Wireshark Lab 3: DNS in Detail

This article was last updated: 1 year ago


Preface

School started today, so my junior year has officially begun, and I hope to get my fundamentals properly built up over this half year. For now, let me carry on with the Wireshark packet-capture labs.

1. nslookup

1.1 Run nslookup to obtain the IP address of a Web server in Asia. What is the IP address of that server?

(Figure: cmd window)

As the figure shows, the server's IP address is 39.156.66.14.

1.2 Run nslookup to determine the authoritative DNS servers for a university in Europe.

(Figure: cmd window)

Here the query is for the authoritative DNS servers of the University of Cambridge, i.e. the NS records of cam.ac.uk.

The figure shows 6 authoritative DNS servers, but the answer is non-authoritative (it came from the cache).

1.3 Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers for Yahoo! mail. What is its IP address?

(Figure: cmd window)

2. ipconfig

There is no experiment in this part, so it is skipped.

3. Tracing DNS with Wireshark

Q1

Preparation

First, get the preparation done. Step one: flush the DNS cache with ipconfig (ipconfig /flushdns).

(Figure: cmd window)

Step two: clear the browser cache; I will not demonstrate that here.

Step three: open Wireshark and enter "ip.addr==your_ip_address" in the display filter; your own IP address can be found with ipconfig.

(Figure: Wireshark window)

That is all for the preparation.

3.1 Locate the DNS query and response messages. Are they sent over UDP or TCP?

DNS messages are sent over UDP.

3.2 What is the destination port for the DNS query message? What is the source port of DNS response message?

(Figure: Wireshark window)

As the figure shows, the source port is 58497 and the destination port is 53.

3.3 To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?

The query is sent to the address shown in the figure below: 211.137.160.5.

(Figure: Wireshark window)

The local DNS server address, obtained with ipconfig, is shown in the figure below.

(Figure: cmd window)

The two addresses are the same.

3.4 Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

As shown in the figure above, the Type is A, and the query contains 0 answers.

3.5 Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

(Figure: Wireshark window)

As the figure shows, 3 answers are provided: two IP addresses and one canonical hostname (CNAME).

3.6 Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message?

Yes, it does correspond.

3.7 This web page contains images. Before retrieving each image, does your host issue new DNS queries?

No new DNS queries are sent.

Q2

Preparation

Again, first flush the cache with ipconfig /flushdns, then start capturing and type nslookup mit.edu in cmd; you will see the following.

(Figure: Wireshark window)

3.8 What is the destination port for the DNS query message? What is the source port of DNS response message?

The destination port is 53 and the source port is 59604.
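The port question comes up in Q1 (58497 to 53) and again here (59604), and it is exactly this port pair, together with the 16-bit transaction ID, that Wireshark uses to match each response back to its query and to compute the response time it displays. As an added example that is not part of the original post, the Python below does that pairing over a constructed list of frame summaries: the client and server addresses and ports reuse the values seen in this lab, while the frame numbers, timestamps and transaction IDs are made up, and one response with a non-matching ID is included to show how a stray or unsolicited response stands out.

```python
"""Pair DNS queries with responses by (client IP, client port, server IP, transaction ID).

Added example; the frames below are constructed, not taken from a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    number: int        # Wireshark frame number
    time: float        # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    txid: int          # DNS transaction ID from the header
    is_response: bool  # QR bit from the DNS header


def correlate(frames):
    """Return (pairs, unmatched).

    pairs:     list of (query frame, response frame, round-trip seconds)
    unmatched: response frame numbers that match no outstanding query, i.e. the
               reversed port pair or the transaction ID does not line up.
    """
    pending = {}          # key -> query frame still waiting for an answer
    pairs, unmatched = [], []
    for f in sorted(frames, key=lambda x: x.time):
        if not f.is_response:
            # A query is identified by who asked, from which port, whom, and with which ID.
            pending[(f.src, f.sport, f.dst, f.txid)] = f
            continue
        # A response must come back to the same client port with the same ID,
        # so its key is the query's tuple with source and destination swapped.
        key = (f.dst, f.dport, f.src, f.txid)
        query = pending.pop(key, None)
        if query is None:
            unmatched.append(f.number)
        else:
            pairs.append((query.number, f.number, round(f.time - query.time, 6)))
    return pairs, unmatched


# Constructed frames: addresses and ports mirror the lab's capture, everything else is made up.
SAMPLE_FRAMES = [
    Frame(5, 0.100, "192.168.1.104", 58497, "211.137.160.5", 53, 0x9F2C, False),
    Frame(6, 0.123, "211.137.160.5", 53, "192.168.1.104", 58497, 0x9F2C, True),
    Frame(7, 0.400, "192.168.1.104", 59604, "211.137.160.5", 53, 0x0A11, False),
    # Transaction ID does not match the query outstanding on port 59604.
    Frame(8, 0.405, "211.137.160.5", 53, "192.168.1.104", 59604, 0x0A12, True),
    Frame(9, 0.431, "211.137.160.5", 53, "192.168.1.104", 59604, 0x0A11, True),
]

if __name__ == "__main__":
    pairs, unmatched = correlate(SAMPLE_FRAMES)
    for q, r, rtt in pairs:
        print(f"query frame {q} -> response frame {r}, {rtt * 1000:.1f} ms")
    print("responses with no matching query:", unmatched)
```

Frame 8 is reported as unmatched because its transaction ID differs from the one the client chose, even though it arrives at the right port; a resolver applies the same check before accepting an answer, which is why both the source port and the ID are randomised.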

3.9 To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

It is sent to 192.168.1.104, which is the local IP address.

3.10 Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

The Type is A, and the query contains no answers.

3.11 Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?

One answer is provided, containing one IP address.

3.12 Provide a screenshot.

Q3

Preparation

Same as Q2, except that nslookup mit.edu is replaced with nslookup -type=NS mit.edu.

(Figure: cmd window)

(Figure: Wireshark window)

3.13 To what IP address is the DNS query message sent? Is this the IP address of your default local DNS server?

It is sent to 192.168.1.104, the same as the local IP.

3.14 Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?

The Type is NS, and the query contains no answers.

3.15 Examine the DNS response message. What MIT nameservers does the response message provide? Does this response message also provide the IP addresses of the MIT nameservers?

The response contains the records NS mit.edu, NS asia2.akam.net, NS ns1-173.akam.net, NS ns1-37.akam.net, NS asia1.akam.net, NS use2.akam.net, NS usw2.akam.net, NS use5.akam.net and NS eur5.akam.net; it does not include their IP addresses.
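Questions 3.4, 3.5, 3.10, 3.11, 3.14 and 3.15 all come down to reading the DNS header counts and the answer records the way Wireshark decodes them. As an added example that is not part of the original post, here is a small Python builder and parser for the DNS wire format (RFC 1035). It builds an A or NS query of the kind nslookup sent (QR=0, one question, zero answers) and parses two constructed responses: one carrying a CNAME plus two A records, the shape seen in Q1, and one NS response that names the servers without supplying their addresses, the shape seen here in Q3. The names example.test, edge.example.test, ns1.example.test and ns2.example.test and the 192.0.2.x addresses are constructed placeholders, not real query results.

```python
"""Minimal DNS wire-format builder and parser (RFC 1035 section 4).

Added example with constructed sample messages; not code from the original post.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode 'mit.edu' as DNS labels: b'\\x03mit\\x03edu\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Standard recursive query: flags RD=1, one question, zero answer/authority/additional RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 32:                              # refuse pointer loops in hostile input
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2                       # the field ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_message(msg):
    """Parse header, question and answer sections into the fields Wireshark shows."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype = struct.unpack("!HH", msg[offset:offset + 4])[0]
        offset += 4
        questions.append((name, TYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (QTYPE["NS"], QTYPE["CNAME"]):    # rdata is a (compressible) name
            value = decode_name(msg, offset)[0]
        elif rtype == QTYPE["MX"]:                      # preference, then the exchange name
            value = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, offset + 2)[0])
        else:
            value = rdata
        offset += rdlen
        answers.append((name, TYPE_NAME.get(rtype, rtype), ttl, value))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),   # QR bit
        "truncated": bool(flags & 0x0200),     # TC bit: answer did not fit in UDP, retry over TCP
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),            # Questions, Answer RRs, Authority RRs, Additional RRs
        "questions": questions,
        "answers": answers,
    }


# Constructed response to an A query for www.example.test: a CNAME and two A records,
# with names compressed by pointers (0xC00C points at offset 12, the question name).
SAMPLE_A_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)        # QR=1 RD=1 RA=1, 3 answers
    + encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 7) + b"\x04edge\xc0\x10"  # CNAME edge.example.test
    + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])  # A; name at offset 46
    + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 11])
)

# Constructed NS response: the servers are named, but no A records are supplied for them.
SAMPLE_NS_RESPONSE = (
    struct.pack("!HHHHHH", 0x5678, 0x8180, 1, 2, 0, 0)
    + encode_name("example.test") + struct.pack("!HH", 2, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 3600, 6) + b"\x03ns2\xc0\x0c"
)

if __name__ == "__main__":
    for m in (build_query("www.example.test", "A"), SAMPLE_A_RESPONSE, SAMPLE_NS_RESPONSE):
        print(parse_message(m))
```

The parsed query shows counts (1, 0, 0, 0), i.e. one question and no answers, which is what 3.4 and 3.14 observe; the A response shows three answers, and the NS response lists nameserver names while its answer section holds no addresses, so a resolver would need separate A queries (or glue in the additional section) before it could contact them. The hop limit in decode_name exists because compression pointers in a crafted message can form a loop, and a parser without that bound never terminates.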

3.16 Provide a screenshot.

Q4

The given command, nslookup www.aiit.or.kr bitsy.mit.edu, kept timing out for me, even through a VPN. Looking at the questions, they are the same as the previous ones, so I am being lazy and skipping this part.

Afterword

OK, that wraps up this lab. It looks like a lot of content, but most of it is repetitive. The main goals of the lab are, first, to get familiar with the packet-capture workflow and, second, to get a feel for some characteristics of DNS while capturing. See you in the next chapter.