Subject: Computer Networks
Course Code: CSE 334
Course Credit: 1
Lecturer: Rajibul Anam
Computer Networks LAB-3
1. nslookup
Let’s start our investigation of the DNS by examining the nslookup command, which will
invoke the underlying DNS services to implement its functionality. The nslookup
command is available in most Microsoft, Apple IOS, and Linux operating systems. To run
nslookup you just type the nslookup command on the command line in a DOS window,
Mac IOS terminal window, or Linux shell.
In its most basic operation, nslookup allows the host running nslookup to query any
specified DNS server for a DNS record. The queried DNS server can be a root DNS server, a
top-level-domain (TLD) DNS server, an authoritative DNS server, or an intermediate DNS
server (see the textbook for definitions of these terms). For example, nslookup can be
used to retrieve a “Type=A” DNS record that maps a hostname (e.g., [Link]) to its IP
address. To accomplish this task, nslookup sends a DNS query to the specified DNS
server (or the default local DNS server for the host on which nslookup is run, if no specific
DNS server is specified), receives a DNS response from that DNS server, and displays the
result.
Let’s take nslookup out for a spin! We’ll first run nslookup on the Linux command line on
the [Link] host located in the CS Department at the University of
Massachusetts (UMass) campus, where the local name server is named
[Link] (which has an IP address [Link]). Let’s try nslookup in its
simplest form:
1|Page Rajibul Anam
Figure 1: the basic nslookup command
In this example the nslookup command is given one argument, a hostname
([Link]). In words, this command is saying “please send me the IP address for the
host [Link].” As shown in the screenshot, the response from this command
provides two pieces of information: (1) the name and IP address of the DNS server that
provides the answer – in this case the local DNS server at UMass; and (2) the answer itself,
which is the canonical host name and IP address of [Link]. You may have noticed
that there are two name/address pairs provided for [Link]. The first ([Link])
is an IPv4 address in the familiar-looking dotted decimal notation; the second
([Link]) is a longer and more complicated looking IPv6 address. We’ll
learn about IPv4 and IPv6 and their two different addressing schemes later in Chapter 4.
For now, let’s just focus on our more comfortable (and common) IPv4 world [1].
Although the response came from the local DNS server (with IP address [Link]) at
UMass, it is quite possible that this local DNS server iteratively contacted several other
DNS servers to get the answer, as described in Section 2.4 of the textbook.
In addition to using nslookup to query for a DNS “Type=A” record, we can also use
nslookup to query for a “Type=NS” record, which returns the hostname (and its IP
address) of an authoritative DNS server that knows how to obtain the IP addresses for
hosts in the authoritative server’s domain.
[1] For Mac OS, if you want to work just in the IPv4 world: System Preferences -> Network. Then select your
active interface (e.g., Wi-Fi) and Advanced -> TCP/IP. Then select the Configure IPv6 drop-down menu and set
it to “Link-local only” or “Off”.
Figure 2: using nslookup to find the authoritative name servers for the [Link]
domain
In the example in Figure 2, we’ve invoked nslookup with the option “-type=NS” and the
domain “[Link]”. This causes nslookup to send a query for a type-NS record to the
default local DNS server. In words, the query is saying, “please send me the host names of
the authoritative DNS for [Link]”. (When the -type option is not used, nslookup uses the
default, which is to query for type A records.) The answer, displayed in the above
screenshot, first indicates the DNS server that is providing the answer (which is the default
local UMass DNS server with address [Link]) along with three NYU DNS name
servers. Each of these servers is indeed an authoritative DNS server for the hosts on the
NYU campus. However, nslookup also indicates that the answer is “non-authoritative,”
meaning that this answer came from the cache of some server rather than from an
authoritative NYU DNS server. Finally, the answer also includes the IP addresses of the
authoritative DNS servers at NYU. (Even though the type-NS query generated by nslookup
did not explicitly ask for the IP addresses, the local DNS server returned these “for free”
and nslookup displays the result.)
nslookup has a number of additional options beyond “-type=NS” that you might want to
explore. Here’s a site with screenshots of ten popular nslookup uses:
[Link] and here are the
“man pages” for nslookup: [Link]
Lastly, we sometimes might be interested in discovering the name of the host associated
with a given IP address, i.e., the reverse of the lookup shown in Figure 1 (where the host’s
name was known/specified and the host’s IP address was returned). nslookup can also be
used to perform this so-called “reverse DNS lookup.” In Figure 3, for example, we specify
an IP address as the nslookup argument ([Link] in this example) and nslookup
returns the host name with that address ([Link] in this example).
Figure 3: using nslookup to perform a “reverse DNS lookup”
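The three lookups shown in Figures 1 to 3 (an A query, a -type=NS query and a reverse lookup) are all the same 12-byte-header message format on the wire. The following is an added example, not code from this lab or its textbook: it builds the queries nslookup sends, parses a reply so that the AA flag (the source of nslookup's “Non-authoritative answer” line), the question/answer/authority/additional counts and the “for free” A records can be read straight from the bytes, and shows the one-datagram UDP exchange to port 53 that nslookup uses by default. The reply it parses is constructed for the invented domain example.test; the names, addresses and TTLs in it are assumptions, and query_over_udp is only needed if you want to point it at a real resolver. The same parser answers the later trace questions about how many “questions” and “answers” a query or response message carries.

```python
# Added example (not from the lab): the DNS wire format behind nslookup's A, NS and reverse lookups.
import random
import socket
import struct

TYPE_A, TYPE_NS, TYPE_PTR, CLASS_IN = 1, 2, 12, 1

def encode_name(name):
    """'www.example.test' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def reverse_name(ipv4):
    """Name queried in a reverse lookup: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_query(name, qtype, txid=None):
    """12-byte header (QDCOUNT=1, RD=1 asks the local server to recurse) plus one question."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(msg, offset):
    """Decode a name, following 0xC0xx compression pointers; returns (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer: low 14 bits = target offset
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_message(msg):
    """Header flags and section counts, plus the decoded question and resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    r = {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
         "authoritative": bool(flags & 0x0400),   # AA clear -> nslookup's "Non-authoritative answer"
         "counts": (qd, an, ns, ar),              # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
         "question": [], "answer_rrs": [], "authority_rrs": [], "additional_rrs": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        r["question"].append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for key, count in (("answer_rrs", an), ("authority_rrs", ns), ("additional_rrs", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (TYPE_NS, TYPE_PTR):          # rdata is itself a (compressible) name
                value, _ = decode_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            r[key].append((name, rtype, ttl, value))
    return r

def query_over_udp(name, qtype, server, timeout=3.0):
    """What nslookup does by default: one UDP datagram to the server's port 53, one back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_message(data)

def sample_ns_response():
    """Constructed (not captured) reply to 'nslookup -type=NS example.test': AA=0, two NS answers,
    and the two name servers' A records sent 'for free' in the additional section."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 2)    # QR=1 RD=1 RA=1, AA=0
    msg += encode_name("example.test") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    qname_ptr = struct.pack("!H", 0xC000 | 12)                   # points at the question name
    ns_ptrs = []
    for label in (b"ns1", b"ns2"):
        rdata = bytes([len(label)]) + label + qname_ptr          # "ns1" + pointer = ns1.example.test
        msg += qname_ptr + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata))
        ns_ptrs.append(struct.pack("!H", 0xC000 | len(msg)))     # offset where this NS name starts
        msg += rdata
    for ptr, ip in zip(ns_ptrs, (b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")):  # 192.0.2.1, 192.0.2.2
        msg += ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + ip
    return msg
```

Running parse_message(sample_ns_response()) gives counts (1, 2, 0, 2) with authoritative False, which is exactly the shape of the Figure 2 output: one question, two NS answers, no authority records, and two additional A records for the name servers. Because the sample reply has the AA bit clear, nslookup would label it non-authoritative even though the NS records themselves name authoritative servers.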
Now that we’ve provided an overview of nslookup, it’s time for you to test drive it yourself.
Do the following (and write down the results [2]). If you’re doing this lab as part of class, your
teacher will provide details about how to hand in assignments, whether written or in an
LMS. If you’re unable to run the nslookup command or are answering this question using
an LMS, Figure 4 shows a screenshot of performing the nslookups in questions 1 and 4,
that will allow you to answer the questions below.
1. Run nslookup to obtain the IP address of the web server for the ZUMS, Bangladesh:
[Link]. What is the IP address of [Link]?
Ans:
The IP address is [Link]
2. What is the IP address of the DNS server that provided the answer to your nslookup
command nslookup -type=NS [Link] ?
[2] For the author’s class, when answering the following questions with hand-in assignments, students
sometimes need to print out specific packets (see the introductory Wireshark lab for an explanation of how to
do this) and indicate where in the packet they’ve found the information that answers a question. They do this
by marking paper copies with a pen or annotating electronic copies with text in a colored font. There are also
learning management system (LMS) modules for teachers that allow students to answer these questions
online and have answers auto-graded for these Wireshark labs at
[Link]
Ans:
3. Did the answer to your nslookup command in question 1 above come from an
authoritative or non-authoritative server?
Ans:
4. Use the nslookup command to determine the name of the authoritative name server
for the [Link]. What is that name? (If there is more than one authoritative
server, what is the name of the first authoritative server returned by nslookup?) If you
had to find the IP address of that authoritative name server, how would you do so?
Ans:
Figure 4: using nslookup to find the IP address of [Link] and the
names of the authoritative name servers for the [Link] domain
2. The DNS cache on your computer
From the description of iterative and recursive DNS query resolution (Figures 2.19 and 2.20)
in our textbook, you might think that the local DNS server must be contacted every time an
application needs to translate from a hostname to an IP address. That’s not always true in
practice!
Most hosts (e.g., your personal computer) keep a cache of recently retrieved DNS records
(sometimes called a DNS resolver cache), just like many Web browsers keep a cache of
objects recently retrieved by HTTP. When DNS services need to be invoked by a host, that
host will first check if the DNS record needed is resident in this host’s DNS cache; if the
record is found, the host will not even bother to contact the local DNS server and will
instead use this cached DNS record. A DNS record in a resolver cache will eventually
timeout and be removed from the resolver cache, just as records cached in a local DNS
server (see Figures 2.19, 2.20) will timeout.
You can also explicitly clear the records in your DNS cache. There’s no harm in doing so – it
will just mean that your computer will need to invoke the distributed DNS service next time
it needs to use the DNS name resolution service, since it will find no records in the cache.
On a Mac computer, you can enter the following command into a terminal window to clear
your DNS resolver cache:
sudo killall -HUP mDNSResponder
On a Windows computer you can enter the following commands at the command prompt:
ipconfig /displaydns
ipconfig /flushdns
and on a Linux computer, enter:
sudo systemd-resolve --flush-caches
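The resolver cache described above is easy to model, and doing so makes the two claims concrete: a cached record means the local DNS server is not contacted at all, and an expired or flushed record forces a fresh query. The following is an added example, not part of this lab: a toy host-side cache with TTL expiry, a flush (the counterpart of the commands just listed) and a display of live records. The “local DNS server” is a stub returning constructed records for the invented domain example.test, and a controllable clock stands in for real time so the TTL behaviour can be exercised without waiting.

```python
# Added example (not from the lab): a toy host-side DNS resolver cache with TTL expiry and a flush,
# to show when the local DNS server is contacted and when a cached record is used instead.
import time

class ResolverCache:
    def __init__(self, upstream, clock=time.monotonic):
        self._upstream = upstream       # function(name) -> (address, ttl_seconds): the "local DNS server"
        self._clock = clock
        self._records = {}              # name -> (address, expiry time)
        self.upstream_queries = 0       # how often the local DNS server actually had to be asked

    def resolve(self, name):
        """Return (address, served_from_cache)."""
        key = name.rstrip(".").lower()  # names are case-insensitive; ignore a trailing root dot
        now = self._clock()
        cached = self._records.get(key)
        if cached is not None and cached[1] > now:
            return cached[0], True      # hit: the local DNS server is not contacted at all
        if cached is not None:
            del self._records[key]      # expired, just like a timed-out record on a DNS server
        address, ttl = self._upstream(key)
        self.upstream_queries += 1
        self._records[key] = (address, now + ttl)
        return address, False

    def flush(self):
        """The equivalent of 'ipconfig /flushdns' or 'systemd-resolve --flush-caches'."""
        self._records.clear()

    def display(self):
        """The equivalent of 'ipconfig /displaydns': live records with their remaining TTL."""
        now = self._clock()
        return {n: (a, int(e - now)) for n, (a, e) in self._records.items() if e > now}

class FakeClock:
    """Controllable clock so the TTL behaviour can be shown without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

# Constructed records standing in for what the local DNS server would return (assumed values).
CONSTRUCTED_ZONE = {"www.example.test": ("192.0.2.10", 60), "ns1.example.test": ("192.0.2.1", 3600)}

def stub_upstream(name):
    return CONSTRUCTED_ZONE[name]       # KeyError plays the role of an NXDOMAIN reply

def demo():
    """Sequence of lookups; returns which were cache hits and how many reached the upstream server."""
    clock = FakeClock()
    cache = ResolverCache(stub_upstream, clock)
    hits = []
    hits.append(cache.resolve("www.example.test")[1])     # first lookup: miss
    hits.append(cache.resolve("WWW.example.test.")[1])    # same name, different spelling: hit
    clock.advance(61)                                     # past the 60 s TTL
    hits.append(cache.resolve("www.example.test")[1])     # expired: miss again
    hits.append(cache.resolve("www.example.test")[1])     # hit
    cache.flush()
    hits.append(cache.resolve("www.example.test")[1])     # flushed: miss
    return hits, cache.upstream_queries
```

demo() returns ([False, True, False, True, False], 3): five lookups of the same name, but only three of them reach the upstream server, and the two misses after the first are caused by TTL expiry and by the explicit flush respectively. This is the behaviour the Wireshark trace in the next section makes visible, where a second page fetch to a cached name produces an HTTP request with no DNS query in front of it.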
3. Tracing DNS with Wireshark
Now that we are familiar with nslookup and clearing the DNS resolver cache, we’re ready
to get down to some serious business. Let’s first capture the DNS messages that are
generated by ordinary Web-surfing activity.
• Clear the DNS cache in your host, as described above.
• Open your Web browser and clear your browser cache.
• Open Wireshark and enter [Link] == <your_IP_address> into the display filter,
where <your_IP_address> is the IPv4 address of your computer [3]. With this filter,
Wireshark will only display packets that either originate from, or are destined to,
your host.
• Start packet capture in Wireshark.
• With your browser, visit the Web page: [Link]
• Stop packet capture.
If you are unable to run Wireshark on a live network connection, you can download a
packet trace file that was captured while following the steps above on one of the author’s
computers [4]. Answer the following questions.
[3] If you’re not sure how to find the IP address of your computer, you can search the Web for articles for your
operating system. Windows 10 info is here; Mac info is here; Linux info is here.
[4] You can download the zip file [Link] and extract
the trace file dns-wireshark-trace1-1. These trace files can be used to answer these Wireshark lab questions
without actually capturing packets on your own. Each trace was made using Wireshark running on one of the
author’s computers, while performing the steps indicated in the Wireshark lab. Once you’ve downloaded a
trace file, you can load it into Wireshark and view the trace using the File pull-down menu, choosing Open,
and then selecting the trace file name.
5. Locate the first DNS query message resolving the name [Link]. What is the
packet number [5] in the trace for the DNS query message? Is this query message sent
over UDP or TCP?
Ans:
The Packet Number is 2. Message sent over UDP.
6. Now locate the corresponding DNS response to the initial DNS query. What is the
packet number in the trace for the DNS response message? Is this response message
received via UDP or TCP?
[5] Remember that this “packet number” is assigned by Wireshark for listing purposes only; it is NOT a packet
number contained in any real packet header.
Ans:
The Packet Number is 4. Message received over UDP.
7. What is the destination port for the DNS query message? What is the source port of the
DNS response message?
Ans: Destination Port: 54934, Source Port: 53
8. To what IP address is the DNS query message sent?
Ans:
9. Examine the DNS query message. How many “questions” does this DNS message
contain? How many “answers” does it contain?
Ans:
Type A standard query, and it does not contain any query.
10. Examine the DNS response message to the initial query message. How many
“questions” does this DNS message contain? How many “answers” does it contain?
Ans:
No answer.
11. The web page for the base file [Link] references the image object [Link],
which, like the base webpage, is on [Link]. What is the packet number in the trace
for the initial HTTP GET request for the base file [Link]? What is the packet number
in the trace of the DNS query made to resolve [Link] so that this initial HTTP request
can be sent to the [Link] IP address? What is the packet number in the trace of the
received DNS response? What is the packet number in the trace for the HTTP GET request
for the image object [Link]? What is the packet number in the DNS query made to
resolve [Link] so that this second HTTP request can be sent to the [Link] IP
address? Discuss how DNS caching affects the answer to this last question.
Now let’s play with nslookup [6].
● Start packet capture.
● Do an nslookup on [Link]
● Stop packet capture.
You should get a trace that looks something like the following in your Wireshark window.
Let’s look at the first type A query (which is packet number 19 in the figure below, and
indicated by the “A” in the Info column for that packet).
[6] If you are unable to run Wireshark and capture a trace file, or are using an LMS, use the trace file dns-
wireshark-trace-2 in the zip file of traces in the footnote above to answer questions 12-16 below.
12. What is the destination port for the DNS query message? What is the source port of the
DNS response message?
13. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server?
14. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?
15. Examine the DNS response message to the query message. How many “questions”
does this DNS response message contain? How many “answers”?
Last, let’s use nslookup to issue a command that will return a type NS DNS record. Enter
the following command:
nslookup -type=NS [Link]
and then answer the following questions [7]:
16. To what IP address is the DNS query message sent? Is this the IP address of your default
local DNS server?
17. Examine the DNS query message. How many questions does the query have? Does the
query message contain any “answers”?
[7] If you are unable to run Wireshark and capture a trace file, or are using an LMS, use the trace file dns-
wireshark-trace-3 in the zip file of traces in the footnote above to answer questions 17-19 below.
18. Examine the DNS response message. How many answers does the response have?
What information is contained in the answers? How many additional resource records
are returned? What additional information is included in these additional resource
records?