CIS-2151 Lab Assignment #8: DNS

Reading: Chapter 24 covers SMTP, DNS, and HTTP.

In this lab you will look at how name resolution works on the Internet and in the process investigate an important UDP protocol.

  1. In a PuTTY session, run the nslookup program and configure it to use the name server at 155.42.16.31. That is the IP address of the server VTC campus machines use to resolve external (outside of VTC) names. Use a command such as this:

            $ nslookup
            > server 155.42.16.31

  2. Note that if this DNS server doesn't appear to work, you can try the one at 155.42.16.32.

  3. Run tshark in a separate session and use a capture filter of 'host 155.42.16.31' to only capture traffic going to/from that name server. Now in the original session look up the IP address associated with the host www.google.com. You can do this by just typing the name at nslookup's prompt:

            > www.google.com


    After you receive a result, stop the tshark capture to avoid cluttering it with queries made by other users. You should have four frames from two queries. Each pair of frames consists of a DNS datagram from lemuria to the name server and a DNS reply from the name server.

  4. Dissect the first frame and answer the following questions:

    1. Looking at the UDP header, what are the source and destination ports?
    2. The tshark program knows how to dissect the DNS application protocol. Verify that the frame you are looking at contains a DNS query. What is the Transaction ID? This is a number created by the client that is copied into the corresponding reply by the server. It is used to link replies to their queries.
    3. Verify that the name www.google.com appears in the query itself. What is the Type and Class of the query?
  5. Next dissect the second frame (the response). Is the Transaction ID the same as for the query? In the "Answer" section, what is the Time to Live value? What is the address?

  6. You captured two other frames as a result of what nslookup did. How are the second pair of frames different? I'm looking for a general answer here. Why did nslookup issue a second query to figure out what you wanted?

  7. Change the server setting in nslookup to 155.42.16.2 (a nonexistent name server) and do another capture when you attempt to look up the name www.google.com. You should see three frames after a delay of about 15 seconds. What are these frames? How much time elapsed between each (note the relative times of each frame)? Notice the lack of a "connection" because UDP does not make connections.

  8. What happens when you try to send a query to vtcdns.vtc.edu? (change the server setting in nslookup). To fully answer this question you should capture the traffic while making a query and see what the server sends back to the client.
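
The fields questions 4 and 5 ask you to read off in tshark (Transaction ID, query Type and Class, the answer's Time to Live and address) are all in the DNS datagram itself, so it helps to see how they are laid out. The following Python script is an added example written for this page, not part of the lab or its tools: it builds a constructed query for www.google.com and a constructed reply (the transaction ID 0x1a2b, TTL 300 and address 192.0.2.10 are made-up values, not what the real server returns), parses both with a small DNS message parser, and shows the check a resolver performs to link a reply to its query.

```python
import struct
from typing import Dict, List, Tuple


def read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at offset `off`, following RFC 1035 compression
    pointers (0xC0xx). Returns (dotted name, offset just past the name
    as it appears at `off`, i.e. after the pointer if one was used)."""
    labels: List[str] = []
    end = None          # offset after the name in the *original* position
    hops = 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:                         # root label terminates name
            if end is None:
                end = off
            return ".".join(labels), end
        labels.append(buf[off:off + length].decode("ascii"))
        off += length


def parse_dns(buf: bytes) -> Dict:
    """Parse the header, question section and answer section of a DNS
    message; other sections are ignored for this example."""
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = read_name(buf, off)
        qtype, qclass = struct.unpack_from("!HH", buf, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    answers = []
    for _ in range(ancount):
        name, off = read_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
        if rtype == 1 and rdlen == 4:           # type A: IPv4 address
            rec["address"] = ".".join(str(b) for b in rdata)
        else:
            rec["rdata"] = rdata.hex()
        answers.append(rec)
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(tid: int, name: str, qtype: int = 1, qclass: int = 1) -> bytes:
    """Constructed client query: flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_response(query: bytes, ttl: int, address: str) -> bytes:
    """Constructed server reply: same ID, QR/RD/RA set (0x8180), the
    question copied back, one A record whose name is a pointer to offset 12."""
    tid = struct.unpack_from("!H", query, 0)[0]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(o) for o in address.split(".")))
    return header + query[12:] + answer


def reply_matches_query(query: bytes, response: bytes) -> bool:
    """The check a resolver applies before accepting a reply: it must be a
    response, carry the query's Transaction ID, and echo the same question."""
    q, r = parse_dns(query), parse_dns(response)
    return (not q["is_response"] and r["is_response"]
            and q["id"] == r["id"] and q["questions"] == r["questions"])


# Constructed sample datagrams (values are made up for this example).
QUERY = build_query(0x1A2B, "www.google.com")
RESPONSE = build_response(QUERY, ttl=300, address="192.0.2.10")

if __name__ == "__main__":
    print(parse_dns(QUERY))
    print(parse_dns(RESPONSE))
    print("reply accepted:", reply_matches_query(QUERY, RESPONSE))
```

Type 1 and class 1 are the A record and the IN class; the answer name `c0 0c` is a pointer back to offset 12, where the question name begins, which is why tshark shows the same name in both sections without it being repeated in the bytes. Note that the Transaction ID is only 16 bits, so a resolver also relies on the UDP source port from question 4.1 (carried in the UDP header, not in this payload) when deciding which replies to trust.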

Submit a document to Canvas (PDF preferred, but Word, text, or ODF are all acceptable) containing your answers to the questions above. Be sure to include your name in the file. This lab is worth 20 points.


Last Revised: 2023-03-14
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>