434, len 270)
0x0000   4500 010e b94a 0000 3a11 1889 c0a8 01c8        E….J..:…..e.
0x0010   c0a8 0164 0035 009b 00fa 4ae2 4312 8180        …..5….J.C…
0x0020   0001 0001 0005 0005 0662 616e 6e65 7208        ………banner.
0x0030   7061 7970 6f70 7570 0363 6f6d 0000 0100        paypopup.com….
0x0040   01c0 0c00 0100 0100 000d 7200 0442 304e        ……….r..B0N

CNAME record

CNAME stands for canonical name, and is also a DNS resource record, much like the A resource record seen above. The CNAME resource record is used to indicate the true host name of a computer. There can however be more then one domain name that is associated with an IP address. In essence a computer can have a whole lot of aliases, which resolve to the one IP address, and that is why the CNAME record is there. The CNAME record must be in the DNS database for each alias.

11:00:11.484898 >  17189 3/7/7 fpdownload.macromedia.com. CNAME fpdownload.macromedia.speedera.net., fpdownload.macromedia.speedera.net. A 216
.200.249.204, [|domain] (ttl 58, id 49656, len 375)
0x0000   4500 0177 c1f8 0000 3a11 0f72 c0a8 01c8        E..w….:..r..e.
0x0010   c0a8 0164 0035 009b 0163 16bb 4325 8180        …..5…c..C%..
0x0020   0001 0003 0007 0007 0a66 7064 6f77 6e6c        ………fpdownl
0x0030   6f61 640a 6d61 6372 6f6d 6564 6961 0363        oad.macromedia.c

ServFail RCODE

Another cryptic packet you may encounter is the “ServFail” which is an RCODE just like the NXDomain is. What the ServFail tells you is that there was possibly an error experienced by the DNS server itself, or a timeout occurred during forwarding. This in reality is telling you that it could not honor your DNS request due to a server side issue in all likelihood.

01:04:37.291738 > [udp sum ok]  60301 ServFail 0/0/0 (33) (ttl 58, id 25184, len 61)
0x0000   4500 003d 6260 0000 3a11 7043 c0a8 01c8        E..=b`..:.pC..e.
0x0010   c0a8 0164 0035 0289 0029 1266 eb8d 8182        …..5…).f….
0x0020   0001 0000 0000 0000 0b6d 7966 756e 6e79        ………myfunny
0x0030   6d61 696c 0363 6f6d 0000 1c00 01                       mail.com…..

What does a DNS query look like?

Well so far we have looked at quite a few DNS responses, and have yet to actually look at a DNS query. Without further ado let’s take a look at what a query looks like. From the underlined portion below we can see the “A?” which means that is asking for an Answer record from In essence he is asking for an IP address for the domain listed after the “A?”.

We can see that we have an overall packet length of 61 as evidenced by the “len 61” which is also underlined below. Also we can see that we have thirty three data bytes in the packet as noted in the “(33)” also underlined below. Why is there a disparity between the two numbers you ask? Good question. Well we have an overall packet size of sixty one, and a data payload of thirty three. That makes for a difference of twenty eighty bytes. Where those twenty eight bytes are is twenty bytes for the IP header, and eight bytes for the UDP header. Once we add those in we are able to account for the overall packet size of sixty one.

09/06/2005 21:00:38.294185 > [udp sum ok]  56810 A? amextipe.opt.mr. (33) (DF) (ttl 254, id 27836, len 61)
0x0000   4500 003d 6cbc 4000 fe11 e2d4 c0a8 01c8          [email protected]………
0x0010   c0a8 0164 8000 0035 0029 64c8 ddea 0000        R.Z….5.)d…..
0x0020   0001 0000 0000 0000 0861 6d65 7874 6970        ………amextip
0x0030   6503 6f70 7402 6d72 0000 0100 01                      e.opt.mr…..

So we have covered so far several resource records and RCODE’s. This will wrap up part two of the DNS series. In part three we will wrap our coverage of DNS and till then, keep learning!

If you missed the previous parts in this series please go read:

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top