
c1 in place of c0 (pointer) in DNS reply packet

asked 2023-06-24 16:36:40 +0000

I'm capturing DNS packets in Wireshark and know that 0xc0 indicates a pointer to decode the name or cname as part of the compression format used. I have a DNS reply for res.cdn.office.net and out of 8 answers, the last 3 have 0xc1 instead of 0xc0 and still produce a valid cname. Anyone know what 0xc1 means in a DNS reply in terms of decoding the name?

I hope I've explained that ok :)


1 Answer


answered 2023-06-24 17:17:07 +0000

Chuckc

updated 2023-06-24 17:17:26 +0000

https://datatracker.ietf.org/doc/html...

The pointer takes the form of a two octet sequence:

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    | 1  1|                OFFSET                   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Did the offset exceed 255 so needed a bit in the upper octet?


Comments

I counted out the bytes and you're spot on, it is indeed over 255 bytes. Thanks a lot Chuckc, I stared at it blankly long enough, sometimes you just need a prod in the right direction :)

notaclue ( 2023-06-24 17:28:59 +0000 )

When all else fails, read the instructions. Or the RFC. :-)

Chuckc ( 2023-06-24 17:31:10 +0000 )
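The pointer layout quoted in the answer, as an added example that is not part of the original thread: a name decoder that reads the offset as 14 bits, so a pointer to offset 0x105 appears on the wire as `c1 05`. The message is constructed for illustration (it is not the capture from the question), and `decode_name` and `build_sample` are hypothetical helper names.

```python
import struct

def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name field that starts at `offset`)."""
    labels, end, seen = [], None, set()
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # top two bits 11: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            # The low 6 bits of the first octet are the HIGH bits of the offset.
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2             # the field ends after the first pointer
            if target in seen:               # a crafted packet can point in a circle
                raise ValueError("compression pointer loop")
            seen.add(target)
            offset = target
        elif length & 0xC0:                  # 01 and 10 are reserved label types
            raise ValueError("reserved label type")
        elif length == 0:                    # root label terminates the name
            return ".".join(labels) or ".", (end if end is not None else offset + 1)
        else:
            label = msg[offset + 1 : offset + 1 + length]
            if len(label) != length:
                raise ValueError("truncated label")
            labels.append(label.decode("ascii", "replace"))
            offset += 1 + length

def build_sample() -> bytes:
    """Constructed message: a name below offset 256 and one above it."""
    msg = bytearray(12)                              # 12-byte DNS header (zeroed)
    msg += b"\x06office\x03net\x00"                  # offset 12 (0x00c)
    msg += bytes(0x105 - len(msg))                   # filler standing in for records
    msg += b"\x03cdn\xc0\x0c"                        # offset 0x105: cdn + ptr to 12
    msg += b"\x03res" + struct.pack("!H", 0xC000 | 0x105)  # ptr to 0x105 -> c1 05
    return bytes(msg)

SAMPLE = build_sample()

if __name__ == "__main__":
    print(SAMPLE[271:273].hex(), decode_name(SAMPLE, 267))
```

A decoder that only checks for `0xc0` and takes the second octet as the offset misreads every pointer whose target lies at offset 256 or beyond.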
