nslookup - light2shine.comlight2shine.com/nw/csit340_jaesooklee_extracredit... · wireshark lab:...
Jae Sook Lee
FA16 CSIT 340 – 01
Dr. Constantine Coutras
Extra Credit
Wireshark Lab: DNS v7.0
nslookup
1. Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that
server?
Answer: IP Address: 1) 23.67.251.17, 2) 23.67.251.10
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail
servers for Yahoo! Mail. What is its IP address?
Answer: IP Address: 74.6.50.150
ipconfig
4. ipconfig /all
5. ipconfig /displaydns
6. ipconfig /flushdns
Tracing DNS with Wireshark
4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
Answer: UDP
5. What is the destination port for the DNS query message? What is the source port of the DNS
response message?
Answer: Destination port: 53, Source port: 49529
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address
of your local DNS server. Are these two IP addresses the same?
Answer: 1) 8.8.8.8, 2) 8.8.8.4
7. Examine the DNS query message. What “Type” of DNS query is it? Does the query message
contain any “answers”?
Answer: 0x0100 Standard query
8. Examine the DNS response message. How many “answers” are provided? What does each of
these answers contain?
Answer: 3 answers provided
www.ietf.org: type CNAME, class IN, cname www.ietf.org.cdn.cloudflare-dnssec.net
-> The CNAME changes the alias to the machine host name
www.ietf.org.cdn.cloudflare-dnssec.net: type A, class IN, addr 104.20.0.85
www.ietf.org.cdn.cloudflare-dnssec.net: type A, class IN, addr 104.20.1.85
-> Two different machine IP addresses under the DNS name
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address
of the SYN packet correspond to any of the IP addresses provided in the DNS response
message?
Answer: IP: 104.20.0.85 Port: 80
10. This web page contains images. Before retrieving each image, does your host issue new DNS
queries?
Answer
No. The host does not issue new DNS queries. DNS query and response messages have the same format.
Now let’s play with nslookup.
• Start packet capture.
• Do an nslookup on www.mit.edu
• Stop packet capture.
11. What is the destination port for the DNS query message? What is the source port of the DNS
response message?
Answer
Destination port for the DNS query message: 53
Source port of DNS response message: 53
12. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server?
Answer: 8.8.8.8
13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message
contain any “answer”?
Answer: Type: A (Host Address) 1
14. Examine the DNS response message. How many “answers” are provided? What does each of
these answers contain?
Answer
3 answers provided
1) www.mit.edu: type CNAME, class IN, cname www.mit.edu.edgekey.net
-> Change alias to machine host name as www.mit.edu.edgekey.net
2) www.mit.edu.edgekey.net: type CNAME, class IN, cname e9566.dscb.akamaiedge.net
-> Change alias to machine host name as e9566.dscb.akamaiedge.net
3) e9566.dscb.akamaiedge.net: type A class IN, addr 23.10.80.128
-> e9566.dscb.akamaiedge.net name has IP Address 23.10.80.128
15. Provide a screenshot.
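As an added example, not part of the lab handout or these answers: a small Python builder and parser for DNS wire format (RFC 1035) that reproduces the fields Wireshark shows in questions 7, 8, 13, 14 and 18: the response flags, the question type (1 = A, 2 = NS), the answer count, and a CNAME chain ending in an A record, including the name-compression pointers real servers use. The message bytes are constructed here, not captured from the lab; the names are the ones the answers above list.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_response(txid, qname, qtype, answers):
    """Standard response (flags 0x8180: QR=1, RD=1, RA=1); answers = [(owner, rtype, ttl, rdata)]."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answers:
        # Real servers compress a repeated owner name into a pointer to offset 12 (the question).
        msg += b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a name, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer (RFC 1035 section 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length

def parse_message(msg):
    """Return the header flags plus the question and answer sections, as Wireshark lists them."""
    _txid, flags, qdcount, ancount = struct.unpack_from("!HHHH", msg)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack_from("!H", msg, off)[0]))  # (qname, qtype)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1:  # A record: rdata is a four-byte IPv4 address
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:           # CNAME (5) or NS (2): rdata is a (possibly compressed) name
            value, _ = read_name(msg, off)
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"flags": flags, "questions": questions, "answers": answers}

# Constructed message (not a lab capture) modelled on question 14: www.mit.edu -> CNAME -> CNAME -> A
MIT_RESPONSE = build_response(0x1234, "www.mit.edu", 1, [
    ("www.mit.edu", 5, 60, encode_name("www.mit.edu.edgekey.net")),
    ("www.mit.edu.edgekey.net", 5, 60, encode_name("e9566.dscb.akamaiedge.net")),
    ("e9566.dscb.akamaiedge.net", 1, 20, bytes([23, 10, 80, 128]))])
```

A query as in question 13 differs only in the flags (0x0100, RD set and QR clear) and an empty answer section, which the same parser reports as three answers here and zero there.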
Now repeat the previous experiment, but instead issue the command: nslookup -type=NS mit.edu
Answer the following questions:
16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
Answer: IP Address: 8.8.8.8
17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
Answer: The DNS query has type NS. It contains no answers.
18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?
Answer: It does provide the nameservers in the response message and does not provide IP addresses.
mit.edu: type NS, class IN, ns asia1.akam.net
mit.edu: type NS, class IN, ns asia2.akam.net
mit.edu: type NS, class IN, ns ns1-173.akam.net
mit.edu: type NS, class IN, ns eur5.akam.net
mit.edu: type NS, class IN, ns ns1-37.akam.net
mit.edu: type NS, class IN, ns usw2.akam.net
mit.edu: type NS, class IN, ns use5.akam.net
19. Provide a screenshot.
Now repeat the previous experiment, but instead issue the command: nslookup www.aiit.or.kr bitsy.mit.edu
Answer the following questions:
20. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server? If not, what does the IP address correspond to?
Answer: Two IP Addresses: 1) 8.8.8.8, 2) 8.8.4.4
21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
Answer: Type: A (Host Address) (1); it doesn’t contain any answers.
IP: 8.8.8.8
IP: 8.8.4.4
22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
Answer: Servers 8.8.8.8 and 8.8.4.4 both return one answer, and it is the same answer.
bitsy.mit.edu: type A, class IN, addr 18.72.0.3
name: bitsy.mit.edu
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 737
Data length: 4
Address: 18.72.0.3
23. Provide a screenshot.
(Screenshot Attached)