
Lab 8-1: DNS Deep-Dive


Course: NET-101, Week 8
Time: ~90 minutes
Tools: Academy pcap-tools workbench at /pcap-tools/; terminal for dig
Captures: fundamentals-dns-query.pcap, dns-lookup.pcap


Part 1: Dig trace -- the full delegation chain (~30 minutes)

In your terminal, run:

dig +trace A virtuscyberacademy.org

With +trace, dig does the iterative resolution itself instead of asking your resolver for the final answer: it asks the configured resolver only for the list of root name servers, then sends a non-recursive query to a root server, follows the referral to the .org TLD servers, follows that referral to the domain's authoritative servers, and prints every response along the way. Because this bypasses the resolver's cache, what you see is the live delegation chain.

Exercise 1.1 -- Record the chain:

Step  Server queried    Response type                                     What the response said
1     (root)            referral: NS records for .org
2     (.org TLD)        referral: NS records for virtuscyberacademy.org
3     (authoritative)   answer: A record

Fill in the last column from your +trace output. Steps 1 and 2 are referrals: the NS records a referral carries live in the AUTHORITY section (with server addresses in ADDITIONAL where glue is needed); only step 3 puts data in the ANSWER section.
  1. How many total DNS queries did dig +trace issue to resolve virtuscyberacademy.org?
  2. What are the names of the .org TLD servers that responded?
  3. What is the TTL on the final A record answer?

Exercise 1.2 -- Compare cached vs fresh:

Run dig A virtuscyberacademy.org (without +trace) twice, a few seconds apart.

  1. Does the TTL value change between the first and second query? By how much?
  2. What does the changing TTL tell you about where this answer is coming from?

Run dig +norecurse A virtuscyberacademy.org @a.root-servers.net. This sends the query straight to a root server with the RD (recursion desired) bit cleared. A root server is authoritative only for the root zone and does not offer recursion anyway, so this shows exactly what a resolver receives at the first step of iteration.

  1. What does the root server return? Is it an A record or a referral?

Part 2: Read DNS records from captures (~30 minutes)

Load fundamentals-dns-query.pcap in pcap-tools.

Apply the display filter dns to show only DNS packets.

Exercise 2.1 -- Message format deep read:

Click the DNS query packet. Expand "Domain Name System (query)."

  1. Write out the six 16-bit fields of the 12-byte DNS header: Transaction ID, Flags (as the 16-bit hex value), Questions count, Answer RRs count, Authority RRs count, Additional RRs count.
  2. What is the actual structure of the question section? (Name, Type, Class -- write the values.)

Click the DNS response packet.

  1. Expand the "Answers" section. What is the full wire format of the answer? (Name, Type, Class, TTL, Data Length, Address -- write all values.)
  2. Is the NAME in the answer section compressed using DNS name compression? A compression pointer is a two-byte field whose top two bits are 11; the pointer c0 0c points to offset 12, which is the question name that starts immediately after the 12-byte header, so look for that byte pair in the hex pane where the answer's name should be.
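To make the fields you are reading off the capture concrete, here is an added example (it is not part of the lab materials and the bytes are not taken from fundamentals-dns-query.pcap): a small Python reader for the DNS wire format. The query, response and NXDOMAIN messages are constructed by hand for the documentation name example.com and the documentation address 192.0.2.1, with the transaction ID 0x1a2b, flags and TTL 3600 chosen arbitrarily. The code returns every header field, the question, and the answer RR in the same order the exercise asks for them, decodes the RCODE used in Exercise 2.2, and follows the c0 0c compression pointer while refusing pointers that do not point backwards, a check you want when parsing packets you did not generate yourself.

```python
# Added example for Lab 8-1: a DNS wire-format reader. All bytes below are constructed.
import struct

# Constructed query: ID 0x1a2b, flags 0x0100 (RD), QDCOUNT 1, question example.com A IN.
QUERY = bytes.fromhex(
    "1a2b" "0100" "0001" "0000" "0000" "0000"   # 12-byte header
    "07" "6578616d706c65" "03" "636f6d" "00"    # 7"example" 3"com" 0 (root label)
    "0001" "0001"                               # QTYPE A, QCLASS IN
)
# Constructed response: flags 0x8180 (QR, RD, RA), ANCOUNT 1; the answer NAME is the
# pointer c0 0c to offset 12 (the question name), TTL 3600, RDLENGTH 4, 192.0.2.1.
RESPONSE = (QUERY[:2] + bytes.fromhex("8180" "0001" "0001" "0000" "0000") + QUERY[12:]
            + bytes.fromhex("c00c" "0001" "0001" "00000e10" "0004" "c0000201"))
# Constructed NXDOMAIN reply: flags 0x8183 (RCODE 3), question echoed back, no answers.
NXDOMAIN = QUERY[:2] + bytes.fromhex("8183" "0001" "0000" "0000" "0000") + QUERY[12:]


def parse_header(msg):
    """Unpack the 12-byte header and split the 16-bit flags word into its bits."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "flags": flags, "qr": (flags >> 15) & 1,
            "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
            "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_name(msg, offset):
    """Return (name, offset just past the name in the stream, was_compressed).

    A length byte with its top two bits set is a 14-bit pointer to an earlier copy of
    the name; the stream resumes two bytes after the first pointer. Pointers must point
    backwards, which also rejects the self-referencing loops seen in malformed packets."""
    labels, compressed, resume, jumps = [], False, None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:
                raise ValueError("compression pointer does not point backwards")
            if resume is None:
                resume = offset + 2
            compressed, offset, jumps = True, target, jumps + 1
            if jumps > 16:
                raise ValueError("too many compression pointers")
            continue
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (resume if resume is not None else offset), compressed


def parse_question(msg, offset):
    name, offset, _ = parse_name(msg, offset)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"name": name, "type": qtype, "class": qclass}, offset + 4


def parse_rr(msg, offset):
    """Read one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, offset, compressed = parse_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlength]
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
          "rdlength": rdlength, "compressed_name": compressed}
    if rtype == 1 and rdlength == 4:         # A record: render RDATA as a dotted quad
        rr["address"] = ".".join(str(b) for b in rdata)
    else:
        rr["rdata"] = rdata.hex()
    return rr, offset + rdlength


def parse_message(msg):
    """Parse header, questions and answers (authority/additional are left unparsed)."""
    hdr = parse_header(msg)
    offset, questions, answers = 12, [], []
    for _ in range(hdr["qdcount"]):
        q, offset = parse_question(msg, offset)
        questions.append(q)
    for _ in range(hdr["ancount"]):
        rr, offset = parse_rr(msg, offset)
        answers.append(rr)
    return {"header": hdr, "questions": questions, "answers": answers}


if __name__ == "__main__":
    for tag, msg in (("query", QUERY), ("response", RESPONSE), ("nxdomain", NXDOMAIN)):
        print(tag, parse_message(msg))
```

Run it and compare its output for RESPONSE with what pcap-tools shows for your captured response: the same six header fields, the question (Name, Type, Class) and the answer (Name, Type, Class, TTL, Data Length, Address). Byte 29 of RESPONSE is where c0 0c sits, directly after the question section.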

Exercise 2.2 -- Multiple record types:

Load dns-lookup.pcap and apply the display filter dns.

  1. What record types appear in the answer sections across all DNS packets in this capture?
  2. Apply dns.qry.type == 28 (type 28 is AAAA). Are there any AAAA queries?
  3. Apply dns.flags.response == 1 and dns.flags.rcode != 0. Are there any error responses? (rcode != 0 means not NOERROR.)

Part 3: DNS record type survey (~20 minutes)

Using dig from your terminal, look up the following for a domain of your choice (you may use google.com):

dig A google.com
dig AAAA google.com
dig MX google.com
dig NS google.com
dig TXT google.com
dig SOA google.com
  1. For each record type, write: the record type, the value returned, and one sentence explaining what this record is used for.
  2. What is the SOA record's MNAME (master name server) for the domain you chose?
  3. What is the negative TTL value in the SOA record (the MINIMUM field, the last number in the record)? What does this control?

Part 4: Observation and filter (~10 minutes)

  1. Write a Wireshark display filter that shows only DNS responses where the answer section contains at least one A record: dns.flags.response == 1 and dns.a. Test it on dns-lookup.pcap.
  2. Write a filter that shows only NXDOMAIN responses (non-existent domain): dns.flags.rcode == 3. You may need to generate one yourself: run dig nonexistent.virtuscyberacademy.org to trigger an NXDOMAIN, then check the response. If the zone has a wildcard record you will get an answer instead of NXDOMAIN; in that case pick a name in a zone you know has no wildcard.

Artifact

Create lab-8-1.md in your net-101/ Git repo with:

  • The delegation chain table from Exercise 1.1
  • All dig outputs (copy-paste the terminal output)
  • Answers to all questions
  • Your display filters from Part 4

Commit with a meaningful commit message.