DNS Protocol Packet Capture

（一）nslookup

1. Run nslookup to obtain the IP address of a Web server in Asia. What is its IP address? 
ANSWER: I performed nslookup for www.baidu.com. Its IP address is 120.232.145.144.The 222.200.129.134 is the IP of local sever .

The purpose of this command is to obtain the IP address of the host www.baidu.com. The response to this command provides two pieces of information:

        1.Provide the name and IP address of the corresponding DNS server;
        2.The response itself is the host name and IP address of www.baidu.com. The local DNS server is likely to iteratively contact several other DNS servers to obtain results.

2. Run nslookup to determine the authoritative DNS server of a European university. 

ANSWER: (1) Obtain the web server IP address for the University of Cambridge: 128.232.132.8

(2) Obtain the authoritative DNS server name used by the University of Cambridge:

3. Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?

ANSWER: The request timed out, so I directly checked the IP address of Yahoo's email server， and the IP address of the mail server(s) is 74.6.160.138

（二）ipconfig

4. Enter the command prompt and enter:

ipconfig/all 

All information about the host has been displayed:The host can cache the recently obtained DNS records. To view these cache records and their information, enter:

ipconfig/displaydns

To clear the cache, enter:

ipconfig/flushdns

（三）Tracking DNS by Wireshark

5. Locate the DNS query and response messages. Are then sent over UDP or TCP? ANSWER: They are sent over UDP

This is the filter ip. addr=10.22.89.131, followed by my computer's IPv4 address:6. What is the destination port for the DNS query message? What is the source port of DNS response message?

ANSWER:

Destination port for the DNS query: 53

Source port of the DNS response: 537. To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?

ANSWER: It’s sent to 222.200.129.134, which is the IP address of one of my local DNS servers.8. Examine the DNS query message. What “Type” of DNS query is it? Does the query 
message contain any “answers”?

ANSWER: It’s a type A Standard Query and it doesn’t contain any answers.9. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

ANSWER: There were 2 answers containing information about the name of the host, the type of address, class, the TTL, the data length and the IP address.10. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP
address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?

ANSWER: The first SYN packet was sent to 10.252.89.131 which corresponds to the first IP address provided in the DNS response message.11. This web page contains images. Before retrieving each image, does your host issue new DNS queries?

ANSWER: No, only partially resend new DNS queries.

（四）DNS queries for nslookup①

Use nslookup to search for www.mit.adu. The packet capture is as follows.12. What is the destination port for the DNS query message? What is the source port of DNS response message?

ANSWER: The destination port of DNS query is 53 and the source port of DNS response is 53.13. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

ANSWER: It’s sent to 222.200.129.134 which as we can see from the ipconfig –all screenshot, is the default local DNS server.222.200.129.134 is the IP address of my default local DNS server.

14. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

ANSWER: The query is of type A and it doesn’t contain any answers.15. Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

ANSWER: The response DNS message contains one answer containing the name of the host, the type of address, the class, and the IP address.

（五）DNS queries for nslookup②

nslookup -type=NS mit.edu

16. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

ANSWER: It was sent to 128.238.29.22 which is my default DNS server.222.200.129.134 is the IP address of my default local DNS server.

17. Examine the DNS query message. What “Type” of DNS query is it? Does the query 
message contain any “answers”?

ANSWER: It’s a type NS DNS query that doesn’t contain any answers.

18. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?
ANSWER: The nameservers are bitsy, strawb and w20ns. We can find their IP addresses if we 
expand the Additional records field in Wireshark as seen below.The response message did not provide the IP address of MIT's domain name.

（六）DNS queries for nslookup③

nslookup www.aiit.or.kr bitsy.mit.edu

19. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server? If not, what does the IP address correspond to?

ANSWER: The query is sent to 192.168.192.33. The source of 192.168.192.186 is not the ip of my local dns service.

20. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?

ANSWER: It’s a type NS DNS query that doesn’t contain any answers.

21. Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?
ANSWER: The nameservers are bitsy, strawb and w20ns. We can find their IP addresses if we
expand the Additional records field in Wireshark as seen below.