| 1 | DNS Exercise 1 |
|---|
| 2 | |
|---|
| 3 | DIG |
|---|
| 4 | --- |
|---|
| 5 | |
|---|
| 6 | 1. Issue DNS queries using 'dig': |
|---|
| 7 | |
|---|
| 8 | 1a. Run each command, look for the ANSWER section and write down the result. |
|---|
| 9 | Make a note the TTL as well. |
|---|
| 10 | |
|---|
| 11 | Repeat the command. Is the TTL the same? Are the responses Authoritative? |
|---|
| 12 | |
|---|
| 13 | RESULT 1 RESULT 2 |
|---|
| 14 | -------- -------- |
|---|
| 15 | $ dig your-favorite-domain a |
|---|
| 16 | $ dig www.google.com. a |
|---|
| 17 | $ dig afnog.org. mx |
|---|
| 18 | $ dig NonExistentDomain.sometld any |
|---|
| 19 | $ dig tiscali.co.uk. txt |
|---|
| 20 | $ dig www.afrinic.net aaaa |
|---|
| 21 | $ dig ipv6.google.com aaaa |
|---|
| 22 | |
|---|
| 23 | 1b. Now send some queries to another caching server. |
|---|
| 24 | |
|---|
| 25 | (Run each of the following twice, and note the time in ms for each attempt) |
|---|
| 26 | |
|---|
| 27 | $ dig @8.8.8.8 news.bbc.co.uk. a |
|---|
| 28 | $ dig @resolver1.opendns.com yahoo.com. a |
|---|
| 29 | $ dig @<a server of your choice> <domain of your choice> a |
|---|
| 30 | |
|---|
| 31 | How long did it take each answer to be received? (on the first, and |
|---|
| 32 | on the second lookup) |
|---|
| 33 | |
|---|
| 34 | 2. Reverse DNS lookups |
|---|
| 35 | |
|---|
| 36 | Now try some reverse DNS lookups. |
|---|
| 37 | |
|---|
| 38 | $ dig -x 10.10.X.1 |
|---|
| 39 | $ dig -x 10.10.X.2 |
|---|
| 40 | $ dig -x 10.10.X.3 |
|---|
| 41 | |
|---|
| 42 | ... where X is an IP address in the range 1-25 |
|---|
| 43 | |
|---|
| 44 | Repeat for an IP address of your choice, on the Internet |
|---|
| 45 | |
|---|
| 46 | Now try to lookup: |
|---|
| 47 | |
|---|
| 48 | $ dig 1.X.10.10.in-addr.arpa. PTR |
|---|
| 49 | |
|---|
| 50 | ... where X is in the range 1-25. |
|---|
| 51 | |
|---|
| 52 | What do you notice ? |
|---|
| 53 | |
|---|
| 54 | Let's try IPv6 now: |
|---|
| 55 | |
|---|
| 56 | $ dig -x 2001:42d0::200:2:1 |
|---|
| 57 | |
|---|
| 58 | What are the differences you can observe in the results, between reverse |
|---|
| 59 | DNS for IPv6 and IPv4 addresses ? |
|---|
| 60 | |
|---|
| 61 | 3. DNSSEC & EDNS0 |
|---|
| 62 | |
|---|
| 63 | Try some of the queries above, this time add the "+edns=0" option. |
|---|
| 64 | |
|---|
| 65 | For example: |
|---|
| 66 | |
|---|
| 67 | $ dig @10.10.0.254 www.icann.org +edns=0 |
|---|
| 68 | |
|---|
| 69 | Notice the OPT PSEUDOSECTION, at the top of the output ? |
|---|
| 70 | |
|---|
| 71 | What do you notice about the flags: section in the OPT section ? |
|---|
| 72 | |
|---|
| 73 | Let's explicitly enable the BUFSIZE option, but not EDNS0: |
|---|
| 74 | |
|---|
| 75 | $ dig @10.10.0.254 www.icann.org +bufsize=1024 |
|---|
| 76 | |
|---|
| 77 | Notice that EDNS is set automatically, and notice the udp: size section |
|---|
| 78 | in the OPT pseudosection. |
|---|
| 79 | |
|---|
| 80 | Now, let's try and retrieve DNSSEC records: |
|---|
| 81 | |
|---|
| 82 | $ dig @10.10.0.254 isoc.org DNSKEY |
|---|
| 83 | $ dig @10.10.0.254 www.isoc.org RRSIG |
|---|
| 84 | |
|---|
| 85 | And finally, let's ask the DNS servers to perform DNSSEC validation: |
|---|
| 86 | |
|---|
| 87 | $ dig @10.10.0.254 www.isoc.org A +dnssec |
|---|
| 88 | $ dig @10.10.0.254 isoc.org NS +dnssec |
|---|
| 89 | |
|---|
| 90 | Do you notice a new field in the "flags:" section of the answer ? |
|---|
| 91 | |
|---|
| 92 | $ dig @10.10.0.254 www.isoc.org A |
|---|
| 93 | $ dig @10.10.0.254 isoc.org NS |
|---|
| 94 | |
|---|
| 95 | Compare with doing dig WITHOUT the +dnssec option: |
|---|
| 96 | |
|---|
| 97 | What happens if you send DNSSEC queries to your local nameserver: |
|---|
| 98 | |
|---|
| 99 | $ dig @127.0.0.1 noc.ws.nsrc.org A +dnssec |
|---|
| 100 | $ dig @127.0.0.1 ws.nsrc.org NS +dnssec |
|---|
| 101 | |
|---|
| 102 | |
|---|
| 103 | |
|---|
| 104 | |
|---|
