What Do the Numbers In Parentheses Mean In My Windows DNS Debug Log?

This is one of those little things that I was always curious about but never asked.

On a Windows DNS Server, you can enable DNS Debug Logging and watch the packets fly by.

A line from that log might look like this:

6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv 10.161.60.71    5b47   Q [0001   D   NOERROR] A      (12)somecomputer(6)domain(3)com(0)

The part that I'm interested in is the actual queried name at the end:

(12)somecomputer(6)domain(3)com(0)

What do those numbers that have replaced the periods mean?


Your obfuscation confused the issue a bit, but your top level domain is definitely not com or else it would have been (3)com.

In a DNS query, the name you are requesting (QNAME) is represented in "Pascal" style string format: a byte representing the length of the string followed by that many characters. Each level of the name is sent as a separate string without the . character, with an empty string (length 0) sent at the end, so a query for the address of twelveletter.domain.com. would be (12)twelveletter(6)domain(3)com(0).

From 4.1.2 of the RFC:

QNAME          a domain name represented as a sequence of labels, where
               each label consists of a length octet followed by that
               number of octets.  The domain name terminates with the
               zero length octet for the null label of the root.  Note
               that this field may be an odd number of octets; no
               padding is used.
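
The encoding described above, as an added example that is not part of the original question or answer: it builds the wire-format QNAME, renders it in the debug log's (len)label notation, and turns a logged name back into a dotted FQDN while checking that every count matches its label. The function names are illustrative, and the code assumes ASCII labels and no name compression.

```python
import re

MAX_LABEL = 63  # RFC 1035: a label is at most 63 octets
# Log line from the question above; the queried name is the last field.
SAMPLE_LINE = ("6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv "
               "10.161.60.71    5b47   Q [0001   D   NOERROR] A      "
               "(12)somecomputer(6)domain(3)com(0)")
TOKEN = re.compile(r"\((\d+)\)([^()]*)")

def encode_qname(name: str) -> bytes:
    """Dotted name -> wire-format QNAME: length octet + label, ending in 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label terminates the name
    return bytes(out)

def wire_to_debug(wire: bytes) -> str:
    """Wire-format QNAME -> the (len)label notation shown in the debug log."""
    parts, i = [], 0
    while i < len(wire):
        n = wire[i]
        if n > MAX_LABEL:
            raise ValueError("compression pointer or invalid length octet")
        parts.append(f"({n})")
        if n == 0:
            return "".join(parts)
        label = wire[i + 1:i + 1 + n]
        if len(label) != n:
            raise ValueError("truncated name")
        parts.append(label.decode("ascii"))
        i += 1 + n
    raise ValueError("name not terminated by a zero length octet")

def debug_to_fqdn(text: str) -> str:
    """(len)label notation -> dotted FQDN; each count must match its label."""
    if not text.endswith("(0)"):
        raise ValueError("missing (0) root label")
    body, labels, pos = text[:-3], [], 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m or not m.group(2) or int(m.group(1)) != len(m.group(2)):
            raise ValueError(f"malformed name at offset {pos}")
        labels.append(m.group(2))
        pos = m.end()
    return ".".join(labels) + "."
```

A count that does not match its label raises ValueError, which is a useful signal when parsing these logs in bulk that a line was truncated or that a label contains characters the log rendered differently.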