Module 8
DNS Tools & Diagnostics

- dig ships with BIND (*nix); a Windows build is also available
- nslookup is available on Windows and *nix
- dig on Windows: unpack the zip and copy only dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll to portable media
- SamSpade.org provides a freeware Windows GUI utility that includes dig
DIG
- Command line tool with a great many options
- Powerful: returns the exact DNS RRs the server sent
- Typically only available with BIND
- Casual use on Windows:
  - Unpack the Windows zip file
  - Copy dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll to portable media
  - Google for the SamSpade.org GUI DNS tools, which include dig
Dig Command Format
dig [opts] [@dns] target-name type

- Many options govern formatting and behavior
- -x is required for a reverse lookup (dig builds the in-addr.arpa or ip6.arpa name and queries for PTR)
- @dns optionally gives the name or IP of the name server to send the query to; the default is the locally configured DNS server (typically a recursive resolver)
- target-name is required
- type is the RR type (default A); the pseudo types any and axfr are also accepted
Dig Commands
dig www.example.com
  Returns the A RRs of www.example.com using the local DNS server
dig @ns1.example.com www.example.com
  Returns the A RRs of www.example.com using ns1.example.com, an authoritative name server for the domain
dig www.example.com any
  Returns all RRs with the label www.example.com using the local DNS server (many servers now answer ANY with a minimal response or refuse it, per RFC 8482, so do not rely on it for enumeration)
dig -x 192.168.2.5
  Returns the reverse (PTR) lookup for 192.168.2.5 using the local DNS server
DIG command
dig @ns1.example.com www.example.com
DIG Response
; <<>> DiG 9.4.1-P1 <<>> @ns1.example.com www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49319
;; flags: qr rd ra aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 5 IN A 10.10.0.5
www.example.com. 5 IN A 10.10.0.6
;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 3000 IN A 10.10.0.8
ns2.example.com. 3000 IN A 10.10.0.9
;; SERVER: 192.5.6.30#53(192.5.6.30)
DIG Response
A response may contain up to 5 sections:
- Header: flags, status, id
- QUESTION SECTION: the query
- ANSWER SECTION: present only if successful
- AUTHORITY SECTION: one or more name servers
- ADDITIONAL SECTION: typically A/AAAA RRs of the name servers
DNS Flag Values
QR - Query/Response. Clear in a query, set in a response; indicates the direction of the message.
AA - Authoritative Answer. Set if the response came from a server authoritative for the zone (a zone master or slave).
TC - TrunCation. Set when the response was longer than the transport permitted and has been cut short; the client should retry the query over TCP.
RD - Recursion Desired. Set in a query and copied into the response; asks the server to resolve the name recursively.
RA - Recursion Available. Valid in a response; if set, the server offers recursive query service.
AD - Authenticated Data. DNSSEC only. Set by a validating resolver when all data in the answer and authority sections was validated.
CD - Checking Disabled. DNSSEC only. Set in a query to ask the resolver not to perform DNSSEC validation.
DNS Status Values
0 = NOERROR. No error.
1 = FORMERR. Format error: the server was unable to interpret the query.
2 = SERVFAIL. Name server problem or lack of information. Some servers also return it where REFUSED would be the more accurate code.
3 = NXDOMAIN. Name does not exist; meaningful only from an authoritative name server (a recursive resolver relays it).
4 = NOTIMP. Not implemented: the server does not support the requested kind of query.
5 = REFUSED. Refused for policy reasons, for example an unauthorized zone transfer (axfr) request or a recursive query from a client outside the allowed ranges.
DIG Result
- No errors (NOERROR)
- Flags: query response, recursion desired, recursion available, authoritative
- Answer = 2 A RRs for the web server
- Authority = 2 name servers
- Additional = 2 A RRs of the name servers
DIG commands
dig @a.root-servers.net www.example.com
DIG Response
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15570
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30
....
;; Query time: 38 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
DIG Response
- No error = NOERROR
- Flags = query response, recursion desired (recursion available is not set; the root servers do not recurse, hence the warning)
- No answer section
- Authority = multiple NS RRs for com.
- Additional = multiple A/AAAA RRs for those name servers
- This is a referral: the root server points the client at the servers for the next label down
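The two responses above differ only in their flags and in which sections are populated, which is exactly what a script has to look at to tell an authoritative answer from a referral or an error. The following parser is an added example for this module, not code from the course or from BIND; it reads dig's text output into header fields and sections and classifies the response. The two transcripts embedded in it are the ones on the slides, with the addresses as shown there; the referral transcript was abbreviated on the slide, and the header counts expose that.

```python
"""Parse dig's text output into header fields and sections, then classify it.
Added example for this module (not course or BIND code); the transcripts
are the two slide examples, including the slide's abbreviated referral."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags:([a-z ]*); (.*)")
SECTION_RE = re.compile(r";; (\w+) SECTION:")
SERVER_RE = re.compile(r";; SERVER: (\S+)")


@dataclass
class DigResponse:
    status: str = ""
    flags: set = field(default_factory=set)
    counts: dict = field(default_factory=dict)    # section -> count from the header line
    sections: dict = field(default_factory=dict)  # section -> [(name, ttl, type, rdata)]
    server: str = ""


def parse_dig(text):
    resp, section = DigResponse(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := HEADER_RE.match(line):
            resp.status = m.group(2)
        elif m := FLAGS_RE.match(line):
            resp.flags = set(m.group(1).split())
            for part in m.group(2).split(","):
                key, val = part.split(":")
                resp.counts[key.strip()] = int(val)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            resp.sections[section] = []
        elif m := SERVER_RE.match(line):
            resp.server = m.group(1)
        elif line.startswith(";") or set(line) <= {"."}:
            continue  # banner, the ";name IN A" question line, warnings, timing, "...." elisions
        elif section:
            fields = line.split(None, 4)  # name ttl class type rdata
            if len(fields) == 5:
                name, ttl, _cls, rtype, rdata_ = fields
                resp.sections[section].append((name.rstrip(".").lower(), int(ttl), rtype, rdata_))
    return resp


def rdata(resp, section, rtype):
    return [rr[3] for rr in resp.sections.get(section, []) if rr[2] == rtype]


def recursion_warning(resp):
    """True when dig prints 'recursion requested but not available'."""
    return "rd" in resp.flags and "ra" not in resp.flags


def classify(resp):
    """Name the kind of response from the flags and sections, as the slides do."""
    if resp.status != "NOERROR":
        return resp.status                      # FORMERR, SERVFAIL, NXDOMAIN, ...
    if resp.sections.get("ANSWER"):
        return "authoritative answer" if "aa" in resp.flags else "non-authoritative answer"
    if rdata(resp, "AUTHORITY", "NS"):
        return "referral"                       # delegation, no answer
    return "empty answer (NODATA)"


def transcript_complete(resp):
    """Header counts match the RRs present (false when the output was abbreviated)."""
    return all(len(resp.sections.get(s, [])) == resp.counts.get(s, 0)
               for s in ("ANSWER", "AUTHORITY", "ADDITIONAL"))


AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49319
;; flags: qr rd ra aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 5 IN A 10.10.0.5
www.example.com. 5 IN A 10.10.0.6
;; AUTHORITY SECTION:
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 3000 IN A 10.10.0.8
ns2.example.com. 3000 IN A 10.10.0.9
;; SERVER: 192.5.6.30#53(192.5.6.30)
"""

REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15570
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.example.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS A.GTLD-SERVERS.NET.
com. 172800 IN NS M.GTLD-SERVERS.NET.
;; ADDITIONAL SECTION:
A.GTLD-SERVERS.NET. 172800 IN A 192.5.6.30
....
;; SERVER: 198.41.0.4#53(198.41.0.4)
"""
```

Run `classify(parse_dig(text))` on captured dig output; `transcript_complete` is worth keeping in any such script, because a mismatch between the header counts and the RRs parsed means the output was cut short (or the response was truncated and the TC flag should be checked).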

NSLOOKUP
nslookup [opts] target [dns]

- Available on Windows and with BIND (*nix)
- Command line and interactive mode
- Default output is pretty-printed (names and addresses, not the raw RRs)
- Useful for a quick check; whether you prefer it to dig depends on mindset: overview versus detailed data
- Use the -d2 option to see the RRs
NSLOOKUP Commands
nslookup -type=MX example.com
Gets mail server records for example.com using locally
defined name server
nslookup 192.168.2.1
Gets reverse mapped name for 192.168.2.1
nslookup www.example.com ns1.example.com
Gets A RR for www.example.com using name server
ns1.example.com
nslookup
Enter interactive mode – exit to terminate
NSLOOKUP
# nslookup www.example.com
Server: ns1.example.net
Address: 192.168.6.73
Name: www.example.com
Address: 192.168.2.80
# nslookup www.example.com ns1.example.com
Server: ns1.example.com
Address: 192.168.2.53
Name: www.example.com
Address: 192.168.2.80
Additional Tools - BIND
- named-checkzone, named-checkconf: validation utilities for zone files and named.conf
- rndc, rndc-confgen: remote control of the name server over an authenticated control channel (rndc-confgen generates the key)
- nsupdate: Dynamic Update (DDNS) of DNS RRs
- dnssec-keygen, dnssec-signzone: DNSSEC cryptographic tools
DNS Logging
- BIND defaults to syslog (*nix); controlled by the logging clause in named.conf
- Windows DNS: events go to the DNS event log, viewed via the DNS console or the Event log (DNS)
- Windows debug log (text file), default systemroot\System32\Dns\Dns.log; enabled in the DNS console under Properties > Logging
BIND Log Analysis
- Stream logs carefully: split them by category into single or multiple log files
- Watch log size! (use the version/size options of the file channel)
- Iterate based on experience
- Use post-processing tools
- Know what a normal log looks like
BIND Log Analysis
lame-servers: unexpected RCODE (REFUSED) resolving 'mail10fr2.emthtpmy1.net/A/IN': 213.251.188.141#53
update-security: client 69.196.169.154#49160: update 'mediazoneplus.com/IN' denied
security: client 93.174.93.72#35411: query (cache) 'doc.gov/ANY/IN' denied
lame-servers: unexpected RCODE (SERVFAIL) resolving 'cns.electro-com.ru/A/IN': 86.110.161.228#53
lame-servers: host unreachable resolving 'mumns5.mtnl.net.in/A/IN': 198.32.64.12#53
security: client 12.190.240.131#9980: query (cache) 'google.com/A/IN' denied
lame-servers: connection refused resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
security: client 128.223.8.114#45985: query (cache) 'com/ANY/IN' denied
lame-servers: connection refused resolving '211.142.235.91.in-addr.arpa/PTR/IN': 2001:470:300::2#53
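The lines above mix two very different things: lame-servers messages are noise about other people's broken servers, while security and update-security messages record clients this server refused, and a refused query (cache) is an outside host trying to use the server as an open resolver. An ANY query for a large zone such as doc.gov or com from an unknown client is the classic amplification probe. The script below is an added example for this module, not code from the course or from BIND: it parses lines in the "category: message" form shown on the slide (the nine slide lines are embedded as the sample), counts categories, and pulls out denied clients, ANY probes, denied dynamic updates and the remote servers that failed to answer. Real BIND logs put a timestamp and severity in front of the category, which would need stripping first.

```python
"""Triage BIND log lines: count categories, list denied clients and ANY probes.
Added example for this module (not course or BIND code); SAMPLE holds the nine
lines shown on the slide, in the 'category: message' form printed there."""
import re
from collections import Counter

SAMPLE = """\
lame-servers: unexpected RCODE (REFUSED) resolving 'mail10fr2.emthtpmy1.net/A/IN': 213.251.188.141#53
update-security: client 69.196.169.154#49160: update 'mediazoneplus.com/IN' denied
security: client 93.174.93.72#35411: query (cache) 'doc.gov/ANY/IN' denied
lame-servers: unexpected RCODE (SERVFAIL) resolving 'cns.electro-com.ru/A/IN': 86.110.161.228#53
lame-servers: host unreachable resolving 'mumns5.mtnl.net.in/A/IN': 198.32.64.12#53
security: client 12.190.240.131#9980: query (cache) 'google.com/A/IN' denied
lame-servers: connection refused resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
security: client 128.223.8.114#45985: query (cache) 'com/ANY/IN' denied
lame-servers: connection refused resolving '211.142.235.91.in-addr.arpa/PTR/IN': 2001:470:300::2#53
"""

LINE_RE = re.compile(r"^(?P<cat>[\w-]+): (?P<msg>.*)$")
# "client IP#port: update 'zone/IN' denied" or "client IP#port: query (cache) 'name/TYPE/IN' denied"
DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
                       r"(?P<what>update|query \(cache\)) '(?P<target>[^']+)' denied")
# "<reason> resolving 'name/TYPE/IN': IP#port" from the lame-servers category
RESOLVE_RE = re.compile(r"(?P<why>.+?) resolving '(?P<qname>[^/']+)/(?P<qtype>\w+)/IN': "
                        r"(?P<ip>[0-9a-fA-F.:]+)#\d+")


def parse_line(line):
    """Return a record dict for one log line, or None if it is not 'category: message'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"category": m["cat"], "kind": "other"}
    if d := DENIED_RE.search(m["msg"]):
        target = d["target"].split("/")  # 'name/TYPE/CLASS' for queries, 'zone/CLASS' for updates
        rec.update(kind="denied", client=d["ip"], port=int(d["port"]),
                   action="update" if d["what"] == "update" else "query",
                   name=target[0], qtype=target[1] if len(target) == 3 else None)
    elif r := RESOLVE_RE.search(m["msg"]):
        rec.update(kind="resolve-failure", reason=r["why"], qname=r["qname"],
                   qtype=r["qtype"], server=r["ip"])
    return rec


def triage(lines):
    """Summarise a batch of lines the way an analyst skims a BIND log."""
    s = {"categories": Counter(), "denied_queries": Counter(), "any_probes": [],
         "denied_updates": [], "failing_servers": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s["categories"][rec["category"]] += 1
        if rec["kind"] == "denied" and rec["action"] == "query":
            # Refused by the query/recursion ACL: an outside client probing for an
            # open resolver. ANY for a big zone is the amplification-probe signature.
            s["denied_queries"][rec["client"]] += 1
            if rec["qtype"] == "ANY":
                s["any_probes"].append((rec["client"], rec["name"]))
        elif rec["kind"] == "denied":
            s["denied_updates"].append((rec["client"], rec["name"]))  # DDNS from an unauthorised host
        elif rec["kind"] == "resolve-failure":
            s["failing_servers"][rec["server"]] += 1  # remote server problem; usually just noise
    return s
```

Feed it the security channel only (or the whole log, once the timestamp prefix is stripped) and alert on `denied_queries` clients that recur and on any `any_probes` entry; the `failing_servers` counter is what lets you confirm that the bulk of lame-servers lines is harmless background.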
Quick Quiz
- What is the default RR type for dig?
- What is the default RR type for nslookup?
- Name any BIND utility.
- Can you run dig on Windows?
- Dig command for the MX RRs of google.com?
- Nslookup command for the MX RRs of google.com?