About the author. James Ruthley is a backend developer at Monzo.



In this article, we will examine the domain name Domain Name Service (DNS) message format and write one message manually. This is more than what you need to use DNS, but I thought that for fun and educational purposes, it’s interesting to see what is under the hood.



We will learn how to:

')

• Write DNS queries in binary format
• Send a message in the body of a UDP datagram using Python
• Read the answer from the DNS server

Writing in binary format seems complicated, but in reality I found it to be quite accessible. DNS documentation is well written and understandable, and we will write a small message - only 29 bytes.

DNS overview

DNS is used to translate human-readable domain names (such as example.com ) into machine-readable IP addresses (such as 93.184.216.34). To use DNS, you need to send a request to the DNS server. This request contains the domain name we are looking for. The DNS server is trying to find the IP address of this domain in its internal data storage. If found, then returns it. If it cannot find it, it redirects the request to another DNS server, and the process repeats until an IP address is found. DNS messages are usually sent via the UDP protocol.



The DNS standard is described in RFC 1035 . All diagrams and most of the information for this article are taken in this RFC. I would recommend contacting him if something is not clear.



In this article, we use a hexadecimal format to simplify working with a binary. Below I have added a brief explanation of how they are translated into each other ^[1] .

Request format

All DNS messages have the same format:

  + --------------------- +
 |  Headline |
 + --------------------- +
 |  Question |  Question for name server
 + --------------------- +
 |  Answer |  Resource Records (RR) to answer the question
 + --------------------- +
 |  Authority |  RR records pointing to an authorized server
 + --------------------- +
 |  Advanced |  RR records with additional information
 + --------------------- + 

Question and answer are in different parts of the message. In our request there will be sections "Title" and "Question".

Headline

The header has the following format:

  0 1 2 3 4 5 6 7 8 9 ABCDEF
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  ID |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 | QR |  Opcode | AA | TC | RD | RA |  Z |  RCODE |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  QDCOUNT |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  ANCOUNT |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  NSCOUNT |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  ARCOUNT |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

In this diagram, each cell represents a single bit. Each line has 16 columns, which is two bytes of data. The diagram is divided into lines for ease of perception, but the actual message is a continuous series of bytes.



Since requests and responses have the same header format, some fields are irrelevant to the request and will be set to 0. For a complete description of each field, see RFC1035, Section 4.1.1 .



The following fields matter to us:

• ID: An arbitrary 16-bit request identifier. The same ID is used in the response to the request, so that we can establish a correspondence between them. Take AA AA.
• QR: A one-bit flag to indicate whether the message is a query (0) or a response (1). Since we are sending the request, we set 0.
• Opcode: A four-bit field that defines the type of request. We send a standard request, so we specify 0. Other options:
  
  
  • 0: Standard request
  • 1: Inverse query
  • 2: Request server status
  • 3-15: Reserved for future use.
• TC: A one-bit flag indicating a cropped message. We have a short message, it does not need to be cut off, so we specify 0.
• RD: Single bit flag indicating desired recursion. If the DNS server to which we are sending the question does not know the answer to it, it can recursively poll other DNS servers. We want to activate recursion, so we specify 1.
• QDCOUNT: A 16-bit unsigned integer specifying the number of entries in the question section. We send 1 question.

Full headline

By combining all the fields, you can write our header in hexadecimal format:

  AA AA - ID
 01 00 - Request parameters
 00 01 - Number of questions
 00 00 - Number of answers
 00 00 - Number of authorized server entries
 00 00 - Number of additional entries 

To get the request parameters, we combine the values ​​of the fields from QR to RCODE, remembering that the fields not mentioned above are set to 0. This gives the sequence 0000 0001 0000 0000 , which in hexadecimal format corresponds to 01 00 . This is what a standard DNS query looks like.

Question

The question section has the following format:

  0 1 2 3 4 5 6 7 8 9 ABCDEF
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  |
 / QNAME /
 / /
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  QTYPE |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  QCLASS |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

• QNAME: This section contains the URL for which we want to find the IP address. It is encoded as a series of labels. Each inscription corresponds to a URL section. So, in the address example.com two sections: example and com.
  
  
  
  To write labels, you need to encode each section of the URL, getting a number of bytes. The inscription is a series of bytes, preceded by an unsigned integer byte, indicating the number of bytes in a section. To encode our URL, you can simply specify the ASCII code of each character.
  
  
  
  The QNAME section ends with a null byte (00).
• QTYPE: The type of DNS record we are looking for. We will look for records A, whose value is 1.
• QCLASS: The class we are looking for. We use the Internet, IN, which has a class value of 1.

Now you can write the entire section of the question:

  07 65 - for 'example' length 7, e
 78 61 - x, a
 6D 70 - m, p
 6C 65 - l, e
 03 63 - at 'com' length 3, c
 6F 6D - o, m
 00 - zero byte for the end of the field QNAME 
 00 01 - QTYPE
 00 01 - QCLASS 

An odd number of bytes is allowed in the QNAME section, so stuffing bytes is not required before starting the QTYPE section.

Submit request

We send our DNS message in the body of a UDP request. The following Python code will take our hexadecimal DNS query, convert it to binary and send it to the Google DNS server at 8.8.8.8:53.

 import binascii import socket def send_udp_message(message, address, port): """send_udp_message sends a message to UDP server message should be a hexadecimal encoded string """ message = message.replace(" ", "").replace("\n", "") server_address = (address, port) sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: sock.sendto(binascii.unhexlify(message), server_address) data, _ = sock.recvfrom(4096) finally: sock.close() return binascii.hexlify(data).decode("utf-8") def format_hex(hex): """format_hex returns a pretty version of a hex string""" octets = [hex[i:i+2] for i in range(0, len(hex), 2)] pairs = [" ".join(octets[i:i+2]) for i in range(0, len(octets), 2)] return "\n".join(pairs) message = "AA AA 01 00 00 01 00 00 00 00 00 00 " \ "07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01" response = send_udp_message(message, "8.8.8.8", 53) print(format_hex(response)) 

You can run this script by copying the code into the query.py file and running the $ python query.py command in the console. It has no external dependencies, and it should work on Python 2 or 3.

Reading answer

After execution, the script displays the response from the DNS server. We divide it into parts and see what can be figured out.

Headline

The message begins with a header, as well as our request message:

  AA AA - Same ID as before
 81 80 - Other flags, analyze them below.
 00 01 - 1 question
 00 01 - 1 answer
 00 00 - No authorized server records
 00 00 - No additional entries. 

We convert 81 80 to binary format:

  8 1 8 0
 1000 0001 1000 0000 

By converting these bits according to the above scheme, you can see:

• QR = 1: This message is the answer.
• AA = 0: This server is not authorized for the domain name example.com
• RD = 1: Recursion is desirable for this query.
• RA = 1: Recursion is supported on this DNS server.
• RCODE = 0: No errors found.

Question section

The question section is identical to the same section in the query:

  07 65 - for 'example' length 7, e
 78 61 - x, a
 6D 70 - m, p
 6C 65 - l, e
 03 63 - at 'com' length 3, c
 6F 6D - o, m
 00 - zero byte for the end of the field QNAME 
 00 01 - QTYPE
 00 01 - QCLASS 

Answer Section

The response section has a resource record format:

  0 1 2 3 4 5 6 7 8 9 ABCDEF
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  |
 / /
 / NAME /
 |  |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  TYPE |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  CLASS |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  TTL |
 |  |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
 |  RDLENGTH |
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - |
 / Rdata /
 / /
 + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

  C0 0C - NAME
 00 01 - TYPE
 00 01 - CLASS
 00 00 
 18 4C - TTL
 00 04 - RDLENGTH = 4 bytes
 5D B8 
 D8 22 - RDDATA 

• NAME : This URL whose IP address is contained in this response. It is listed in a compressed format:
  
  
  
  

    0 1 2 3 4 5 6 7 8 9 ABCDEF
   + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - +
   |  1 1 |  OFFSET |
   + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + 

  
  
  The first two bits are set to 1, and the next 14 contain an unsigned integer that corresponds to the byte offset from the beginning of the message to the first mention of that name.
  
  
  
  In this case, the offset is c0 0c or binary format:
  
  
  
  

    1100 0000 0000 1100 

  
  
  That is, the byte offset is 12. If we count the bytes in the message, we can find that it indicates the value 07 at the beginning of the name example.com.
• TYPE and CLASS : The same name scheme is used here as in the QTYPE and QCLASS above, and the same values.
• TTL : A 32-bit unsigned integer that specifies the lifetime of this packet with an answer, in seconds. Before the expiration of this interval, the result can be cached. After the expiration of it should be rejected.
• RDLENGTH : The length in bytes of the subsequent RDDATA section. In this case, its length is 4.
• RDDATA : The data we were looking for! These four bytes contain four segments of our IP address: 93.184.216.34.

Extensions

We saw how to create a DNS query. Now you can try the following:

• Make a request for an arbitrary domain name
• Request for a different record type
• Send request with recursion disabled
• Send a request with a domain name that is not registered

---

1. Hexadecimal numbers (base 16) are often used as a convenient shortcut for 4 bits of binary data. You can convert data between these formats according to the following table:

Decimal	Hex	Binary	Decimal	Hex	Binary
0	0	0000	eight	eight	1000
one	one	0001	9	9	1001
2	2	0010	ten	A	1010
3	3	0011	eleven	B	1011
four	four	0100	12	C	1100
five	five	0101	13	D	1101
6	6	0110	14	E	1110
7	7	0111	15	F	1111

As you can see, you can represent any byte (8 bits) with two hexadecimal characters. ↑