The DNS Query - Vox Technologies
advertisement
DNS Evasion Techniques and
Beyond
Prepared by:
Judy Novak
Senior SecurityAnalyst
On Behalf of Enterasys Networks
February 22, 2001
.
.
.
.
.
.
.
.
.
Table of Contents
SIDESTEP DNS OVERVIEW .......................................................................................1
THE DNS QUERY .........................................................................................................2
Forming a DNS Query.................................................................................................................................................. 2
A Normal DNS Query .................................................................................................................................................. 2
Sidestep’s Evasive Query ............................................................................................................................................. 4
UDP Worst Case Scenario ........................................................................................................................................... 5
TCP and DNS ................................................................................................................................................................ 6
TCP Worst Case Scenario ........................................................................................................................................... 7
Sidestep’s False Positive Query ................................................................................................................................... 7
The Bottom Line ............................................................................................................................................................ 8
RFC 1035 – DOMAIN NAMES – IMPLEMENATION AND SPECIFICATION ..........9
2
1
Sidestep DNS Overview
This paper begins by examining the techniques used in Robert Graham’s sidestep tool to evade
detection of DNS queries by conventional intrusion detection search methods. Sidestep is a tool that
can send SNMP, RPC, DNS, HTTP, FTP, and Back Orifice traffic that is normal, evasive, and likely to
generate a false positive from some intrusion detection systems. More information about sidestep can
be found at www.robertgraham.com/tmp/sidestep.html. The examination of sidestep provided the
catalyst to consider how detrimental these and other DNS evasive tactics could be. The insight gained
from this study will be discussed in this paper too.
If you’ve ever monitored a mailing list associated with intrusion detection for any length of time, you’ve
no doubt some across the derisive term “network grep” in reference to an IDS string search
mechanism. This derogatory reference suggests that the IDS in question will look for an occurrence of
a string in the packet much as the Unix grep searches for an occurrence of a string in a file or some
text. The implication is that the IDS has no built-in “smarts” for discerning that the string appears in the
proper context to warrant an alert. The result is that the IDS may often generate false positives
alarming on conditions that are not truly noteworthy or more harmfully; the IDS may miss truly malicious
traffic if it is not intelligent enough to understand the string especially when examined in context of the
application layer. This is what sidestep tries to demonstrate.
The key points of this discussion are:
There is no static signature that can be used to detect sidestep’s evasive DNS techniques; some
type of DNS question decode program must be employed to properly interpret DNS questions.
The security threat that is posed by this evasive technique is low. DNS queries, in and of
themselves, usually do not constitute much of a threat. The most invasive of DNS queries is a
zone transfer request. Well-configured DNS servers can prevent against unauthorized zone
transfers and a packet-filtering device can offer further protection by providing a perimeter
impediment against such queries. Another potentially invasive query is for the version of BIND.
This is the query that sidestep uses to attempt to generate an evasive string that may elude some
intrusion detection signatures.
The denial of service threat posed by this evasive technique is low. While an isolated DNS
question can be crafted that may consume additional time for resolution, the size restriction for the
DNS payload of 512 bytes prevents resource exhaustion. In addition, TCP DNS queries will be
examined; but they too seem to have a limited capacity for denial of service attacks.
2
The DNS Query
Forming a DNS Query
In this initial discussion, traffic to UDP port 53 – the domain or DNS server port will be examined. TCP
destination port 53 carries DNS zone transfer records or a subsequent query for previously truncated
UDP queries with a payload of greater than 512 bytes. TCP port 53 will be discussed later.
When a DNS query is generated, some of the pertinent fields for inspection are the DNS flag bytes, the
DNS question and the DNS type and class. See Appendix A for additional information and relevant
excerpts from RFC 1035 entitled “Domain Names – Implementation and Specification”. The flags field
basically tells whether this is a DNS query or response along with other information. The DNS question
is the actual query for which some type of DNS resolution is sought. Finally, the DNS message type
and class further refine what type of resolution is sought such as IP address, mail exchange (MX), to
name a few.
A Normal DNS Query
Let’s use the traffic that is generated using sidestep’s normal option with DNS to formulate a UDP
query for the version of BIND (Berkeley Internet Name Daemon) to demonstrate how a typical DNS
query is formatted. Much as the name implies a query for the version of BIND returns the DNS server’s
version of BIND, if this type of query is permitted. This is a valuable piece of information for an attacker
to have since she/he can then pair the version of BIND with all known exploits and attempt to attack the
server. Another possible way to generate this query besides sidestep is by using the dig (domain
internet groper) command:
dig@dns.server version.bind txt chaos
where dns.server is the name of the DNS server to be queried.
It would be wise to consider disabling the version of BIND so as not to leak this information. BIND
versions 8.x have an options keyword that can do this. One of the ways that this can be done is by
altering the named.conf file as follows:
options {
version "version unavailable";
};
You can put whatever text you feel is appropriate in the message that is displayed. Some sites
even reply with the wrong version of BIND just to see what ensuing attack may look like after an
unauthorized query for the version of BIND.
2
Let’s examine the output that was generated by tcpdump from the sidestep command. This is
displayed in normal tcpdump output followed by hexadecimal to understand the context of the activity.
12:39:30.027400 10.100.100.201.1128 > DNS.SERVER.domain: 10+ TXT CHAOS)? version.bind.
(30)
4500 003a 052c 0000 8011 c056 0a64 64c9
0a64 6402 0468 0035 0026 6325 <000a 0100
0001 0000 0000 0000 0776 6572 7369 6f6e
0462 696e 6400 0010 0003>
E..:.,.....V.dd.
.....h.5.&c%....
.........version
.bind.....
First you see the standard tcpdump display output of host 10.100.100.201 querying
DNS.SERVER on UDP port 53 (domain) with a DNS identification number of 10 and with
recursion desired (+) for a TXT type record and a CHAOS class record of version.bind.
Now, let’s examine the hexadecimal output of the actual DNS record to become familiar with the
way that questions are formed. The DNS portion of this packet has been delimited with the < > to
easily identify the part of the record we will scrutinize. Here is the breakdown of the DNS fields.
Bytes
Value
Explanation
0-1
000a
Identification number to pair queries and
responses
DNS flags field, signals that this is a query and is recursion
desired
Number of queries
Number of answer resource records (RR’s)
Number of authoritative RR’s
Number of additional RR’s
2-3
0100
4-5
6-7
8-9
10-11
0001
0000
0000
0000
12-25
0776 6572 7369 6f6e 0462 696e 6400
26-27
28-29
0010
0003
Query name*
Query type – above type is TXT
Query class – above class is CHAOS
*Query name format:
DNS questions have a prescribed format. A DNS question has a series of nodes that end in a 00
to form the question. We typically see nodes that are separated by periods when we express a
hostname or IP address. For instance, if an IP address resolution were desired for
www.yahoo.com, the DNS question that would be generated would treat the name as a series of
nodes - www, yahoo, and com. Preceding each node is a byte count that tells how many bytes in
the following node.
The version.bind question that was generated using sidestep’s normal option is:
0776 6572 7369 6f6e 0462 696e 6400
The highlighted bolded bytes represent labels. The first label is 07; this means that there should
be 7 bytes in the first node of the query. In this instance, the hex characters that follow represent
the ASCII representation of the node “version”. Next, you see a label of 04 meaning that there
3
are 4 bytes in the following node, which is the hex representation of the ASCII “bind”. A 0 label
ends the query, which is the final label that is seen.
As mentioned earlier, each question requires a DNS type and class; each of these is a 2-byte
field. The various different types and classes can be found in RFC 1035, but for the purposes of
the BIND version query, these must be a type of TXT represented by a 16 (or hex 0010) and a
class of CHAOS represented as a 3 (or hex 0003).
An accessible DNS server that does not prevent version.bind queries will respond to the above
query with the version of BIND that is running.
Sidestep’s Evasive Query
The traffic that is generated using sidestep’s evade option with DNS formulates a UDP query for the
version of BIND, but uses pointers instead of labels in the query. A pointer is a mechanism used in
responses to reduce redundancies in the query response and shorten the response. This will be
discussed in more detail when we examine the packet. This evasion, as with most the sidestep ones,
is able to elude detection by code that doesn’t do any DNS application decode. If the intrusion
detection software simply inspects the packet for a payload content of a normal version of BIND query 0776 6572 7369 6f6e 0462 696e 64; it will not identify the evasive technique used by sidestep.
Let’s examine the output that was generated by tcpdump displayed in hexadecimal to understand the
evasive activity.
12:39:56.674320 10.100.100.201.1129 > DNS.SERVER.domain:
4500 003c 0577 0000
0a64 6402 0469 0035
0001 0000 0000 0000
c01a 0010 0003 0442
|
|
|
|
V
V
Pointer 26
26 Bytes
bytes into DNS
Payload
8011
0028
0756
494e
c009 0a64 64c9
e445 <002a 0000
6572 7369 6f6e
4400>
42 (32)
E..<.w.......dd.
.....i.5.(.E.*..
.........Version
.......BIND.
Let’s look at the query name (in bold) to see the evasion used. The name starts, as before, with
a label of 07 followed by the first node of the query. We see what had previously been all
lowercase letters in “version” now is “Version”. This would successfully elude any string matching
software that does not do uppercase/lowercase conversions.
But, that is not the entirety of the ruse used here. Look at the next byte – c0. A label has a
maximum value of 63 and a hexadecimal c0 is 192 when converted to decimal. Any time that a
label has the two high-order bits of the byte set to 1, it is considered a pointer. A pointer is the
number of bytes into the DNS message where the next label (or pointer) is to be found. In this
case, we see that the pointer is a hexadecimal 1a or a decimal 26. Therefore, we have to count
26 bytes from the beginning of the DNS message to find the next node. The DNS message is
delimited between the < > on the left side of the output.
Moving 26 bytes into the DNS message directs us to the string beginning with 0442 494e 4400.
The 04 is the label 26 bytes into the DNS message and as expected, it is followed by 4 bytes that
represent the string “bind”. The query then ends when a label of 00 is encountered. It appears
that resolution of the query resumes at the next byte after the first pointer in the query name.
4
This brings us back to the string “0010 0003” that represents the query type of TXT and a query
class of CHAOS. This query will elicit the version of BIND running on the queried DNS server if
the DNS server does not prevent queries for the version of BIND.
UDP Worst Case Scenario
It appears that this evasive technique is limited and can be detected and contained using some
simple well-devised code to do partial application decode that looks for and handles pointers in
the queries. These queries are UDP-based and queries and responses are restricted to a
maximum of 512 bytes in the payload.
However, understand that a malicious crafter may try to create some unique pointers that the
DNS decode will have to deal with. DNS itself will respond with a format error to any question
that has a pointer loop. For instance, take a look at the following hexadecimal output of DNS
payload alone:
002a 0000 0001 0000 0000 0000 0756 6572 7369 6f6e c01a 0010 0003 c014
0
2
4
6
8
10
12
14
16
18
20
22
24
26 (byte count)
Specifically, let’s examine the question beginning at the bolded text.
0756 6572 7369 6f6e
c01a
A label of 7 followed by Version
A pointer pointing 26 bytes into the payload
26 bytes into the payload, we find c014, that points 20 bytes into the payload. This brings us
back to the c01a pointer that means we have an endless loop. Fortunately, DNS will respond
with a pointer loop format error message to this attempted query.
Because the maximum DNS payload length is 512 bytes, that means that we can only exhaust a
finite number of resources using pointer to pointer crafting before a loop is detected or an actual
question if formatted. Examine the DNS payload below to see a query that results in successfully
soliciting the version of BIND from a server. You will see that the question begins normally with a
label of 07 and a node of the hexadecimal representation of “Version” in ASCII. Following this,
you see an initial pointer that points 26 bytes into the payload where you find another pointer,
c01c. After this is a series of pointers pointing to pointers until close to the maximum 512 byte
payload, there is label of 04 and a node of the hexadecimal representation of ”bind” in ASCII.
The final label is a 00 that ends that question, but resolution is continued after the first pointer to
discover the DNS type and class, in this case the 0010 and 0003 designate type TXT and class
CHAOS.
5
002a
c020
c03e
c05c
c07a
c098
c0b6
c0d4
c0f2
c110
c12e
c14c
c16a
c188
c1a6
c1c4
c1e2
4400
0000
c022
c040
c05e
c07c
c09a
c0b8
c0d6
c0f4
c112
c130
c14e
c16c
c18a
c1a8
c1c6
c1e4
0001
c024
c042
c060
c07e
c09c
c0ba
c0d8
c0f6
c114
c132
c150
c16e
c18c
c1aa
c1c8
c1e6
0000
c026
c044
c062
c080
c09e
c0bc
c0da
c0f8
c116
c134
c152
c170
c18e
c1ac
c1ca
c1e8
0000
c028
c046
c064
c082
c0a0
c0be
c0dc
c0fa
c118
c136
c154
c172
c190
c1ae
c1cc
c1ea
0000
c02a
c048
c066
c084
c0a2
c0c0
c0de
c0fc
c11a
c138
c156
c174
c192
c1b0
c1ce
c1ec
0756
c02c
c04a
c068
c086
c0a4
c0c2
c0e0
c0fe
c11c
c13a
c158
c176
c194
c1b2
c1d0
c1ee
6572
c02e
c04c
c06a
c088
c0a6
c0c4
c0e2
c100
c11e
c13c
c15a
c178
c196
c1b4
c1d2
c1f0
7369
c030
c04e
c06c
c08a
c0a8
c0c6
c0e4
c102
c120
c13e
c15c
c17a
c198
c1b6
c1d4
c1f2
6f6e
c032
c050
c06e
c08c
c0aa
c0c8
c0e6
c104
c122
c140
c15e
c17c
c19a
c1b8
c1d6
c1f4
c01a
c034
c052
c070
c08e
c0ac
c0ca
c0e8
c106
c124
c142
c160
c17e
c19c
c1ba
c1d8
c1f6
0010
c036
c054
c072
c090
c0ae
c0cc
c0ea
c108
c126
c144
c162
c180
c19e
c1bc
c1da
c1f8
0003
c038
c056
c074
c092
c0b0
c0ce
c0ec
c10a
c128
c146
c164
c182
c1a0
c1be
c1dc
c1fa
c01c
c03a
c058
c076
c094
c0b2
c0d0
c0ee
c10c
c12a
c148
c166
c184
c1a2
c1c0
c1de
0442
c01e
c03c
c05a
c078
c096
c0b4
c0d2
c0f0
c10e
c12c
c14a
c168
c186
c1a4
c1c2
c1e0
494e
TCP and DNS
As mentioned earlier, TCP port 53 is used in two different situations. The first is when a UDP DNS
query has a payload of greater than 512 bytes. In this instance, the original query will have to re-issued
using TCP port 53. The second situation where TCP port 53 is used is for zone transfers. Are the
same evasive techniques available using TCP? It turns out that they are. TCP port 53 with a payload
of embedded pointers can be used for querying the version of BIND, for zone transfers and for other
queries that are typically made using UDP port 53.
The only difference in the format of the payload for a TCP query from a UDP query is that a TCP query
will have an additional two initial bytes in the payload. These bytes represent the number of bytes that
follow in the query.
Let’s look at the payload for a zone transfer using TCP port 53.
001e 245a 0100 0001 0000 0000 0000 0870 7265 7373 636f 6d03 6e65 7400 00fc 0001
Rather than rehashing the breakdown of the payload since it is almost that same as UDP, let’s examine
some of the fields that are different.
Value
Explanation
001e
Length of query to follow (30 bytes)
245a 0100 0001 0000 0000 0000 0870 7265 7373 636f 6d03 6e65 7400
Query for presscom.net
Query type – zone transfer
Query class - Internet
00fc
0001
6
Now, let’s look at this same query using pointers as an evasive tactic.
0020 245a 0100 0001 0000 0000 0000 0870 7265 7373 636f 6dc0 1b00 fc00 0103 6e65 7400
0
2
4
6
8
a
c
d
10
12 14
16
18 1a
1c
1e
(byte count)
We see that the byte count has changed from 0x1e (30) to 0x20 (32) to accommodate two additional
bytes. We have all the same beginning bytes that denote the DNS identification number, flags, query
and responses numbers and then we see the initial node of presscom as represented in hex (0870
7265 7373 636f 6d). The highlighted bytes represent the pointer to displacement 0x1b that points to
the final node of com (03 6e65 74). The resolution returns to the bytes after the first pointer, which are
00fc 0001 for a type of zone transfer and a class of Internet. This returns all the records from the DNS
server associated with presscom.net. One thing to note about the displacement or pointer values is
that the counting starts after the initial 2-byte length value.
Now that we understand that TCP can be used to send evasive traffic, what should we be concerned
about? We need to look for any signature that we would using UDP and we should be able to detect
zone transfers as well. The obvious DNS field to key on for detecting zone transfers would be the
message type of 00fc, but if we try to anchor this with any portion of the DNS query, we must be able to
strip out the pointers before analyzing the traffic.
TCP Worst Case Scenario
The initial suspicion was that by concocting a TCP query using the maximum number of pointers and
iteratively issuing this query, we could wreak havoc on the DNS servers. Fortunately, for you defenders
of networks, this was not the case.
The limitation for the TCP payload size is the pointer size. The pointer is a 2-byte field and the two
high-order bits are reserved to distinguish a pointer from a label. Therefore, the maximum number of
bytes displacement that we can represent is 214 - 1 or 16383. When a packet was crafted to do the
same zone transfer using the maximum number of pointers and directed against a test DNS server
running BIND 8.2.1, the response for the zone transfer was immediate. In other words, this seemed to
have no impact on the ability of the DNS server to respond.
This same query was put into a loop and directed against the DNS server for 100 million queries. The
DNS server was still able to answer the zone transfers and additionally, answer queries directed to it at
this same time with no noticeable degradation in response time. Finally, this same looping process
was replicated on the same sending host four more times and directed to the same DNS server.
Again, there was no observable performance degradation in response time for queries. Similar tests
were performed against BIND 4.9.7 with the same results; there appeared to be no empirical signs of
any type of denial of service against the DNS server.
It should be noted that the DNS servers used were strictly test hosts used in a lab environment. That
said; results might vary with a production DNS under heavy load. While we have deemed that these
tests did not present a denial of service threat, as with any protocol, if enough packets are generated
from enough sources, a denial of service is inevitable.
Sidestep’s False Positive Query
A final option for sidestep traffic is to generate a DNS query that is likely to set off a false positive alert
for a version of BIND query although there really is no such query.
7
12:40:06.669947
10.100.100.201.1130
version.bind.robertgraham.com. (47)
4500
0a64
0001
0462
616d
004b
6402
0000
696e
0363
0578
046a
0000
640c
6f6d
0000
0035
0000
726f
0000
8011
0037
0776
6265
0100
bff9
7ca5
6572
7274
01>
>
0a64 64c9
<000b 0100
7369 6f6e
6772 6168
DNS.SERVER:
11+
E..K.x.......dd.
.....j.5.7|.....
.........version
.bind.robertgrah
am.com.....
The question generated looks for an address association for version.bind.robertgraham.com. If
an intrusion detection system simply does a “network grep” for the string 0776 6572 7369 6f6e
0462 696e 64, it will falsely alert on a query for the version of BIND. Another difference between
this question and the real version of BIND query is the DNS message type and class. Both the
type and class are a hexadecimal 0001 – which is an IP address lookup for the Internet class.
The Bottom Line
So what does the sidstep evasion accomplish in terms of IDS signatures? The use of pointers as
an evasive technique means that we cannot reduce the signature for this activity to a known
predictable string. It is possible to manipulate this activity to have pointers to other pointers and
eventually point to a label, or pointers to labels followed by more pointers. What this means is that
there must be at least some kind of partial decode of DNS query name formulation to discover
this evasive technique. It is no longer enough to have a static string that can discover this
particular evasive query as well as other evasive queries that rely on the use of pointers.
What we can almost assuredly deduce is that if there is a pointer used in a query, it is an evasive
maneuver of some sort. Queries do not use pointers as a rule since it appears that even though
there is a field for the number of queries, only one query at a time is found in a DNS message.
Attempts to generate multiple queries per DNS message failed. Therefore, there is no legitimate
use of a pointer in a question name since there is no prior reference of a node to which the
pointer could point.
Ideally, the DNS decode software should examine:
A DNS query only (other DNS flag bit settings don’t seem to have any effect on the
response outcome)
Pointers
o They must point to a byte within the range of the beginning of the DNS payload
and the end of the DNS payload
o They must not repeat (this is indicative of a pointer loop)
o They can point either backward or forward
o They can point to other pointers or other labels
o There should be a finite number of pointers that will be tolerated after which, the
software will warn of an evasive tactic and exit; the software should not become
consumed in a resource exhausting task.
The message type and class
o Found after the final label (00) for queries that do not have pointers
o Found after the first pointer for queries that do have pointers
Bear in mind that ultimately, there will have to be a properly formatted DNS question; otherwise
the only possible response from the DNS server will be a format error.
8
A?
Appendix
A
RFC 1035 – Domain Names – Implementation and Specification
The header contains the following fields:
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
ID
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|
Opcode |AA|TC|RD|RA|
Z
|
RCODE
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
QDCOUNT
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
ANCOUNT
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
NSCOUNT
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
ARCOUNT
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where:
ID
QR
A 16 bit identifier assigned by the program that
generates any kind of query. This identifier is copied
the corresponding reply and can be used by the requester
to match up replies to outstanding queries.
A one bit field that specifies whether this message is a
query (0), or a response (1).
OPCODE A four bit field that specifies kind of query in this
message. This value is set by the originator of a query
and copied into the response. The values are:
0
a standard query (QUERY)
1
an inverse query (IQUERY)
2
a server status request (STATUS)
3-15
reserved for future use
AA
TC
Authoritative Answer - this bit is valid in responses,
and specifies that the responding name server is an
authority for the domain name in question section.
Note that the contents of the answer section may have
multiple owner names because of aliases. The AA bit
corresponds to the name which matches the query name, or
the first owner name in the answer section.
Truncation - specifies that this message was truncated
9
due to length greater than that permitted on the
transmission channel.
RD
Recursion Desired - this bit may be set in a query and
is copied into the response. If RD is set, it directs
the name server to pursue the query recursively.
Recursive query support is optional.
RA
Recursion Available - this be is set or cleared in a
response, and denotes whether recursive query support is
available in the name server.
Z
Reserved for future use. Must be zero in all queries
and responses.
RCODE Response code - this 4 bit field is set as part of
responses. The values have the following
interpretation:
0
No error condition
1
Format error - The name server was
unable to interpret the query.
2
Server failure - The name server was
unable to process this query due to a
problem with the name server.
3
Name Error - Meaningful only for
responses from an authoritative name
server, this code signifies that the
domain name referenced in the query does
not exist.
4
Not Implemented - The name server does
not support the requested kind of query.
5
Refused - The name server refuses to
perform the specified operation for
policy reasons. For example, a name
server may not wish to provide the
information to the particular requester,
or a name server may not wish to perform
a particular operation (e.g., zone
transfer) for particular data.
6-15
Reserved for future use.
QDCOUNT
an unsigned 16 bit integer specifying the number of
entries in the question section.
ANCOUNT
an unsigned 16 bit integer specifying the number of
resource records in the answer section.
NSCOUNT
an unsigned 16 bit integer specifying the number of name
server resource records in the authority records
section.
ARCOUNT
an unsigned 16 bit integer specifying the number of
resource records in the additional records section.
Question section format
10
The question section is used to carry the "question" in most queries, i.e., the
parameters that define what is being asked. The section contains QDCOUNT (usually
1) entries, each of the following format:
1 1 1 1 1 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
|
/
QNAME
/
/
/
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
QTYPE
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|
QCLASS
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where:
QNAME
a domain name represented as a sequence of
labels, where each label consists of length
octet followed by that number of octets. The
domain name terminates with the zero length
octet for the null label of the root. Note
that this field may be an odd number of
octets; no padding is used.
QTYPE
a two octet code which specifies the type of
the query. The values for this field include
all codes valid for a TYPE field, together
with some more general codes which can match
more than one type of RR.
QCLASS
a two octet code that specifies the class of
the query. For example, the QCLASS field is
IN for the Internet.
Message compression
In order to reduce the size of messages, the domain system utilizes a compression
scheme which eliminates the repetition of domain names in a message. In this
scheme, an entire domain name or a list of labels at the end of a domain name is
replaced with a pointer to a prior occurrence of the same name.
The pointer takes the form of a two octet sequence:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
| 1 1|
OFFSET
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
The first two bits are ones. This allows a pointer to be distinguished from a label, since
the label must begin with two zero bits because labels are restricted to 63 octets or
less. (The 10 and 01 combinations are reserved for future use.) The OFFSET field
specifies an offset from the start of the message (i.e., the first octet of the ID field in
the domain header). A zero offset specifies the first byte of the ID field, etc.
The compression scheme allows a domain name in a
message to be represented as either:
- a sequence of labels ending in a zero octet
11
- a pointer
- a sequence of labels ending with a pointer
Pointers can only be used for occurrences of a domain name where the format is not
class specific. If this were not the case, a name server or resolver would be required
to know the format of all RRs it handled. As yet, there are no such cases, but they
may occur in future RDATA formats.
If a domain name is contained in a part of the message
subject to a length field (such as the RDATA section of
an RR), and compression is
used, the length of the compressed name is used in the
length calculation, rather than the length of the
expanded name.
Programs are free to avoid using pointers in messages they generate, although this
will reduce datagram capacity, and may cause truncation. However all programs are
required to understand arriving messages that contain pointers.
For example, a datagram might need to use the domain names F.ISI.ARPA,
FOO.F.ISI.ARPA, ARPA, and the root. Ignoring the other fields of the message, these
domain names might be represented as:
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
20 |
1
|
F
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
22 |
3
|
I
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
24 |
S
|
I
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
26 |
4
|
A
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
28 |
R
|
P
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
30 |
A
|
0
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
40 |
3
|
F
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
42 |
O
|
O
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
44 | 1 1|
20
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
64 | 1 1|
26
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
92 |
0
|
|
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
The domain name for F.ISI.ARPA is shown at offset 20. The domain name
FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to concatenate a
label for FOO to the previously defined F.ISI.ARPA. The domain name ARPA is
defined at offset 64 using a pointer to the ARPA component of the name F.ISI.ARPA
12
at 20; note that this pointer relies on ARPA being the last label in the string at 20. The
root domain name is
defined by a single octet of zeros at 92; the root domain
name has no labels.
TYPE values
TYPE fields are used in resource records. Note that
these types are a subset of QTYPEs.
TYPE
A
NS
MD
MF
CNAME
SOA
MB
MG
MR
NULL
WKS
PTR
HINFO
MINFO
MX
TXT
value and meaning
1 a host address
2 an authoritative name server
3 a mail destination (Obsolete - use MX)
4 a mail forwarder (Obsolete - use MX)
5 the canonical name for an alias
6 marks the start of a zone of authority
7 a mailbox domain name (EXPERIMENTAL)
8 a mail group member (EXPERIMENTAL)
9 a mail rename domain name (EXPERIMENTAL)
10 a null RR (EXPERIMENTAL)
11 a well known service description
12 a domain name pointer
13 host information
14 mailbox or mail list information
15 mail exchange
16 text strings
QTYPE values
QTYPE fields appear in the question part of a query. QTYPES are a superset of
TYPEs, hence all TYPEs are valid QTYPEs. In addition, the following QTYPEs are
defined:
AXFR
252 A request for a transfer of an entire
zone
MAILB
253 A request for mailbox-related records
(MB, MG or MR)
MAILA
254 A request for mail agent RRs (Obsolete –
see MX)
255 A request for all records
CLASS values
CLASS fields appear in resource records. The following
CLASS mnemonics and values are defined:
IN
CS
CH
HS
1 the Internet
2 the CSNET class (Obsolete - used only for
examples in some obsolete RFCs)
3 the CHAOS class
4 Hesiod [Dyer 87]
13
