
DNS response answer & authoritative section


I have been looking at DNS response packets in Wireshark, and am not able to understand hex coding for the answer and authoritative sections.

Consider a DNS query for: mail.abcd.com

The answer section contains a name field, and the hex coding for this varies between:

 0xc00c
 0xc012

Both of them lead to the entire name being populated in the field.

The authoritative section also contains the name field, but the hex coding for this is usually:

 0xc010

This leads to abcd.com being populated in the field.

Can anyone tell me what convention is followed to populate these fields, as it's pretty confusing.

Thanks


Solution

  • DNS labels use a format of <length><data ...>.

    A label may be a maximum of 63 bytes long, hence the <length> field has two bits left over. These are used to encode a label type.

    If the top two bits are 0b11 then the remaining six bits are instead combined with the following byte to form a compression pointer, which is an offset within the DNS payload to a prior instance of another label.

    Since the DNS protocol header is 12 bytes long, the shortest legal offset is 12 bytes, giving the value you saw above of 0xc00c.

    [technically, one might construct a compression pointer that points into the header, but it's not strictly conformant with the protocol].

    I would strongly recommend against trying to reverse engineer the specification from wire packets - you will inevitably miss stuff. Just read RFC 1035 instead - all of the core stuff is in there.
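As an added example that is not part of the original question or answer, the following Python decodes the compressed names in a constructed DNS response for mail.abcd.com: the answer's owner name is the pointer 0xc00c (offset 12, the question name), and because the first label "mail" is four bytes the pointer to abcd.com in this packet is 0xc011 (offset 17). The decoder also rejects pointers into the header or to a non-prior offset, which any parser must do so a malformed packet cannot make it loop.

```python
import struct

def decode_name(payload: bytes, offset: int) -> tuple[str, int]:
    """Decode an RFC 1035 name; return (dotted name, offset just past it on the wire)."""
    labels, pos, end = [], offset, None
    while True:
        length = payload[pos]
        if length & 0xC0 == 0xC0:  # top two bits 11: 14-bit compression pointer
            target = struct.unpack_from("!H", payload, pos)[0] & 0x3FFF
            end = pos + 2 if end is None else end  # a pointer ends the name on the wire
            # A pointer must refer to a prior name. The 12-byte header holds none, and
            # self or forward references are malformed and would otherwise loop forever.
            if target < 12 or target >= pos:
                raise ValueError(f"bad compression pointer at offset {pos}")
            pos = target
            continue
        pos += 1
        if length == 0:  # root label terminates the name
            break
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), end if end is not None else pos

# Constructed response (not a real capture): "mail.abcd.com A?", one A answer, one NS
# authority record. The question name starts at offset 12, so "abcd.com" is at 17 (0xc011).
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)          # header: offsets 0-11
    + b"\x04mail\x04abcd\x03com\x00" + struct.pack("!HH", 1, 1)  # question: A, IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\xc0\x11" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x11"
)

def parse_response(payload: bytes) -> dict:
    """Per section, (first two name bytes as hex, owner, rdata); NS rdata is decoded as a name, other rdata is hex."""
    _, _, qd, an, ns, _ = struct.unpack_from("!HHHHHH", payload, 0)
    pos, out = 12, {"answer": [], "authority": []}
    for _ in range(qd):  # skip each question name plus qtype/qclass
        pos = decode_name(payload, pos)[1] + 4
    for section, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            ptr_hex = payload[pos:pos + 2].hex()
            name, pos = decode_name(payload, pos)
            rtype, _, _, rdlen = struct.unpack_from("!HHIH", payload, pos)
            pos += 10  # type, class, ttl, rdlength
            rdata = decode_name(payload, pos)[0] if rtype == 2 else payload[pos:pos + rdlen].hex()
            pos += rdlen
            out[section].append((ptr_hex, name, rdata))
    return out
```

Running `parse_response(RESPONSE)` shows the answer owner as ("c00c", "mail.abcd.com", ...) and the authority owner as ("c011", "abcd.com", "ns1.abcd.com"), the NS rdata itself ending in a pointer back to offset 17.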