Here is the setting:
- Client IP address = 192.168.170.8
- DNS server IP address = 192.168.170.20
The DNS header is the following section in Wireshark:
This is a DNS communication, since the transport protocol is UDP and the destination port is 53:
The identification field has the same value for both the DNS query and the DNS response:
The first packet sent is a DNS query:
DNS query message
A DNS query message does not contain an Answer field. It only contains a header and a Question field.
The question contains QNAME, QTYPE and QCLASS.
DNS response message
We see that the DNS response contains both a “queries” field and an “answers” field. It is as if the DNS server says “hey, your question is blablabla, and the answer to it is blablabla”. Also, in the flags field, the Questions flag is set even though this is a DNS response; it simply indicates that this message carries answers to a previous question.
Here is an example that shows how ANCOUNT equals the number of answer RRs in the DNS message:
DNS response: additional records
Here is an example of the Additional information field of the DNS message. The querying host asked for an MX record of google.com. The DNS server replied with all the email servers that have the alias hostname of google.com, and as additional information, it gives the name-to-IP address mapping of these email servers in A records (pretty generous):
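To make the structure described above concrete (header with ID, flags and the four counts; Question section with QNAME/QTYPE/QCLASS; Answer and Additional sections whose lengths are given by ANCOUNT and ARCOUNT; compression pointers back into the question), here is a small DNS message builder and parser. This is an added example, not part of the original post and not a capture from it: the query and the MX response below are constructed for example.com with hypothetical mail hosts mx1/mx2.example.com on documentation addresses, and the function names are my own. The parser also shows the check a resolver or an IDS does before trusting a reply: the transaction ID and the echoed question of the response must match the query, and compression pointers may only point backwards.

```python
import struct

# Constructed sample data (not from the original post)
QNAME = "example.com"
TXID = 0x1A2B
EXCHANGES = [(10, "mx1.example.com", "192.0.2.10"),   # (preference, host, A record)
             (20, "mx2.example.com", "192.0.2.20")]

TYPE_A, TYPE_MX = 1, 15


def encode_name(name):
    """Wire format of a domain name: length-prefixed labels, terminated by 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, qname, qtype):
    # flags 0x0100: QR=0 (query), RD=1; QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_mx_response(txid, qname, exchanges):
    """Response echoing the question, one MX RR per exchange, plus an A RR for each in Additional."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1; ANCOUNT and ARCOUNT equal the number of RRs
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(exchanges), 0, len(exchanges))
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_MX, 1)
    for pref, host, _ in exchanges:             # Answer section
        rdata = struct.pack("!H", pref) + encode_name(host)
        # 0xC00C is a compression pointer to offset 12, i.e. the QNAME in the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, 1, 300, len(rdata)) + rdata
    for _, host, ip in exchanges:               # Additional section: name-to-IP of the MX hosts
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + rdata
    return msg


def read_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer >= offset:                       # only backward pointers: no loops
                raise ValueError("invalid compression pointer")
            if end is None:
                end = offset + 2                        # stream continues after the 2-byte pointer
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_message(msg):
    """Return (header dict, list of questions, dict of answer/authority/additional RR lists)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": txid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
              "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
              "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"qname": qname, "qtype": qtype, "qclass": qclass})
    sections = {}
    for name_, count in (("answers", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):                          # the count field says how many RRs follow
            owner, offset = read_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            raw = msg[offset:offset + rdlen]
            if rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in raw)
            elif rtype == TYPE_MX:                      # preference + exchange name (may be compressed)
                rdata = (struct.unpack("!H", raw[:2])[0], read_name(msg, offset + 2)[0])
            else:
                rdata = raw
            offset += rdlen
            rrs.append({"name": owner, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
        sections[name_] = rrs
    return header, questions, sections


def is_response_to(query, response):
    """Same transaction ID, query/response bits set correctly, and the question echoed unchanged."""
    hq, qq, _ = parse_message(query)
    hr, qr, _ = parse_message(response)
    return hq["id"] == hr["id"] and hq["qr"] == 0 and hr["qr"] == 1 and qq == qr


if __name__ == "__main__":
    q = build_query(TXID, QNAME, TYPE_MX)
    r = build_mx_response(TXID, QNAME, EXCHANGES)
    print(parse_message(q)[0], parse_message(r)[2]["answers"], is_response_to(q, r))
```

Parsing the query shows ANCOUNT = 0 and an empty Answer list; parsing the response shows ANCOUNT = 2 with exactly two MX RRs whose owner name resolves through the 0xC00C pointer to the question's QNAME, and ARCOUNT = 2 with the A records of the mail hosts in the Additional section. A reply whose ID or question differs from what was sent fails `is_response_to`, which is the minimal check before a cached answer is trusted.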