Track3Sec: 1.4_dns-dig-hands-on.txt

File 1.4_dns-dig-hands-on.txt, 4.4 KB (added by Fakrul Alam, 6 years ago)
DNS lab: dig, part 1

In the following labs, we'll be using "auth1" as your work machine.
In reality, this is not very important, as we're only going to be using
the 'dig' command.

DIG
---

1. Issue DNS queries using 'dig':

Note: make sure you explicitly specify the nameserver to query using the
"@" syntax in dig:

    $ dig @server_ip ...

If you do not specify the @server_ip, then dig will use the nameserver(s)
listed in /etc/resolv.conf.

1a. Run each command, look for the ANSWER section and write down the result.
    Make note of the TTL as well.

Repeat the command. Is the TTL the same? Are the responses authoritative?

                                                      RESULT 1        RESULT 2
                                                      --------        --------
    $ dig @10.10.0.1  your-favorite-domain a
    $ dig @10.10.0.1  www.google.com. a
    $ dig @10.10.0.1  afnog.org. mx
    $ dig @10.10.0.1  NonExistentDomain.sometld any
    $ dig @10.10.0.1  tiscali.co.uk. txt
    $ dig @10.10.0.1  www.afrinic.net aaaa
    $ dig @10.10.0.1  www.google.com aaaa

1b. Now send some queries to another caching server.

    (Run each of the following twice, and note the time in ms for each attempt)

                                                      RESULT 1        RESULT 2
                                                      --------        --------
    $ dig @8.8.8.8 news.bbc.co.uk. a
    $ dig @208.67.222.222 yahoo.com. a
    $ dig @<a server of your choice> <domain of your choice> a

    How long did it take each answer to be received? (on the first, and
    on the second lookup)

    Some public servers or "open resolvers":
       217.31.204.130, 193.29.206.206, 149.20.64.20, 149.20.64.21
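
Added example (not part of the original lab): a small filter that pulls out
of dig's output the fields exercise 1 asks you to record. The names
dig_summary and sample_query are hypothetical, and the sample output is
constructed, not captured from a real server.

```sh
#!/bin/sh
# dig_summary (hypothetical helper, not part of the lab): read dig output on
# stdin and print the fields exercise 1 asks you to write down.
# Real use:  dig @10.10.0.1 afnog.org. mx | dig_summary
dig_summary() {
    awk '
        BEGIN { status = "-"; aa = "no" }
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                      # header flags end at the first ";"
            f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f)
            if ((" " f " ") ~ / aa /) aa = "yes"
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^[ \t]*$/ { in_answer = 0 }        # a blank line ends the section
        in_answer && ttl == "" && !/^;/ { ttl = $2 }
        /^;; Query time:/ { qtime = $4 }
        END {
            printf "status=%s aa=%s ttl=%s qtime_ms=%s\n", status, aa,
                (ttl == "" ? "-" : ttl), (qtime == "" ? "-" : qtime)
        }'
}

# Constructed sample output (not captured from a real server): the same MX
# query asked twice, 29 seconds apart, of a caching resolver.
sample_query() {   # $1 = TTL shown, $2 = query time in ms
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1' \
        '' \
        ';; ANSWER SECTION:' \
        "example.org.  $1  IN  MX  10 mail.example.org." \
        '' \
        ";; Query time: $2 msec"
}

sample_query 3600 84 | dig_summary   # first lookup: full TTL, slower
sample_query 3571 0  | dig_summary   # repeat: TTL counted down, answered from cache
```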

2. Reverse DNS lookups

    Now try some reverse DNS lookups - note here that we do not explicitly
    specify which nameserver dig should query. Which nameserver will be used?

    $ dig -x 10.10.X.1
    $ dig -x 10.10.X.2
    $ dig -x 10.10.X.3

    ... where X is an IP address in the range 1-25

    Repeat for an IP address of your choice, on the Internet. Remember, you'll
    have to use 10.10.0.1 to be able to perform DNS queries on the Internet...

    Now try to look up:

    $ dig 1.X.10.10.in-addr.arpa. PTR

    ... where X is in the range 1-25.

    What do you notice?

    Let's try IPv6 now:

    $ dig @10.10.0.1 -x 2001:42d0::200:2:1

    What are the differences you can observe in the results, between reverse
    DNS for IPv6 and IPv4 addresses?

    Note: you may possibly not get an answer for the v6 address - but compare
    the question section for the IPv4 and IPv6 reverse addresses.

3. DNSSEC & EDNS0

    Try some of the queries above, this time add the "+edns=0" option.

    For example:

    $ dig @10.10.0.1 www.icann.org +edns=0

    (you may want to use "more" to limit the output of the command to
    one screen at a time)

    $ dig @10.10.0.1 www.icann.org +edns=0 | more

    Notice the OPT PSEUDOSECTION, at the top of the output?

    What do you notice about the flags: section in the OPT section?

    Let's explicitly enable the BUFSIZE option, but not EDNS0:

    $ dig @10.10.0.1 www.icann.org +noedns +bufsize=1024 | more

    Notice that EDNS is set automatically, and notice the udp: size section
    in the OPT pseudosection.

    Now, let's try and retrieve DNSSEC records:

    $ dig @10.10.0.1 isoc.org DNSKEY | more
    $ dig @10.10.0.1 www.isoc.org RRSIG | more

    And finally, let's tell our DNS server that we support DNSSEC:

    $ dig @10.10.0.1 www.isoc.org A +dnssec
    $ dig @10.10.0.1 isoc.org NS +dnssec
    $ dig @10.10.0.1 google.com NS +dnssec

    Do you notice a new field in the "flags:" section of the answer
    in the HEADER and OPT PSEUDOSECTION?

    Compare with doing dig WITHOUT the +dnssec option and for a
    domain without DNSSEC:

    $ dig @10.10.0.1 www.isoc.org A
    $ dig @10.10.0.1 isoc.org NS
    $ dig @10.10.0.1 google.com NS

    Now look at a large response:

    $ dig @10.10.0.1 isoc.org DNSKEY +dnssec

    And limit our buffersize:

    $ dig @10.10.0.1 isoc.org DNSKEY +dnssec +bufsize=512

    What do you notice at the beginning of the response?

    Why does DNS default to UDP?

    If you are already running a nameserver on your local server,
    what happens if you send DNSSEC-enabled queries to it?

    $ dig @127.0.0.1 noc.ws.nsrc.org A +dnssec
    $ dig @127.0.0.1 ws.nsrc.org NS +dnssec
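
Added example (not part of the original lab): a filter that reports the
EDNS0 and DNSSEC signals this section asks you to look for in dig's output.
The names edns_summary and sample are hypothetical; the sample output is
constructed and assumes a validating resolver.

```sh
#!/bin/sh
# edns_summary (hypothetical helper, not part of the lab): report the EDNS0
# and DNSSEC signals in dig output read on stdin.
# Real use:  dig @10.10.0.1 www.isoc.org A +dnssec | edns_summary
edns_summary() {
    awk '
        BEGIN { edns = "none"; dobit = "no"; udp = "-"; ad = "no"; tc = "no" }
        # dig prints this notice first when the UDP reply had TC set
        /^;; Truncated, retrying in TCP mode/ { tc = "yes" }
        /^;; flags:/ {                      # header flags, e.g. "qr rd ra ad"
            f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f)
            if ((" " f " ") ~ / ad /) ad = "yes"
        }
        /^; EDNS:/ {                        # "; EDNS: version: 0, flags: do; udp: 4096"
            edns = $4; sub(/,$/, "", edns)
            o = $0; sub(/.*flags:/, "", o); sub(/;.*/, "", o)
            if ((" " o " ") ~ / do /) dobit = "yes"
            udp = $NF
        }
        END { printf "edns=%s do=%s udp=%s ad=%s truncated=%s\n", edns, dobit, udp, ad, tc }'
}

# Constructed sample output (not captured; assumes a validating resolver).
sample() {   # $1: plain (no +dnssec) | dnssec (+dnssec) | small (+dnssec +bufsize=512)
    case $1 in small) echo ';; Truncated, retrying in TCP mode.' ;; esac
    case $1 in
        plain) hf='qr rd ra';    of='' ;;
        *)     hf='qr rd ra ad'; of=' do' ;;
    esac
    printf '%s\n' \
        ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711' \
        ";; flags: $hf; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1" \
        '' \
        ';; OPT PSEUDOSECTION:' \
        "; EDNS: version: 0, flags:$of; udp: 4096"
}

for kind in plain dnssec small; do sample "$kind" | edns_summary; done
```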

Other Tricks:

    Extra credit: Try

    $ dig chaos txt version.bind @10.10.0.1

    $ dig chaos txt hostname.bind @199.7.83.42