Wireshark Lab: DNS v8.1

This post walks through using nslookup to obtain a web site's IP address and using Wireshark to follow DNS queries and responses. It covers the DNS server type, the ports, the packet numbers and transport protocol of the query and response, and the effect of the DNS cache. It also shows how to use nslookup to request a specific DNS record type.


My answers are not complete; corrections are welcome.

lab URL:https://gaia.cs.umass.edu/kurose_ross/wireshark.php

1.nslookup


1. Run nslookup to obtain the IP address of the web server for the Indian Institute of Technology in Bombay, India: www.iitb.ac.in. What is the IP address of www.iitb.ac.in?

As the image above shows, the IP address of www.iitb.ac.in is 103.21.124.10.

2. What is the IP address of the DNS server that provided the answer to your nslookup command in question 1 above?

127.0.0.53

3. Did the answer to your nslookup command in question 1 above come from an authoritative or non-authoritative server?

From a non-authoritative server.

4. Use the nslookup command to determine the name of the authoritative name server for the iit.ac.in domain. What is that name? (If there are more than one authoritative servers, what is the name of the first authoritative server returned by nslookup)? If you had to find the IP address of that authoritative name server, how would you do so?

2.The DNS cache on your computer


Just like many Web browsers keep a cache of objects recently retrieved by HTTP,most hosts(e.g.,your personal computer)keep a cache of recently retrieved DNS records(sometimes called a DNS resolver cache).When DNS services need to be invoked by a host, that host will first check if the DNS record needed is resident in this host’s DNS cache; if the record is found, the host will not even bother to contact the local DNS server and will instead use this cached DNS record.A DNS record in a resolver cache will eventually timeout and be removed from the resolver cache, just as records cached in a local DNS server will timeout.

On a Windows machine, run ipconfig /flushdns to clear the DNS cache. On Linux with systemd-resolved (the 127.0.0.53 stub resolver that answered in question 2 above), run resolvectl flush-caches.
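The caching behaviour described above, as an added example written for this write-up (not part of the lab or of any real resolver): a host-side cache keyed by (name, record type) whose entries expire when their TTL runs out, in front of a stand-in "local DNS server". The clock is injected so time can be advanced without sleeping; the answer 192.0.2.10 and TTL of 300 s are constructed values, not real data for gaia.cs.umass.edu.

```python
"""Added example: a minimal host-side DNS resolver cache with TTL expiry.

Illustrative code written for this write-up, not part of the lab or of any
real resolver. The clock is injected so the example can simulate time
passing deterministically instead of sleeping.
"""
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float  # absolute time in the clock's units


class ResolverCache:
    """Caches (name, rtype) -> rdata until the record's TTL has elapsed."""

    def __init__(self, clock):
        self._clock = clock
        self._entries = {}

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype)

    def get(self, name, rtype):
        entry = self._entries.get(self._key(name, rtype))
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            # TTL elapsed: evict the record, just as a real resolver cache would
            del self._entries[self._key(name, rtype)]
            return None
        return entry.rdata

    def put(self, name, rtype, rdata, ttl):
        self._entries[self._key(name, rtype)] = CacheEntry(rdata, self._clock() + ttl)

    def flush(self):
        """What `ipconfig /flushdns` or `resolvectl flush-caches` does to the OS cache."""
        self._entries.clear()


class FakeClock:
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class Host:
    """Resolves names the way the lab text describes: cache first, local DNS server only on a miss."""

    def __init__(self, cache, local_dns_server):
        self.cache = cache
        self.local_dns_server = local_dns_server  # callable (name, rtype) -> (rdata, ttl)
        self.queries_sent = 0                      # DNS query packets that would show up in Wireshark

    def resolve(self, name, rtype="A"):
        cached = self.cache.get(name, rtype)
        if cached is not None:
            return cached, "cache"
        self.queries_sent += 1
        rdata, ttl = self.local_dns_server(name, rtype)
        self.cache.put(name, rtype, rdata, ttl)
        return rdata, "server"


def local_dns_server(name, rtype):
    """Constructed stand-in for the local DNS server. The address (a
    documentation address) and the 300 s TTL are illustrative, not real data."""
    return "192.0.2.10", 300


def demo():
    """Walks through the scenario behind the lab's caching question and
    returns (where each lookup was answered from, number of query packets sent)."""
    clock = FakeClock()
    host = Host(ResolverCache(clock), local_dns_server)
    sources = []
    # First HTTP GET for the base page: the name has to be resolved over the network.
    sources.append(host.resolve("gaia.cs.umass.edu")[1])
    # Second GET (the image on the same server) moments later: served from cache, no DNS packet.
    clock.advance(2)
    sources.append(host.resolve("gaia.cs.umass.edu")[1])
    # After the TTL (300 s) has elapsed the record is evicted and a new query goes out.
    clock.advance(300)
    sources.append(host.resolve("gaia.cs.umass.edu")[1])
    # Flushing the cache forces another query even though the TTL has not run out.
    host.cache.flush()
    sources.append(host.resolve("gaia.cs.umass.edu")[1])
    return sources, host.queries_sent


if __name__ == "__main__":
    print(demo())
```

demo() returns (["server", "cache", "server", "server"], 3): only the first lookup, the post-TTL lookup and the post-flush lookup generate a DNS query packet, which is exactly why the lab tells you to flush the cache before capturing.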

3.Tracing DNS with Wireshark


· Clear the DNS cache in your host, as described above.

· Open your Web browser and clear your browser cache.

· Open Wireshark and enter ip.addr == <your_IP_address> into the display filter, where <your_IP_address> is the IPv4 address of your computer. With this filter, Wireshark will only display packets that either originate from, or are destined to, your host.

· Start packet capture in Wireshark.

· With your browser, visit the Web page: http://gaia.cs.umass.edu/kurose_ross/

· Stop packet capture.

Questions:

  1. Locate the first DNS query message resolving the name gaia.cs.umass.edu. What is the packet number in the trace for the DNS query message? Is this query message sent over UDP or TCP?

  2. Now locate the corresponding DNS response to the initial DNS query. What is the packet number in the trace for the DNS response message? Is this response message received via UDP or TCP?

  3. What is the destination port for the DNS query message? What is the source port of the DNS response message?

  4. To what IP address is the DNS query message sent?

  5. Examine the DNS query message. How many “questions” does this DNS message contain? How many “answers” does it contain?

  6. Examine the DNS response message to the initial query message. How many “questions” does this DNS message contain? How many “answers” does it contain?

  7. The web page for the base file http://gaia.cs.umass.edu/kurose_ross/ references the image object http://gaia.cs.umass.edu/kurose_ross/header_graphic_book_8E_2.jpg , which, like the base webpage, is on gaia.cs.umass.edu. What is the packet number in the trace for the initial HTTP GET request for the base file http://gaia.cs.umass.edu/kurose_ross/? What is the packet number in the trace of the DNS query made to resolve gaia.cs.umass.edu so that this initial HTTP request can be sent to the gaia.cs.umass.edu IP address? What is the packet number in the trace of the received DNS response? What is the packet number in the trace for the HTTP GET request for the image object http://gaia.cs.umass.edu/kurose_ross/header_graphic_book_8E2.jpg? What is the packet number in the DNS query made to resolve gaia.cs.umass.edu so that this second HTTP request can be sent to the gaia.cs.umass.edu IP address? Discuss how DNS caching affects the answer to this last question.


1. No. 15, UDP.

2. No. 16, UDP.

3. The destination port of the DNS query is 53. The source port of the DNS response is 53.

4. It is sent to 202.99.166.4, which is one of my local DNS servers.

5. It is a standard DNS query. One question, zero answers.

6. It is a standard query response. One question, one answer.

7.
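The question and answer counts, the query/response flag and the "standard query" opcode that Wireshark decodes for answers 5 and 6 all live in the 12-byte DNS header (RFC 1035). As an added example written for this write-up (not lab code), the block below builds a type-A query for gaia.cs.umass.edu, builds the kind of non-authoritative response a recursive resolver would return (one A record, owner name compressed with a pointer to the question), and parses both back into the fields Wireshark shows. The transaction ID 0x1234, the address 192.0.2.10 and the TTL are constructed values, not what the trace contained; the UDP ports (53 on the server side) are part of the UDP header, not of the DNS message itself.

```python
"""Added example: build and parse DNS messages in the wire format Wireshark
decodes (RFC 1035), to see where the "questions"/"answers" counts and the
query/response flag live. Illustrative code for this write-up, not part of
the lab; the transaction ID, address and TTL used are constructed values."""
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a.b.c as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    # Flags 0x0100: QR=0 (query), opcode 0 (standard query), RD=1. One question, no answers.
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, address, ttl):
    """Answer a type-A query with one A record, the way a recursive resolver would."""
    txid = HEADER.unpack_from(query)[0]
    question = query[HEADER.size:]  # echo the question section unchanged
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, AA=0 (non-authoritative), RCODE=0.
    header = HEADER.pack(txid, 0x8180, 1, 1, 0, 0)
    # The answer's owner name is a compression pointer (0xC00C) to the question name at offset 12.
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # compression pointer
            if end is None:
                end = offset + 2           # the name field ends after the first pointer
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # refuse pointer loops in malformed messages
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg):
    """Return the header fields plus the question and answer sections."""
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    offset = HEADER.size
    questions, answers = [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),    # QR bit
        "opcode": (flags >> 11) & 0xF,          # 0 = standard query
        "authoritative": bool(flags & 0x0400),  # AA bit
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "questions": questions, "answers": answers,
    }


if __name__ == "__main__":
    q = build_query(0x1234, "gaia.cs.umass.edu")
    r = build_response(q, "192.0.2.10", 60)
    print(parse_message(q))
    print(parse_message(r))
```

Parsing the query gives qdcount 1 / ancount 0 with QR=0; parsing the response gives qdcount 1 / ancount 1 with QR=1, AA=0 and the same transaction ID, which is how Wireshark (and the resolver) pairs packet 16 with packet 15.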


Now let’s play with nslookup.

● Start packet capture.

● Do an nslookup on www.cs.umass.edu

● Stop packet capture.

You should get a trace that looks something like the following in your Wireshark window. Let’s look at the first type A query (which is packet number 19 in the figure below, and indicated by the “A” in the Info column for that packet).

  1. What is the destination port for the DNS query message? What is the source port of the DNS response message?

  2. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

  3. Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

  4. Examine the DNS response message to the query message. How many “questions” does this DNS response message contain? How many “answers”?

1. The destination port is 53. The source port of the DNS response message is 53, too.

2. 202.99.166.4, which is one of my local DNS servers. Yes.

3. The type is A. No.

4. Both are one.


Last, let’s use nslookup to issue a command that will return a type NS DNS record. Enter the following command:

nslookup -type=NS umass.edu

and then answer the following questions :

  1. To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

  2. Examine the DNS response message. How many answers does the response have? What information is contained in the answers?

  3. Examine the DNS response message. How many answers does the response have? What information is contained in the answers? How many additional resource records are returned? What additional information is included in these additional resource records?

1. 202.99.166.4, which is one of my default local DNS servers.

2. One. No.

3. Three answers. The mapping from the domain name (e.g., umass.edu) to a list of DNS servers authoritative for that domain. However, what I got is a non-authoritative list.
