
Wireshark Lab 3 DNS

February 28, 2013

Part 1: NSLookup

1. Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that server?

  • For this question, I queried the webpage for the Asian Institute of Technology in Thailand. The IP address of that server was 203.159.12.3.

(Screenshot: 3.1)

2. Run nslookup to determine the authoritative DNS servers for a university in Europe.

  • For this question, I used the webpage for Cambridge University in England. This webpage is http://www.cam.ac.uk. The authoritative DNS server is authdns0.csx.cam.ac.uk.

(Screenshot: 3.2)

3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?

  • The IP address returned when that DNS server is queried for the Yahoo! mail server is 209.191.122.42

(Screenshot: 3.3)

———————————————————————————————————————————————————————-

Part 2: IPconfig

There are no questions for part two of this lab. All it requires is that we run ipconfig /all on our current machine. This displays the machine's current TCP/IP configuration, including its IP address, DNS server address and other information.

(Screenshot: 3.32)

It then asks that we display the host's DNS resolver cache with the command ipconfig /displaydns

(Screenshot: 3.33)

Finally, we are told to clear that cache by entering ipconfig /flushdns

(Screenshot: 3.34)

———————————————————————————————————————————————————————-

Part 3: Tracing DNS with Wireshark

Lab Video: for Part 1

STEPS: Part 1: IPconfig

Step 1: Use ipconfig to empty the DNS cache in your host.

Step 2: Open your browser and empty your browser cache. (With Internet Explorer, go to the Tools menu and select Internet Options; then in the General tab select Delete Files.)

Step 3: Open Wireshark and enter “ip.addr == your_IP_address” into the display filter, where you obtain your_IP_address with ipconfig. This filter hides every packet that neither originates from nor is destined to your host.

Step 4: Start packet capture in Wireshark.

Step 5: With your browser, visit the Web page: http://www.ietf.org 

Step 6: Stop packet capture.

(Screenshot: 3.part3)

QUESTIONS:

4. Locate the DNS query and response messages. Are they sent over UDP or TCP?

  • The DNS query and response messages are sent over UDP.

(Screenshot: 3.4)

5. What is the destination port for the DNS query message? What is the source port of the DNS response message?

  • The destination port is 53
  • The source port is 50133

(Screenshot: 3.5)

6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same? 

  • The DNS query was sent to IP address 10.40.4.44. Yes it is the same IP address as that of my local DNS server.

(Screenshot: 3.6)

7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

  • The query message was a type “A” query, but the message did not contain any “answers.”

(Screenshot: 3.7)

8. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

  • The response message contained one answer to the query: the site's address [64.170.98.30]. It also provided 6 authoritative nameservers and 11 additional records.

(Screenshot: 3.8)

9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?

  • The destination of the SYN packet is 64.170.98.30, the same address that was provided in the DNS response message as the type “A” address of the webpage. 

10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?

  • Yes, my host did issue new DNS queries before the images were retrieved. For example, one such query was for an image from open-stand.org. The image corresponding to the page was not returned until this query was made.

(Screenshot: 3.10)
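The section layout that questions 7 and 8 ask about (and that comes back in questions 13–14, 17–18 and 21–22) is easiest to see by building and parsing the messages by hand. The following is an added example, not part of the original lab writeup: a small DNS wire-format builder and parser in Python that produces a type A query with the RD flag set and no answers, and decodes a response into the same header flags and four sections (question, answer, authority, additional) that Wireshark's protocol tree shows. The query/response pair in sample_exchange() is constructed for this example with RFC 5737 documentation addresses and a made-up transaction ID; it is shaped like the lab's captures (one A answer, the zone's NS records in authority, their glue addresses in additional) but is not taken from them.

```python
import struct

QTYPE_A, QTYPE_NS = 1, 2                      # record types used in the lab
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Header (RD set, one question, no records) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_rr(owner, rtype, ttl, rdata):
    """A resource record; 'owner' is already wire-formatted (may be a compression pointer)."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def decode_name(msg, off):
    """Read a (possibly compressed) name at 'off'; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer, RFC 1035 section 4.1.4
            if end is None:
                end = off + 2                     # on the wire the name ends after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                         # defensive: refuse pointer loops
                raise ValueError("pointer loop in name")
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == QTYPE_A and rdlen == 4:
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype == QTYPE_NS:
        data, _ = decode_name(msg, off)
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": rtype, "ttl": ttl, "data": data}, off + rdlen


def parse_message(msg):
    """Split a DNS message into header fields and its sections, like Wireshark's tree."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                  # skip qtype and qclass
        questions.append({"name": name, "type": qtype})
    out = {"id": txid, "is_response": bool(flags & FLAG_QR),
           "recursion_desired": bool(flags & FLAG_RD),
           "recursion_available": bool(flags & FLAG_RA),
           "rcode": flags & 0xF, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            out[section].append(rr)
    return out


def sample_exchange():
    """Constructed query/response pair (documentation addresses, made-up ID)."""
    query = build_query(0x1A2B, "www.example.net", QTYPE_A)
    ptr = b"\xc0\x0c"                             # pointer to the question name at offset 12
    response = (struct.pack("!HHHHHH", 0x1A2B, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 2, 2)
                + query[12:]                      # question section copied verbatim
                + build_rr(ptr, QTYPE_A, 300, bytes([192, 0, 2, 10]))
                + build_rr(encode_name("example.net"), QTYPE_NS, 3600, encode_name("ns1.example.net"))
                + build_rr(encode_name("example.net"), QTYPE_NS, 3600, encode_name("ns2.example.net"))
                + build_rr(encode_name("ns1.example.net"), QTYPE_A, 3600, bytes([192, 0, 2, 53]))
                + build_rr(encode_name("ns2.example.net"), QTYPE_A, 3600, bytes([198, 51, 100, 53])))
    return query, response


if __name__ == "__main__":
    for label, msg in zip(("query", "response"), sample_exchange()):
        p = parse_message(msg)
        print(label, "id=%04x QR=%d RD=%d RA=%d" % (
            p["id"], p["is_response"], p["recursion_desired"], p["recursion_available"]))
        for section in ("questions", "answer", "authority", "additional"):
            print("  %-10s %d %s" % (section, len(p[section]), p[section]))
```

Running it prints the query with one question and empty answer/authority/additional sections, and the response with the same transaction ID, QR and RA set, one A answer, two NS records in authority and their two glue A records in additional. The RA bit is the "recursion available" flag mentioned in question 22; the pointer-hop limit in decode_name is there because a malformed message with a looping compression pointer would otherwise hang a naive parser.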

———————————————————————————————————————————————————————-

Lab Video, Part 2:

STEPS: Part 2: NSLookup

Step 1: Start packet capture.

Step 2: Do an nslookup on www.mit.edu

Step 3: Stop packet capture.

(Screenshot: 3.part4)

QUESTIONS

11. What is the destination port for the DNS query message? What is the source port of the DNS response message?

  • Destination Port: 53
  • Source Port: 53098

(Screenshot: 3.11)

12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? 

  • The DNS query message is sent to IP address 10.40.4.44, the same address as my default local DNS server.

(Screenshot: 3.12)

13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

  • The DNS query message is a type “A” query, containing only one question and not containing any answers.

14. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

  • The response message contains one answer to the aforementioned query, which is the type “A” address of www.mit.edu, 18.9.22.169. It also contained information on 3 authoritative nameservers and 3 additional records.

15. Provide a screenshot.

  • See bottom of steps

———————————————————————————————————————————————————————-

Lab Video Part 2.1:

STEPS:

Step 1: Repeat the previous experiment.

Step 2: This time issue the command: nslookup -type=NS mit.edu

(Screenshot: lab3part2.2)

QUESTIONS:

16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

  • The query is sent to 10.40.4.44, the same IP address as that of my default local DNS server.

17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

  • The DNS query is a type “NS” message including one question. The query message did not contain any answers.

(Screenshot: 3.17)

18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?

  • The response message provides 3 MIT nameservers: w20ns.mit.edu [18.70.0.160], strawb.mit.edu [18.71.0.150], and bitsy.mit.edu [18.72.0.3]. The IP addresses of the nameservers were included under the additional records section of the response message.

(Screenshot: 3.18)

19. Provide a screenshot.

  • See image under lab steps for Part 2.1

———————————————————————————————————————————————————————-

Lab 3, Part 2.2 Video:

STEPS: 

Step 1: Now repeat the previous experiment.

Step 2: This time issue the command: nslookup www.aiit.or.kr bitsy.mit.edu

(Screenshot: 3.35)

QUESTIONS:

20. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?

  • This DNS query message is sent to 149.152.136.65, which is the IP address of the MIT DNS server that sent the response.

(Screenshot: 2.20)

21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

  • This DNS query is a type “A” query. The message does not contain any answers.

(Screenshot: 3.21)

22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?

  • It provided only one “answer”, containing the server's IP address; however, the server also returned a flag stating that it could complete a recursive query.

(Screenshot: 3.22)
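Questions 5, 11, 16 and 20 are really about the UDP 5-tuple: the query leaves an ephemeral port on the host for port 53 on whichever server was chosen (the default resolver, or bitsy.mit.edu in Part 2.2), and the reply has to travel the reverse path, from the server's port 53 back to that ephemeral port. That pairing, together with the 16-bit transaction ID and the question section, is all a stub resolver has to decide whether a UDP reply is genuine, which is why an off-path attacker who can guess the ID and the port (the 2008 Kaminsky cache-poisoning attack) can inject answers, and why source-port randomisation was the fix. The following added example, not part of the original writeup, models that acceptance check in Python over constructed datagrams: one legitimate reply and four forgeries, each failing a different check. The client port 50133 is the ephemeral port seen in the capture for question 5; the IP addresses, transaction ID and TTL are constructed (RFC 5737 documentation ranges), and the answer address is the one the writeup reports for www.ietf.org.

```python
import struct
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Datagram:
    """The UDP fields Wireshark shows for each packet, plus the DNS payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def question_bytes(msg):
    """Return the raw first question (name, type, class) of a DNS message."""
    off = 12
    while True:
        n = msg[off]
        if n & 0xC0:                               # question names are never compressed
            raise ValueError("compression pointer in question name")
        off += 1
        if n == 0:
            break
        off += n
    return msg[12:off + 4]


def accept_response(query, response):
    """Checks a stub resolver applies before trusting a UDP reply: (accepted, reason)."""
    if (response.src_ip, response.src_port) != (query.dst_ip, query.dst_port):
        return False, "not from the server:port the query was sent to"
    if (response.dst_ip, response.dst_port) != (query.src_ip, query.src_port):
        return False, "not addressed to the query's source port"
    if len(response.payload) < 12:
        return False, "header truncated"
    if response.payload[:2] != query.payload[:2]:
        return False, "transaction ID mismatch"
    flags = struct.unpack("!H", response.payload[2:4])[0]
    if not flags & 0x8000:
        return False, "QR bit clear: this is a query, not a response"
    if question_bytes(response.payload) != question_bytes(query.payload):
        return False, "question section differs from what was asked"
    return True, "accepted"


# Constructed messages modelled on the lab's www.ietf.org lookup (ID and TTL made up).
QUESTION = b"\x03www\x04ietf\x03org\x00" + b"\x00\x01\x00\x01"          # A, IN
QUERY_MSG = struct.pack("!HHHHHH", 0x4F21, 0x0100, 1, 0, 0, 0) + QUESTION   # RD set
ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([64, 170, 98, 30])


def reply(txid, question=QUESTION, answer=ANSWER):
    """A response header (QR, RD, RA set, one question, one answer) plus its sections."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


CLIENT, CLIENT_PORT = "192.0.2.10", 50133          # 50133: ephemeral port from the capture
RESOLVER, ATTACKER = "192.0.2.53", "198.51.100.99"  # constructed addresses


def scenarios():
    """One genuine reply and four forgeries; returns {name: accepted}."""
    query = Datagram(CLIENT, CLIENT_PORT, RESOLVER, DNS_PORT, QUERY_MSG)
    cases = {
        "genuine": Datagram(RESOLVER, DNS_PORT, CLIENT, CLIENT_PORT, reply(0x4F21)),
        # off-path attacker spoofs the resolver's address but guesses the ID wrong
        "spoofed_wrong_id": Datagram(RESOLVER, DNS_PORT, CLIENT, CLIENT_PORT, reply(0x4F22)),
        # right ID, but the guessed client port is off by one
        "spoofed_wrong_port": Datagram(RESOLVER, DNS_PORT, CLIENT, 50134, reply(0x4F21)),
        # right ID and ports, but from an address the query never went to
        "wrong_server": Datagram(ATTACKER, DNS_PORT, CLIENT, CLIENT_PORT, reply(0x4F21)),
        # everything matches except the question: an answer for a name we did not ask
        "bait_and_switch": Datagram(RESOLVER, DNS_PORT, CLIENT, CLIENT_PORT,
                                    reply(0x4F21, b"\x03www\x07example\x03net\x00\x00\x01\x00\x01")),
    }
    return {name: accept_response(query, d)[0] for name, d in cases.items()}


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-20s %s" % (name, "ACCEPT" if ok else "reject"))
```

Only the genuine reply is accepted. Note how little entropy the attacker has to beat: the ID gives 16 bits, and a fixed or predictable client port adds nothing, which is what a capture like the one in question 5 lets you check on a real resolver (a long run of queries from the same source port is the warning sign).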

23. Provide a screenshot.

  • Please see picture under steps

From → Wireshark Labs

One Comment
  1. KImjuns permalink

    thank you
