DNS

4.8 Interpret the fields in protocol headers as related to intrusion analysis

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


DNS Header Fields – CyberOps Exam Guide

The Domain Name System (DNS) is like the phonebook of the internet. It translates human-readable names (like example.com) into IP addresses (like 192.0.2.1) that computers use to communicate. When analyzing network traffic for security purposes, understanding DNS headers helps detect suspicious activity, such as malware communicating with command-and-control servers or DNS tunneling.

DNS uses UDP port 53 for most queries and responses, and falls back to TCP (also port 53) when a response is too large for UDP. Each DNS message begins with a header that provides metadata about the query or response.


1. Structure of a DNS Message

A DNS message is divided into five sections:

  1. Header – Main metadata for the query or response
  2. Question – The domain name being queried
  3. Answer – The IP address or record returned
  4. Authority – Who is authoritative for the domain
  5. Additional – Extra helpful information

For intrusion analysis, the header is the most important because it tells you what type of DNS message it is and flags unusual activity.


2. DNS Header Fields

A DNS header is 12 bytes (96 bits) long and contains the following fields:

Each entry gives the field, its size, what it means, and its relevance to intrusion analysis:

  • ID (16 bits) – Unique identifier used to match queries with responses. Relevance: helps analysts pair a DNS query with its reply; multiple responses carrying the same ID could indicate spoofing or replay attacks.
  • QR, Query/Response (1 bit) – 0 = query, 1 = response. Relevance: a response with no corresponding query could indicate suspicious activity or a reflection attack.
  • Opcode (4 bits) – Type of DNS operation (0 = standard query, 1 = inverse query, 2 = server status request). Relevance: most DNS queries are standard (0); unusual opcodes may indicate reconnaissance or exploitation attempts.
  • AA, Authoritative Answer (1 bit) – 1 if the responding server is authoritative for the domain. Relevance: helps verify the legitimacy of responses; a non-authoritative server giving answers could indicate DNS spoofing.
  • TC, Truncated (1 bit) – 1 if the message was too long for UDP and TCP should be used. Relevance: truncated responses are normal for large DNSSEC responses or zone transfers, but repeated truncation may indicate scanning or tunneling attempts.
  • RD, Recursion Desired (1 bit) – Set by the client to request recursive resolution. Relevance: normal in most client queries; if external hosts send RD=1 repeatedly, they may be probing your resolver.
  • RA, Recursion Available (1 bit) – Set by the server if it can perform recursion. Relevance: important for detecting misconfigured or malicious open resolvers.
  • Z, Reserved (3 bits) – Must be 0. Relevance: reserved; unusual values could indicate tampering.
  • RCODE, Response Code (4 bits) – Status of the response (0 = no error, 3 = NXDOMAIN, 5 = REFUSED, etc.). Relevance: analysts look for repeated NXDOMAIN or REFUSED codes, as these may indicate tunneling, phishing, or misconfiguration.
  • QDCOUNT (16 bits) – Number of questions in the message. Relevance: usually 1; multiple questions in one query may be used in attacks or data exfiltration.
  • ANCOUNT (16 bits) – Number of answer records. Relevance: helps validate responses; more answers than expected may indicate malicious responses.
  • NSCOUNT (16 bits) – Number of authority records. Relevance: unusual counts may indicate DNS poisoning attempts.
  • ARCOUNT (16 bits) – Number of additional records. Relevance: extra records may carry hidden data or indicate reconnaissance.

3. Key Flags for Intrusion Analysis

  • QR – Distinguish queries from responses. A response arriving without a query may be part of a spoofing or reflection attack.
  • AA – Helps verify if the DNS server is legitimate.
  • TC – Watch for truncation anomalies; attackers may exploit large UDP DNS packets.
  • RD/RA – Open recursive resolvers can be abused by attackers.
  • RCODE – Repeated errors (NXDOMAIN, REFUSED, SERVFAIL) may indicate malicious activity.

4. Common DNS Attacks Detected via Header Analysis

  1. DNS Tunneling – Encodes data in DNS queries.
    • Look for unusually long domain names or high QDCOUNT values.
  2. DNS Amplification / Reflection – Attackers send queries with spoofed source IP.
    • Observe a flood of responses (QR=1) with no matching queries (ID mismatch).
  3. DNS Spoofing / Cache Poisoning – Fake responses sent to corrupt DNS cache.
    • Check AA, RCODE, and mismatched IDs.
  4. Open Resolver Abuse – External attackers use your DNS server to perform amplification attacks.
    • RA flag set, but queries coming from unknown sources.
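The following script is an added example, not part of the original guide or of any Cisco material. It decodes the 12-byte header described in section 2 and then applies four of the header-level checks listed in sections 3 and 4 (unsolicited responses by transaction ID, multiple questions per query, nonzero reserved bits, and a burst of NXDOMAIN replies) to a constructed sample capture. The rule names, the three-response NXDOMAIN threshold, and the sample traffic are all assumptions made for the example; only the field layout and bit positions come from RFC 1035.

```python
"""Parse DNS headers and apply header-based intrusion heuristics.
Added example: the sample capture below is constructed, not real traffic."""
import struct
from collections import Counter

# RCODE values named in the guide
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
NXDOMAIN_THRESHOLD = 3  # assumed alert threshold for this example


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1) into named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        # Reserved in RFC 1035; note that DNSSEC (RFC 4035) later assigned
        # two of these bits as AD and CD, so DNSSEC-aware traffic may set them.
        "z": (flags >> 4) & 0x7,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_header(ident, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, z=0,
                 rcode=0, qdcount=1, ancount=0, nscount=0, arcount=0) -> bytes:
    """Encode header fields into 12 bytes (used here to construct samples)."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) |
             (rd << 8) | (ra << 7) | (z << 4) | rcode)
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)


def analyze(messages):
    """Walk messages in capture order and return a list of (rule, value) findings."""
    findings = []
    outstanding = Counter()   # transaction ID -> queries still awaiting a reply
    nxdomain_responses = 0
    for raw in messages:
        h = parse_header(raw)
        if h["z"] != 0:
            findings.append(("reserved-z-bits", h["id"]))
        if h["opcode"] != 0:
            findings.append(("non-standard-opcode", h["id"]))
        if h["qr"] == 0:
            if h["qdcount"] != 1:
                findings.append(("multiple-questions", h["id"]))
            outstanding[h["id"]] += 1
        else:
            # A response whose ID matches no outstanding query is unsolicited:
            # the pattern the guide associates with reflection or spoofing.
            if outstanding[h["id"]] == 0:
                findings.append(("unsolicited-response", h["id"]))
            else:
                outstanding[h["id"]] -= 1
            if h["rcode"] == RCODE_NXDOMAIN:
                nxdomain_responses += 1
    if nxdomain_responses >= NXDOMAIN_THRESHOLD:
        findings.append(("nxdomain-burst", nxdomain_responses))
    return findings


# Constructed sample capture: headers only, question/answer sections omitted.
SAMPLE = [
    build_header(0x1A2B),                                # normal recursive query
    build_header(0x1A2B, qr=1, aa=1, ra=1, ancount=1),   # its matching answer
    build_header(0x9999, qr=1, ra=1, ancount=1),         # reply nobody asked for
    build_header(0x0003, qdcount=2),                     # two questions in one query
    build_header(0x0044, z=5),                           # reserved bits set
]
# three queries for names that do not exist, each answered NXDOMAIN
for i in range(3):
    SAMPLE.append(build_header(0x0100 + i))
    SAMPLE.append(build_header(0x0100 + i, qr=1, ra=1, rcode=RCODE_NXDOMAIN))

if __name__ == "__main__":
    for rule, value in analyze(SAMPLE):
        print(f"{rule}: {value}")
```

Running the script prints four findings for the constructed capture: the unsolicited response with ID 0x9999, the query with two questions, the query with nonzero reserved bits, and the NXDOMAIN burst. Matching by transaction ID alone is deliberately simple; a production detector would also key on source and destination addresses and ports, since IDs are only 16 bits and repeat quickly on a busy resolver.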

5. Summary – Why DNS Header Analysis Matters

  • Identify malicious queries: Unusual opcodes, multiple questions, or odd recursion flags.
  • Detect spoofing: Mismatched IDs or unexpected QR responses.
  • Prevent data exfiltration: Long domains, repeated NXDOMAIN responses, or unusual additional records.
  • Validate server behavior: AA and RA flags ensure responses come from legitimate sources.

By focusing on these fields, a CyberOps analyst can detect suspicious patterns in DNS traffic and respond before attacks escalate.
