Wireshark 1.6: Wireshark Lab: DNS (Domain Name System)

Wireshark Lab: DNS (Domain Name System)

In this lab I used nslookup in command Prompt

nslookup –option1 –option2 host-to-find dns-server

I observed where the DNS query's were sent out to over wireshark. The following are my results.

1. Run nslookup to obtain the IP address of a Web server in Asia.
http://www.registry.asia/
66.132.220.208

Command Prompt entry

Command Prompt result

2. Run nslookup to determine the authoritative DNS servers for a university in
Europe.

nslookup –type=NS
http://www.euruni.edu/

euruni.edu nameserver = ns2.newtechwebservices.com
euruni.edu nameserver = ns1.newtechwebservices.com

Update for March of 2012

www.euruni.edu canonical name = euruni.edu
euruni.edu nameserver = dauth1.joink.com
euruni.edu nameserver = dauth2.joink.com

3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for
the mail servers for Yahoo! mail.

I received after trying this the response unkown server 65.111.249.40. no internal type for both IPv4 and IPv6 when using ns2.newtechwebservices.com

Update for March of 2012

nslookup with

dauth1.joink.com

dauth2.joink.com

nslookup with Google's server

4. Locate the DNS query and response messages. Are then sent over UDP or TCP?

The DNS query and response messages are sent over UDP.
Notice in the following screen shot when clicking on the DNS request its says User Datagram Protocol.

5. What is the destination port for the DNS query message? What is the source port

of DNS response message?

original results -The source port was 50042 and the destination port was 53

March 2012 update results - The source port was 56301 and the destination port was 53 (see screenshot above)

6. To what IP address is the DNS query message sent? Use ipconfig to determine the

IP address of your local DNS server. Are these two IP addresses the same?

The DNS query message was sent to 192.168.2.1 and the IP address of the local DNS server was also 192.168.2.1. Both IP addresses are the same.

For the screenshot in question 4 the DNS query message was sent to 192.168.2.3 and the IP address of the local DNS server was also 192.168.2.3. Both IP addresses are the same.

7. Examine the DNS query message. What “Type” of DNS query is it? Does the

query message contain any “answers”?

The DNS query is type A. It is a standard query. It does not contain any answers.

8. Examine the DNS response message. How many “answers” are provided? What

do each of these answers contain?

The DNS response message gave me one answer with the following information.

http://www.ietf.org/: type A, class IN, addr 12.22.58.30

Name: http://www.ietf.org/

Type: A (Host address)

Class: IN (0x0001)

Time to live: 3 minutes, 43 seconds

Data length: 4

Addr: 12.22.58.30 (12.22.58.30)

Doing NS lookup with google's server 2012 below

9. Consider the subsequent TCP SYN packet sent by your host. Does the destination

IP address of the SYN packet correspond to any of the IP addresses provided in

the DNS response message?

Yes, the destination address of the SYN packet corresponds to the IP address provided in the DNS response answer 12.22.58.30.

10. This web page contains images. Before retrieving each image, does your host

issue new DNS queries?

No, my host does not need to send another DNS query.

11. What is the destination port for the DNS query message? What is the source port

of DNS response message?

The destination port for the DNS query message is 53. The source port for the DNS response is also 53.

12. To what IP address is the DNS query message sent? Is this the IP address of your

default local DNS server?

The IP address that the DNS query is sent to is192.168.2.1. The address is the same as the default local DNS server.

13. Examine the DNS query message. What “Type” of DNS query is it? Does the

query message contain any “answers”?

The DNS query is type A (standard quarry). The query does not contain any answers.

14. Examine the DNS response message. How many “answers” are provided? What

do each of these answers contain?

Only one answers set was provided. The answer contains the following information.

Answers

http://www.mit.edu/: type A, class IN, addr 18.9.22.169

Name: http://www.mit.edu/

Type: A (Host address)

Class: IN (0x0001)

Time to live: 1 minute

Data length: 4

Addr: 18.9.22.169 (18.9.22.169)

15. Provide a screenshot.

The IP address that the DNS query is sent to is18.9.22.169. The address is the same as the default local DNS server.

16. To what IP address is the DNS query message sent? Is this the IP address of your

default local DNS server?

The IP address that the DNS query is sent to is 192.168.2.1. The address is the same as the default local DNS server.

17. Examine the DNS query message. What “Type” of DNS query is it? Does the

query message contain any “answers”?

It is a standard type NS query. It does not contain any answers.

18. Examine the DNS response message. What MIT nameservers does the response

message provide? Does this response message also provide the IP addresses of the

MIT namesers?

The repsonse message provides
mit.edu nameserver w20ns.mit.edu
mit.edu nameserver bitsy.mit.edu
mit.edu nameserver strawb.mit.edu

My computer does not provide the ip adress information although as far I know It should appear.

19. Provide a screenshot.

Now repeat the previous experiment, but instead issue the command:

nslookup www.aiit.or.kr bitsy.mit.edu

Answer the following questions

20. To what IP address is the DNS query message sent? Is this the IP address of your

default local DNS server? If not, what does the IP address correspond to?

The DNS query message is sent to 18.72.0.3. This is not my default DNS server. The IP corresponds to bitsy.mit.edu.

21. Examine the DNS query message. What “Type” of DNS query is it? Does the

query message contain any “answers”?

The DNS query message is standard type A. It does not contain any answers.

22. Examine the DNS response message. How many “answers” are provided? What

does each of these answers contain?