Wireshark Lab: DNS (Domain Name System)
In this lab I used nslookup in Command Prompt:
nslookup -option1 -option2 host-to-find dns-server
I observed in Wireshark where the DNS queries were sent. The following are my results.
1. Run nslookup to obtain the IP address of a Web server in Asia.
http://www.registry.asia/
66.132.220.208
(Screenshots: Command Prompt entry and Command Prompt result.)
2. Run nslookup to determine the authoritative DNS servers for a university in Europe.
nslookup -type=NS www.euruni.edu
euruni.edu nameserver = ns2.newtechwebservices.com
euruni.edu nameserver = ns1.newtechwebservices.com
Update for March 2012:
www.euruni.edu canonical name = euruni.edu
euruni.edu nameserver = dauth1.joink.com
euruni.edu nameserver = dauth2.joink.com
3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail.
After trying this I received the response "unknown server 65.111.249.40. no internal type for both IPv4 and IPv6" when using ns2.newtechwebservices.com.
Update for March 2012 (screenshots): nslookup with dauth1.joink.com, nslookup with dauth2.joink.com, and nslookup with Google's server.
4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
The DNS query and response messages are sent over UDP.
Notice in the following screenshot that when clicking on the DNS request it says User Datagram Protocol.
5. What is the destination port for the DNS query message? What is the source port of the DNS response message?
Original results: the source port was 50042 and the destination port was 53.
March 2012 update results: the source port was 56301 and the destination port was 53 (see screenshot above).
6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?
The DNS query message was sent to 192.168.2.1 and the IP address of the local DNS server was also 192.168.2.1. Both IP addresses are the same.
For the screenshot in question 4 the DNS query message was sent to 192.168.2.3 and the IP address of the local DNS server was also 192.168.2.3. Both IP addresses are the same.
7. Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain any "answers"?
The DNS query is type A. It is a standard query. It does not contain any answers.
8. Examine the DNS response message. How many "answers" are provided? What do each of these answers contain?
The DNS response message gave me one answer with the following information:
www.ietf.org: type A, class IN, addr 12.22.58.30
Name: www.ietf.org
Type: A (Host address)
Class: IN (0x0001)
Time to live: 3 minutes, 43 seconds
Data length: 4
9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?
Yes, the destination address of the SYN packet corresponds to the IP address provided in the DNS response answer, 12.22.58.30.
10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?
No, my host does not need to send another DNS query.
11. What is the destination port for the DNS query message? What is the source port of the DNS response message?
The destination port for the DNS query message is 53. The source port for the DNS response is also 53.
12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
The IP address that the DNS query is sent to is 192.168.2.1. The address is the same as the default local DNS server.
13. Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain any "answers"?
The DNS query is type A (standard query). The query does not contain any answers.
14. Examine the DNS response message. How many "answers" are provided? What do each of these answers contain?
Only one answer was provided. The answer contains the following information:
Answers
www.mit.edu: type A, class IN, addr 18.9.22.169
Name: www.mit.edu
Type: A (Host address)
Class: IN (0x0001)
Time to live: 1 minute
Data length: 4
Addr: 18.9.22.169 (18.9.22.169)
15. Provide a screenshot.
The IP address that the DNS query is sent to is 18.9.22.169. The address is the same as the default local DNS server.
16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
The IP address that the DNS query is sent to is 192.168.2.1. The address is the same as the default local DNS server.
17. Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain any "answers"?
It is a standard type NS query. It does not contain any answers.
18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?
The response message provides:
mit.edu nameserver w20ns.mit.edu
mit.edu nameserver bitsy.mit.edu
mit.edu nameserver strawb.mit.edu
My computer does not provide the IP address information, although as far as I know it should appear.
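The messages dissected in questions 7/8, 13/14 and 17/18 can be understood by building and parsing them directly. The following Python script is an added example for this write-up; it is not part of the original report and is not Wireshark or nslookup code. It builds a type A query (no answers), a response carrying one A answer with the Name, Type, Class, Time to live and Data length fields that Wireshark lists, and an NS query whose response names the server in the Answers section and carries that server's address as a glue A record in the Additional section, which is where the IP address information missing in question 18 would appear if the resolver supplied it. The transaction ID 0x1234 and the 3600-second TTL on the NS records are constructed values; 18.9.22.169, 18.72.0.3 and the 1-minute TTL are the values reported above.

```python
import struct

DNS_PORT = 53                     # DNS queries go to UDP/53, as seen in questions 4 and 5
QTYPE_A, QTYPE_NS, QTYPE_CNAME = 1, 2, 5
QCLASS_IN = 1
TYPE_NAMES = {QTYPE_A: "A", QTYPE_NS: "NS", QTYPE_CNAME: "CNAME"}

def encode_name(name):
    """Encode 'www.mit.edu' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query: QR=0, RD=1, one question, zero answer/authority/additional RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def decode_name(msg, offset):
    """Decode labels at offset, following RFC 1035 compression pointers (0xC0xx)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_rr(msg, offset):
    """Parse one resource record into the fields Wireshark lists under Answers."""
    name, offset = decode_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlength]
    if rtype == QTYPE_A and rdlength == 4:
        data = ".".join(str(b) for b in rdata)           # dotted-quad address
    elif rtype in (QTYPE_NS, QTYPE_CNAME):
        data, _ = decode_name(msg, offset)               # rdata is itself a domain name
    else:
        data = rdata.hex()
    offset += rdlength
    return {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass,
            "ttl": ttl, "data_length": rdlength, "data": data}, offset

def parse_message(msg):
    """Dissect header, question and the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": qname, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})
    result = {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            records.append(rr)
        result[key] = records
    return result

def build_response(query, answers, additional=()):
    """Constructed response: echo the (single) question, append uncompressed RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, QCLASS_IN, ttl, len(rd)) + rd
                    for n, t, ttl, rd in list(answers) + list(additional))
    return header + query[12:] + body

def a_rdata(ip):
    """4-byte rdata for an A record."""
    return bytes(int(o) for o in ip.split("."))

def lab_examples():
    """Reproduce the two lookups from the report with constructed packets."""
    # Questions 13/14: type A query for www.mit.edu, one answer with a 1-minute TTL.
    query_a = build_query("www.mit.edu")
    resp_a = build_response(query_a, [("www.mit.edu", QTYPE_A, 60, a_rdata("18.9.22.169"))])
    # Questions 17/18: type NS query for mit.edu. The answer names the server; its address,
    # when the resolver supplies it, arrives as a glue A record in the Additional section.
    # The 3600 s TTL is constructed; 18.72.0.3 is bitsy.mit.edu's address from question 20.
    query_ns = build_query("mit.edu", QTYPE_NS)
    resp_ns = build_response(query_ns,
                             [("mit.edu", QTYPE_NS, 3600, encode_name("bitsy.mit.edu"))],
                             [("bitsy.mit.edu", QTYPE_A, 3600, a_rdata("18.72.0.3"))])
    return {"query_a": parse_message(query_a), "resp_a": parse_message(resp_a),
            "query_ns": parse_message(query_ns), "resp_ns": parse_message(resp_ns)}

if __name__ == "__main__":
    for label, parsed in lab_examples().items():
        print(label, parsed)
```

Running the script prints the four parsed messages. The same parse_message function can be pointed at the bytes of the DNS layer of a captured packet copied out of Wireshark as a hex stream, which gives the same Name/Type/Class/TTL/Data length fields for real traffic and makes it easy to check whether the glue records you expect in the Additional section were actually present.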
19. Provide a screenshot.
nslookup www.aiit.or.kr bitsy.mit.edu
Answer the following questions:
20. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?
The DNS query message is sent to 18.72.0.3. This is not my default DNS server. The IP corresponds to bitsy.mit.edu.
21. Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain any "answers"?
The DNS query message is standard type A. It does not contain any answers.
22. Examine the DNS response message. How many “answers” are provided? What