Module 8 DNS Tools & Diagnostics

Upload: verity-williamson

Post on 13-Dec-2015


Page 1: Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,

Module 8

DNS Tools & Diagnostics


DNS Tools & Diagnostics

Dig always available with BIND (*nix) and Windows
Nslookup available on Windows and *nix
Dig on Windows – unpack zip, copy only dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll to portable media
SamSpade.org provides Windows GUI utility with dig. Freeware.


DIG

Command line tool – tons of options
Powerful – gives precise DNS RRs
Typically only available with BIND
Casual use on Windows
  Unpack Windows zip file
  Copy to portable media dig.exe, libbind9.dll, libdns.dll, libisc.dll, libisccfg.dll, liblwres.dll
  Google for SamSpade.org GUI DNS tools including DIG


Dig Command Format

dig [opts] [@dns] target-name type

Tons of options to govern formatting and behavior
  -x required for reverse lookup
@dns = optionally defines the name or IP of name server to send the query – default is locally defined DNS (typically recursive)
target-name = name required
type = RR type (default is A)
  Additional pseudo types any and axfr


Dig Commands

dig www.example.com
Returns A RR of www.example.com using local DNS

dig @ns1.example.com www.example.com
Returns A RR of www.example.com using ns1.example.com authoritative name server for domain

dig www.example.com any
Returns any RRs with label of www.example.com using local DNS

dig -x 192.168.2.5
Returns reverse lookup for 192.168.2.5 using local DNS


DIG command

dig @ns1.example.com www.example.com


DIG Response

; <<>> DiG 9.4.1-P1 <<>> ns1.example.com www.example.com

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49319

;; flags: qr rd ra aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;www.example.com. IN A

;; ANSWER SECTION:

www.example.com. 5 IN A 10.10.0.5

www.example.com. 5 IN A 10.10.0.6

;; AUTHORITY SECTION:

example.com. 172800 IN NS ns1.example.com.

example.com. 172800 IN NS ns2.example.com.

;; ADDITIONAL SECTION:

ns1.example.com. 3000 IN A 10.10.0.8

ns2.example.com. 3000 IN A 10.10.0.9

;; SERVER: 192.5.6.30#53(192.5.6.30)


DIG Response

May contain up to 5 sections
Header – flags, status, id
QUESTION SECTION
  The query
ANSWER SECTION
  Present only if successful
AUTHORITY SECTION
  One or more name servers
ADDITIONAL SECTION
  Typically A/AAAA RRs of name servers


DNS Flag Values

QR – Query response received. Indicates direction of query

AA - Authoritative Answer. Set if the response was received from a zone master or slave.

TC - TrunCation - length greater than permitted, set on all truncated messages except the last one.

RD - Recursion Desired - set in a query and copied into the response if recursion supported.

RA - Recursion Available - valid in a response and if set denotes recursive query support is available.

AD - Authenticated Data. DNSSEC only. Indicates that the data was reliably authenticated.

CD - Checking Disabled. DNSSEC only. Disables checking at the receiving server.


DNS Status Values

0 = NOERR. No error.

1 = FORMERR. Format error - the server was unable to interpret the query.

2 = SERVFAIL – name server problem or lack of information. Often also returned with the same meaning as REFUSED.

3 = NXDOMAIN Name does not exist - meaningful only from an authoritative name server.

4 = NOTIMPL Not Implemented.

5 = REFUSED - typically for policy reasons, for example, a zone transfer request.


DIG Result

No errors (NOERROR)
Flags query response, recursion desired, recursion available, authoritative
Answer = 2 A RRs for the web server
Authority = 2 name servers
Additional = 2 A RRs of name servers


DIG commands

dig @a.root-servers.net www.example.com


DIG Response

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15570

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; WARNING: recursion requested but not available

;; QUESTION SECTION:

;www.example.com. IN A

;; AUTHORITY SECTION:

com. 172800 IN NS A.GTLD-SERVERS.NET.

com 172800 IN NS M.GTLD-SERVERS.NET.

;; ADDITIONAL SECTION:

A.GTLD-SERVERS.NET 172800 IN A 192.5.6.30

A.GTLD-SERVERS.NET. 172800 IN AAAA 2001:503:a83e::2:30

....

;; Query time: 38 msec

;; SERVER: 198.41.0.4#53(198.41.0.4)


DIG Response

No error = NOERROR
Status = query response, recursion desired
No answer section
Authority = multiple
Additional = multiple A RRs
This is a referral
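The reading of the two dig responses above (authoritative answer from ns1.example.com, referral from the root server) can be done mechanically from the header lines. The following is an added example, not part of the original slides: the function names are hypothetical, the header text is copied from the slides, and the "no data" case goes beyond what the slides cover.

```python
import re

# Header lines copied from the two dig responses shown on the slides.
AUTH_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49319
;; flags: qr rd ra aa; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
"""
ROOT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15570
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
"""

STATUS_RE = re.compile(r"status:\s*(\w+),\s*id:\s*(\d+)")
FLAGS_RE = re.compile(r"flags:\s*([a-z ]*);\s*(.*)")
COUNT_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")


def parse_dig_header(text):
    """Extract status, id, flag set and section counts from dig output."""
    out = {"status": None, "id": None, "flags": set(), "counts": {}}
    for line in text.splitlines():
        if (m := STATUS_RE.search(line)):
            out["status"], out["id"] = m.group(1), int(m.group(2))
        elif (m := FLAGS_RE.search(line)):
            out["flags"] = set(m.group(1).split())
            out["counts"] = {k: int(v) for k, v in COUNT_RE.findall(m.group(2))}
    return out


def classify(parsed):
    """Name the response kind from status, aa flag and section counts."""
    flags, counts = parsed["flags"], parsed["counts"]
    if parsed["status"] != "NOERROR":
        return f"error: {parsed['status']}"
    if counts.get("ANSWER", 0) > 0:
        return "authoritative answer" if "aa" in flags else "non-authoritative answer"
    if "aa" in flags:
        return "no data"  # name exists, but no RR of the requested type
    return "referral" if counts.get("AUTHORITY", 0) > 0 else "empty"


def recursion_unavailable(parsed):
    """True when rd was requested but the server did not set ra."""
    return "rd" in parsed["flags"] and "ra" not in parsed["flags"]


if __name__ == "__main__":
    for text in (AUTH_ANSWER, ROOT_REFERRAL):
        print(classify(parse_dig_header(text)))
```
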


NSLOOKUP

Available on Windows and with BIND (*nix)
Command line and interactive mode
Default pretty print output
Useful quick check
depends on mindset
  Detailed data or overview
  Use -d2 option for RRs

nslookup [opts] target [dns]


NSLOOKUP Commands

nslookup -type=MX example.com
Gets mail server records for example.com using locally defined name server

nslookup 192.168.2.1
Gets reverse mapped name for 192.168.2.1

nslookup www.example.com ns1.example.com
Gets A RR for www.example.com using name server ns1.example.com

nslookup
Enter interactive mode – exit to terminate


NSLOOKUP

# nslookup www.example.com

Server: ns1.example.net

Address: 192.168.6.73

Name: www.example.com

Address: 192.168.2.80

# nslookup www.example.com ns1.example.com

Server: ns1.example.com

Address: 192.168.2.53

 

Name: www.example.com

Address: 192.168.2.80


Additional Tools - BIND

named-checkzone, named-checkconf – validation utilities
rndc, rndc-confgen – remote control of name server (optionally secure)
nsupdate - Dynamic Update (DDNS) of DNS RRs
dnssec-keygen, dnssec-signzone – secure DNS cryptographic tools


DNS Logging

BIND defaults to syslog (*nix)
BIND controlled by logging clause
Windows DNS Event log via DNS console or Event log (DNS)
Debug log default systemroot\System32\Dns\Dns.log (text file)
DNS console Properties->logging


BIND Log Analysis

stream log carefully (category)
single or multiple logs
watch log size! (use version/size)
iterate based on experience
post processing tools
know what a normal log looks like


BIND Log Analysis

lame-servers: unexpected RCODE (REFUSED) resolving 'mail10fr2.emthtpmy1.net/A/IN': 213.251.188.141#53
update-security: client 69.196.169.154#49160: update 'mediazoneplus.com/IN' denied
security: client 93.174.93.72#35411: query (cache) 'doc.gov/ANY/IN' denied
lame-servers: unexpected RCODE (SERVFAIL) resolving 'cns.electro-com.ru/A/IN': 86.110.161.228#53
lame-servers: host unreachable resolving 'mumns5.mtnl.net.in/A/IN': 198.32.64.12#53
security: client 12.190.240.131#9980: query (cache) 'google.com/A/IN' denied
lame-servers: connection refused resolving 'pdns5.ultradns.info/A/IN': 2001:500:1a::1#53
security: client 128.223.8.114#45985: query (cache) 'com/ANY/IN' denied
lame-servers: connection refused resolving '211.142.235.91.in-addr.arpa/PTR/IN': 2001:470:300::2#53
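A post-processing pass over log lines in this format, as an added example that is not part of the original slides: it counts entries per category and pulls out the clients behind denied cache queries and denied dynamic updates. The function names are hypothetical, the sample log is constructed with documentation addresses, and it assumes each line starts with the category name as on the slide (no timestamp prefix).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the slide's log lines
# (documentation addresses and example names, not real traffic).
SAMPLE_LOG = """\
lame-servers: unexpected RCODE (REFUSED) resolving 'mail.example.net/A/IN': 192.0.2.10#53
update-security: client 198.51.100.7#49160: update 'example.com/IN' denied
security: client 203.0.113.5#35411: query (cache) 'example.org/ANY/IN' denied
lame-servers: host unreachable resolving 'ns5.example.net/A/IN': 192.0.2.20#53
security: client 203.0.113.5#9980: query (cache) 'www.example.com/A/IN' denied
security: client 203.0.113.99#45985: query (cache) 'com/ANY/IN' denied
lame-servers: connection refused resolving 'ns1.example.info/A/IN': 2001:db8::1#53
"""

LINE_RE = re.compile(r"^(?P<category>[a-z-]+):\s+(?P<msg>.+)$")
DENIED_QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<type>\w+)/\w+' denied")
DENIED_UPDATE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^/']+)/\w+' denied")


def triage(log_text):
    """Summarise a BIND log: per-category counts plus denied clients."""
    report = {"categories": Counter(), "denied_queries": defaultdict(list),
              "denied_updates": [], "unparsed": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                report["unparsed"].append(line)
            continue
        report["categories"][m["category"]] += 1
        if (q := DENIED_QUERY_RE.search(m["msg"])):
            report["denied_queries"][q["ip"]].append((q["name"], q["type"]))
        elif (u := DENIED_UPDATE_RE.search(m["msg"])):
            report["denied_updates"].append((u["ip"], u["zone"]))
    return report


def any_query_clients(report):
    """Clients whose denied cache queries asked for the ANY pseudo type."""
    return sorted(ip for ip, qs in report["denied_queries"].items()
                  if any(qtype == "ANY" for _, qtype in qs))
```

Comparing the per-category counts from one period to the next is one way to act on the slide's advice to know what a normal log looks like.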


Quick Quiz

What is the default RR type for dig?
What is the default RR type for nslookup?
Name any BIND utility?
Can you run dig on Windows?
Dig command for mx RR for google.com?
Nslookup command for mx RR for google.com?