
Lab No. 4

Wireshark Lab: DNS

Experiment No. 1: NSLOOKUP

Introduction:
In this lab we'll make extensive use of the nslookup tool. In its most basic operation, the nslookup
tool allows the host running it to query any specified DNS server for a DNS record. The
queried DNS server can be a root DNS server, a top-level-domain DNS server, an authoritative
DNS server or an intermediate DNS server. To accomplish this task, nslookup sends a DNS
query to the specified DNS server, receives a DNS reply from that same DNS server, and
displays the result.
Procedure:
To run it in Windows, we open the Command Prompt and run nslookup on the command line.
nslookup can be run in three different ways.
1) >nslookup www.website
2) >nslookup -type=type domain
3) >nslookup website server
First Method:
In the first method, the command is saying "please send me the IP address for the host named in
the website field". The response from this command provides two pieces of
information. 1) The name and IP address of the DNS server that provides the answer. 2) The
answer itself, which is the host name and IP address of the given website.
Although the response comes from the local DNS server, it is quite possible that this local
DNS server iteratively contacts several other DNS servers to get the answer.

Second Method:
In this method we specify the record type in the type field, e.g. type=A or type=NS, and the
domain in the domain field. With type=NS this causes nslookup to send a query for a type-NS record to the
default local DNS server.





Third Method:
In this method we want to send the query to the DNS server specified in the server field
rather than to the default (local) DNS server. Thus, the query and reply transaction takes
place directly between our querying host and the specified server.

1. Run nslookup to obtain the IP address of a web server in Asia. Specify
which server you looked up and what the IP address of that server is.

Ans: Name: www.osaka-u.ac.jp
Address: 133.1.8.5





2. Run nslookup to determine the authoritative DNS servers for a University in
Europe. Specify which University you looked up and its URL.


Ans: Name: www.ox.ac.uk
Address: 163.1.60.42





3. Run nslookup so that one of the DNS servers for MIT is queried for the mail
servers for Yahoo! Mail.
Ans. We cannot run nslookup against the DNS servers for MIT because they are not openly accessible
for Yahoo! Mail, as you can clearly see from the following figure.
















Experiment No. 2: Tracing DNS with Wireshark

ipconfig


ipconfig is a utility that shows the current TCP/IP information of the host executing
it, including its address, DNS server addresses, adapter type and so on. It can be run simply by
typing:

1. ipconfig

in the Command Prompt. If we want to see all the information we enter:
2. ipconfig /all

ipconfig is also very useful for managing the DNS information stored on the host, since the host
caches the DNS records it obtains. To see these cached results we enter, in the
Command Prompt:
3. ipconfig /displaydns

To clear the host's cache:
4. ipconfig /flushdns
is used, which clears all the entries in the host's cache.



Tracing DNS with Wireshark

To do this we:
Use ipconfig to empty the DNS cache.
Empty the browser's cache.
Open Wireshark and filter the results using our IP address.
Start the capture.
Go to www.ietf.org.
Stop the capture.



4. Locate the DNS query and response messages. Are they sent over
UDP or TCP?
Ans: UDP.








5. What is the destination port for the DNS query message? What is
the source port of the DNS response message?

Ans. The source port of DNS is 53, which is the universal port.






6. To what IP address is the DNS query message sent? Use ipconfig to
determine the IP address of your local DNS server. Are these two IP
addresses the same?
Ans. The destination address is: 192.168.1.1
Yes, it is the same.


7. Examine the DNS query message. What type of DNS query is it?
Does the query message contain any answers?

Ans. It is a type A query and does not contain any answers, as you can see in the following figure.




8. Examine the DNS response message. How many answers are
provided? What does each of these answers contain?

Ans. There is only 1 answer, and the answer contains type and class.
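As an added example that is not part of this lab report, the following Python builds the UDP payload that nslookup sends for each of its forms (the type field selecting A, NS, etc., as in the second method above) and parses a DNS message into the fields questions 4 to 8 ask about: transaction ID, the QR flag that separates query from response, the question type, the answer count, and each answer's type, class, TTL and address. The www.ietf.org reply bytes and the 192.0.2.10 address are constructed here, and nothing is sent on the network.

```python
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15}  # values nslookup's type= field maps to

def build_query(name, qtype="A", txid=0x1234):
    """UDP payload nslookup sends to port 53: 12-byte header, one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(msg, off):
    """Decode a domain name at msg[off], following RFC 1035 compression pointers."""
    parts, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer: remember where it ends, jump
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        parts.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(parts), end or off

def parse_message(msg):
    """Split a DNS message into the fields the lab asks about: id, QR flag, questions, answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:               # A record: 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

# Constructed reply to build_query("www.ietf.org"): same id and question, QR=1, one A answer whose
# name is a pointer (0xC00C) back to the question name; 192.0.2.10 is a documentation address.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_query("www.ietf.org")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Running `parse_message(build_query("www.ietf.org"))` shows a query with one type-A question and no answers, while `parse_message(SAMPLE_RESPONSE)` shows the matching response with exactly one answer carrying type, class, TTL and the address.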





9. Does the host issue new DNS queries for the images that the
webpage contains?

Ans. Yes, because it contains queries such as:







Viewing nslookup through Wireshark

To do this task we will need to:
Start the Wireshark capture.
Run nslookup on mit.edu.
Stop the capture.
Filter the captured packets with the dns filter.

10. What is the destination port of the DNS query and the source port
of the DNS response message?
Ans. It is 53 for both.





11. To what IP address is the DNS query message sent? Is this the IP
address of your default DNS server?
Ans. IP address: 192.168.1.1
Yes, it is our default DNS server.


12. Examine the DNS query message. What type of DNS query is
it? Does the query message contain any answers?







13. Examine the DNS response message. How many answers are
provided? What does each of these answers contain?
