Module 8



  1. Module 8 DNS Tools & Diagnostics

  2. Objectives
     • Understand dig and nslookup
     • Understand BIND toolset
     • Understand BIND logs
     • Understand wire level messages

  3. DNS Tools & Diagnostics
     • Dig always available with BIND (*nix) and Windows
     • Nslookup available on Windows and *nix
     • Dig on Windows: unpack the zip, copy only dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll to portable media
     • SamSpade.org provides a Windows GUI utility with dig. Freeware.

  4. DIG
     • Command line tool with tons of options
     • Powerful: gives precise DNS RRs
     • Typically only available with BIND
     • Casual use on Windows
        • Unpack the Windows zip file
        • Copy to portable media: dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll
        • Now an install option

  5. Dig Command Format
     dig [opts] [@dns] target-name type
     • Tons of options to govern formatting and behavior
     • -x required for reverse lookup
     • @dns = optionally defines the name or IP of the name server to send the query to; default is the locally defined DNS (typically recursive)
     • target-name = name (required)
     • type = RR type (default is A); additional pseudo types any and axfr

  6. Dig Commands
     dig www.example.com
        Returns A RR of www.example.com using local DNS
     dig @ns1.example.com www.example.com
        Returns A RR of www.example.com using ns1.example.com, the authoritative name server for the domain
     dig www.example.com any
        Returns any RRs with the label www.example.com using local DNS
     dig -x 192.168.2.5
        Returns reverse lookup for 192.168.2.5 using local DNS

  7. DIG command
     dig @ns1.example.com www.example.com

  8. DIG Response
     ; <<>> DiG 9.4.1-P1 <<>> @ns1.example.com www.example.com
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49319
     ;; flags: qr rd ra aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

     ;; QUESTION SECTION:
     ;www.example.com.              IN      A

     ;; ANSWER SECTION:
     www.example.com.        5       IN      A       10.10.0.5
     www.example.com.        5       IN      A       10.10.0.6

     ;; AUTHORITY SECTION:
     example.com.            172800  IN      NS      ns1.example.com.
     example.com.            172800  IN      NS      ns2.example.com.

     ;; ADDITIONAL SECTION:
     ns1.example.com.        3000    IN      A       10.10.0.8
     ns2.example.com.        3000    IN      A       10.10.0.9

     ;; SERVER: 192.5.6.30#53(192.5.6.30)

  9. DIG Response
     • May contain up to 5 sections
     • Header: flags, status, id
     • QUESTION SECTION
        • The query
     • ANSWER SECTION
        • Present only if successful
     • AUTHORITY SECTION
        • One or more name servers
     • ADDITIONAL SECTION
        • Typically A/AAAA RRs of the name servers

  10. DNS Flag Values
     QR - Query Response. Set in a response; indicates the direction of the message.
     AA - Authoritative Answer. Set if the response was received from a zone master or slave.
     TC - TrunCation. Length greater than permitted; set on all truncated messages except the last one.
     RD - Recursion Desired. Set in a query and copied into the response if recursion is supported.
     RA - Recursion Available. Valid in a response; if set, denotes that recursive query support is available.
     AD - Authenticated Data. DNSSEC only. Indicates that the data was reliably authenticated.
     CD - Checking Disabled. DNSSEC only. Disables checking at the receiving server.

  11. DNS Status Values
     0 = NOERROR. No error.
     1 = FORMERR. Format error: the server was unable to interpret the query.
     2 = SERVFAIL. Name server problem or lack of information. Often also returned with the same meaning as REFUSED.
     3 = NXDOMAIN. Name does not exist; meaningful only from an authoritative name server.
     4 = NOTIMPL. Not Implemented.
     5 = REFUSED. Typically for policy reasons, for example a zone transfer request.

  12. DIG Result
     • No errors (NOERROR)
     • Flags: query response, recursion desired, recursion available, authoritative
     • Answer = 2 A RRs for the web server
     • Authority = 2 name servers
     • Additional = 2 A RRs of the name servers

  13. DIG commands
     dig @a.root-servers.net www.example.com

  14. DIG Response
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15570
     ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
     ;; WARNING: recursion requested but not available

     ;; QUESTION SECTION:
     ;www.example.com.              IN      A

     ;; AUTHORITY SECTION:
     com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
     com.                    172800  IN      NS      M.GTLD-SERVERS.NET.

     ;; ADDITIONAL SECTION:
     A.GTLD-SERVERS.NET.     172800  IN      A       192.5.6.30
     A.GTLD-SERVERS.NET.     172800  IN      AAAA    2001:503:a83e::2:30
     ....

     ;; Query time: 38 msec
     ;; SERVER: 198.41.0.4#53(198.41.0.4)

  15. DIG Response
     • No error = NOERROR
     • Flags = query response, recursion desired
     • No answer section
     • Authority = multiple NS RRs
     • Additional = multiple A RRs
     • This is a referral

  16. NSLOOKUP
     nslookup [opts] target [dns]
     • Available on Windows and with BIND (*nix)
     • Command line and interactive mode
     • Default pretty print output
     • Useful quick check; depends on mindset: detailed data or overview
     • Use the -d2 option to see the RRs

  17. NSLOOKUP Commands
     nslookup -type=MX example.com
        Gets mail server records for example.com using the locally defined name server
     nslookup 192.168.2.1
        Gets the reverse mapped name for 192.168.2.1
     nslookup www.example.com ns1.example.com
        Gets the A RR for www.example.com using name server ns1.example.com
     nslookup
        Enter interactive mode; exit to terminate

  18. NSLOOKUP
     # nslookup www.example.com
     Server:   ns1.example.net
     Address:  192.168.6.73

     Name:     www.example.com
     Address:  192.168.2.80

     # nslookup www.example.com ns1.example.com
     Server:   ns1.example.com
     Address:  192.168.2.53

     Name:     www.example.com
     Address:  192.168.2.80

  19. Additional Tools - BIND
     • named-checkzone, named-checkconf: validation utilities
     • rndc, rndc-confgen: remote control of the name server (optionally secure)
     • nsupdate: Dynamic Update (DDNS) of DNS RRs
     • dnssec-keygen, dnssec-signzone: secure DNS cryptographic tools

  20. DNS Logging
     • BIND defaults to syslog (*nix)
     • BIND logging is controlled by the logging clause
     • Windows DNS: Event log via the DNS console or Event Viewer (DNS)
     • Debug log default: systemroot\System32\Dns\Dns.log (text file); enabled in the DNS console under Properties -> Logging

  21. BIND Log Analysis
     • Stream logs carefully (by category)
     • Single or multiple logs
     • Watch log size! (use version/size)
     • Iterate based on experience
     • Post-processing tools
     • Know what a normal log looks like

  22. BIND Log Analysis
     lame-servers: unexpected RCODE (REFUSED) resolving 'mail10fr2.emthtpmy1.net/A/IN': 213.251.188.141#53
     update-security: client 69.196.169.154#49160: update 'mediazoneplus.com/IN' denied
     security: client 93.174.93.72#35411: query (cache) 'doc.gov/ANY/IN' denied
     lame-servers: unexpected RCODE (SERVFAIL) resolving 'cns.electro-com.ru/A/IN': 86.110.161.228#53
     lame-servers: host unreachable resolving 'mumns5.mtnl.net.in/A/IN': 198.32.64.12#53
     security: client 12.190.240.131#9980: query (cache) 'google.com/A/IN' denied
     lame-servers: connection refused resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
     security: client 128.223.8.114#45985: query (cache) 'com/ANY/IN' denied
     lame-servers: connection refused resolving '211.142.235.91.in-addr.arpa/PTR/IN': 2001:470:300::2#53
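As an added example that is not part of the slides, the Python below does the post-processing slide 21 asks for on the named log lines above: it splits lines by logging category, counts denied queries and updates per client, notes which denied clients asked for ANY, and tallies lame-server failures by reason, so the counts can be compared against a known-normal baseline. The regular expressions are written only against the message formats visible on this slide, and the sample is a subset of those lines.

```python
import re
from collections import Counter

# Sample lines copied from slide 22 (BIND named log: category prefix, then message).
LOG = """\
lame-servers: unexpected RCODE (REFUSED) resolving 'mail10fr2.emthtpmy1.net/A/IN': 213.251.188.141#53
update-security: client 69.196.169.154#49160: update 'mediazoneplus.com/IN' denied
security: client 93.174.93.72#35411: query (cache) 'doc.gov/ANY/IN' denied
lame-servers: unexpected RCODE (SERVFAIL) resolving 'cns.electro-com.ru/A/IN': 86.110.161.228#53
security: client 12.190.240.131#9980: query (cache) 'google.com/A/IN' denied
lame-servers: connection refused resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
security: client 128.223.8.114#45985: query (cache) 'com/ANY/IN' denied
"""

LINE = re.compile(r"^(?P<category>[\w-]+): (?P<msg>.*)$")
DENIED = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<op>query|update) .*?'(?P<name>[^']+)' denied")
LAME = re.compile(r"(?P<reason>unexpected RCODE \(\w+\)|host unreachable|connection refused) "
                  r"resolving '(?P<name>[^']+)': (?P<server>\S+)#53")

def summarize(log):
    """Group named log lines by category: who is being refused (and whether they asked
    for ANY) under security/update-security, and why resolution fails under lame-servers."""
    denied_by_client, any_from, lame_by_reason, unparsed = Counter(), [], Counter(), []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        cat, msg = m["category"], m["msg"]
        if cat in ("security", "update-security") and (d := DENIED.search(msg)):
            denied_by_client[(d["ip"], d["op"])] += 1       # one counter per (client, operation)
            if d["name"].endswith("/ANY/IN"):               # 'name/QTYPE/CLASS' as named prints it
                any_from.append(d["ip"])
        elif cat == "lame-servers" and (lm := LAME.search(msg)):
            lame_by_reason[lm["reason"]] += 1
        else:
            unparsed.append(line)                           # new message shape: extend the regexes
    return {"denied": denied_by_client, "any_from": any_from,
            "lame": lame_by_reason, "unparsed": unparsed}
```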

  23. DNS Diagnostics (Wire Level)
     • wireshark is the easiest way
     • load wireshark-charlotte-com.txt
        • dns filter, partial expansion
     • and/or load dns-charlotte-com.pcap
        • dns traffic only filter
     • both use the domain charlottecrystalinteriordesign.com

  24. DNS - Diagnostics (Wire)
     Internet Protocol, Src: 192.168.1.65 (192.168.1.65), Dst: 210.23.9.17 (210.23.9.17)
     User Datagram Protocol, Src Port: 16533 (16533), Dst Port: domain (53)
     Domain Name System (query)
         [Response In: 4]
         Transaction ID: 0xef45
         Flags: 0x0000 (Standard query)
         Questions: 1
         Answer RRs: 0
         Authority RRs: 0
         Additional RRs: 1
         Queries
             www.charlottecrystalinteriordesign.com: type A, class IN
                 Name: www.charlottecrystalinteriordesign.com
                 Type: A (Host address)
                 Class: IN (0x0001)
         Additional records
             <Root>: type OPT

  25. DNS - Diagnostics (Wire)
     0000  00 26 44 68 eb 72 70 5a b6 f2 0b 2b 08 00 45 00   .&Dh.rpZ...+..E.
     0010  00 5f 59 c5 00 00 80 11 00 00 c0 a8 01 41 d2 17   ._Y..........A..
     0020  09 11 40 95 00 35 00 4b 9d 6e ef 45 00 00 00 01   ..@..5.K.n.E....
     0030  00 00 00 00 00 01 03 77 77 77 1e 63 68 61 72 6c   .......www.charl
     0040  6f 74 74 65 63 72 79 73 74 61 6c 69 6e 74 65 72   ottecrystalinter
     0050  69 6f 72 64 65 73 69 67 6e 03 63 6f 6d 00 00 01   iordesign.com...
     0060  00 01 00 00 29 10 00 00 00 80 00 00 00            ....)........
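As an added example (not part of the slides), the Python below decodes the DNS payload from the hex dump above, which starts at offset 0x2a once the 14-byte Ethernet, 20-byte IP and 8-byte UDP headers are skipped, and prints the header in the flag and RCODE notation of slides 10 and 11. It follows the RFC 1035 wire format for the header and question section, handles name compression pointers, and reads the EDNS0 OPT pseudo-RR that Wireshark lists under Additional records.

```python
import struct

# DNS payload copied from the hex dump on slide 25, starting at offset 0x2a
# (after the 14-byte Ethernet, 20-byte IP and 8-byte UDP headers).
QUERY = bytes.fromhex(
    "ef45 0000 0001 0000 0000 0001"                          # ID, flags, QD/AN/NS/AR counts
    "03 777777 1e 636861726c6f7474656372797374616c696e746572696f7264657369676e"
    "03 636f6d 00 0001 0001"                                 # ...com, root, type A, class IN
    "00 0029 1000 00 00 8000 0000"                           # EDNS0 OPT pseudo-RR
)
# RCODE names (slide 11) as dig prints them; header flag bits (slide 10) in dig's order.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010))

def read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer into the message
            end = end or off + 2                  # the caller resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end or off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg):
    """Return (header, questions, opt): dig-style header, (name, type, class) questions, OPT RR."""
    tid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {"id": tid, "opcode": (flags >> 11) & 0xF,
              "flags": " ".join(n for n, bit in FLAG_BITS if flags & bit),
              "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "counts": (qd, an, ns, ar)}
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack_from("!HH", msg, off))
        off += 4
    opt = None
    for i in range(an + ns + ar):                 # walk ANSWER, AUTHORITY, ADDITIONAL RRs
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= an + ns and rtype == 41:          # OPT: CLASS = UDP payload size, TTL carries DO bit
            opt = {"udp_payload": rclass, "do": bool(ttl & 0x8000)}
    return header, questions, opt
```

For the captured query this yields id 0xef45, no flags set, status NOERROR, counts (1, 0, 0, 1), the single A/IN question for www.charlottecrystalinteriordesign.com and an OPT record advertising a 4096-byte UDP payload with the DO bit set.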

  26. Quick Quiz
     • What is the default RR type for dig?
     • What is the default RR type for nslookup?
     • Name any BIND utility.
     • Can you run dig on Windows?
     • Dig command for the MX RR for google.com?
     • Nslookup command for the MX RR for google.com?
     • dig command for a reverse lookup?
