A DNS message is relatively simple: the browser queries a domain name and gets an IP address. If a DNS server doesn’t recognize the domain name, it passes the query along to the next DNS server. Later, when it receives a response, it carries the response back to the browser.

Interested in how DNS resolution works? Hope this post could help.

Here is the query’s message structure. Among them, what needs attention are Questions, Answer RRs, and Queries. Here is an example of the query message for image.google.com.

Next, let’s dive into the entry structure of queries, which has merely 3 sections. It is easier to understand the structure by taking a look at the example.

The interesting part is how the message encodes the Name field. Using . as a separator, the example domain can be divided into 3 groups. In the example marked in blue, the first byte is 05, meaning the following 5 bytes are the 1st group of the domain. In the screenshot, bytes are presented in ASCII codes. We can easily decode them into characters. We get image. Following the same rule, we can find the remaining parts of the domain: google and com. Finally, at the end of the domain, a 00 marks the end of the section.

That’s it for the query. With all required information provided by the query, the DNS server will send a response message.

Response Message

A response message shares the same header and Queries, with an additional Answers section. Why does a response message include the original Queries section? It is for reference. We will get to it soon.

Here is a response example from querying image.google.com. In the message, we receive 3 entries in the Answers section. Therefore, Answer RRs is set to 3.
Besides the same 3 sections found in a query entry, an answer entry has 3 additional pieces.
Let’s take a look at the Name section, which has merely two bytes: c0 0c. How is a domain encoded in two bytes? It turns out that the bytes are an offset, referring to the encoded domain name in the Queries section. c0 is a beginning mark, while 0c is the actual offset, which is 12. We count 12 bytes from the start byte of the message, 17, marked red in the screenshot. In the end, we reach the 13th byte, 05, the beginning of image.google.com, marked in yellow. Not complicated, right?

Here comes a complex one. In the 2nd entry of answers, the Name offset is 2e, 46 bytes. By counting 46 bytes, we find the encoded images in the CNAME of the previous entry marked in yellow:

At the end of images, we recognize another offset reference, c0 12. That's 18 bytes. Again, by counting 18, we reach the referred part marked in green: google.com in the Name of the previous entry. The offset idea is an inspiring design. With it, the message saves considerable space.

Finally, we can decode the address in the last answer entry:
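The label and offset rules walked through above can be put into a small decoder. This is an added example, not code from the original post: it builds a constructed response with the same layout (Queries name at offset 12, CNAME data at offset 46 ending in c0 12) and rejects truncated names and self-referencing offsets, which a parser handling untrusted responses has to guard against. The transaction ID, TTLs, addresses and the function names build_sample and read_name are assumptions made for illustration.

```python
import struct

def build_sample() -> bytes:
    """Constructed response laid out like the post's example (ID, TTLs, IPs made up)."""
    header = struct.pack("!HHHHHH", 0x1700, 0x8180, 1, 3, 0, 0)  # 12 bytes, 3 answers
    qname = b"\x05image\x06google\x03com\x00"                     # starts at offset 12
    question = qname + struct.pack("!HH", 1, 1)                   # type A, class IN
    cname = b"\x06images\xc0\x12"                                 # lands at offset 46 (2e)
    ans1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname
    ans2 = b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    ans3 = b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 2])
    return header + question + ans1 + ans2 + ans3

def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Return (dotted name, offset of the first byte after the Name field)."""
    labels, end, jumps = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # offset reference such as c0 0c
            if pos + 1 >= len(msg):
                raise ValueError("truncated offset")
            if end is None:
                end = pos + 2                  # the field itself ends after the first offset
            jumps += 1
            if jumps > 32:                     # an offset that points at itself never ends
                raise ValueError("offset loop")
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
        elif length == 0:                      # 00 marks the end of the name
            return ".".join(labels), (end if end is not None else pos + 1)
        elif length & 0xC0:
            raise ValueError("reserved label type")
        else:                                  # plain group: length byte, then ASCII bytes
            if pos + 1 + length > len(msg):
                raise ValueError("label runs past end of message")
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

if __name__ == "__main__":
    sample = build_sample()
    for offset in (12, 34, 46, 55):            # Queries, answer 1, its CNAME, answer 2
        print(offset, read_name(sample, offset))
```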
Takeaways