DNS lab: dig, part 1 In the following labs, we'll be using "auth1" as your work machine. In reality, this is not very important, as we're only going to be using the 'dig' command. DIG --- 1. Issue DNS queries using 'dig': Note: make sure you explicitly specify the nameserver to query using the "@" syntax in dig: $ dig @server_ip ... If you do not specify the @server_ip, then dig will use the nameserver(s) listed in /etc/resolv.conf 1a. Run each command, look for the ANSWER section and write down the result. Make note of the TTL as well. Repeat the command. Is the TTL the same? Are the responses Authoritative? RESULT 1 RESULT 2 -------- -------- $ dig @10.192.0.231 your-favorite-domain a $ dig @10.192.0.231 www.google.com. a $ dig @10.192.0.231 afnog.org. mx $ dig @10.192.0.231 NonExistentDomain.sometld any $ dig @10.192.0.231 tiscali.co.uk. txt $ dig @10.192.0.231 www.afrinic.net aaaa $ dig @10.192.0.231 www.google.com aaaa 1b. Now send some queries to another caching server. (Run each of the following twice, and note the time in ms for each attempt) RESULT 1 RESULT 2 -------- -------- $ dig @8.8.8.8 news.bbc.co.uk. a $ dig @208.67.222.222 yahoo.com. a $ dig @222.31.0.1 fb.com a How long did it take each answer to be received? (on the first, and on the second lookup) Some public servers or "open resolvers": 217.31.204.130, 193.29.206.206, 149.20.64.20, 159.226.168.30, 222.31.0.1 2. Reverse DNS lookups Now try some reverse DNS lookups - note here that we do not explicitly specify which nameserver dig should query. Which nameserver will be used ? $ dig -x 10.192.X.1 $ dig -x 10.192.X.2 $ dig -x 10.192.X.3 ... where X is an IP address is your group number Repeat for an IP address of your choice, on the Internet. Remember, you'll have to use @10.192.0.231 to be able to perform DNS queries on the Internet... Now try to lookup: $ dig 1.X.192.10.in-addr.arpa. PTR ... where X is your group number. What do you notice ? Let's try IPv6 now: $ dig @10.192.0.231 -x 2001:42d0::200:2:1 What are the differences you can observe in the results, between reverse DNS for IPv6 and IPv4 addresses ? Note: you may possibly not get an answer for the v6 address - but compare the question section for the IPv4 and IPv6 reverse addresses. 3. DNSSEC & EDNS0 Try some of the queries above, this time add the "+edns=0" option. For example: $ dig @10.192.0.231 www.icann.org +edns=0 Notice the OPT PSEUDOSECTION, at the top of the output ? What do you notice about the flags: section in the OPT section ? Let's explicitly enable the BUFSIZE option, but not EDNS0: $ dig @10.192.0.231 www.icann.org +noedns +bufsize=1024 Notice that EDNS is set automatically, and notice the udp: size section in the OPT pseudosection. Now, let's try and retrieve DNSSEC records: $ dig @10.192.0.231 isoc.org DNSKEY | more $ dig @10.192.0.231 www.isoc.org RRSIG | more And finally, let's tell our DNS server that we support DNSSEC: $ dig @10.192.0.231 www.isoc.org A +dnssec $ dig @10.192.0.231 isoc.org NS +dnssec $ dig @10.192.0.231 google.com NS +dnssec Do you notice a new field in the "flags:" section of the answer in the HEADER and OPT PSEUDOSECTION ? $ dig @10.192.0.231 www.isoc.org A $ dig @10.192.0.231 isoc.org NS $ dig @10.192.0.231 google.com NS Compare with doing dig WITHOUT the +dnssec option and for a domain without DNSSEC: Now look at a large response: $ dig @10.192.0.231 isoc.org DNSKEY +dnssec And limit our buffersize: $ dig @10.192.0.231 isoc.org DNSKEY +dnssec +bufsize=512 What do you notice at the begining of the response? Why does DNS default to UDP? If you are alreaady running a nameserver on your local server, What happens if you send DNSSEC enabled queries to it ? $ dig @127.0.0.1 noc.ws.nsrc.org A +dnssec $ dig @127.0.0.1 ws.nsrc.org NS +dnssec Other Tricks: Extra credit: Try $ dig chaos txt version.bind @10.192.0.231 $ dig chaos txt hostname.bind @199.7.83.42 $ dig chaos txt version.bind @10.192.0.232