Wireshark Lab 3: DNS

Part 1) NSLOOKUP

Questions)
1.) Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that server?

2.) Run nslookup to determine the authoritative DNS servers for a university in Europe.

3.) Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?

I wasn’t sure which one was correct, so I typed both IP addresses into my browser and found that 98.139.102.145 was the IP address for Yahoo! Mail.
Although this is the page that was displayed.

Part 2) IPCONFIG

Part 3) Tracing DNS with Wireshark

Now that we are familiar with nslookup and ipconfig, we’re ready to get down to some serious business. Let’s first capture the DNS packets that are generated by ordinary Web surfing activity.
• Use ipconfig to empty the DNS cache in your host (ipconfig /flushdns), so that the browser has to send fresh queries instead of answering from the cache.

• Open your browser and empty your browser cache. (With Internet Explorer, go to the Tools menu and select Internet Options; then in the General tab select Delete Files.)

• Open Wireshark and enter “ip.addr == your_IP_address” into the filter, where you obtain your_IP_address with ipconfig. This filter removes all packets that neither originate from nor are destined to your host.

• Start packet capture in Wireshark.

• With your browser, visit the Web page: http://www.ietf.org

• Stop packet capture.

Questions)
4.) Locate the DNS query and response messages. Are they sent over UDP or TCP?

The DNS query and response messages are sent over UDP: Wireshark shows each of them as a single UDP datagram. DNS uses TCP only for zone transfers and for answers too large to fit in a UDP datagram, neither of which happens for an ordinary lookup of a web site.

5.) What is the destination port for the DNS query message? What is the source port of DNS response message?

The destination port for the DNS query message is 53, the well-known DNS port. (Port 80 is HTTP; the browser connects to it only after the name has been resolved.)
The DNS response message is sent from source port 53 back to the ephemeral port that the query was sent from, which was 58508 in this capture; Wireshark shows that number as the source port of the query and the destination port of the response.

6.) To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?

The DNS query message is sent to 64.170.98.30, while the IP address of my local DNS server reported by ipconfig is 10.33.129.139. These two IP addresses are not the same. Normally they match, because the host’s stub resolver sends its queries to the DNS server listed by ipconfig; a different destination means the query went to another resolver.

7.) Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

8. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

9. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?

10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?

Now let’s play with nslookup for www.mit.edu: start a capture and issue the command nslookup www.mit.edu.


11. What is the destination port for the DNS query message? What is the source port of DNS response message?
The destination port for the DNS query message is 53, the DNS port, not 80.
The DNS response message is sent from source port 53 back to the ephemeral port the query came from, 51774 in this capture.

12. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?
nslookup sends the query to the host’s default resolver (the DNS server listed by ipconfig) unless a different server is named on the command line, so the destination address of the query should be that resolver. The address 18.9.22.169 lies in MIT’s address space and is what the response returns for www.mit.edu; it appears in the answer section of the response, not as the destination of the query.

13. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”

14. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

15. Provide a screenshot.
Screenshot is provided above question 11.

Now repeat the previous experiment, but instead issue the command: nslookup -type=NS mit.edu
Answer the following questions

16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

17. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?

19. Provide a screenshot.

Now repeat the previous experiment, but instead issue the command: nslookup www.aiit.or.kr bitsy.mit.edu
Answer the following questions

20. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?
The DNS query message was sent to 18.72.0.3. This is not the IP address of my default DNS server; it is the address of bitsy.mit.edu, the name server given as the second argument to nslookup, so the query was sent directly to that server instead of to the default resolver.

21. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?

23. Provide a screenshot.
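The message fields that questions 4 to 22 ask you to read off the capture (UDP ports, transaction ID, QR flag, query type, and the answer, authority and additional sections) are shown below in an added Python example; it is not part of the original lab. It builds the same UDP/53 query that the browser's stub resolver or nslookup sends and parses constructed responses. The addresses 192.0.2.10 and 192.0.2.11 for www.ietf.org, the TTLs, the transaction IDs, the name server strawb.mit.edu and its address 18.71.0.151 are made-up sample values; bitsy.mit.edu at 18.72.0.3 is taken from question 20. All function names are my own.

```python
import struct

DNS_PORT = 53  # UDP/53 is the normal DNS transport; TCP/53 is used for zone transfers and oversized answers
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid):
    """12-byte header (QR=0, RD=1, QDCOUNT=1) followed by one question; a query carries no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def read_name(msg, off):
    """Decode a domain name, following 0xC0xx compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def read_rr(msg, off):
    """Parse one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1:                              # A: four-byte IPv4 address
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5):                       # NS, CNAME: a domain name
        data, _ = read_name(msg, off)
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": QTYPES.get(rtype, rtype), "ttl": ttl, "data": data}, off + rdlen

def parse_dns(msg):
    """Return the header fields Wireshark shows plus the question and the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": QTYPES.get(qtype, qtype)})
    out = {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "questions": questions}
    for key, count in (("answers", an), ("authority", ns), ("additional", ar)):
        out[key] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[key].append(rr)
    return out

def build_response(query, answers, additional=()):
    """Constructed reply to `query`: same ID, QR=1, RD+RA set; owner None means 'pointer to the question name'."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = read_name(query, 12)
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional)) + query[12:qend + 4]
    for owner, rtype, ttl, rdata in list(answers) + list(additional):
        owner_bytes = b"\xC0\x0C" if owner is None else encode_name(owner)
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def parse_udp(segment):
    """Split a UDP segment into (source port, destination port, payload)."""
    sport, dport, _length, _checksum = struct.unpack("!HHHH", segment[:8])
    return sport, dport, segment[8:]

def a_lookup_trace():
    """The Part 3 exchange for www.ietf.org; the 192.0.2.x answers are constructed sample addresses."""
    query = build_query("www.ietf.org", 1, 0x1234)
    to_server = struct.pack("!HHHH", 58508, DNS_PORT, 8 + len(query), 0) + query       # ephemeral -> 53, checksum 0
    sport, dport, payload = parse_udp(to_server)
    response = build_response(payload, [(None, 1, 1800, bytes([192, 0, 2, 10])),
                                        (None, 1, 1800, bytes([192, 0, 2, 11]))])
    from_server = struct.pack("!HHHH", DNS_PORT, sport, 8 + len(response), 0) + response  # 53 -> ephemeral
    return {"query": parse_dns(payload), "query_ports": (sport, dport),
            "response": parse_dns(parse_udp(from_server)[2]), "response_ports": parse_udp(from_server)[:2]}

def ns_lookup_trace():
    """nslookup -type=NS mit.edu: NS answers plus glue A records in the additional section (strawb/18.71.0.151 are sample values)."""
    query = build_query("mit.edu", 2, 0xBEEF)
    response = build_response(
        query,
        [(None, 2, 3600, encode_name("bitsy.mit.edu")), (None, 2, 3600, encode_name("strawb.mit.edu"))],
        [("bitsy.mit.edu", 1, 3600, bytes([18, 72, 0, 3])), ("strawb.mit.edu", 1, 3600, bytes([18, 71, 0, 151]))],
    )
    return parse_dns(query), parse_dns(response)
```

Calling a_lookup_trace() reproduces the answers to questions 4 to 8 and 11 to 14: the query leaves an ephemeral port for UDP port 53 with QR=0 and an empty answer section, and the response comes back from port 53 with the same transaction ID, QR=1, and one A record per address. ns_lookup_trace() covers questions 16 to 18: the NS records name the servers, and the glue A records for them sit in the additional section, which is why nslookup can print their addresses without a second lookup. To read the same fields from a real capture, save the DNS payload bytes from Wireshark and pass them to parse_dns().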
