doc: update explanation of DNS output [skip ci]

jvns · jvns · commit c813bb12fe32 · 2026-03-12T17:29:27.000-04:00
Structure the output explanation into a bulleted list, to make it easier
for users to find the field they're interested in.

- Rename the section titles to "DNS Requests" and "DNS Responses"
  because it was hard for me to tell that "TCP and UDP Name Server" were
  meant to refer to DNS.
- Remove the "written in Greek" disclaimer and instead just make it more
  clear for folks who may not have read RFC 1035
- Use IP addresses instead of hostnames in the output examples, since
  that's the recommended way to use tcpdump

Query section:

- In "Other Anomalies", say that tcpdump will also print the hex value
  if "TC" is set in the query

Response section:

- Add a more complete description of how the flags are represented
  (including AA and AD, not just TC and RA). Verified by running some
  test DNS queries.
diff --git a/dns.md b/dns.md
@@ -0,0 +1,68 @@
+## DNS requests
+
+DNS requests are formatted as:
+ 
+>     src > dst: id op? flags qtype qclass name (len)
+
+For example, let's break down this line:
+
+>     192.0.2.1.1234 > 8.8.8.8.53: 492+ [1au] A? example.com. (36)
+
+The most commonly used fields here are:
+
+* **Source IP and port**: \`192.0.2.1.1234'
+* **Destination IP and port**: \`8.8.8.8.53'
+* **DNS query type**: \`A'. The query type is right before the \`?'
+* **Domain name** being looked up: \`example.com.'
+
+All the other fields, in the order they appear:
+
+* **Query ID**: \`492'
+* **Opcode**: The opcode was the normal one, *Query*, so it was omitted.
+  Any other opcode would have been printed between the \`492' and
+  the \`+', for example \`492 update+'
+* **Flags**: \`+' means the "recursion desired" flag was set
+* **Records in the query**: \`[1au]' means that the query contains 1 record in the "additional" section. In general:
+   * \`\[*n*a\]' means "*n* answer records"
+   * \`\[*n*n\]' means "*n* authority records"
+   * \`\[*n*au\]' means "*n* additional records"
+* **Class**: The query class was the normal one, *C_IN*, so it was omitted.
+  Any other query class would have been printed immediately after the \`A'
+* **Other anomalies**: If any of the response bits are set (AA, RA, TC or response code)
+  or any of the "must be zero" bits are set in bytes two and three,
+  \`\[b2&3=*x*\]' is printed, where *x* is the hex value of header bytes
+  two and three.
+* **Query length**: 36 bytes (excluding the TCP or UDP and IP protocol headers)
+
+## DNS Responses
+
+DNS responses are formatted as
+ 
+>     src > dst:  id op rcode flags a/n/au type class data (len)
+ 
+Here are 2 example responses we'll break down:
+
+>     #1: IP 8.8.8.8.53 > 192.0.2.1.1234: 492 2/0/1 A 104.18.27.120, A 104.18.26.120 (72)
+>     #2: IP 8.8.8.8.53 > 192.0.2.1.1234: 492 NXDomain 0/0/1 (46)
+
+The most commonly used fields here are:
+
+* **Source IP and port**: `192.0.2.1.1234`
+* **Destination IP and port**: `8.8.8.8.53`
+* **The records**: In example 1, the server replied with two A records: \`A 104.18.27.120' and \`A 104.18.26.120'
+* **DNS response code**: In example 2, the response code is "NXDomain", which means the domain wasn't found
+ 
+All the other fields, in the order they appear:
+
+* **Query ID**: 492  
+* **Opcode**: Same as for DNS requests above. Omitted here.
+* **Flags**: Flags are after the query ID and opcode (for example `492 update|`), and are encoded like this:
+  * RA: '-' if RA is missing ("Recursion Available")
+  * TC: '|' ("Truncated")
+  * AA: '*' ("Authoritative Answer")
+  * AD: '$' ("Authenticated Data")
+* **Question records**: If the \`question' section doesn't contain
+    exactly one entry, \`\[*n*q\]' is printed.
+* **Total number of records**: `2/0/1`: This means 2 _answer records_, 0 _authority records_, and 1 _additional record_ (from example 1)
+* **Class**: Same as for DNS requests above. Omitted here.
+* **Length**: Same as for DNS requests above.
diff --git a/tcpdump.1.in b/tcpdump.1.in
@@ -1750,90 +1750,213 @@ Some UDP services are recognized (from the source or destination
 port number) and the higher level protocol information printed.
 In particular, Domain Name service requests (RFC 1034/1035) and Sun
 RPC calls (RFC 1050) to NFS.
-.SS TCP or UDP Name Server Requests
+.SS
+DNS requests
 .LP
-\fI(N.B.:The following description assumes familiarity with
-the Domain Service protocol described in RFC 1035.
-If you are not familiar
-with the protocol, the following description will appear to be written
-in Greek.)\fP
+DNS requests are formatted as:
+.RS
 .LP
-Name server requests are formatted as
+.EX
+src > dst: id op? flags qtype qclass name (len)
+.EE
+.RE
+.PP
+For example, let\(cqs break down this line:
 .RS
-.nf
-.sp .5
-\fIsrc > dst: id op? flags qtype qclass name (len)\fP
-.sp .5
-\f(CWh2opolo.1538 > helios.domain: 3+ A? ucbvax.berkeley.edu. (37)\fR
-.sp .5
-.fi
+.LP
+.EX
+192.0.2.1.1234 > 8.8.8.8.53: 492+ [1au] A? example.com. (36)
+.EE
 .RE
-Host \fIh2opolo\fP asked the domain server on \fIhelios\fP for an
-address record (qtype=A) associated with the name \fIucbvax.berkeley.edu.\fP
-The query id was `3'.
-The `+' indicates the \fIrecursion desired\fP flag
-was set.
-The query length was 37 bytes, excluding the TCP or UDP and
-IP protocol headers.
-The query operation was the normal one, \fIQuery\fP,
-so the op field was omitted.
-If the op had been anything else, it would
-have been printed between the `3' and the `+'.
-Similarly, the qclass was the normal one,
-.BR C_IN ,
-and omitted.
-Any other qclass would have been printed
-immediately after the `A'.
-.LP
-A few anomalies are checked and may result in extra fields enclosed in
-square brackets:  If a query contains an answer, authority records or
-additional records section,
-.IR ancount ,
-.IR nscount ,
-or
-.I arcount
-are printed as `[\fIn\fPa]', `[\fIn\fPn]' or  `[\fIn\fPau]' where \fIn\fP
-is the appropriate count.
-If any of the response bits are set (AA, RA or rcode) or any of the
-`must be zero' bits are set in bytes two and three, `[b2&3=\fIx\fP]'
-is printed, where \fIx\fP is the hex value of header bytes two and three.
-.SS TCP or UDP Name Server Responses
-.LP
-Name server responses are formatted as
+.PP
+The most commonly used fields here are:
+.IP "\(bu" 3
+\fBSource IP and port\fR: \(ga192.0.2.1.1234\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBDestination IP and port\fR: \(ga8.8.8.8.53\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBDNS query type\fR: \(gaA\(cq. The query type is right before the \(ga?\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBDomain name\fR being looked up: \(gaexample.com.\(cq
+.LP
+All the other fields, in the order they appear:
+.IP "\(bu" 3
+\fBQuery ID\fR: \(ga492\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBOpcode\fR: The opcode was the normal one, \fIQuery\fR, so it was omitted.
+Any other opcode would have been printed between the \(ga492\(cq and
+the \(ga+\(cq, for example \(ga492 update+\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBFlags\fR: \f(CR+\fR means the \(lqrecursion desired\(rq flag was set
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBRecords in the query\fR: \(ga[1au]\(cq means that the query contains 1 record in the \(lqadditional\(rq section. In general:
 .RS
-.nf
-.sp .5
-\fIsrc > dst:  id op rcode flags a/n/au type class data (len)\fP
-.sp .5
-\f(CWhelios.domain > h2opolo.1538: 3 3/3/7 A 128.32.137.3 (273)
-helios.domain > h2opolo.1537: 2 NXDomain* 0/1/0 (97)\fR
-.sp .5
-.fi
+.IP "\(bu" 3
+\(ga[\fIn\fRa]\(cq means \(lq\fIn\fR answer records\(rq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\(ga[\fIn\fRn]\(cq means \(lq\fIn\fR authority records\(rq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\(ga[\fIn\fRau]\(cq means \(lq\fIn\fR additional records\(rq
 .RE
-In the first example, \fIhelios\fP responds to query id 3 from \fIh2opolo\fP
-with 3 answer records, 3 name server records and 7 additional records.
-The first answer record is type A (address) and its data is internet
-address 128.32.137.3.
-The total size of the response was 273 bytes,
-excluding TCP or UDP and IP headers.
-The op (Query) and response code
-(NoError) were omitted, as was the class
-.RB ( C_IN )
-of the A record.
-.LP
-In the second example, \fIhelios\fP responds to query 2 with a
-response code of nonexistent domain (NXDomain) with no answers,
-one name server and no authority records.
-The `*' indicates that
-the \fIauthoritative answer\fP bit was set.
-Since there were no
-answers, no type, class or data were printed.
-.LP
-Other flag characters that might appear are `\-' (recursion available,
-RA, \fInot\fP set) and `|' (truncated message, TC, set).
-If the
-`question' section doesn't contain exactly one entry, `[\fIn\fPq]'
-is printed.
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBClass\fR: The query class was the normal one, \fIC_IN\fR, so it was omitted.
+Any other query class would have been printed immediately after the \(gaA\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBOther anomalies\fR: If any of the response bits are set (AA, RA, TC or response code)
+or any of the \(lqmust be zero\(rq bits are set in bytes two and three,
+\(ga[b2&3=\fIx\fR]\(cq is printed, where \fIx\fR is the hex value of header bytes
+two and three.
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBQuery length\fR: 36 bytes (excluding the TCP or UDP and IP protocol headers)
+.SS
+DNS Responses
+.LP
+DNS responses are formatted as
+.RS
+.LP
+.EX
+src > dst:  id op rcode flags a/n/au type class data (len)
+.EE
+.RE
+.PP
+Here are 2 example responses we\(cqll break down:
+.RS
+.LP
+.EX
+#1: IP 8.8.8.8.53 > 192.0.2.1.1234: 492 2/0/1 A 104.18.27.120, A 104.18.26.120 (72)
+#2: IP 8.8.8.8.53 > 192.0.2.1.1234: 492 NXDomain 0/0/1 (46)
+.EE
+.RE
+.PP
+The most commonly used fields here are:
+.IP "\(bu" 3
+\fBSource IP and port\fR: \f(CR192.0.2.1.1234\fR
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBDestination IP and port\fR: \f(CR8.8.8.8.53\fR
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBThe records\fR: In example 1, the server replied with two A records: \(gaA 104.18.27.120\(cq and \(gaA 104.18.26.120\(cq
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBDNS response code\fR: In example 2, the response code is \(lqNXDomain\(rq, which means the domain wasn\(cqt found
+.LP
+All the other fields, in the order they appear:
+.IP "\(bu" 3
+\fBQuery ID\fR: 492
+.br
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBOpcode\fR: Same as for DNS requests above. Omitted here.
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBFlags\fR: Flags are after the query ID and opcode (for example \f(CR492 update|\fR), and are encoded like this:
+.RS
+.IP "\(bu" 3
+RA: \(oq-\(cq if RA is missing (\(lqRecursion Available\(rq)
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+TC: \(oq|\(cq (\(lqTruncated\(rq)
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+AA: \(oq*\(cq (\(lqAuthoritative Answer\(rq)
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+AD: \(oq$\(cq (\(lqAuthenticated Data\(rq)
+.RE
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBQuestion records\fR: If the \(gaquestion\(cq section doesn\(cqt contain
+exactly one entry, \(ga[\fIn\fRq]\(cq is printed.
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBTotal number of records\fR: \f(CR2/0/1\fR: This means 2 \fIanswer records\fR, 0 \fIauthority records\fR, and 1 \fIadditional record\fR (from example 1)
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBClass\fR: Same as for DNS requests above. Omitted here.
+.if n \
+.sp -1
+.if t \
+.sp -0.25v
+.IP "\(bu" 3
+\fBLength\fR: Same as for DNS requests above.
 .SS SMB/CIFS Decoding
 .LP
 \fItcpdump\fP now includes fairly extensive SMB/CIFS/NBT decoding for data
