This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Weird DNS Query

0

Hi, can someone explain why I get the field Length before the field Transaction ID in these DNS queries?
The query type is TKEY.
Can you provide an RFC or something similar?
Because according to the structure of DNS it should start with the Transaction ID.


asked 24 Feb '15, 08:33

saeedh


One Answer:

1

That's because it's DNS over TCP, and since the DNS content may be (and is, in your case) spread over multiple segments, the protocol needs to announce how many bytes there are in total for reassembly.

answered 24 Feb '15, 08:46

Jasper ♦♦

So the only change is because it's over TCP? Meaning, can I now get all the DNS variants that I would normally get in UDP, but with the addition of those two bytes? Are those bytes a must in DNS over TCP?

(24 Feb '15, 09:05) saeedh

Yes, see RFC 1035 sect 4.2.2 TCP usage:

The message is prefixed with a two byte length field which gives the message length, excluding the two byte length field. This length field allows the low-level processing to assemble a complete message before beginning to parse it.

(24 Feb '15, 09:10) grahamb ♦

Yes, you get those two bytes only for TCP, and every time. They are a must.

(24 Feb '15, 09:10) Jasper ♦♦
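The framing described in the answer and the RFC 1035 quote above, as an added example that is not part of the original thread: it builds two TKEY queries with the two-byte TCP length prefix, splits the byte stream across segments so the second message is only partially received, and shows how the prefix lets a reader reassemble a complete message before parsing the Transaction ID. All transaction IDs and names are constructed values.

```python
import struct

TKEY = 249  # RR type number for TKEY (RFC 2930)

def build_tcp_dns_message(txid: int, qname: str, qtype: int) -> bytes:
    """Build a minimal DNS query (one question) and frame it for TCP:
    RFC 1035 4.2.2 prefixes the message with a two-byte length that
    excludes the prefix itself."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = header + name + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return struct.pack("!H", len(msg)) + msg

def extract_tcp_dns_messages(buf: bytes):
    """Split reassembled TCP stream bytes into complete DNS messages.
    Returns (messages, leftover); leftover is an incomplete tail that
    must wait for the next segment, which is exactly why the prefix exists."""
    msgs, off = [], 0
    while len(buf) - off >= 2:
        (length,) = struct.unpack_from("!H", buf, off)
        if len(buf) - off - 2 < length:
            break  # rest of this message arrives in a later segment
        msgs.append(buf[off + 2:off + 2 + length])
        off += 2 + length
    return msgs, buf[off:]

def parse_query(msg: bytes):
    """Return (transaction id, qname, qtype) of a DNS message body (no prefix)."""
    txid = struct.unpack_from("!H", msg, 0)[0]
    labels, off = [], 12  # question section starts after the 12-byte header
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack_from("!H", msg, off + 1)[0]
    return txid, ".".join(labels), qtype

def demo():
    # Constructed sample: two TKEY queries, the second split across two TCP segments.
    m1 = build_tcp_dns_message(0x1A2B, "example.test", TKEY)
    m2 = build_tcp_dns_message(0x3C4D, "host.example.test", TKEY)
    stream = m1 + m2
    seg1, seg2 = stream[:len(m1) + 5], stream[len(m1) + 5:]
    first, rest = extract_tcp_dns_messages(seg1)        # one complete, 5 bytes pending
    second, rest2 = extract_tcp_dns_messages(rest + seg2)
    return [parse_query(m) for m in first + second], len(rest), len(rest2)

if __name__ == "__main__":
    print(demo())
```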