DNS Header Structure 1.2


DNS Header Data Structure

The basic data structure for a DNS_HEADER type is unusually complex, because most of its components do not fall on byte boundaries.

On big-endian machines, the structure looks like:

typedef struct {
    unsigned id :16;        /* query identification number */
    unsigned qr :1;         /* response flag */
    unsigned opcode :4;     /* purpose of message */
    unsigned aa :1;         /* authoritative answer */
    unsigned tc :1;         /* truncated message */
    unsigned rd :1;         /* recursion desired */
                            /* byte boundary: fields in fourth byte */
    unsigned ra :1;         /* recursion available */
    unsigned unused :1;     /* unused bits (MBZ as of 4.9.3a3) */
    unsigned ad :1;         /* authentic data from named */
    unsigned cd :1;         /* checking disabled by resolver */
    unsigned rcode :4;      /* response code */
                            /* byte boundary: remaining bytes */
    unsigned qdcount :16;   /* number of question entries */
    unsigned ancount :16;   /* number of answer entries */
    unsigned nscount :16;   /* number of authority entries */
    unsigned arcount :16;   /* number of resource entries */
} DNS_HEADER;
An example of using the data structure can be found in the initial packetClean function:
q_count = ntohs(dnsheader->qdcount); /* number of question records */
Here we extract the number of question records contained within the record we are looking at. In the next rev of the spp, I hope to abstract out the header structure and provide a means to tune the 'good' vs. 'bad' packet definition via some other way than the actual spp code. This may take some doing ...


DNS Header Data Abstraction

The Domain Name Service (DNS) protocol searches for resources using a database distributed among different name servers.

The DNS message header structure is shown in the following illustration (each row is 32 bits; the numbers give the bit offset at which a field starts):

    bits  0-15   ID
    bit   16     Q
    bits 17-20   Query
    bit   21     A
    bit   22     T
    bit   23     R
    bit   24     V
    bits 25-27   B
    bits 28-31   Rcode
    bits  0-15   Question count     bits 16-31   Answer count
    bits  0-15   Authority count    bits 16-31   Additional count

DNS message header structure

ID
16-bit field used to correlate queries and responses.

Q
1-bit field that identifies the message as a query or response.

Query
4-bit field that describes the type of message:

0 Standard query (name to address).
1 Inverse query (address to name).
2 Server status request.

A
Authoritative Answer. 1-bit field. When set to 1, identifies the response as one made by an authoritative name server.

T
Truncation. 1-bit field. When set to 1, indicates the message has been truncated.

R
1-bit field. Set to 1 by the resolver to request recursive service from the name server.

V
1-bit field. Signals the availability of recursive service by the name server.

B
3-bit field. Reserved for future use. Must be set to 0.

Rcode
Response Code. 4-bit field that is set by the name server to identify the status of the query:

0 No error condition.
1 Unable to interpret query due to format error.
2 Unable to process due to server failure.
3 Name in query does not exist.
4 Type of query not supported.
5 Query refused.

Question count
16-bit field that defines the number of entries in the question section.

Answer count
16-bit field that defines the number of resource records in the answer section.

Authority count
16-bit field that defines the number of name server resource records in the authority section.

Additional count
16-bit field that defines the number of resource records in the additional records section.
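The struct above relies on compiler bit-field layout, which is why the page has to qualify it with "on big-endian machines". The following is an added example, not code from the spp or from BIND: it decodes the same 12-byte header described in both sections above by reading the wire bytes directly, so it works on any host, and then applies the kind of 'good' vs. 'bad' packet sanity checks that the packetClean function is described as doing. The three sample headers are constructed for the example, not captured traffic; the check policy (reserved bits must be zero, a query carries exactly one question, opcode and Rcode values outside the tables on this page are flagged) is an assumption of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decoded view of the 12-byte DNS header, using the field names of the page's table. */
typedef struct {
    uint16_t id;
    uint8_t  qr, opcode, aa, tc, rd, ra, z, rcode;   /* z = the 3 reserved bits ("B") */
    uint16_t qdcount, ancount, nscount, arcount;
} dns_hdr_t;

/* Read a 16-bit big-endian value from the wire; no ntohs(), no alignment assumptions. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the header bytes into fields. Returns 0 on success, -1 if fewer than 12 bytes. */
int dns_hdr_parse(const uint8_t *buf, size_t len, dns_hdr_t *h)
{
    if (buf == NULL || h == NULL || len < 12) return -1;
    h->id      = be16(buf);
    h->qr      = (buf[2] >> 7) & 0x1;     /* bit 16  */
    h->opcode  = (buf[2] >> 3) & 0xF;     /* bits 17-20 */
    h->aa      = (buf[2] >> 2) & 0x1;     /* bit 21  */
    h->tc      = (buf[2] >> 1) & 0x1;     /* bit 22  */
    h->rd      =  buf[2]       & 0x1;     /* bit 23  */
    h->ra      = (buf[3] >> 7) & 0x1;     /* bit 24  */
    h->z       = (buf[3] >> 4) & 0x7;     /* bits 25-27, must be zero */
    h->rcode   =  buf[3]       & 0xF;     /* bits 28-31 */
    h->qdcount = be16(buf + 4);
    h->ancount = be16(buf + 6);
    h->nscount = be16(buf + 8);
    h->arcount = be16(buf + 10);
    return 0;
}

/* Bitmask of failed sanity checks; 0 means the header looks well-formed. */
enum { DNS_BAD_SHORT = 1, DNS_BAD_OPCODE = 2, DNS_BAD_RESERVED = 4,
       DNS_BAD_QDCOUNT = 8, DNS_BAD_RCODE = 16 };

int dns_hdr_check(const dns_hdr_t *h)
{
    int bad = 0;
    if (h->opcode > 2) bad |= DNS_BAD_OPCODE;      /* page tabulates opcodes 0..2 only */
    if (h->z != 0)     bad |= DNS_BAD_RESERVED;    /* reserved bits must be zero */
    if (h->qr == 0 && h->qdcount != 1) bad |= DNS_BAD_QDCOUNT; /* a query carries one question */
    if (h->rcode > 5)  bad |= DNS_BAD_RCODE;       /* page tabulates Rcodes 0..5 only */
    return bad;
}

/* Parse-and-check in one call, as a preprocessor would do per packet. */
int dns_check_buf(const uint8_t *buf, size_t len)
{
    dns_hdr_t h;
    if (dns_hdr_parse(buf, len, &h) != 0) return DNS_BAD_SHORT;
    return dns_hdr_check(&h);
}

/* Constructed sample headers (not captured traffic). */
/* Standard query: id 0x1a2b, RD set, one question. */
const uint8_t SAMPLE_QUERY[12]    = {0x1a,0x2b, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00};
/* Matching response: QR, RD, RA set, one question, two answers. */
const uint8_t SAMPLE_RESPONSE[12] = {0x1a,0x2b, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00};
/* Malformed: reserved bits 25-27 set and three questions in a query. */
const uint8_t SAMPLE_BAD[12]      = {0x1a,0x2b, 0x01,0x70, 0x00,0x03, 0x00,0x00, 0x00,0x00, 0x00,0x00};

int main(void)
{
    dns_hdr_t h;
    if (dns_hdr_parse(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, &h) == 0)
        printf("id=0x%04x qr=%u opcode=%u aa=%u tc=%u rd=%u ra=%u z=%u rcode=%u "
               "qd=%u an=%u ns=%u ar=%u check=%d\n",
               (unsigned)h.id, (unsigned)h.qr, (unsigned)h.opcode, (unsigned)h.aa,
               (unsigned)h.tc, (unsigned)h.rd, (unsigned)h.ra, (unsigned)h.z,
               (unsigned)h.rcode, (unsigned)h.qdcount, (unsigned)h.ancount,
               (unsigned)h.nscount, (unsigned)h.arcount, dns_hdr_check(&h));
    printf("bad sample check mask=%d\n", dns_check_buf(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

Reading the flag bytes by shift and mask rather than through a bit-field struct is what makes the decoder portable; the bit offsets in the comments are the same ones the illustration above gives, so the two descriptions of the header can be checked against each other field by field.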
