Understanding the DNS Header

The Tiny Packet That Runs the Internet

Author

Mohinish S
October 29, 2025

The Domain Name System (DNS) is often called the “phonebook of the internet,” translating human-readable domain names like serverless.fyi into IP addresses that computers can understand. While most users interact with DNS through their browsers, the real magic happens in the DNS header, a compact 12-byte structure that drives every query and response.

Why the DNS Header Matters

Every time you open a website, your device sends a DNS query to a server. The DNS header contains the information needed to route the query, track the response, and apply special rules for caching, recursion, or security. Understanding it can be a game-changer for network engineers, penetration testers, and developers working with networking protocols.

Anatomy of a DNS Header

A DNS header is exactly 12 bytes, divided into six key fields: 

+---------------------+---------------------+
|        ID (16)      |   Flags (16)        |
+---------------------+---------------------+
|      QDCOUNT (16)   |      ANCOUNT (16)   |
+---------------------+---------------------+
|      NSCOUNT (16)   |      ARCOUNT (16)   |
+---------------------+---------------------+

Breakdown:

  • ID (16 bits): Unique identifier for the query, used to match requests and responses.

  • Flags (16 bits): Bit-level flags controlling query/response type, recursion, and error codes.

  • QDCOUNT (16 bits): Number of questions in the query section.

  • ANCOUNT (16 bits): Number of answer records.

  • NSCOUNT (16 bits): Number of authority records.

  • ARCOUNT (16 bits): Number of additional records.

A Closer Look at Flags

The Flags field is packed with bit-level details that affect DNS behavior: 

QR | Opcode | AA | TC | RD | RA | Z | RCODE

  • QR (1 bit): Query (0) or Response (1)

  • Opcode (4 bits): Type of query (standard, inverse, status)

  • AA (1 bit): Authoritative Answer

  • TC (1 bit): Truncated message

  • RD (1 bit): Recursion Desired

  • RA (1 bit): Recursion Available

  • Z (3 bits): Reserved

  • RCODE (4 bits): Response code (NoError, NXDomain, etc.)

Pro Tip: You can manipulate RD and RA flags when testing DNS resolvers to see how recursion affects response times and caching.

Hands-On: Inspecting DNS Headers

Here’s a sample packet dump from a dig command: 

dig @8.8.8.8 serverless.fyi +norecurse +tcp
;; HEADER SECTION:
;; opcode: QUERY, status: NOERROR, id: 0x1a2b
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

  • id: 0x1a2b → matches request and response

  • flags: qr rd → response, recursion desired

  • Counts: QD=1, AN=1

For network engineers, this is a simple way to verify resolver behavior and test DNS configurations.

Tricks and Tips with DNS Headers

  1. Custom Queries: Modify the ID and flags to test how servers handle out-of-order or spoofed requests.

  2. Load Testing: Adjust QDCOUNT to batch multiple questions in one query to simulate high DNS load.

  3. Security Analysis: Inspect the AA, TC, and RCODE bits to detect misconfigured authoritative servers.

  4. Packet Crafting: Tools like scapy let you build raw DNS packets and control every header bit: 

from scapy.all import *
dns_query = IP(dst="8.8.8.8")/UDP()/DNS(id=0x1234, rd=1, qd=DNSQR(qname="serverless.fyi"))
send(dns_query)

Conclusion: Small Header, Big Impact

The DNS header may only be 12 bytes, but it carries critical instructions that govern the behavior of the most important internet service. From troubleshooting latency issues to testing server security, understanding each field opens a world of possibilities. Whether you are a developer, engineer, or cybersecurity enthusiast, mastering DNS headers gives you deeper insight into the hidden mechanics of the internet.

Next time you open a website, remember: a tiny header is working behind the scenes to make it all possible.