Lab 5-2: DNS Query and Response

Course: NET-101, Week 5
Time: ~45 minutes (paired with lab-5-1-dhcp.md for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/; terminal for dig
Captures: fundamentals-dns-query.pcap, dns-lookup.pcap

Part 1: Trace a DNS query in the fundamentals capture (~25 minutes)

Load fundamentals-dns-query.pcap in pcap-tools. This capture contains two packets: a DNS A-record query and its response.

Apply the display filter dns to confirm only DNS packets are visible.

Packet 1 -- DNS Query:

Click the query packet. Expand "Domain Name System (query)."

  1. What is the Transaction ID?
  2. What are the flag values? Is the QR bit 0 (query) or 1 (response)?
  3. How many questions are in the question count?
  4. What is the queried name?
  5. What is the query type? (A = 1, AAAA = 28, MX = 15, etc.)
  6. At the UDP layer: what is the destination port? Source port?

Packet 2 -- DNS Response:

Click the response packet. Expand "Domain Name System (response)."

  1. What is the Transaction ID? Does it match the query?
  2. What are the flag values now? Is the QR bit different?
  3. How many answers are in the answer count?
  4. Expand the "Answers" section. What IP address is returned for example.com?
  5. What is the TTL for the A record? Express it in human-readable units.
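To see exactly which bytes the fields above come from, here is an added Python example (not part of the lab or the academy's pcap-tools) that parses a constructed A query for example.com and its matching response, reporting the transaction ID, QR bit, counts, queried name and type, and the answer's IP and TTL. The sample bytes, ID 0x1a2b and TTL 3600 are constructed, not taken from the lab capture; the final function performs the same ID-and-question match a resolver uses to reject a response that does not belong to its query.

```python
import struct

# Constructed sample packets (not the lab's pcap): an A query for example.com
# with transaction ID 0x1a2b, and its response carrying one A record, TTL 3600.
QUERY = bytes.fromhex(
    "1a2b" "0100" "0001" "0000" "0000" "0000"       # ID, flags=RD, QD=1, AN/NS/AR=0
    "076578616d706c6503636f6d00"                    # QNAME: 7"example" 3"com" 0
    "0001" "0001"                                   # QTYPE=A (1), QCLASS=IN (1)
)
RESPONSE = bytes.fromhex(
    "1a2b" "8180" "0001" "0001" "0000" "0000"       # same ID; flags=QR,RD,RA; AN=1
    "076578616d706c6503636f6d00" "0001" "0001"      # question echoed back
    "c00c" "0001" "0001" "00000e10" "0004" "5db8d822"  # ptr->name, A, IN, TTL 3600, 4 bytes, 93.184.216.34
)

def read_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, jumped, resume = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # top two bits set: 14-bit pointer
            if not jumped:
                resume = off + 2                    # parsing continues after the first pointer
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if jumped else off)

def parse_dns(msg):
    """Return the header, question and answer fields the lab asks for (assumes one question)."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "value": value})
    return {"id": tid, "qr": flags >> 15, "qdcount": qd, "ancount": an,
            "qname": qname, "qtype": qtype, "answers": answers}

def response_matches(query, response):
    """A resolver's acceptance check: QR bits, transaction ID and question must all line up."""
    q, r = parse_dns(query), parse_dns(response)
    return (q["qr"], r["qr"]) == (0, 1) and q["id"] == r["id"] and \
        (q["qname"], q["qtype"]) == (r["qname"], r["qtype"])
```

Run `parse_dns(RESPONSE)` in a REPL and compare each returned field with what pcap-tools shows in the expanded "Domain Name System (response)" tree.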

Part 2: Compare to the mirrored sample capture (~15 minutes)

Load dns-lookup.pcap (the Wireshark wiki sample, mirrored in the academy catalog).

Apply the display filter dns.

  1. How many packets are in this capture? Is it also a single query/response pair, or does it contain multiple exchanges?
  2. What is the first queried domain name?
  3. Are there any AAAA queries (IPv6 address lookups) in this capture? Apply dns.qry.type == 28 to check.

Part 3: Live dig comparison (~10 minutes)

In your terminal, run:

dig A example.com

  1. What is the transaction ID in the dig output? (Look for ";; ID:" in the dig output.)
  2. What IP address does dig return for example.com? Does it match what the pcap shows?
  3. What is the TTL in the dig output? Is it the same as in the pcap? Why might it be different? (Hint: the pcap was captured at a specific moment; your dig runs now.)

Run:

dig +short MX example.com

  1. What MX records does example.com have?

Artifact

Create lab-5-2.md in your net-101/ Git repo with:

  • Answers to all questions
  • The dig output from both commands

Commit with a meaningful commit message (can be combined with the lab-5-1 commit).