Comments on: Mapping the DNSRecord attribute http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/ Tue, 10 Aug 2010 14:29:39 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: John Cardenas http://www.indented.co.uk/index.php/2009/06/18/mapping-the-dnsrecord-attribute/comment-page-1/#comment-48 John Cardenas Mon, 04 Jan 2010 16:41:31 +0000 http://www.highorbit.co.uk/?p=1097#comment-48 I was doing the same thing late summer. I was writing a comprehensive DNS Health check web portal and needed to get to the Dynamic vs. Static for records of AD-Integrated DNS zones. I was doing this from Linux machine using ldapsearch with -t flag to capture the dnsnode BLOBs. I used Linux od (octal dump) to index into all the various integer data types, which made my effort trivial. The only non-trivial part is the revese-engineering process. Why doesn't Microsoft just publish this? Anyway, when I first started out, I captured field names from LDP.exe queries, assuming that whoever wrote it understands the real BLOB structure. Maybe these field names will help or confuse matters more? I believe your unknown_1 is actully 3 fields, the last of which is a little-endian storing bit-level flags of various meanings. Since it was reverse-engineered with minimal data, I also do not guarantee any of this to be correct! :) Reverse Engineer of dnsRecord attribute BLOB - a work in progress [code] Bytes Field Data Type Meaning ----- ----- --------- ------- 1-2 wDataLength 16-bit int declares RR variable length 3-4 wType 16-bit int DNS RR Type (Standard) 5 Version 8-bit int ?, values seen = 5 6 Rank 8-bit int ?, values seen = 240 7-8 wFlags 16 bits presumably various bit flags? 9-12 dwSerial 32-bit int ? you show this as zone serial number upon update 13-16 dwTtlSeconds 32-bit int 17-20 dwTimeout 32-bit int ? Zone-level TTL? 21-24 dwStartRefreshHr 32-bit int record timestamp 0 for STATIC! 25 RRval_len 8-bit uint byte length of RR string value 26 wNumLabels 8-bit uint Number of DNS RR labels 27 label_len1 8-bit uint size of first label 28 - X label_chars_lens 8-bit uints rest of labelsizes and labels [/code] I was doing the same thing late summer. I was writing a comprehensive DNS Health check web portal and needed to get to the Dynamic vs. Static for records of AD-Integrated DNS zones. I was doing this from Linux machine using ldapsearch with -t flag to capture the dnsnode BLOBs. I used Linux od (octal dump) to index into all the various integer data types, which made my effort trivial. The only non-trivial part is the revese-engineering process. Why doesn’t Microsoft just publish this? Anyway, when I first started out, I captured field names from LDP.exe queries, assuming that whoever wrote it understands the real BLOB structure. Maybe these field names will help or confuse matters more? I believe your unknown_1 is actully 3 fields, the last of which is a little-endian storing bit-level flags of various meanings. Since it was reverse-engineered with minimal data, I also do not guarantee any of this to be correct! :)

Reverse Engineer of dnsRecord attribute BLOB – a work in progress

Bytes  Field            Data Type  Meaning
-----  -----            ---------  -------
1-2    wDataLength      16-bit int  declares RR variable length
3-4    wType            16-bit int  DNS RR Type (Standard)
5      Version          8-bit int   ?, values seen = 5
6      Rank             8-bit int   ?, values seen = 240
7-8    wFlags           16 bits     presumably various bit flags?
9-12   dwSerial         32-bit int  ? you show this as zone serial number upon update
13-16  dwTtlSeconds     32-bit int
17-20  dwTimeout        32-bit int  ? Zone-level TTL?
21-24  dwStartRefreshHr 32-bit int  record timestamp 0 for STATIC!
25     RRval_len        8-bit uint  byte length of RR string value
26     wNumLabels       8-bit uint  Number of DNS RR labels
27     label_len1       8-bit uint  size of first label
28 - X label_chars_lens 8-bit uints rest of labelsizes and labels
]]>