
Lab 9: DNS Exercise


Objective

To experiment with interpreting DNS packets and performing DNS lookups.



Part 1: TShark

As discussed, DNS runs on port 53 and normally sends its packets over UDP. For that reason, we can look at DNS traffic with the following TShark capture filter:

$ tshark -f "port 53"

If we run this command in one window, and then download a web page in a second terminal window, we will see any DNS traffic that the download causes.

Do this by requesting this lab page:

$ wget http://ianfinlayson.net/class/cpsc414/labs/09-dns

You should see some DNS packets being sent. There will actually be two requests and two responses (one for IPv4 and one for IPv6).

Questions:

  1. What is the IP address of my website?
  2. What is the name of the DNS server used by my website?
  3. What identification numbers are used for the two query/response exchanges? These are hex numbers, and the number should be the same for the query and the response within each pair.
  4. How much time did the DNS lookup take?
  5. Do the same wget command a few more times about a second apart. Is there DNS traffic for every HTTP request, or just some?

Next we will try looking at the actual contents of these DNS packets. Recall that we can do that by passing -x to tshark, which adds a hex and ASCII dump of each packet:

$ tshark -f "port 53" -x

Try this and, in another window, request a page with HTTPS:

$ wget https://en.wikipedia.org/wiki/Messier_87

Questions:

  1. Is there any readable text inside of the DNS packets? Explain the significance of this.
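To see what is inside the hex dump that tshark -x prints, here is a small Python decoder for DNS messages. This is an added example for the lab, not part of the lab's own material; the two packets it decodes are constructed by hand (a query for example.com and a response carrying one A and one AAAA record with documentation addresses), so real captures will differ in ID, names and addresses. It reads the header (where the identification number and the flags live), the question, and the answer records, following compression pointers where the response reuses the name from the question.

```python
"""Decode the DNS query/response bytes that `tshark -f "port 53" -x` prints.

Added example for this lab (not the lab's own material). The two packets
below are constructed by hand: a query for example.com and a response
carrying one A and one AAAA record with documentation addresses.
"""
import ipaddress
import struct

# Record type numbers from RFC 1035 (RFC 3596 for AAAA).
TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

# Constructed query: transaction ID 0x1a2b, RD flag set, one question.
QUERY = bytes.fromhex(
    "1a2b 0100 0001 0000 0000 0000"   # header: id, flags, qd, an, ns, ar
    "07 6578616d706c65 03 636f6d 00"  # labels: 7 "example", 3 "com", root
    "0001 0001"                        # QTYPE=A, QCLASS=IN
)

# Constructed response: same ID, flags QR|RD|RA, two answers that use a
# compression pointer (c0 0c) back to the name at offset 12.
RESPONSE = bytes.fromhex(
    "1a2b 8180 0001 0002 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 c0000201"                          # A 192.0.2.1, TTL 3600
    "c00c 001c 0001 00000e10 0010 20010db8000000000000000000000001"  # AAAA 2001:db8::1
)


def read_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 11xxxxxx + 8 bits
            if end is None:                       # stream resumes after 1st pointer
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                         # malformed packets can loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                           # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_message(msg):
    """Return header fields plus the question and resource record sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "is_response": bool(flags & 0x8000),
           "authoritative": bool(flags & 0x0400), "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPES.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == 1:
                value = str(ipaddress.IPv4Address(rdata))
            elif rtype == 28:
                value = str(ipaddress.IPv6Address(rdata))
            elif rtype in (2, 5):                  # NS / CNAME: a name
                value, _ = read_name(msg, off)
            elif rtype == 15:                      # MX: preference + name
                value = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, off + 2)[0]}"
            else:
                value = rdata.hex()
            off += rdlen
            out[section].append((name, TYPES.get(rtype, rtype), ttl, value))
    return out


def matches(query, response):
    """A response belongs to a query when the IDs and questions agree."""
    q, r = parse_message(query), parse_message(response)
    return (not q["is_response"] and r["is_response"] and q["id"] == r["id"]
            and q["questions"] == r["questions"])


if __name__ == "__main__":
    for label, pkt in (("query", QUERY), ("response", RESPONSE)):
        print(label, parse_message(pkt))
    print("IDs match:", matches(QUERY, RESPONSE))
```

The names in the question and answer sections are plain ASCII labels, which is why they show up readable in the tshark dump; nothing in a classic DNS message is encrypted, so anyone on the path sees which hostnames were looked up even when the web request itself uses HTTPS.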


Part 2: DNS Lookups

If we want to find the IP address of a hostname ourselves, there is a more direct way than watching the traffic with TShark: the "nslookup" command.

The simplest way to call nslookup is to pass the domain you want to look up, then it gives us back some information:

$ nslookup ianfinlayson.net
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	ianfinlayson.net
Address: 35.207.63.9

Here we asked it to do a DNS lookup of my web site. The Server and Address lines refer to the address of the DNS server used. 127.0.0.53 is the local stub resolver built into Linux itself (systemd-resolved on most current distributions), which forwards queries to the upstream DNS server and caches the results. Then it gives us the information back. The answer is marked non-authoritative because it comes from that local caching server only, not from the name server responsible for the domain.

We can also query a specific DNS server instead of the built-in one. This is done by putting a "-" (hyphen) after the name and then the address of the DNS server we want to query. For example, we can query Google's publicly available DNS server at 8.8.8.8:

$ nslookup wikipedia.org - 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	wikipedia.org
Address: 208.80.154.224
Name:	wikipedia.org
Address: 2620:0:861:ed1a::1

Notice that Wikipedia (unlike my site) also has an IPv6 address.

We get the same information back, but from a different source now.

We can specify what sort of records we want with the "-type=" option (or "set type=" inside an interactive nslookup session). This can be useful for finding mail servers:

$ nslookup -type=MX gmail.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
gmail.com	mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com	mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.

$ nslookup -type=A gmail.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	gmail.com
Address: 74.125.141.18
Name:	gmail.com
Address: 74.125.141.83
Name:	gmail.com
Address: 74.125.141.17
Name:	gmail.com
Address: 74.125.141.19

Notice that we get different addresses for gmail.com based on whether we are looking for the MX records or A records.

Another type of record we can look for is an "NS" record which indicates that we want the authoritative name server for a domain.

Here we ask for the authoritative name server for UMW:

$ nslookup -type=NS umw.edu
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
umw.edu	nameserver = ns0.dnsmadeeasy.com.
umw.edu	nameserver = ns1.dnsmadeeasy.com.
umw.edu	nameserver = ns4.dnsmadeeasy.com.
umw.edu	nameserver = ns3.dnsmadeeasy.com.
umw.edu	nameserver = ns2.dnsmadeeasy.com.

We can then use one of these name servers to get the authoritative address:

$ nslookup umw.edu - ns0.dnsmadeeasy.com
Server:		ns0.dnsmadeeasy.com
Address:	208.94.148.2#53

Name:	umw.edu
Address: 52.34.33.62
Name:	umw.edu
Address: 34.210.255.160
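The nslookup calls in this part all send the same kind of packet: a header with the recursion-desired flag set and one question whose QTYPE is A, MX or NS. As an added example (not the lab's own material), the Python below builds those queries, sends one to a server of your choice over UDP port 53 the way "nslookup name - server" does, and decodes just the reply header. The names build_query, header_summary and lookup are this example's own, and the sample reply header is constructed, not captured. The AA (authoritative answer) bit in that header is what decides whether nslookup prints "Non-authoritative answer": it is clear when a caching resolver answers and set when you ask one of the domain's own name servers, as in the ns0.dnsmadeeasy.com query above.

```python
"""Build the queries nslookup sends and, optionally, send one to a chosen server.

Added example for this lab (not the lab's own material). build_query,
header_summary and lookup are this example's own names; the sample reply
header below is constructed, not captured.
"""
import secrets
import socket
import struct

# nslookup -type=X selects the QTYPE number; these are the RFC 1035/3596 values.
QTYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}


def encode_name(name):
    """'umw.edu' -> 03 'umw' 03 'edu' 00 (length-prefixed labels, root last)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """12-byte header with RD (recursion desired) set, then one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def header_summary(msg):
    """Decode the 12-byte header. AA clear is what nslookup shows as
    'Non-authoritative answer'; AA set means the server owns the zone."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "authoritative": bool(flags & 0x0400), "rcode": flags & 0xF,
            "answer_count": an}


def lookup(name, qtype="A", server="8.8.8.8", timeout=3.0):
    """Equivalent of `nslookup -type=QTYPE name - server` over UDP/53.
    Returns (raw response bytes, header summary). Needs network access."""
    # A random ID: a predictable one would let any host that guesses it
    # answer before the real server does, and we would accept that reply.
    txid = secrets.randbelow(1 << 16)
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(4096)
    summary = header_summary(data)
    if summary["id"] != txid or not summary["is_response"]:
        raise ValueError("reply does not match our query")  # stray or spoofed packet
    return data, summary


# Constructed reply header: same ID as build_query's default, QR and AA set,
# two answers, rcode 0 (what the ns0.dnsmadeeasy.com query above would return).
SAMPLE_AUTHORITATIVE_HEADER = bytes.fromhex("1234 8400 0001 0002 0000 0000")

if __name__ == "__main__":
    print(build_query("umw.edu", "NS").hex(" "))
    print(header_summary(SAMPLE_AUTHORITATIVE_HEADER))
    # Mirrors the nslookup calls in this part of the lab; uncomment to run online.
    # print(lookup("umw.edu", "MX")[1])
```

Running the module prints the NS query bytes for umw.edu so you can compare them with the tshark -x dump from Part 1; the lookup function is what you would call to reproduce the MX, A and NS queries against 127.0.0.53, 8.8.8.8 or an authoritative server.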

Questions:

  1. What is the domain name of one of the umw.edu mail servers?
  2. What is the IP address of that mail server?

Pick your favorite web site for the following questions:

Questions:

  1. What is the domain name for this site?
  2. What is the IP address of it (just use one if there are multiple)?
  3. What is the authoritative name server as a domain name?
  4. What is the IP of the authoritative name server?
  5. Does this site have any MX records? If so, it has an email server. If not, it does not.


Submitting

When you're finished, email your answers to ifinlay@umw.edu.

Copyright © 2019 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.