Lab3_DNS
nslookup
Read the nslookup instructions carefully and add any comments you want.
It displays the default server and its address, information you can use to diagnose
Domain Name System (DNS) infrastructure. Nslookup is only available if the TCP/IP
protocol is installed.
If you need to look up only a single piece of data, use noninteractive mode.
If you need to look up more than one piece of data, you can use interactive mode.
Can you find what your local-default DNS server is? Explain how you got that
information.
Can you see the same number of IP addresses in both cases? Try to find an
explanation to what you see.
For the less popular host we see that it returns fewer addresses than the popular ones.
In case a), try to enter the same hostname several times. Do you get always the same
IP address as a response? Why (give an explanation)?
In this case the result is the same: the same addresses are returned, only in a different
order. Because of server load balancing the results can vary. Server Load Balancing is the
practice of distributing web and application traffic across multiple servers in different
locations to improve network performance, increase reliability, and achieve high availability.
For example, with google the results vary.
Open the Wireshark sniffer program. Save the messages that are exchanged in a
nslookup request. Try to explain the different fields that you see in those messages
and to identify all of them according to what we have seen in the theoretical part of
this subject.
In this case there is a question indicating that a device on the network is attempting to
resolve the domain name "microsoft.com" to an IP address. Type A is the record type of an IP
address. Class IN is the network class, in this case Internet.
These are the answer RRs. Type A is the record type of an IP address. Class IN is the
network class, in this case Internet. The time to live is the number of seconds this record
stays valid in the cache before the server has to be consulted again. The data length is the
length of the data field.
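To tie the Wireshark fields to the bytes on the wire, here is an added example (not part of the original lab) that parses a constructed DNS response for microsoft.com: the header flags (QR, AA, TC, RD, RA), the question, and an A answer with its TTL and data length. The message bytes and the address 192.0.2.10 are constructed, not captured.

```python
import struct

# Constructed DNS response (not a real capture): ID 0x1234, flags 0x8180
# (QR=1, AA=0 so "non-authoritative", RD=1, RA=1), one question for
# microsoft.com type A class IN, one A answer with TTL 300 and the
# documentation address 192.0.2.10. The answer name is a compression
# pointer (0xC00C) back to the question name at offset 12.
RAW = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
       b"\x09microsoft\x03com\x00\x00\x01\x00\x01"
       b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")

def read_name(msg, off):
    """Decode a label sequence at off, following compression pointers.
    Returns the dotted name and the offset just past the name field."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer: 14-bit offset into msg
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                 # field ends after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:                           # root label terminates the name
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg):
    """Split a DNS message into header flags, questions and answer RRs."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    hdr = {"id": ident, "response": bool(flags & 0x8000),
           "authoritative": bool(flags & 0x0400), "truncated": bool(flags & 0x0200),
           "recursion_desired": bool(flags & 0x0100),
           "recursion_available": bool(flags & 0x0080), "rcode": flags & 0xF}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:         # type A: four-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "rdlength": rdlen, "rdata": rdata})
    return hdr, questions, answers
```

With AA clear, a resolver reports the answer as non-authoritative, which is the "Non-authoritative answer" line nslookup prints.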
Does it rely on TCP or UDP as transport layer (try to find examples with both cases)?
The domain www.msftncsi.com is used for the Microsoft Network Connectivity Status
Indicator (NCSI). It's part of what makes "network awareness" work in Windows.
It relies on both TCP and UDP, but there are more messages over UDP than over TCP.
Some of the nslookup sites also return the hostname and IP address of the name
server that provides the information. Also, some of the nslookup sites indicate
whether the result is non-authoritative (i.e., obtained from a cache). Try to find
examples of all these cases.
Some of the nslookup sites allow the user to supply more information. For example,
the user can request to receive the canonical hostname and IP address for a mail
server. And the user can also indicate the name server at which it wants the chain of
queries to begin.
Optional: Try to repeat some of the questions you have answered in point 1.2, but now
using the dig tool.
Dig works like nslookup but provides more information and allows tracing, recursive queries
and querying specific servers.
With “trace” you trace the delegation path down from the root name servers for the name
being looked up.
1.4. Going deeper (additional and optional work):
- Iterative vs recursive (table with the main differences, pros and cons, dangers of the
use of any of them, ...)
Iterative vs recursive:
For the iterative, the client (user or DNS server) queries multiple servers, one by one. It
asks a DNS server if it knows the IP address and, if not, the server tells it where to ask
next. This process loops until the IP is found. Some advantages are that it uses less memory
and processing power than recursive, and has less risk of attacks because it doesn't store
messages. It is slower than recursive due to the multiple steps, and can also be difficult
to configure.
For the recursive, a DNS server resolves everything for you and provides the final
answer. You ask a DNS server and it does all the research for you and gives you the
final IP address. It is faster than iterative, and there is no need to know which server to
query. If there are too many requests the server can be overloaded, and it is also more
vulnerable to attacks (DNS poisoning).
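The two resolution styles above, as an added example that is not part of the original lab: a constructed toy namespace (root, a com server, and an example.com server) in which an iterative client follows referrals itself, the way dig +trace walks the delegation path, while a recursive resolver does the walking for the client and keeps a cache. Server names, records and the address 192.0.2.80 are constructed.

```python
# Constructed toy namespace (not real DNS data): each server holds either an
# answer ('A') or a referral ('NS') to the next server down the delegation chain.
ZONES = {
    "root":       {"com.": ("NS", "com-ns")},
    "com-ns":     {"example.com.": ("NS", "example-ns")},
    "example-ns": {"www.example.com.": ("A", "192.0.2.80")},
}

def ask(server, qname):
    """One query to one server. It answers from the longest matching name it
    holds: an ('A', ip) record or an ('NS', next_server) referral."""
    best = None
    for name, rec in ZONES[server].items():
        if qname == name or qname.endswith("." + name):
            if best is None or len(name) > len(best[0]):
                best = (name, rec)
    return best[1] if best else ("NX", None)   # nothing known: no referral either

def iterative_resolve(qname, start="root"):
    """Iterative client: follows referrals itself. Returns the answer (or None)
    and the list of servers it had to query, i.e. the delegation path."""
    path, server = [], start
    while True:
        path.append(server)
        kind, value = ask(server, qname)
        if kind != "NS":
            return value, path
        server = value

class RecursiveResolver:
    """Recursive server: does the iteration on the client's behalf and keeps a
    cache. That is why it answers later queries faster, and also why it holds
    state that an attacker would try to poison."""
    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, qname):
        """Returns the answer and how many upstream queries this call needed."""
        if qname in self.cache:
            return self.cache[qname], 0        # served from cache, no upstream traffic
        ip, path = iterative_resolve(qname)
        self.upstream_queries += len(path)
        self.cache[qname] = ip
        return ip, len(path)
```

The client of the recursive resolver sends one query and gets three upstream queries done for it; the second identical query costs the resolver nothing, which is the load and caching trade-off described above.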
Inverse query:
An inverse DNS query is the process of determining the domain name associated with a
given IP address. This is the opposite of the DNS lookup used in the exercises before.
Reverse DNS lookups are useful for various network diagnostic and administrative tasks,
like verifying the domain names of incoming email servers to combat spam or identifying
the domain names associated with IP addresses in server logs.
It works like this: you have an IP address like 8.8.8.8 and you use, for example, the
nslookup command to request the domain name of that IP. The DNS server looks for a
special record called a "PTR record" (Pointer Record).
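As an added example (not part of the original lab), this builds the reverse-lookup name for 8.8.8.8 the way the PTR lookup above requires, and goes a step beyond the text by handling IPv6 too (nibbles reversed under ip6.arpa). It then assembles the wire-format PTR query and shows the 2-byte length prefix that distinguishes the TCP form from the UDP form discussed earlier; the query ID 0x2a2a is an arbitrary constructed value.

```python
import ipaddress
import struct

def ptr_name(ip: str) -> str:
    """Owner name for a reverse lookup.
    IPv4: octets reversed under in-addr.arpa (8.8.8.8 -> 8.8.8.8.in-addr.arpa).
    IPv6: all 32 hex nibbles of the expanded address reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")     # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_ptr_query(ip: str, ident: int = 0x2A2A) -> bytes:
    """Wire-format PTR query (type 12, class IN) with RD=1 and one question,
    which is what nslookup sends in a UDP datagram. ident is a constructed ID."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(ptr_name(ip)) + struct.pack("!HH", 12, 1)

def tcp_framed(query: bytes) -> bytes:
    """Over TCP the identical message is sent with a 2-byte length prefix, since
    the stream has no datagram boundaries to mark where one message ends."""
    return struct.pack("!H", len(query)) + query
```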
Iterative                                            | Recursive
-----------------------------------------------------|------------------------------------------------------
Uses less memory and processing power, and has less  | If there are too many requests the server can be
risk of attacks because it doesn't store messages.   | overloaded, and it is also more vulnerable to
                                                     | attacks (DNS poisoning).