How does DNS Query differ from DNS Response in Wireshark?
Same packet structure with a flag flipped — Query has QR=0 ("question"), Response has QR=1 ("answer"). The Response also fills in the Answer section.
* DNS query/response: same structure, QR flag flipped, matched by Transaction ID. *
The DNS message structure (same for both):
+----------+
| Header | Flags (QR=0/1, opcode, rcode), counts
+----------+
| Question | Domain being asked about
+----------+
| Answer | Resolved records (filled only in Response)
+----------+
| Authority| Authoritative name servers
+----------+
| Additional| Extra useful records
+----------+
Query example:
Header: QR=0 (query), Questions=1, Answers=0
Question: www.google.com, Type=A, Class=IN
Answer: (empty)
Response example:
Header: QR=1 (response), Questions=1, Answers=1
Question: www.google.com, Type=A, Class=IN (echoed)
Answer: www.google.com, Type=A, TTL=300, Address=142.250.179.196
Why echo the Question in the Response:
DNS uses UDP (no connection state) → the response must self-identify what it's responding to. The 16-bit Transaction ID + the echoed Question lets the client match replies to outstanding queries.
Common Response Codes (rcode):
| Code | Name | Meaning |
|---|---|---|
| 0 | NOERROR | Success |
| 1 | FORMERR | Malformed query |
| 2 | SERVFAIL | Server failure (couldn't resolve) |
| 3 | NXDOMAIN | Domain doesn't exist |
| 5 | REFUSED | Server refused (e.g., not authoritative) |
Spoofing risk:
Since UDP is connectionless and the response just needs to match the query ID + question, attackers can race to inject forged responses. DNS cache poisoning abuses this — Kaminsky's 2008 attack used it to take over millions of domains. Mitigations: source-port randomization, DNSSEC, DNS-over-HTTPS.
Tip: Filter dns.flags.response == 0 for queries only, dns.flags.response == 1 for responses only — useful when separating the two streams in busy captures.
Go deeper:
Domain Name System (Wikipedia) — the message format, QR flag, and the echoed Question/Answer sections.
Dan Kaminsky (Wikipedia) — the 2008 cache-poisoning flaw the spoofing note refers to, and its source-port fix.