DNS Exercise 1 DIG
---

1. Issue DNS queries using 'dig':

1a. Run each command, look for the ANSWER section and write down the result.
    Make a note of the TTL as well.

    Repeat the command. Is the TTL the same?
    Are the responses Authoritative?

                                              RESULT 1      RESULT 2
                                              --------      --------
    $ dig your-favorite-domain a
    $ dig www.google.com. a
    $ dig afnog.org. mx
    $ dig NonExistentDomain.sometld any
    $ dig tiscali.co.uk. txt
    $ dig www.afrinic.net aaaa
    $ dig ipv6.google.com aaaa

1b. Now send some queries to another caching server.
    (Run each of the following twice, and note the time in ms for each attempt)

    $ dig @8.8.8.8 news.bbc.co.uk. a
    $ dig @resolver1.opendns.com yahoo.com. a
    $ dig @ a

    How long did it take each answer to be received?
    (on the first, and on the second lookup)

2. Reverse DNS lookups

    Now try some reverse DNS lookups.

    $ dig -x 10.10.X.1
    $ dig -x 10.10.X.2
    $ dig -x 10.10.X.3

    ... where X is an IP address in the range 1-25

    Repeat for an IP address of your choice, on the Internet.

    Now try to look up:

    $ dig 1.X.10.10.in-addr.arpa. PTR

    ... where X is in the range 1-25.

    What do you notice ?

    Let's try IPv6 now:

    $ dig -x 2001:42d0::200:2:1

    What are the differences you can observe in the results, between
    reverse DNS for IPv6 and IPv4 addresses ?

3. DNSSEC & EDNS0

    Try some of the queries above, this time add the "+edns=0" option.
    For example:

    $ dig @10.10.0.254 www.icann.org +edns=0

    Notice the OPT PSEUDOSECTION, at the top of the output ?

    What do you notice about the flags: section in the OPT section ?

    Let's explicitly enable the BUFSIZE option, but not EDNS0:

    $ dig @10.10.0.254 www.icann.org +bufsize=1024

    Notice that EDNS is set automatically, and notice the udp: size
    section in the OPT pseudosection.

    Now, let's try and retrieve DNSSEC records:

    $ dig @10.10.0.254 isoc.org DNSKEY
    $ dig @10.10.0.254 www.isoc.org RRSIG

    And finally, let's ask the DNS servers to perform DNSSEC validation:

    $ dig @10.10.0.254 www.isoc.org A +dnssec
    $ dig @10.10.0.254 isoc.org NS +dnssec

    Do you notice a new field in the "flags:" section of the answer ?

    $ dig @10.10.0.254 www.isoc.org A
    $ dig @10.10.0.254 isoc.org NS

    Compare with doing dig WITHOUT the +dnssec option, as in the two
    commands above.

    What happens if you send DNSSEC queries to your local nameserver:

    $ dig @127.0.0.1 noc.ws.nsrc.org A +dnssec
    $ dig @127.0.0.1 ws.nsrc.org NS +dnssec
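
Sections 1 and 3 ask you to compare TTLs, the authoritative flag, the EDNS options and the DNSSEC flags between runs. The helper below is an added example, not part of the original exercise sheet: it reduces dig output to one line so two runs can be compared directly. The function names dig_summary and sample_dnssec are hypothetical, and the sample response (www.example.org, 192.0.2.10) is constructed.

```shell
#!/bin/sh
# Added example, not part of the original exercise sheet.
# dig_summary reads dig output on stdin and prints one comparable line:
#   status=<rcode> aa=<0|1> ad=<0|1> do=<0|1> udp=<size|-> ttls=<list|->
dig_summary() {
    awk '
    /^;; ->>HEADER<<-/ {                      # response code
        for (i = 1; i < NF; i++)
            if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; flags:/ {                            # header flags: aa and ad
        hdr = $0; sub(/^;; flags: */, "", hdr); sub(/;.*/, "", hdr)
        n = split(hdr, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] == "aa") aa = 1          # authoritative answer
            if (f[i] == "ad") ad = 1          # resolver validated the data
        }
    }
    /^; EDNS:/ {                              # OPT pseudosection
        if ($0 ~ /flags:[^;]*do/) dobit = 1   # DNSSEC OK bit was set
        for (i = 1; i < NF; i++) if ($i == "udp:") udp = $(i + 1)
    }
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/ || /^;;/ { in_ans = 0 }              # any other section ends it
    in_ans && $2 ~ /^[0-9]+$/ { ttls = ttls (ttls == "" ? "" : ",") $2 }
    END {
        if (udp == "") udp = "-"
        if (ttls == "") ttls = "-"
        printf "status=%s aa=%d ad=%d do=%d udp=%s ttls=%s\n", status, aa, ad, dobit, udp, ttls
    }'
}

# Constructed sample: shape of a validated answer to a "+dnssec" query.
sample_dnssec() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.example.org.		IN	A

;; ANSWER SECTION:
www.example.org.	300	IN	A	192.0.2.10
www.example.org.	300	IN	RRSIG	A 13 3 300 (constructed, signature elided)
EOF
}

sample_dnssec | dig_summary
```

With live output, pipe any of the commands from the exercise into the function and run it twice: a falling ttls value means the answer came from cache, and ad=1 appears only when the resolver you queried validated the response.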