Agenda: dns-dig-hands-on.txt

File dns-dig-hands-on.txt, 3.8 KB (added by admin, 6 years ago)
DNS lab: dig, part 1

In the following labs, we'll be using "auth1" as your work machine.
In reality, this is not very important, as we're only going to be using
the 'dig' command.

DIG
---

1. Issue DNS queries using 'dig':

Note: make sure you explicitly specify the nameserver to query using the
"@" syntax in dig:

    $ dig @server_ip ...

If you do not specify the @server_ip, then dig will use the nameserver(s)
listed in /etc/resolv.conf

1a. Run each command, look for the ANSWER section and write down the result.
    Make a note of the TTL as well.

Repeat the command. Is the TTL the same? Are the responses Authoritative?

                                                      RESULT 1        RESULT 2
                                                      --------        --------
    $ dig @10.10.0.254  your-favorite-domain a
    $ dig @10.10.0.254  www.google.com. a
    $ dig @10.10.0.254  afnog.org. mx
    $ dig @10.10.0.254  NonExistentDomain.sometld any
    $ dig @10.10.0.254  tiscali.co.uk. txt
    $ dig @10.10.0.254  www.afrinic.net aaaa
    $ dig @10.10.0.254  ipv6.google.com aaaa

1b. Now send some queries to another caching server.

    (Run each of the following twice, and note the time in ms for each attempt)

                                                      RESULT 1        RESULT 2
                                                      --------        --------
    $ dig @8.8.8.8 news.bbc.co.uk. a
    $ dig @208.67.222.222 yahoo.com. a
    $ dig @<a server of your choice> <domain of your choice> a

    How long did it take each answer to be received? (on the first, and
    on the second lookup)

2. Reverse DNS lookups

    Now try some reverse DNS lookups - note here that we do not explicitly
    specify which nameserver dig should query. Which nameserver will be used?

    $ dig -x 10.10.X.1
    $ dig -x 10.10.X.2
    $ dig -x 10.10.X.3

    ... where X is a number in the range 1-25

    Repeat for an IP address of your choice, on the Internet. Remember, you'll
    have to use 10.10.0.254 to be able to perform DNS queries on the Internet...

    Now try to look up:

    $ dig 1.X.10.10.in-addr.arpa. PTR

    ... where X is in the range 1-25.

    What do you notice?

    Let's try IPv6 now:

    $ dig -x 2001:42d0::200:2:1

    What are the differences you can observe in the results, between reverse
    DNS for IPv6 and IPv4 addresses?

        Note: you may possibly not get an answer for the v6 address - but compare
        the question section for the IPv4 and IPv6 reverse addresses.

3. DNSSEC & EDNS0

    Try some of the queries above, this time adding the "+edns=0" option.

    For example:

    $ dig @10.10.0.254 www.icann.org +edns=0

    (you may want to use "more" to limit the output of the command to
    one screen at a time)

    $ dig @10.10.0.254 www.icann.org +edns=0 | more

    Notice the OPT PSEUDOSECTION, at the top of the output?

    What do you notice about the flags: section in the OPT section?

    Let's explicitly enable the BUFSIZE option, but not EDNS0:

    $ dig @10.10.0.254 www.icann.org +bufsize=1024 | more

    Notice that EDNS is set automatically, and notice the udp: size section
    in the OPT pseudosection.

    Now, let's try and retrieve DNSSEC records:

    $ dig @10.10.0.254 isoc.org DNSKEY | more
    $ dig @10.10.0.254 www.isoc.org RRSIG | more

    And finally, let's tell our DNS server that we support DNSSEC:

    $ dig @10.10.0.254 www.isoc.org A +dnssec
    $ dig @10.10.0.254 isoc.org NS +dnssec

    Do you notice a new field in the "flags:" section of the answer?

    Compare with doing dig WITHOUT the +dnssec option:

    $ dig @10.10.0.254 www.isoc.org A
    $ dig @10.10.0.254 isoc.org NS

    If you are already running a nameserver on your local server,
    what happens if you send DNSSEC-enabled queries to it?

    $ dig @127.0.0.1 noc.ws.nsrc.org A +dnssec
    $ dig @127.0.0.1 ws.nsrc.org NS +dnssec
126