To experiment with interpreting DNS packets and performing DNS lookups.
As discussed, DNS runs on port 53 and sends packets with UDP. For that reason, we can look at DNS traffic with the following TShark command:
$ tshark -f "port 53"
If we run this command in one terminal window and then download a web page in a second one, we will see any DNS traffic that the download causes.
Do this by requesting this lab page:
$ wget http://ianfinlayson.net/class/cpsc414/labs/09-dns
You should see some DNS packets being sent. There will actually be two requests and two responses (one for IPv4 and one for IPv6).
Next we will try looking at the actual contents of these DNS packets. Recall that we can do that by passing -x into tshark:
$ tshark -f "port 53" -x
Try this and, in another window, request a page with HTTPS:
$ wget https://en.wikipedia.org/wiki/Messier_87
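To make sense of the bytes that -x prints, here is an added example (not part of the original lab) that decodes a DNS message by hand, including the compressed names used in answers. The sample packet is constructed, and the function names are this example's own. It assumes the bytes start at the DNS payload, i.e. after the Ethernet, IP and UDP headers that tshark also dumps.

```python
import struct

QTYPES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA"}

def read_name(msg, off):
    """Decode a name at off; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                  # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                    # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    """Parse the header, question and answer sections of a DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    out = {"id": ident, "is_response": bool(flags & 0x8000),
           "authoritative": bool(flags & 0x0400), "rcode": flags & 0x000F,
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
        off += 4
        out["questions"].append((name, QTYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:      # A record: dotted-quad IPv4
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, QTYPES.get(rtype, rtype), ttl, rdata))
    return out

# Constructed sample: response to "example.com A" (UDP payload only)
SAMPLE = bytes.fromhex(
    "1a2b81800001000100000000"              # id, flags, QD=1, AN=1
    "076578616d706c6503636f6d0000010001"    # question: example.com A IN
    "c00c000100010000012c0004c0000201")     # answer: ptr->name, TTL 300
```

Calling parse_dns(SAMPLE) returns the question and the A record; the "authoritative" field is the AA flag bit, which is what nslookup reports as "Non-authoritative answer" when it is clear.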
If we want to find the IP of a hostname ourselves, there is a more direct way than using TShark: a command called "nslookup". The simplest way to call nslookup is to pass the domain you want to look up, and it gives us back some information:
$ nslookup ianfinlayson.net
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: ianfinlayson.net
Address: 220.127.116.11
Here we asked it to do a DNS lookup of my web site. The Server and Address lines refer to the address of the DNS server used. 127.0.0.53 is a DNS server built into Linux itself. Then it gives us information back. This is not authoritative because it's from the local server only.
We can also query a specific DNS server instead of the built-in one. This is done by putting a "-" (hyphen) and then the address of the DNS server we want to query. For example, we can query Google's publicly available DNS server at 18.104.22.168:
$ nslookup wikipedia.org - 22.214.171.124
Server: 126.96.36.199
Address: 188.8.131.52#53
Non-authoritative answer:
Name: wikipedia.org
Address: 184.108.40.206
Name: wikipedia.org
Address: 2620:0:861:ed1a::1
Notice that Wikipedia (unlike my site) also has an IPv6 address.
We get the same information back, but from a different source now.
We can specify what sort of records we want by passing "-type=" on the command line (the equivalent of "set type=" in nslookup's interactive mode). This can be useful for finding mail servers:
$ nslookup -type=MX gmail.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.
$ nslookup -type=A gmail.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: gmail.com
Address: 220.127.116.11
Name: gmail.com
Address: 18.104.22.168
Name: gmail.com
Address: 22.214.171.124
Name: gmail.com
Address: 126.96.36.199
Notice that we get different addresses for gmail.com based on whether we are looking for the MX records or A records.
Another type of record we can look for is an "NS" record, which gives the authoritative name servers for a domain.
Here we ask for the authoritative name server for UMW:
$ nslookup -type=NS umw.edu
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
umw.edu nameserver = ns0.dnsmadeeasy.com.
umw.edu nameserver = ns1.dnsmadeeasy.com.
umw.edu nameserver = ns4.dnsmadeeasy.com.
umw.edu nameserver = ns3.dnsmadeeasy.com.
umw.edu nameserver = ns2.dnsmadeeasy.com.
We can then use one of these name servers to get the authoritative address:
$ nslookup umw.edu - ns0.dnsmadeeasy.com
Server: ns0.dnsmadeeasy.com
Address: 188.8.131.52#53
Name: umw.edu
Address: 184.108.40.206
Name: umw.edu
Address: 220.127.116.11
Pick your favorite web site for the following questions:
When you're finished, email your answers to email@example.com.
Copyright © 2022 Ian Finlayson | Licensed under a Creative Commons Attribution 4.0 International License.