
The Domain Name System

28 January, 2015 - 17:18

The Domain Name System (DNS) plays a key role in the Internet today as it allows applications to use fully qualified domain names (FQDN) instead of IPv4 or IPv6 addresses. Many tools allow you to send queries to DNS servers. For this exercise, we will use dig, which is installed on most Unix systems.

A typical usage of dig is as follows

dig @server -t type fqdn

where

  • server is the IP address or the name of a DNS server or resolver
  • type is the type of DNS record that is requested by the query such as NS for a nameserver, A for an IPv4 address, AAAA for an IPv6 address, MX for a mail relay, ...
  • fqdn is the fully qualified domain name being queried
  1. What are the IP addresses of the resolvers that the dig implementation you are using relies on ?
  2. What is the IP address that corresponds to inl.info.ucl.ac.be ? Which type of DNS query does dig send to obtain this information ?
  3. Which type of DNS request do you need to send to obtain the nameservers that are responsible for a given domain ?
  4. What are the nameservers that are responsible for the be top-level domain ? Where are they located ? Is it possible to use IPv6 to query them ?
  5. When run without any parameter, dig sends a query for the NS records of the root zone (.) to your default resolver and retrieves the names of all the root DNS servers. For technical reasons, there are only 13 distinct root server names (a.root-servers.net to m.root-servers.net), although each of them is served by many anycast instances. This information is also available as a text file from here. What are the IP addresses of all these servers ? Can they be queried by using IPv6 ?
  6. Assume now that you are residing in a network where there is no DNS resolver and that you need to start your query from the DNS root.
    1. Use dig to send a query to one of these root servers to find the IP address of the DNS server(s) (NS record) responsible for the org top-level domain
    2. Use dig to send a query to one of these DNS servers to find the IP address of the DNS server(s) (NS record) responsible for root-servers.org
    3. Continue until you find the server responsible for this site
    4. What is the lifetime associated to this IP address ?
  7. Perform the same analysis for a popular website such as Google. What is the lifetime associated to this IP address ? If you perform the same request several times, do you always receive the same answer ? Can you explain why a lifetime is associated to the DNS replies ?
  8. Use dig to find the mail relays used by the uclouvain.be and gmail.com domains. What is the TTL of these records (use the +ttlid option when using dig) ? Can you explain the preferences used by the MX records ? You can find more information about the MX records in RFC 974.
  9. Use dig to query the IPv6 address (DNS record AAAA) of the following hosts
    • www.sixxs.net
    • www.google.com
    • ipv6.google.com
  10. When dig is run, the header section in its output indicates the id, the DNS identifier used to send the query. Does your implementation of dig generate random identifiers ?

    dig -t MX gmail.com

    ; <<>> DiG 9.4.3-P3 <<>> -t MX gmail.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25718

  11. A DNS implementation such as dig and, more importantly, a name resolver such as bind or unbound always checks that the received DNS reply contains the same identifier as the DNS request that it sent. Why is this so important ?
  • Imagine an attacker who is able to send forged DNS replies to, for example, associate www.bigbank.com to his own IP address. How could he attack a DNS implementation that
    • sends DNS requests containing always the same identifier
    • sends DNS requests containing identifiers that are incremented by one after each request
    • sends DNS requests containing random identifiers
  12. The DNS protocol can run over UDP and over TCP. Most DNS servers prefer to use UDP because it consumes fewer resources on the server. However, TCP is useful when a large answer is expected: a reply that does not fit in the size the client accepts over UDP (512 bytes unless EDNS is used) comes back truncated, with the TC flag set, and the client must retry the query over TCP. You can force the use of TCP with dig +tcp. Use TCP and UDP to query a root DNS server. Is it faster to receive an answer via TCP or via UDP ?
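To make the mechanics behind questions 10 to 12 concrete (and, along the way, the TTL and MX preference fields of questions 7 and 8), here is an added example that is neither part of this course page nor dig's own code: a small Python client that builds a query the way dig does, with a fresh unpredictable identifier, parses the reply (TTL, MX preference, NS/A/AAAA rdata, the TC flag) and applies the identifier-and-question check that makes a resolver discard a forged reply. The replies it parses are constructed in the block with build_reply() rather than captured from a server, and the hostnames and addresses used with it are made up; query_udp_then_tcp() shows dig's default behaviour of querying over UDP and retrying over TCP when TC is set, but it needs network access and is not run when the module is loaded.

```python
"""Added example, not the course page's or dig's own code: a minimal DNS wire-format
client. Replies parsed here come from build_reply(), not from a real server."""
import secrets
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}

def encode_name(name):                               # length-prefixed labels + zero byte
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, qid=None, recursion_desired=True):
    """Return (id, packet); draws an unpredictable 16-bit ID unless one is given."""
    if qid is None:
        qid = secrets.randbits(16)                   # neither a constant nor a counter
    flags = 0x0100 if recursion_desired else 0       # RD bit; clear it to walk from the root
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset

def read_record(data, offset):
    """Parse one resource record, decoding A, AAAA, NS and MX rdata."""
    name, offset = read_name(data, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rdata = data[offset:offset + rdlen]
    if rtype == QTYPE["A"]:
        value = socket.inet_ntop(socket.AF_INET, rdata)
    elif rtype == QTYPE["AAAA"]:
        value = socket.inet_ntop(socket.AF_INET6, rdata)
    elif rtype == QTYPE["NS"]:
        value = read_name(data, offset)[0]
    elif rtype == QTYPE["MX"]:                       # 16-bit preference, then exchange name
        value = (struct.unpack("!H", rdata[:2])[0], read_name(data, offset + 2)[0])
    else:
        value = rdata
    return {"name": name, "type": TYPE_NAME.get(rtype, rtype), "ttl": ttl, "rdata": value}, offset + rdlen

def parse_message(data):
    """Header flags plus the question, answer, authority and additional sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
           "questions": [], "answers": [], "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(data, offset)
        qtype = struct.unpack("!H", data[offset:offset + 2])[0]
        offset += 4                                  # skip qtype and qclass
        msg["questions"].append((name, TYPE_NAME.get(qtype, qtype)))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rec, offset = read_record(data, offset)
            msg[section].append(rec)
    return msg

def reply_matches(qid, query_packet, reply):
    """The resolver's check: accept only a response carrying our ID and our question."""
    return (reply["qr"] and reply["id"] == qid
            and reply["questions"] == parse_message(query_packet)["questions"])

def mx_by_preference(reply):                         # lowest preference is tried first (RFC 974)
    return sorted(r["rdata"] for r in reply["answers"] if r["type"] == "MX")

def build_reply(qid, name, qtype, records, tc=False):
    """Constructed reply standing in for a server. records: (type, ttl, rdata) tuples;
    owner names are compression pointers back to the question name at offset 12."""
    flags = 0x8180 | (0x0200 if tc else 0)           # QR, RD, RA (+TC when truncated)
    body = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    for rtype, ttl, rdata in records:
        if rtype in ("A", "AAAA"):
            rd = socket.inet_pton(socket.AF_INET if rtype == "A" else socket.AF_INET6, rdata)
        elif rtype == "NS":
            rd = encode_name(rdata)
        else:                                        # MX: (preference, exchange)
            rd = struct.pack("!H", rdata[0]) + encode_name(rdata[1])
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rd)) + rd
    return struct.pack("!HHHHHH", qid, flags, 1, len(records), 0, 0) + body

def query_udp_then_tcp(server, name, qtype, recursion_desired=True, timeout=3.0):
    """dig's default: UDP first, retry over TCP (2-byte length prefix) if TC is set. Needs network."""
    qid, packet = build_query(name, qtype, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET6 if ":" in server else socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(packet, (server, 53))
        reply = parse_message(udp.recv(4096))
    if not reply_matches(qid, packet, reply):
        raise ValueError("reply ID or question mismatch: discarded as a possible forgery")
    if reply["tc"]:
        with socket.create_connection((server, 53), timeout) as tcp, tcp.makefile("rb") as f:
            tcp.sendall(struct.pack("!H", len(packet)) + packet)
            reply = parse_message(f.read(struct.unpack("!H", f.read(2))[0]))
    return reply
```

The forged-reply scenario of question 11 falls out of reply_matches(): a reply built with a different identifier, or for a different question, is rejected even though it carries a plausible answer. With a constant or incrementing identifier the attacker can predict the value and a single forged packet suffices; with secrets.randbits(16) they have to guess among 65536 values within the round-trip time. For question 6, calling query_udp_then_tcp() with recursion_desired=False against a root server returns a referral whose NS records appear in the "authority" section rather than in "answers".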