
DNS Network Protocol

1. The DNS Protocol

DNS is the core protocol of domain name resolution. It is an application-layer protocol carried over a transport protocol: UDP in the common case, TCP in some cases (zone transfers, and retrying a query whose UDP response came back truncated).

Several encrypted extensions exist today (DoH, DoT and DoQ) to address plaintext leakage and hijacking on the path between the client and its resolver:

  1. DoH: DNS over HTTPS, DNS messages wrapped in HTTPS (HTTP/2 or HTTP/3), RFC 8484
  2. DoT: DNS over TLS, TLS added directly on top of TCP, RFC 7858/8310
  3. DoQ: DNS over QUIC, carried over the QUIC protocol, RFC 9250

Note the scope of what they protect: they encrypt and authenticate the hop to the resolver, so an on-path observer can no longer read or forge queries on that hop. The resolver itself still sees every query, and none of these protocols verifies that the answer data is genuine; that is the job of DNSSEC, which surfaces in the message format below as the AD and CD bits and the DO bit of the OPT record.

2. DNS Protocol Messages

Understanding the DNS message format is the key to understanding how name resolution works. There are two message types, queries and responses; their layout is identical, and only the function of some fields differs.
Below, "DNS protocol message" is shortened to "DNS message".

A DNS message is a binary structure with a fixed layout, divided into five sections that appear in this order:

Section | Length (bytes) | Role
Header | 12 | Basic control information for the message ("query/response flag", "opcode", "return code", and so on). Present in both queries and responses.
Question | variable | Made up of entries. An entry holds the name to be resolved and the record type requested. Entry count: query = 1, response = 0 or 1.
Answer | variable | Made up of entries. An entry holds a resolution result. Entry count: query = 0, response >= 0.
Authority | variable | Made up of entries. 1) Traditional entries: NS records naming the zone's authoritative servers, or, in a negative response, the zone's SOA record; 2) extended (DNSSEC) entries, not covered in depth here. Entry count: query = 0, response >= 0.
Additional | variable | Made up of entries. 1) Traditional entries: the IP addresses of the authoritative servers named in the Authority section; 2) the OPT extension entry. Entry count: query = 0 or 1, response >= 0.

Note: the DNS messages in this article's experiments were captured with Wireshark, whose displayed field names do not always match the names used in the RFCs.

2.1 Header

2.1.1 Meaning

  • Fixed length of 12 bytes
  • Holds the basic control information for the message: "query/response flag", "opcode", "return code", and so on
  • Present in both queries and responses

2.1.2 Details

The header is the "control centre" of the message. Its 12 bytes are divided into six 2-byte fields (ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT), and the Flags field is further divided into ten subfields. Table 1 shows the bit layout; Table 2 describes each field and subfield.

Table 1

Header
Offsets  Octet   0                                 1
Octet    Bit     0  1  2  3  4  5  6  7            8  9  10 11 12 13 14 15
0        0       ID (16 bits)
2        16      QR (1) | Opcode (4) | AA (1) | TC (1) | RD (1) | RA (1) | Z (1) | AD (1) | CD (1) | RCODE (4)
4        32      QDCOUNT (16 bits)
6        48      ANCOUNT (16 bits)
8        64      NSCOUNT (16 bits)
10       80      ARCOUNT (16 bits)

Table 2

Field (2 bytes each) and the meaning of its subfields:

ID (identifier): identifies one query/response exchange. If the query carries ID 0x1234, the response to it carries ID 0x1234 as well, and the client discards replies whose ID (together with the source port and the echoed question) does not match what it sent. Caveat: 16 bits is a small space. A resolver that also uses predictable source ports lets an off-path attacker guess its way into the cache with forged responses (the classic cache-poisoning attack), which is why resolvers randomise the UDP source port as well as the ID.

Flags (flag bits): 2 bytes (16 bits) divided into subfields; the core of the header:

1. QR (1 bit): query/response indicator
- 0 = query
- 1 = response

2. Opcode (4 bits): operation type. Set in the query, echoed in the response
- 0 = standard query (QUERY), by far the most common, for example an A lookup
- 1 = inverse query (IQUERY), obsoleted by RFC 3425
- 2 = server status request (STATUS)
- 3 = unassigned
- 4 = NOTIFY (RFC 1996), 5 = UPDATE (RFC 2136), 6 = DSO (RFC 8490)
- 7-15 = unassigned

3. AA (Authoritative Answer, 1 bit): meaningless in a query, valid in a response
- 1 = the Answer section was produced by a server that is authoritative for the name (it holds the zone itself)
- 0 = either the answer comes from a non-authoritative server (a recursive or forwarding resolver answering from its cache or on the client's behalf), or the Answer section is empty (for example a referral)

4. TC (TrunCation, 1 bit): defined for both directions, in practice set by the server on a response
- 1 = the message exceeded the size the transport allows (512 bytes over plain UDP, or the size advertised in the EDNS OPT record) and was cut off; the client should repeat the query over TCP
- 0 = not truncated

5. RD (Recursion Desired, 1 bit): set in the query, echoed in the response
- 1 = recursion requested (the server should resolve the name completely and return the final result)
- 0 = no recursion (the server answers only from what it already holds, typically a referral, and the client continues the iteration itself)

6. RA (Recursion Available, 1 bit): meaningless in a query, valid in a response
- 1 = the server offers recursive service
- 0 = the server does not recurse. A query with RD=1 to such a server is not an error: the server answers from its own data (an authoritative answer or a referral), or returns REFUSED if its policy does not serve that client

7. Z (1 bit): reserved, must be 0

8. AD (Authentic Data, 1 bit): DNSSEC validation status
- In a response: 1 = the validating resolver verified every RRset in the Answer and Authority sections; 0 = not validated (or the resolver does not validate). The bit is only as trustworthy as the path to the resolver; on a plaintext hop an on-path attacker can set it.
- In a query (RFC 6840 section 5.7): 1 = the client understands the AD bit and asks the resolver to set it in the response when the data is authentic. The +trace query captured in 2.5.3 has this bit set.

9. CD (Checking Disabled, 1 bit): set in the query, echoed in the response
- 0 = the resolver validates according to its own policy
- 1 = the resolver must not withhold data that fails DNSSEC validation; it returns the data (with its signatures) and leaves validation to the client

10. RCODE (4 bits): response code, meaningless in a query
- 0 = NOERROR. Note that NOERROR with an empty Answer section is a "NODATA" answer: the name exists but has no record of the requested type (see 2.1.3 and experiment 2 in 2.3.3)
- 1 = FORMERR (format error)
- 2 = SERVFAIL (server failure, which is also what a validating resolver returns when DNSSEC validation fails)
- 3 = NXDOMAIN (the name does not exist)
- 4 = NOTIMP (operation not supported)
- 5 = REFUSED
- 6-10 = YXDOMAIN, YXRRSET, NXRRSET, NOTAUTH, NOTZONE (dynamic update, RFC 2136)
- 11 = DSOTYPENI (RFC 8490); 12-15 unassigned. EDNS extends the code to 12 bits (see 2.5.2), for example 16 = BADVERS

QDCOUNT (number of Question entries): 16-bit unsigned integer; query = 1, response = 0 or 1
ANCOUNT (number of Answer entries): 16-bit unsigned integer; query = 0, response >= 0
NSCOUNT (number of Authority entries): 16-bit unsigned integer; query = 0, response >= 0
ARCOUNT (number of Additional entries): 16-bit unsigned integer; query = 0 or 1, response >= 0
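As an added worked example (not code from the article), the following Python packs and unpacks the 12-byte header of Table 1 and decodes the Flags word into the subfields of Table 2. It reproduces the Flags values that appear in the captures in this article (0x0100 for the recursive query, 0x8180 for the recursive response, 0x8000 for a referral, 0x8400 for an authoritative answer, 0x0020 for a query with AD set) and adds the minimal checks a client applies to a reply before accepting it. The matches_query function and its ID/source-port caveat are this example's own, not something the article describes.

```python
"""DNS message header (RFC 1035 section 4.1.1, with the AD/CD bits of RFC 2535/4035).
Added example for this article; the sample header bytes are from its captures."""
import struct

HEADER_FMT = "!HHHHHH"                      # ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes

# Bit position of each 1-bit Flags subfield, counted from the least significant bit,
# matching Table 1 left to right: QR | Opcode(4) | AA | TC | RD | RA | Z | AD | CD | RCODE(4)
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "Z": 6, "AD": 5, "CD": 4}

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def pack_flags(qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, ad=0, cd=0, rcode=0):
    """Assemble the 16-bit Flags word from its subfields (Z is always 0)."""
    flags = (opcode & 0xF) << 11 | (rcode & 0xF)
    for name, value in (("QR", qr), ("AA", aa), ("TC", tc), ("RD", rd),
                        ("RA", ra), ("AD", ad), ("CD", cd)):
        flags |= (value & 1) << FLAG_BITS[name]
    return flags


def unpack_flags(flags):
    """Split a 16-bit Flags word back into the subfields of Table 2."""
    out = {name: (flags >> bit) & 1 for name, bit in FLAG_BITS.items()}
    out["Opcode"] = (flags >> 11) & 0xF
    out["RCODE"] = flags & 0xF
    out["RCODE_name"] = RCODES.get(out["RCODE"], "RCODE%d" % out["RCODE"])
    return out


def pack_header(txid, flags, qd=0, an=0, ns=0, ar=0):
    """Serialise the six 2-byte header fields in network byte order."""
    return struct.pack(HEADER_FMT, txid, flags, qd, an, ns, ar)


def parse_header(data):
    """Parse the first 12 bytes of a DNS message; raises on a short message."""
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    hdr = {"ID": txid, "Flags": flags, "QDCOUNT": qd, "ANCOUNT": an,
           "NSCOUNT": ns, "ARCOUNT": ar}
    hdr.update(unpack_flags(flags))
    return hdr


def matches_query(query_hdr, response_hdr):
    """Header-level sanity check a client applies before trusting a reply: it must
    be a response, echo the query's ID and carry the same Opcode. The 16-bit ID
    alone is weak: an attacker who can guess it (and the UDP source port) can
    inject a forged answer, so real resolvers also randomise the source port and
    compare the echoed Question section (not shown here)."""
    return (query_hdr["QR"] == 0 and response_hdr["QR"] == 1
            and response_hdr["ID"] == query_hdr["ID"]
            and response_hdr["Opcode"] == query_hdr["Opcode"])


if __name__ == "__main__":
    # Headers of the dig baidu.com CNAME exchange captured in 2.1.3:
    # query ID 0x1b08, Flags 0x0100; response Flags 0x8180 with 1 Authority and 1 Additional RR.
    q = pack_header(0x1B08, pack_flags(rd=1), qd=1, ar=1)
    r = pack_header(0x1B08, pack_flags(qr=1, rd=1, ra=1), qd=1, ns=1, ar=1)
    print(q.hex(), parse_header(q))
    print(r.hex(), parse_header(r))
    print("reply accepted:", matches_query(parse_header(q), parse_header(r)))
```

Running the block prints the two 12-byte headers in hex (1b08 0100 0001 0000 0000 0001 and 1b08 8180 0001 0000 0001 0001, the values Wireshark shows below) together with their decoded fields.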

2.1.3 Experiment

Query a CNAME record: dig baidu.com CNAME +short

Query message:

Domain Name System (query)
Transaction ID: 0x1b08
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively (recursion requested)
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type CNAME, class IN
Name: baidu.com
[Name Length: 9]
[Label Count: 2]
Type: CNAME (Canonical NAME for an alias) (5)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 512
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

Response message:

Domain Name System (response)
Transaction ID: 0x1b08
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries (recursion supported)
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0 (after recursive resolution there really is no CNAME record for baidu.com: a NOERROR response with an empty Answer section is a NODATA answer, and the SOA record in the Authority section below tells the client how long it may cache that negative result)
Authority RRs: 1
Additional RRs: 1
Queries
baidu.com: type CNAME, class IN
Name: baidu.com
[Name Length: 9]
[Label Count: 2]
Type: CNAME (Canonical NAME for an alias) (5)
Class: IN (0x0001)
Authoritative nameservers
baidu.com: type SOA, class IN, mname dns.baidu.com
Name: baidu.com
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 31
Primary name server: dns.baidu.com
Responsible authority's mailbox: sa.baidu.com
Serial Number: 2012150707
Refresh Interval: 300 (5 minutes)
Retry Interval: 300 (5 minutes)
Expire limit: 2592000 (30 days)
Minimum TTL: 600 (10 minutes)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

2.2 Question Section

2.2.1 Meaning

  • Variable length
  • The Question section is made up of entries:
    • An entry carries what is being asked: the name to look up, the resource record type requested, and the query class
    • Entry count (query = 1, response = 0 or 1, given by QDCOUNT in the header): a response repeats the Question section so that the receiver can tell unambiguously which query it answers; a client should compare it against what it sent and not just rely on the ID

2.2.2 Entry Format

Field | Length (bytes) | Meaning and example
QNAME (domain name) | variable | A name has two wire representations, the "plain format" and the "compressed format".

Plain format: the name is split on "." into labels; each label is preceded by one byte giving its length, and a single 0x00 byte terminates the name (a label is at most 63 octets, the whole encoded name at most 255). Example: www.baidu.com splits into "www", "baidu" and "com" and is encoded as 0x03 (label length) 0x77 0x77 0x77 0x05 (label length) 0x62 0x61 0x69 0x64 0x75 0x03 (label length) 0x63 0x6F 0x6D 0x00 (end of name).

Compressed format: a 2-byte pointer whose top two bits are 11; the remaining 14 bits are the offset, from the start of the message, of an earlier copy of the name. Example: if the same name already appears at offset 0x0C (the start of the Question section), it can be encoded as 0xC00C (11000000 00001100). A name may also begin with plain labels and end in a pointer, which is why in the 2.4.3 capture the first NS record has Data length 15 (ns3.nease.net written out) while the following ones have Data length 6 ("ns4" plus a pointer back to "nease.net").

Caveat for anyone writing a parser: pointers must be bounded. A pointer that points forward, or at itself, forms a loop, and a parser that follows pointers without limit will spin or recurse forever on a crafted message. Accept only pointers to an earlier offset and cap the number of hops.

Because the Question section comes first in the message, there is nothing earlier for it to point to, so the QNAME of a question entry is normally in the plain format.
QTYPE (type) | 2 | The record type requested; common values:
- 0x0006 = SOA record
- 0x0002 = NS record
- 0x0001 = A record
- 0x0005 = CNAME record
- 0x000c = PTR record
- 0x000f = MX record
- 0x0010 = TXT record
- 0x001c = AAAA record
QCLASS (class) | 2 | The network class; in practice always 0x0001 = IN (Internet)

2.2.3 Experiment

Query TXT records: dig 163.com txt +short

Response message:

Domain Name System (response)
Transaction ID: 0xe0ef
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 7
Authority RRs: 0
Additional RRs: 1
Queries
163.com: type TXT, class IN // corresponding bytes: 0x03 0x31 0x36 0x33 0x03 0x63 0x6f 0x6d 0x00 (QNAME) 0x00 0x10 (QTYPE = TXT) 0x00 0x01 (QCLASS = IN)
Name: 163.com
[Name Length: 7]
[Label Count: 2]
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Answers
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 37
TXT Length: 36
TXT: v=spf1 include:spf.mail.163.com -all
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 33
TXT Length: 32
TXT: 0hz8zn8jpkr3vffgll8hnd6j873bzvsg
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 61
TXT Length: 60
TXT: facebook-domain-verification=kqgnezlldheaauy9huiesb3j2emhh3
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 33
TXT Length: 32
TXT: 57c23e6c1ed24f219803362dadf8dea3
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 33
TXT Length: 32
TXT: qdx50vkxg6qpn3n1k6n1tg2syg5wp96y
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 69
TXT Length: 68
TXT: google-site-verification=hRXfNWRtd9HKlh-ZBOuUgGrxBJh526R8Uygp0jEZ9wY
163.com: type TXT, class IN
Name: 163.com
Type: TXT (Text strings) (16)
Class: IN (0x0001)
Time to live: 18000 (5 hours)
Data length: 33
TXT Length: 32
TXT: c69jw6kms2htsyyw3l50bfxycgzp3v50
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

2.3 Answer Section

2.3.1 Meaning

  • Variable length
  • The Answer section is made up of entries:
    • An entry carries one answer record
    • Entry count (query = 0, response >= 0, given by ANCOUNT in the header): the section is not always present. It is empty when no record of the requested type is configured (NODATA), when the response is an intermediate result (a referral to the authoritative name servers rather than a final answer), when the query failed, or when it was refused

2.3.2 Entry Format

Field | Length (bytes) | Meaning and example
NAME (domain name) | variable | Same meaning and format as QNAME in the Question section; here the compressed form is common, typically 0xC00C pointing back at the question name
TYPE (type) | 2 | Same meaning and format as QTYPE
CLASS (class) | 2 | Same meaning and format as QCLASS
TTL (time to live) | 4 | A 32-bit value in seconds. RFC 1035 describes it as signed; RFC 2181 section 8 clarifies that it is unsigned with the high bit clear, and that a value with the high bit set is to be treated as 0. It is how long the receiver may cache the record. A recursive or forwarding resolver acts as a client towards the authoritative server and caches the record for at most this long; the TTL it passes on to its own clients is whatever remains, which is why experiment 1 below shows the odd value 294 rather than a round number
RDLENGTH (data length) | 2 | The number of bytes in the RDATA field that follows; a parser must check it against the remaining message length before reading RDATA
RDATA (record data) | variable (RDLENGTH bytes) | The resolution data itself; its format depends on TYPE:
- 0x0001 = A record: RDATA is a 4-byte IPv4 address
- 0x001c = AAAA record: RDATA is a 16-byte IPv6 address
- 0x0005 = CNAME record: RDATA is the target name, encoded like QNAME (compression allowed)
- 0x000f = MX record: the first 2 bytes of RDATA are the preference, followed by the mail server name, encoded like QNAME
- 0x0002 = NS record: the name server's name, encoded like QNAME; 0x0006 = SOA record: two names (MNAME, RNAME) followed by five 32-bit values (SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM), as seen in the Authority section of the negative responses in this article
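The name encoding of 2.2.2 and the entry layout of 2.3.2 are easiest to pin down by writing the parser. The following Python is an added example and not code from the article: it encodes and decodes names (plain and compressed, with the backward-only, bounded-hop pointer check described above), parses the Question section and the three RR sections, and decodes the RDATA of the types discussed (A, AAAA, NS, CNAME, PTR, MX, SOA). SAMPLE is a constructed message, not a captured packet: it combines the header fields, the question and the answer-RR byte string of experiment 1 in 2.3.3, with the OPT record left out so that the header counts match.

```python
"""Question and resource-record entries of a DNS message (RFC 1035 sections 4.1.2-4.1.4)
with label compression. Added example for this article; SAMPLE is constructed, not captured."""
import struct
from ipaddress import IPv4Address, IPv6Address

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 41: "OPT"}


def encode_name(name):
    """Plain wire form: <len><label> ... 0x00 (label <= 63 octets, whole name <= 255)."""
    out = b""
    for label in filter(None, name.split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name longer than 255 octets")
    return out + b"\x00"


def decode_name(msg, pos):
    """Return (name, offset just past the name as written at pos). A compression pointer
    (top bits 11) is followed only backwards and at most 16 times, so a crafted message
    with a pointer loop raises instead of spinning forever."""
    labels, end, hops = [], None, 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos or hops >= 16:
                raise ValueError("forward or looping compression pointer at %d" % pos)
            end = pos + 2 if end is None else end   # the name ends after the first pointer
            pos, hops = target, hops + 1
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type 0x%02x" % length)
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_rdata(msg, rtype, rdata, rdata_pos):
    """Decode RDATA for the types covered in the text. Names inside RDATA may be
    compressed, so they are decoded against the whole message, not just rdata."""
    if rtype == 1:
        return str(IPv4Address(rdata))
    if rtype == 28:
        return str(IPv6Address(rdata))
    if rtype in (2, 5, 12):                       # NS, CNAME, PTR: one domain name
        return decode_name(msg, rdata_pos)[0]
    if rtype == 15:                               # MX: 16-bit preference + name
        return struct.unpack("!H", rdata[:2])[0], decode_name(msg, rdata_pos + 2)[0]
    if rtype == 6:                                # SOA: MNAME, RNAME, five uint32 values
        mname, p = decode_name(msg, rdata_pos)
        rname, p = decode_name(msg, p)
        return (mname, rname) + struct.unpack("!5I", msg[p:p + 20])
    return rdata.hex()                            # unknown type: keep the raw octets


def parse_message(msg):
    """Walk header, Question, Answer, Authority and Additional in wire order."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {"id": txid, "flags": flags, "question": [], "answer": [],
           "authority": [], "additional": []}
    pos = 12
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        out["question"].append((name, TYPE_NAMES.get(qtype, qtype), qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, pos = decode_name(msg, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            if pos + rdlen > len(msg):
                raise ValueError("RDLENGTH %d runs past the end of the message" % rdlen)
            value = parse_rdata(msg, rtype, msg[pos:pos + rdlen], pos)
            out[section].append((name, TYPE_NAMES.get(rtype, rtype), rclass, ttl, value))
            pos += rdlen
    if pos != len(msg):
        raise ValueError("%d trailing octets after the last section" % (len(msg) - pos))
    return out


# Constructed sample: header (ID 0x2c5e, Flags 0x8180, QDCOUNT 1, ANCOUNT 1), the question
# google.com/AAAA/IN, then the answer RR exactly as its bytes are listed in experiment 1
# of 2.3.3 (NAME = pointer 0xc00c back to the question name at offset 12).
SAMPLE = (bytes.fromhex("2c5e81800001000100000000")
          + encode_name("google.com") + struct.pack("!HH", 28, 1)
          + bytes.fromhex("c00c001c0001000001260010240468004005081a000000000000200e"))

if __name__ == "__main__":
    print(parse_message(SAMPLE))
```

Parsing SAMPLE yields the question ("google.com", "AAAA", 1) and the answer ("google.com", "AAAA", 1, 294, "2404:6800:4005:81a::200e"), matching the Wireshark decode below. The same decode_name is what a resolver runs on untrusted input, which is why it checks every length and pointer before reading.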

2.3.3 Experiments

1. Experiment 1
Query an AAAA record: dig google.com AAAA +short

Response message:

Domain Name System (response)
Transaction ID: 0x2c5e
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 1
Queries
google.com: type AAAA, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Answers
google.com: type AAAA, class IN, addr 2404:6800:4005:81a::200e // corresponding bytes: [NAME]0xc0 0x0c [TYPE]0x00 0x1c [CLASS]0x00 0x01 [TTL]0x00 0x00 0x01 0x26 [RDLENGTH]0x00 0x10 [RDATA]0x24 0x04 0x68 0x00 0x40 0x05 0x08 0x1a 0x00 0x00 0x00 0x00 0x00 0x00 0x20 0x0e
Name: google.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 294 (4 minutes, 54 seconds)
Data length: 16
AAAA Address: 2404:6800:4005:81a::200e
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

2. Experiment 2
Query an AAAA record: dig tiktok.com AAAA +short

Response message (tiktok.com has no AAAA record configured, so the Answer section is empty and the Authority section carries the zone's SOA record for negative caching):

Domain Name System (response)
Transaction ID: 0xf63f
Flags: 0x8180 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 1
Queries
tiktok.com: type AAAA, class IN
Name: tiktok.com
[Name Length: 10]
[Label Count: 2]
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Authoritative nameservers
tiktok.com: type SOA, class IN, mname a9-66.akam.net
Name: tiktok.com
Type: SOA (Start Of a zone of Authority) (6)
Class: IN (0x0001)
Time to live: 879 (14 minutes, 39 seconds)
Data length: 59
Primary name server: a9-66.akam.net
Responsible authority's mailbox: hostmaster.akamai.com
Serial Number: 1554957829
Refresh Interval: 43200 (12 hours)
Retry Interval: 7200 (2 hours)
Expire limit: 604800 (7 days)
Minimum TTL: 7200 (2 hours)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x0000
0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

2.4 Authority Section

2.4.1 Meaning

  • Variable length
  • The Authority section is made up of two kinds of entries; their combined count is "query = 0, response >= 0, given by NSCOUNT in the header":
    • Traditional entries:
      • They carry name server information for the zone: 1) when the Answer section is empty and the Authority section holds NS records, the response is a referral in an iterative resolution, and the client's next step is to query one of those name servers; 2) when the Answer section is non-empty, NS records in the Authority section merely list the zone's authoritative servers for the client's information; 3) when the Answer section is empty because the name (NXDOMAIN) or the record type (NODATA) does not exist, the Authority section holds the zone's SOA record instead, whose MINIMUM field bounds the negative-cache TTL (see the baidu.com CNAME response in 2.1.3 and the tiktok.com AAAA response in 2.3.3)
      • Entry count: query = 0, response >= 0
    • Extended entries:
      • DNSSEC records such as RRSIG and NSEC3, not covered in depth here
      • Entry count: query = 0, response >= 0

2.4.2 Entry Format

1. Traditional entries
Same format as an Answer entry; the difference is TYPE = 0x0002 (an NS record), or TYPE = 0x0006 (an SOA record) in a negative response.

2. Extended entries
Same format as an Answer entry; the difference is TYPE = 0x002e (RRSIG) | 0x0032 (NSEC3) | ..., not covered in depth here.

2.4.3 Experiment

Query an A record; +trace makes dig perform the full iterative resolution itself, starting from the root: dig 163.com A +short +trace

Response message (the referral returned by a .com TLD server: AA=0, RD=0 and RA=0, an empty Answer section, the 163.com NS set in Authority, and glue addresses in Additional. The NSEC3 and RRSIG records signed by "com" are the TLD's DNSSEC proof that no DS record exists for 163.com, i.e. the delegation is unsigned; the NSEC3 opt-out flag is set because .com only signs the gaps between its secure delegations):

Domain Name System (response)
Transaction ID: 0x6e3a
Flags: 0x8000 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 11
Additional RRs: 4
Queries
163.com: type A, class IN
Name: 163.com
[Name Length: 7]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Authoritative nameservers
163.com: type NS, class IN, ns ns3.nease.net // corresponding bytes: [NAME]0xc0 0x0c [TYPE]0x00 0x02 [CLASS]0x00 0x01 [TTL]0x00 0x02 0xa3 0x00 [RDLENGTH]0x00 0x0f [RDATA]0x03 0x6e 0x73 0x33 0x05 0x6e 0x65 0x61 0x73 0x65 0x03 0x6e 0x65 0x74 0x00 (the name written out in full; the records that follow reuse it through a compression pointer, hence their Data length of 6)
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 15
Name Server: ns3.nease.net
163.com: type NS, class IN, ns ns4.nease.net
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 6
Name Server: ns4.nease.net
163.com: type NS, class IN, ns ns5.nease.net
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 6
Name Server: ns5.nease.net
163.com: type NS, class IN, ns ns6.nease.net
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 6
Name Server: ns6.nease.net
163.com: type NS, class IN, ns ns1.nease.net
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 6
Name Server: ns1.nease.net
163.com: type NS, class IN, ns ns2.166.com
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 10
Name Server: ns2.166.com
163.com: type NS, class IN, ns ns8.166.com
Name: 163.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 6
Name Server: ns8.166.com
CK0POJMG874LJREF7EFN8430QVIT8BSM.com: type NSEC3, class IN
Name: CK0POJMG874LJREF7EFN8430QVIT8BSM.com
Type: NSEC3 (50)
Class: IN (0x0001)
Time to live: 900 (15 minutes)
Data length: 35
Hash algorithm: SHA-1 (1)
NSEC3 flags: 1
.... ...1 = NSEC3 Opt-out flag: Additional insecure delegations allowed
NSEC3 iterations: 0
Salt length: 0
Salt value: <MISSING>
Hash length: 20
Next hashed owner: 6501a1f9b0431d4a29c7dfa99833a16ff9c8a2b5
RR type in bit map: NS (authoritative Name Server)
RR type in bit map: SOA (Start Of a zone of Authority)
RR type in bit map: RRSIG (Resource Record Signature)
RR type in bit map: DNSKEY (DNS Public Key)
RR type in bit map: NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com: type RRSIG, class IN
Name: CK0POJMG874LJREF7EFN8430QVIT8BSM.com
Type: RRSIG (Resource Record Signature) (46)
Class: IN (0x0001)
Time to live: 900 (15 minutes)
Data length: 87
Type Covered: NSEC3 (50)
Algorithm: ECDSA Curve P-256 with SHA-256 (13)
Labels: 2
Original TTL: 900 (15 minutes)
Signature Expiration: Apr 28, 2026 08:26:36.000000000 CST
Signature Inception: Apr 21, 2026 07:16:36.000000000 CST
Key Tag: 27677
Signer's name: com
Signature: 6d00e7f47806a87a8265ecf543c7cbe0c76d9f862e787de5…
O6DB05FMEAJK2DRN5PFFM8H296OGGG7D.com: type NSEC3, class IN
Name: O6DB05FMEAJK2DRN5PFFM8H296OGGG7D.com
Type: NSEC3 (50)
Class: IN (0x0001)
Time to live: 900 (15 minutes)
Data length: 34
Hash algorithm: SHA-1 (1)
NSEC3 flags: 1
.... ...1 = NSEC3 Opt-out flag: Additional insecure delegations allowed
NSEC3 iterations: 0
Salt length: 0
Salt value: <MISSING>
Hash length: 20
Next hashed owner: c19ab0ef374bbc31352c30d9c077bebad33340e5
RR type in bit map: NS (authoritative Name Server)
RR type in bit map: DS (Delegation Signer)
RR type in bit map: RRSIG (Resource Record Signature)
O6DB05FMEAJK2DRN5PFFM8H296OGGG7D.com: type RRSIG, class IN
Name: O6DB05FMEAJK2DRN5PFFM8H296OGGG7D.com
Type: RRSIG (Resource Record Signature) (46)
Class: IN (0x0001)
Time to live: 900 (15 minutes)
Data length: 87
Type Covered: NSEC3 (50)
Algorithm: ECDSA Curve P-256 with SHA-256 (13)
Labels: 2
Original TTL: 900 (15 minutes)
Signature Expiration: Apr 27, 2026 08:44:04.000000000 CST
Signature Inception: Apr 20, 2026 07:34:04.000000000 CST
Key Tag: 27677
Signer's name: com
Signature: 6d00018ee50812a3309fb0635e9fe3de7d8ab4427d271d3a…
Additional records
ns2.166.com: type A, class IN, addr 103.71.201.3
Name: ns2.166.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 4
Address: 103.71.201.3
ns8.166.com: type A, class IN, addr 18.182.82.158
Name: ns8.166.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 4
Address: 18.182.82.158
ns8.166.com: type A, class IN, addr 44.228.163.69
Name: ns8.166.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 172800 (2 days)
Data length: 4
Address: 44.228.163.69
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 4096
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 0

2.5 Additional Section

2.5.1 Meaning

  • Variable length
  • The Additional section is made up of two kinds of entries; their combined count is "query = 0 or 1, response >= 0, given by ARCOUNT in the header":
    • Traditional entries:
      • The IP addresses (glue) of the name servers named in the Authority section, which spare the client further lookups. A resolver must accept such glue only when it lies within the bailiwick of the zone the referring server is authoritative for (in 2.4.3 the .com server supplies addresses for ns2.166.com and ns8.166.com, both under .com); addresses in Additional for names outside that zone are ignored, otherwise any server could plant addresses for arbitrary names in the cache
      • Entry count: query = 0, response >= 0
    • OPT extension entry:
      • Defined by EDNS (Extension Mechanisms for DNS) [3]. Without changing the basic message layout it raises the 512-byte UDP limit, extends the flag bits and the RCODE, and carries options such as DNSSEC OK and COOKIE
      • Entry count: query = 0 or 1, response = 0 or 1; the Additional section may hold at most one OPT entry (RFC 6891 requires FORMERR for more than one)

2.5.2 Entry Format

1. Traditional entries
Same format as an Answer entry; TYPE normally takes one of two values:

  • TYPE = 0x0001: an A record, the IPv4 address of an authoritative server
  • TYPE = 0x001c: an AAAA record, the IPv6 address of an authoritative server

2. OPT extension entry
For compatibility, the OPT entry reuses the layout of a traditional entry and reinterprets its fields as follows.

Length (bytes) | Old field | Old meaning | New field | New meaning and example
variable | NAME | domain name | NAME | fixed value 0x00 (the root name)
2 | TYPE | type | TYPE | fixed value 0x0029 (41)
2 | CLASS | class | UDP Payload Size | the largest UDP payload the sender is able to receive (1232 in the 2.5.3 captures; 4096 advertised by the .com server in 2.4.3)
4 | TTL | time to live | EXT-RCODE (1 byte) | upper 8 bits of the response code; combined with the header's 4-bit RCODE they form the 12-bit extended RCODE (for example 16 = BADVERS)
 | | | EDNS-Version (1 byte) | currently always 0x00; a server that receives a version it does not support answers BADVERS
 | | | Z (2 bytes) | the highest bit is DO (DNSSEC OK): 1 = the sender understands DNSSEC records and wants RRSIG/NSEC/NSEC3/DNSKEY records included in the response; 0 = do not include them, return only the ordinary records (A/AAAA/CNAME and so on). DO only controls whether signatures are sent. Validation, and therefore any protection against forged or hijacked answers, happens only if some party (a validating resolver, or the client itself) actually checks the signatures; a validating resolver may validate on the client's behalf even when DO is 0 and reports the outcome through the AD bit. The remaining 15 bits are reserved and must be 0
2 | RDLENGTH | data length | RDLENGTH | total length of the option list
variable | RDATA | record data | RDATA | a list of EDNS options, each encoded as option code (2 bytes), option length (2 bytes), option data; the COOKIE option (code 10) appears in the 2.5.3 capture
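As an added example (not code from the article), the following Python builds and parses the OPT pseudo-record and its option list, combines EXT-RCODE with the header RCODE into the 12-bit code, and splits a COOKIE option (RFC 7873) into its client and server halves. CAPTURED_OPT is the OPT byte string listed next to the query capture in 2.5.3; the build/parse round trip reproduces it exactly. The field and function names are this example's own.

```python
"""EDNS(0) OPT pseudo-record (RFC 6891) and the COOKIE option (RFC 7873).
Added example for this article; CAPTURED_OPT is the OPT record from its 2.5.3 capture."""
import struct

OPT_TYPE = 41
EDNS_COOKIE = 10
DO_BIT = 0x8000            # highest bit of the 16-bit Z field


def build_opt(udp_payload_size=1232, do=True, ext_rcode=0, options=()):
    """Encode an OPT RR: NAME is the root (0x00), CLASS carries the UDP payload size,
    and the 4 TTL bytes carry EXT-RCODE | VERSION (0) | Z (DO + 15 reserved bits)."""
    ttl = (ext_rcode & 0xFF) << 24 | (DO_BIT if do else 0)
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, len(rdata)) + rdata


def parse_opt(rr):
    """Decode an OPT RR starting at rr[0]. Rejects anything that is not a well-formed
    OPT of version 0, and bounds every length against the bytes actually present."""
    if rr[:1] != b"\x00":
        raise ValueError("OPT NAME must be the root name")
    rtype, payload, ttl, rdlen = struct.unpack("!HHIH", rr[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT record: type %d" % rtype)
    version = (ttl >> 16) & 0xFF
    if version != 0:
        raise ValueError("unsupported EDNS version %d (answer BADVERS)" % version)
    rdata = rr[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("RDLENGTH runs past the end of the record")
    options, pos = [], 0
    while pos < rdlen:
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        if pos + 4 + olen > rdlen:
            raise ValueError("option length runs past RDATA")
        options.append((code, rdata[pos + 4:pos + 4 + olen]))
        pos += 4 + olen
    return {"udp_payload_size": payload, "ext_rcode": ttl >> 24, "version": version,
            "do": bool(ttl & DO_BIT), "z_reserved": ttl & 0x7FFF,
            "options": options, "length": 11 + rdlen}


def full_rcode(header_flags, opt):
    """The 12-bit RCODE: EXT-RCODE from OPT supplies the high 8 bits, the header's
    4-bit RCODE the low 4 bits, so BADVERS (16) is ext 1 with header RCODE 0."""
    return (opt["ext_rcode"] << 4) | (header_flags & 0xF)


def split_cookie(data):
    """RFC 7873: an 8-byte client cookie, optionally followed by an 8..32-byte server
    cookie. A query from a fresh client carries only the client half, as below."""
    if len(data) == 8:
        return data, None
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("bad COOKIE option length %d" % len(data))


# The OPT record bytes from the dig baidu.com +trace query capture in 2.5.3:
# NAME 00, TYPE 0029, payload 04d0 (1232), EXT-RCODE 00, version 00, Z 8000 (DO set),
# RDLENGTH 000c, then one option: code 000a (COOKIE), length 0008, 8-byte client cookie.
CAPTURED_OPT = bytes.fromhex(
    "00 0029 04d0 00008000 000c 000a 0008 e7a696f62745d2e8".replace(" ", ""))

if __name__ == "__main__":
    print(parse_opt(CAPTURED_OPT))
    print(build_opt(1232, True, 0, [(EDNS_COOKIE, bytes.fromhex("e7a696f62745d2e8"))]).hex())
```

The 1232-byte payload size dig advertises here is the value recommended since DNS flag day 2020: it keeps responses below the IPv6 minimum MTU so they are never fragmented. A large advertised size together with DO=1 is also what makes DNS amplification attractive to attackers, since a query of a few dozen bytes can elicit a signed response of several kilobytes; that is one reason authoritative servers apply response rate limiting and resolvers should not answer the open Internet.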

2.5.3 Experiment

Query an A record; +trace makes dig perform the full iterative resolution itself, starting from the root: dig baidu.com A +short +trace

Query message (the last query of the trace, sent directly to a baidu.com authoritative server; note RD=0, the AD bit set in the query, and the OPT record with DO set and a client COOKIE):

Domain Name System (query)
Transaction ID: 0x85f5
Flags: 0x0020 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ..1. .... = AD bit: Set
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type A, class IN
Name: baidu.com
[Name Length: 9]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Additional records
<Root>: type OPT // corresponding bytes: [NAME]0x00 [TYPE]0x00 0x29 [UDP Payload Size]0x04 0xd0 [EXT-RCODE]0x00 [EDNS-Version]0x00 [Z]0x80 0x00 [RDLENGTH]0x00 0x0c [RDATA]0x00 0x0a 0x00 0x08 0xe7 0xa6 0x96 0xf6 0x27 0x45 0xd2 0xe8
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 8
Option Data: e7a696f62745d2e8
Client Cookie: e7a696f62745d2e8
Server Cookie: <MISSING>

Response message (AA=1, an authoritative answer: four A records in Answer, the zone's NS set in Authority, and the name servers' A and AAAA addresses in Additional; the server sent no OPT record back, so the count of 11 is all glue):

Domain Name System (response)
Transaction ID: 0x85f5
Flags: 0x8400 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 4
Authority RRs: 5
Additional RRs: 11
Queries
baidu.com: type A, class IN
Name: baidu.com
[Name Length: 9]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
baidu.com: type A, class IN, addr 111.63.65.247
Name: baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 4
Address: 111.63.65.247
baidu.com: type A, class IN, addr 124.237.177.164
Name: baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 4
Address: 124.237.177.164
baidu.com: type A, class IN, addr 110.242.74.102
Name: baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 4
Address: 110.242.74.102
baidu.com: type A, class IN, addr 111.63.65.103
Name: baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 4
Address: 111.63.65.103
Authoritative nameservers
baidu.com: type NS, class IN, ns dns.baidu.com
Name: baidu.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: dns.baidu.com
baidu.com: type NS, class IN, ns ns2.baidu.com
Name: baidu.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns2.baidu.com
baidu.com: type NS, class IN, ns ns3.baidu.com
Name: baidu.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns3.baidu.com
baidu.com: type NS, class IN, ns ns4.baidu.com
Name: baidu.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns4.baidu.com
baidu.com: type NS, class IN, ns ns7.baidu.com
Name: baidu.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns7.baidu.com
Additional records
dns.baidu.com: type A, class IN, addr 110.242.68.134 // corresponding bytes: [NAME]0xc0 0x67 (pointer to offset 0x67, where dns.baidu.com first appears in the NS record above) [TYPE]0x00 0x01 [CLASS]0x00 0x01 [TTL]0x00 0x00 0x02 0x58 [RDLENGTH]0x00 0x04 [RDATA]0x6e 0xf2 0x44 0x86
Name: dns.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 4
Address: 110.242.68.134
ns2.baidu.com: type A, class IN, addr 220.181.33.31
Name: ns2.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 220.181.33.31
ns3.baidu.com: type A, class IN, addr 36.155.132.78
Name: ns3.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 36.155.132.78
ns3.baidu.com: type A, class IN, addr 153.3.238.93
Name: ns3.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 153.3.238.93
ns4.baidu.com: type A, class IN, addr 14.215.178.80
Name: ns4.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 14.215.178.80
ns4.baidu.com: type A, class IN, addr 111.45.3.226
Name: ns4.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 111.45.3.226
ns7.baidu.com: type A, class IN, addr 180.76.76.92
Name: ns7.baidu.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 180.76.76.92
dns.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
Name: dns.baidu.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 16
AAAA Address: 240e:bf:b801:1002:0:ff:b024:26de
ns2.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
Name: ns2.baidu.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 600 (10 minutes)
Data length: 16
AAAA Address: 240e:940:603:4:0:ff:b01b:589a
ns7.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
Name: ns7.baidu.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 16
AAAA Address: 240e:bf:b801:1002:0:ff:b024:26de
ns7.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
Name: ns7.baidu.com
Type: AAAA (IPv6 Address) (28)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 16
AAAA Address: 240e:940:603:4:0:ff:b01b:589a

References

[1] RFC 1035, Domain Names - Implementation and Specification: https://datatracker.ietf.org/doc/html/rfc1035
[2] RFC 2535, Domain Name System Security Extensions: https://datatracker.ietf.org/doc/html/rfc2535
[3] RFC 6891, Extension Mechanisms for DNS (EDNS(0)): https://datatracker.ietf.org/doc/html/rfc6891
