Lab 02 ‐ Module 02: A Deeper Look at DNS - Isaiah-River/SYS-255-02-SYSAdmin GitHub Wiki
I started this module by logging into the isaiah domain with my isaiah.river-adm account. After this I installed Wireshark and started up an elevated command prompt. Using the command ipconfig /flushdns I released cached DNS records.
I then pinged several different sources: a non-existent website (isaiah_abc.edu), a local host (fw01-isaiah), and finally an existing remote site (champlain.edu).
After stopping the capture I made note of the source and destination IP addresses for the ping to isaiah_abc.edu.
After this I made note of the protocol used (UDP) and the source port (52259) and destination port (53).
I then did some research into when another transport might be used for DNS, and found that while UDP is the primary transport for DNS, there are cases where TCP is preferable. One of these is security or privacy concerns: TCP offers protection against source address spoofing, and it is widely used in response rate limiting as a defence against problems such as DDoS attacks. TCP is also used instead of UDP when a DNS response would not fit in a single UDP packet, for example to carry messages whose size exceeds DNS's 512-byte limit, or to carry full zone transfers.
I then used the filter "dns" in Wireshark to show only packets that use DNS. I then went to my first packet and made note of the authoritative name server used, as well as the code that is used in the .edu lookup. After this I provided a screenshot of the answer section from the query response packet for fw01-isaiah.isaiah.local, showing the address as well as some other basic information.
After this I looked into the server request for the champlain.edu ping to try to determine the server from which the response came, and whether or not it was an authoritative server. The server response comes from 208.115.107.132, which after running an nslookup shows that it comes from wowrack.com, a site that hosts cloud servers. This leads me to question whether or not the response is from an authoritative server, as in one sense the nslookup seems like it's not handling information like it would in a non-authoritative case, but wowrack.com is not one of the authoritative servers.
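The authoritative question above is answered by a flag in the DNS header itself: the AA bit is set only when the responding server is an authority for the zone, and the TC bit signals the truncation that makes a resolver retry over TCP. The following parser is an added example (not part of the lab or the wiki) that reads those header bits and the answer section from raw message bytes; the response it parses is constructed here, and the 10.0.5.2 address is made up rather than taken from the capture.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Return (header flags, questions, answers) for a raw DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    hdr = {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,  # AA = authoritative answer
           "tc": flags >> 9 & 1, "rcode": flags & 0xF}               # TC = truncated, retry over TCP
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, off = struct.unpack_from("!H", msg, off)[0], off + 4   # QTYPE + QCLASS
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:             # A record: render as IPv4 dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return hdr, questions, answers

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

# Constructed sample, not a capture: flags 0x8580 = QR, AA, RD, RA set, rcode 0, which Wireshark
# labels "Standard query response, No error" with "Authoritative: Server is an authority".
# The answer name is a pointer (0xC00C) to the question name at offset 12; the IP is made up.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0)
    + _encode_name("fw01-isaiah.isaiah.local") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 5, 2]))
# Same header with TC (0x0200) also set and no records: the client should retry the query over TCP.
SAMPLE_TRUNCATED = struct.pack("!6H", 0x1234, 0x8780, 0, 0, 0, 0)
```

Feed the parser the bytes Wireshark exports for a DNS packet (Export Packet Bytes on the DNS layer) to check the AA bit of the champlain.edu response directly.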
After this I did some research on DNS record types. DNS records hold information about a domain or hostname, including the IP address for that domain. There are five major types of DNS record:
A Record - The “A” in “A record” stands for “address”; an A record maps a domain or hostname to its IP address. The main use of an A record is IP address lookups. A records are also used in domain name system-based blackhole lists (DNSBL), which block mail from known spam sources.
AAAA Record - AAAA records are similar to A records in the sense that they provide IP addresses for a domain. The main difference between AAAA and A records is that AAAA records use IPv6.
CNAME Record - A “canonical name” record points an alias domain name to another domain. CNAME records are typically used when running multiple subdomains for different purposes on the same server: each alias points to the main domain, whose actual IP address is then resolved with an A record.
MX Record - Mail exchange records act like the postal service for a domain's email: they direct mail to the server that should receive it. A domain can have multiple MX records, each with a priority, which allows backup mail servers to take over when the primary server is down or unable to handle mail. MX records can also direct mail to a dedicated mail server, which is useful for setting up specialized mail clients, monitoring one's mail systems, and improving spam and security filtering.
NS Record - A nameserver record identifies the authoritative DNS server for a domain. In this sense, the nameserver bridges one's domain name to the server on which the site is actually hosted. That nameserver holds the domain's other DNS records, such as its A and MX records.
While these are the five “primary” DNS record types, there are quite a few other types, some of which include:
TXT Record - Text record types let domain owners store some text values within the DNS. This is useful to verify the ownership of a domain.
PTR Record - A pointer record is the opposite of an A record. It gives the domain name for an IP address rather than the other way around.