A simple DNS message and response implementation. It only supports name queries.

Good information about DNS:
  rfc1035
  http://technet.microsoft.com/en-us/library/dd197470(v=ws.10).aspx
Several more can be found via Google.

What we need
========================================================

DNS header: 6 * 16 bit
  16 bit ID
  16 bit Flags
     1 bit request/response indicator (0 = request)
     4 bit operation code / which operation is to be done (0 = query)
     1 bit authoritative answer / obviously only used in responses
     1 bit truncation / indicates that the message was too large for a UDP datagram
     1 bit recursion desired / 1 to recurse the request (we normally want this)
     1 bit recursion available / obvious
     3 bit reserved / set to 000
     4 bit return code / 0 means successful, currently all other values are errors for us
  16 bit Question count
  16 bit Answer count
  16 bit Authority count
  16 bit Additional count

1 question resource record (variable length); ours looks like this:
  question name:          0x09 localhost 0x00
  16 bit question type:   0x0001 (for an A record question)
  16 bit question class:  0x0001 (represents the IN question class)

TYPE value and meaning
========================================================
(removed all obsolete and experimental codes)

  A       1   a host address
  NS      2   an authoritative name server
  CNAME   5   the canonical name for an alias
  SOA     6   marks the start of a zone of authority
  WKS    11   a well known service description
  PTR    12   a domain name pointer
  HINFO  13   host information
  MINFO  14   mailbox or mail list information
  MX     15   mail exchange
  TXT    16   text strings

QTYPE values
========================================================
QTYPE fields appear in the question part of a query. QTYPEs are a superset of TYPEs, hence all TYPEs are valid QTYPEs.
In addition, the following QTYPEs are defined:

  AXFR  252   A request for a transfer of an entire zone
  *     255   A request for all records

CLASS values
========================================================

  IN  1   the Internet
  CH  3   the CHAOS class
  HS  4   Hesiod [Dyer 87]

Our hardcoded request message
========================================================

434301000001000000000000096C6F63616C686F73740000010001

  4343                    ID
  0100                    flags
  0001                    one query
  0000 0000 0000          answer / authority / additional counts (all zero)
  096C6F63616C686F737400  query name (localhost)
  0001                    type
  0001                    class

The response
========================================================

OK, as I analyse the response I realize that my request was repeated back along with the answer. For now I assume this is the default behaviour of DNS. At least I can be sure that our DNS will always respond that way.

The last 4 bytes of the answer record represent the IP address. We can safely assume this, as currently we only query IPv4 A records. With these, this will always hold.

Our complete response was:

434381800001000100000000096c6f63616c686f73740000010001c00c000100010000000f00040a0100dc

  4343  ID
  8180  flags (no error)
  0001  one request
  0001  one response

We cut off the headers and the request (as it was our own... we do not care about it), leaving us with:

c00c000100010000000f00040a0100dc

  c00c      nref
  0001      type
  0001      class
  0000000f  TTL
  0004      resource data len
  0a0100dc  here starts our IP

nref is a reference to the queried name, following the DNS packet compression scheme:
  2 bits: compression indicator (11 when compression is active)
  rest:   offset to the name

In our case this means the offset is 0x0c (12). The offset is measured from the start of the message.
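The layout above, worked through in code: an added example (not part of the original notes) that builds the same hardcoded A/IN query and parses the captured response, including the c00c compression pointer. The message bytes are the ones shown on this page; the hop limit on pointer chasing is an added safeguard against looping pointers in malformed replies.

```python
import struct

# Message bytes copied from the notes above (constructed test input).
REQUEST_HEX = "434301000001000000000000096C6F63616C686F73740000010001"
RESPONSE_HEX = ("434381800001000100000000096c6f63616c686f73740000010001"
                "c00c000100010000000f00040a0100dc")

def build_query(ident, name):
    """Recursion-desired query for an A record in class IN (the page's request layout)."""
    header = struct.pack(">HHHHHH", ident, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def read_name(msg, off, max_hops=16):
    """Read a possibly compressed name; return (name, offset just after it in the record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # top two bits 11: compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                  # the pointer itself is 2 bytes long
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF  # 14-bit offset
            continue
        off += 1
        if length == 0:                        # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return header fields and (name, ttl, ip) for every A/IN answer record."""
    ident, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record: RDATA is the IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": ident, "qr": flags >> 15, "rcode": flags & 0xF, "answers": answers}
```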