This is mind, the only data structure I can use for the decompressed DNS packet is a binary string.
So, the real question is: What kind of things do we want to do with a deep packet inspection of the DNS packet. Well, there's:
- TTL aging
- RR rotation
- Converting a NS referral packet in to one where we say "The NS servers for names ending in whatever consist of the following IPs, the following IPv6 IPs, and the following names which we still need to look up"
- Converting an incomplete CNAME referral packet in to one where we say "This is a dangling CNAME answer that points to this name"
- If the A record points to a given IP, we may want to make this a "not there" packet (working around ISPs with NXDOMAIN redirects)
- If we get a "not found", we may want to make this an A or AAAA answer (so we can be an ISP with a NXDOMAIN redirect)
- Finding the TTL of the packet (already done)
OK, so the next thought for the next blog entry: What kind of metadeta do we put in the DNS record as we're decompressing it?