
Assignment 5

The document describes the results of running various commands to analyze DNS queries and responses using Wireshark. nslookup was used to find IP addresses for different domains. ipconfig was used to view local TCP/IP settings and cached DNS records. Wireshark captured DNS queries for domains like mit.edu and the responses, which were sent over UDP and contained IP addresses and other DNS record types. Repeated tests were done with nslookup for different record types, such as NS and A records. The DNS queries were sent to the local DNS server, and the responses contained nameservers or IP addresses as answers, depending on the query type.

Uploaded by muqaddas fatima

Assignment

Wireshark Lab: DNS

Submitted To: Dr. Akmal Khan
Submitted By: Muqaddas Fatima, MSCS (1st Semester), SP20M2LA054

Wireshark Lab: DNS

Part 1: nslookup

1. Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that server?

I performed nslookup for www.iub.com. Its IP address is 69.172.201.153.

Figure 1: nslookup www.iub.com

nslookup indicates that the answer is “non-authoritative,” meaning that this answer
came from the cache of some server rather than from an authoritative IUB DNS server.

I also performed nslookup for www.mit.edu. Its IP address is 104.106.107.112.

Figure 2: nslookup www.mit.edu

nslookup indicates that the answer is “non-authoritative,” meaning that this answer
came from the cache of some server rather than from an authoritative MIT DNS
server.

2. Run nslookup to determine the authoritative DNS servers for a university in Europe.

For this query, I used the webpage for Oxford University in England. This webpage is
http://www.ox.ac.uk. The authoritative DNS server is raptor.dns.ox.ac.uk.

Figure 3: nslookup -type=NS www.ox.ac.uk

Here we provided the option “-type=NS” and the domain “ox.ac.uk”.

I also ran the command that is given in the lab file; see the screenshot below.

Figure 4: nslookup -type=NS mit.edu



3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?

The IP address returned when that DNS server is queried for the Yahoo! Mail server is 87.248.118.22.

Figure 5: nslookup for Yahoo! Mail

The IP address for the DNS server bitsy.mit.edu is 18.0.72.3.

Figure 6: nslookup bitsy.mit.edu



Part 2: IPconfig

There are no questions for Part 2 of this lab, but there are some commands to perform.
For example, run ipconfig /all on the current machine. This displays my machine's current
TCP/IP information, including my IP address, DNS server address and other additional
information.

Figure 7: ipconfig /all

It then asks that we display our recently cached DNS records by using the command ipconfig
/displaydns.

Figure 8: ipconfig /displaydns

Finally, we are told to clear the above cache by entering ipconfig /flushdns.

Figure 9: ipconfig /flushdns



Part 3: Tracing DNS with Wireshark

4. Locate the DNS query and response messages. Are they sent over UDP or TCP?
The DNS query and response messages are sent over UDP.

Figure 10: Tracing DNS

5. What is the destination port for the DNS query message? What is the
source port of DNS response message?
The destination port is 53.
The source port is 53.

Figure 11: Port Number for DNS query



Figure 12: Port Number for DNS response

6. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?

The DNS query was sent to IP address 192.168.1.1. Yes it is the same IP address as that
of my local DNS server.

Figure 13: IP address of DNS Server



7. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
The query message was a type “A” query, but the message did not contain any
“answers.”

Figure 14: Type of DNS query

8. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
There were 3 answers containing information about the name of the host, the type of
address, class, the TTL, the data length and the IP address.

Figure 15: DNS response message



9. Consider the subsequent TCP SYN packet sent by your host. Does the
destination IP address of the SYN packet correspond to any of the IP
addresses provided in the DNS response message?
The first SYN packet was sent to www.itef.org.cdn.cloudflare.net which corresponds
to the first CNAME provided in the DNS response message.
The second SYN packet was sent to 104.20.1.85 which corresponds to the first IP
address provided in the DNS response message.
The third SYN packet was sent to 104.20.0.85 which corresponds to the first IP address
provided in the DNS response message.

Figure 16: DNS response message

10. This web page contains images. Before retrieving each image, does your host issue new DNS queries?

No, my host did not issue new DNS queries before the images were retrieved.

Part 3(a): Nslookup with Wireshark

Now let’s practice with nslookup.

Start packet capture.
Do an nslookup on www.mit.edu.
Stop packet capture.

11. What is the destination port for the DNS query message? What is the
source port of DNS response message?
The destination port is 53.
The source port is 57170.

Figure 17: DNS query Port Number

The destination port is 57170.


The source port is 53.

Figure 18: DNS Response Port Number



12. To what IP address is the DNS query message sent? Is this the IP address
of your default local DNS server?

The DNS query is sent to IP address 192.168.1.1. Yes it is the same IP address as that
of my local DNS server.

Figure 19: IP address of DNS Server

13. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?

The DNS query message is a type “A” query, containing only one question and not
containing any answers.

Figure 20: Type of DNS query



14. Examine the DNS response message. How many “answers” are
provided? What do each of these answers contain?
The response DNS message contains three answers containing the name of the host,
the type of address, the class, and the IP address.

Figure 21: DNS response message

15. Provide a screenshot.
I have already attached a screenshot to the answer of every question.

Part 3(b): Nslookup with Wireshark

Now I repeat the previous experiment, but with a different command:

Start packet capture.
Do an nslookup -type=NS mit.edu.
Stop packet capture.

16. To what IP address is the DNS query message sent? Is this the IP address
of your default local DNS server?

The DNS query is sent to IP address 192.168.1.1. Yes it is the same IP address as that
of my local DNS server.

Figure 22: IP address of DNS Server

17. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?

The DNS query is a type “NS” message including one question. The query message did
not contain any answers.

Figure 23: Type of DNS query

18. Examine the DNS response message. What MIT nameservers does the
response message provide? Does this response message also provide the
IP addresses of the MIT nameservers?

The nameservers are usw2, asia2, eur5, use5, ns1-37, ns1-173, asia1 and use2. No, this
response message doesn’t provide the IP addresses of the MIT nameservers. If Wireshark
provided additional information, we could find their IP addresses, but in this response
message Wireshark doesn’t provide additional information, as seen below.

Figure 24: DNS response message

19. Provide a screenshot.
I have already attached a screenshot to the answer of every question.

Part 3(c): Nslookup with Wireshark

Now I repeat the previous experiment, but with a different command:

Start packet capture.
Do an nslookup www.aiit.or.kr bitsy.mit.edu.
Stop packet capture.

20. To what IP address is the DNS query message sent? Is this the IP address
of your default local DNS server? If not, what does the IP address
correspond to?

The DNS query is sent to IP address 192.168.1.1. Yes it is the same IP address as that
of my local DNS server.

Figure 25: IP address of DNS Server

21. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?

The DNS query is a type “A” message including only one question. The query message
did not contain any answers.

Figure 26: Type of DNS query

22. Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?

It only provided one “answer” containing the server's IP address; however, the server
also returned a flag stating that it could complete a recursive query.

Figure 27: DNS response message
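The fields that Wireshark dissects in the messages above (the A query with no answers and the multi-answer response in Questions 7 and 8, the NS reply with no additional records in Question 18, and the recursion-available flag noted in Question 22) can be checked against the DNS wire format directly. The parser below is an added example, not part of the lab or its handout; the CNAME target cdn.example.net is made up, and 104.106.107.112 is the address from Figure 2.

```python
import struct
TYPES = {1: "A", 2: "NS", 5: "CNAME"}

def encode_name(name):                          # 'www.mit.edu' -> b'\x03www\x03mit\x03edu\x00'
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
def build_query(qname, qtype, txid=0x1234):     # flags 0x0100 = RD; 1 question, 0 RRs (Figure 14)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)
def rr(owner, rtype, ttl, rdata):               # NAME TYPE CLASS=IN TTL RDLENGTH RDATA (RFC 1035 4.1.3)
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def read_name(msg, off):                        # decode a name, following compression pointers
    labels, end = [], None
    while True:
        n = msg[off]
        if n >= 0xC0:                           # top two bits 11: 2-byte pointer; remember where to resume
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:                            # root label terminates the name
            return ".".join(labels), (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_message(msg):                         # header flags, question, and the three RR sections
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
           "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):                         # question: QNAME, QTYPE, QCLASS
        name, off = read_name(msg, off)
        out["questions"].append((name, TYPES.get(msg[off] << 8 | msg[off + 1])))
        off += 4
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            data = (".".join(map(str, msg[off:off + 4])) if rtype == 1 else          # A: IPv4 address
                    read_name(msg, off)[0] if rtype in (2, 5) else msg[off:off + rdlen].hex())
            out[section].append({"name": name, "type": TYPES.get(rtype, rtype), "class": rclass,
                                 "ttl": ttl, "rdlen": rdlen, "data": data})
            off += rdlen
    return out

# Constructed reply to build_query("www.mit.edu", 1): flags 0x8180 (QR, RD, RA), two answers: a CNAME
# (made-up target; b"\xc0\x0c" points back at the question name) and the A record from Figure 2.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
                   + encode_name("www.mit.edu") + struct.pack("!HH", 1, 1)
                   + rr(b"\xc0\x0c", 5, 60, encode_name("cdn.example.net"))
                   + rr(encode_name("cdn.example.net"), 1, 20, bytes([104, 106, 107, 112])))
```

Running parse_message on build_query output shows one question and empty RR sections, exactly as Figure 14; on SAMPLE_RESPONSE it yields the name, type, class, TTL, data length and address of each answer that Figure 15 lists.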

23. Provide a screenshot.
I have already attached a screenshot to the answer of every question.
