Wireshark Lab 3 DNS
Part 1: NSLookup
1. Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that server?
- For this question, I queried the webpage for the Asian Institute of Technology in Thailand. The IP address of that server was 203.159.12.3.
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
- For this question, I used the webpage for Cambridge University in England. This webpage is http://www.cam.ac.uk. The authoritative DNS server is authdns0.csx.cam.ac.uk.
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?
- The IP address returned by that DNS server when queried for the Yahoo! mail server is 209.191.122.42.
———————————————————————————————————————————————————————-
Part 2: IPconfig
There are no questions for part two of this lab. All it requires is that we run ipconfig /all on our current machine. This displays my machine's current TCP/IP configuration, including my IP address, DNS server address and other additional information.
It then asks that we display the host's recently cached DNS records by using the command ipconfig /displaydns.
Finally, we are told to clear that cache by entering ipconfig /flushdns.
———————————————————————————————————————————————————————-
Part 3: Tracing DNS with Wireshark
Lab Video: for Part 1
STEPS: Part 1: IPconfig
Step 1: Use ipconfig to empty the DNS cache in your host.
Step 2: Open your browser and empty your browser cache. (With Internet Explorer, go to Tools menu and select Internet Options; then in the General tab select Delete Files.)
Step 3: Open Wireshark and enter “ip.addr == your_IP_address” into the filter, where you obtain your_IP_address with ipconfig. This filter removes all packets that neither originate from nor are destined to your host.
Step 4: Start packet capture in Wireshark.
Step 5: With your browser, visit the Web page: http://www.ietf.org
Step 6: Stop packet capture.
QUESTIONS:
4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
- The DNS query and response messages are sent over UDP.
5. What is the destination port for the DNS query message? What is the source port of DNS response message?
- The destination port is 53
- The source port is 50133
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?
- The DNS query was sent to IP address 10.40.4.44. Yes, it is the same IP address as that of my local DNS server.
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
- The query message was a type “A” query, but the message did not contain any “answers.”
8. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
- The response message contained one answer to the query, which was the site's address [64.170.98.30]. It also provided 6 authoritative nameservers and 11 other records containing additional information.
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?
- The destination of the SYN packet is 64.170.98.30, the same address that was provided in the DNS response message as the type “A” address of the webpage.
10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?
- Yes, my host did issue new DNS queries before the images were retrieved. For example, one such query was for an image from open-stand.org. The image corresponding to the page was not returned until this query was made.
———————————————————————————————————————————————————————-
Lab Video, Part 2:
STEPS: Part 2: NSLookup
Step 1: Start packet capture.
Step 2: Do an nslookup on http://www.mit.edu
Step 3: Stop packet capture.
QUESTIONS
11. What is the destination port for the DNS query message? What is the source port of DNS response message?
- Destination Port: 53
- Source Port: 53098
12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
- The DNS query message is sent to IP address 10.40.4.44, the same address as my default local DNS server.
13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
- The DNS query message is a type “A” query, containing only one question and not containing any answers.
14. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
- The response message contains one answer to the aforementioned query, which is the type “A” address of http://www.mit.edu, or 18.9.22.169. It also contained information on 3 authoritative nameservers and 3 additional records.
15. Provide a screenshot.
- See bottom of steps
———————————————————————————————————————————————————————-
Lab Video Part 2.1:
STEPS:
Step 1: Repeat the previous experiment,
Step 2: but instead issue the command: nslookup -type=NS mit.edu
QUESTIONS:
16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
- The query is sent to 10.40.4.44, the same IP address as that of my default local DNS server.
17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
- The DNS query is a type “NS” message including one question. The query message did not contain any answers.
18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?
- The response message provides 3 MIT nameservers: w20ns.mit.edu [18.70.0.160], strawb.mit.edu [18.71.0.150], and bitsy.mit.edu [18.72.0.3]. The IP addresses for the nameservers were included under the additional records category sent back as part of the response message.
19. Provide a screenshot.
- See image under lab steps for Part 2.1
———————————————————————————————————————————————————————-
Lab 3, Part 2.2 Video:
STEPS:
Step 1: Now repeat the previous experiment,
Step 2: but instead issue the command: nslookup http://www.aiit.or.kr bitsy.mit.edu
QUESTIONS:
20. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?
- This DNS query message is sent to 149.152.136.65, which is the IP address of the MIT DNS response sender.
21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
- This DNS query is a type “A” query. The message does not contain any answers.
22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
- It only provided one “answer”, containing the server's IP address; however, the server also returned a flag stating that it could complete a recursive query.
23. Provide a screenshot.
- Please see picture under steps
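The fields inspected in Questions 7–8, 13–14, 17–18 and 22 (query type, question count, the answer/authority/additional sections, and the "recursion available" flag) are all positions in the RFC 1035 wire format that Wireshark decodes for you. The following Python is an added example written for this write-up, not part of the lab handout or of any captured trace: it builds the same kind of query that nslookup sends to UDP port 53, builds a response to it, and parses both back into the fields the questions ask about. The function names (build_query, build_response, parse_message) are my own, and the response bytes are constructed locally to mirror the counts and addresses reported in the write-up for www.mit.edu rather than taken from a capture.

```python
"""Build and decode DNS messages in RFC 1035 wire format (added example).

The response below is constructed to mirror the write-up's Q13/Q14 numbers:
one A answer, three NS authority records, three A additional records.
"""
import struct

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}
SECTIONS = ("answers", "authority", "additional")


def encode_name(name):
    """Encode 'www.mit.edu' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ipv4(text):
    """'18.9.22.169' -> the 4-byte RDATA of an A record."""
    return bytes(int(octet) for octet in text.split("."))


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def build_query(qname, qtype, txid=0x1234, rd=True):
    """Standard query: 12-byte header + one question, no answers (Q7/Q13)."""
    flags = 0x0100 if rd else 0x0000             # RD = recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, records, ra=True):
    """Answer a query; records are (section, owner, rtype, rdata) tuples.

    Owners equal to the question name are emitted as the compression pointer
    0xC00C (offset 12), as real servers do, so pointer decoding is exercised.
    """
    txid, qflags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qname, _ = read_name(query, 12)
    body, counts = b"", dict.fromkeys(SECTIONS, 0)
    ordered = sorted(records, key=lambda r: SECTIONS.index(r[0]))
    for section, name, rtype, rdata in ordered:
        counts[section] += 1
        owner = b"\xc0\x0c" if name.rstrip(".") == qname else encode_name(name)
        body += owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0)  # QR, RD, RA
    header = struct.pack("!HHHHHH", txid, flags, qdcount,
                         *(counts[s] for s in SECTIONS))
    return header + query[12:] + body


def parse_message(msg):
    """Return the header flags, question and RR sections as a plain dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, RR_TYPES.get(qtype, str(qtype))))
    result = {"id": txid, "is_response": bool(flags & 0x8000),
              "recursion_desired": bool(flags & 0x0100),
              "recursion_available": bool(flags & 0x0080),   # the Q22 flag
              "rcode": flags & 0x000F, "questions": questions}
    for section, count in zip(SECTIONS, (an, ns, ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, rdata_off = msg[off:off + rdlen], off
            off += rdlen
            if rtype == 1 and rdlen == 4:
                value = ".".join(str(b) for b in rdata)
            elif rtype in (2, 5):                # NS / CNAME RDATA is a name
                value, _ = read_name(msg, rdata_off)
            else:
                value = rdata.hex()
            rrs.append((name, RR_TYPES.get(rtype, str(rtype)), ttl, value))
        result[section] = rrs
    return result


def mit_example():
    """Constructed exchange for www.mit.edu using the write-up's addresses."""
    query = build_query("www.mit.edu", 1)
    servers = {"w20ns.mit.edu": "18.70.0.160", "strawb.mit.edu": "18.71.0.150",
               "bitsy.mit.edu": "18.72.0.3"}
    records = [("answers", "www.mit.edu", 1, ipv4("18.9.22.169"))]
    records += [("authority", "mit.edu", 2, encode_name(ns)) for ns in servers]
    records += [("additional", ns, 1, ipv4(ip)) for ns, ip in servers.items()]
    return parse_message(query), parse_message(build_response(query, records))


if __name__ == "__main__":
    q, r = mit_example()
    print("query   :", q["questions"], "answers:", len(q["answers"]))
    print("response:", len(r["answers"]), "answer,", len(r["authority"]),
          "authority,", len(r["additional"]), "additional; RA =",
          r["recursion_available"])
    for rr in r["answers"] + r["authority"] + r["additional"]:
        print("  ", rr)
```

Running the script prints a query with one question and no answers, then a response with 1/3/3 records and RA set, which is exactly the breakdown the Wireshark "Domain Name System" tree shows for the nslookup in Part 2. Feeding the bytes from build_query to a resolver over UDP would reproduce the Part 2 query; the parser works unchanged on a real response payload copied out of Wireshark, so it is a handy way to check by hand what the dissector reports.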
thank you