COMPUTER NETWORK REPORT find out how to operate and install DNS services information technology industry


HA NOI UNIVERSITY OF SCIENCE AND TECHNOLOGY

COMPUTER NETWORK REPORT
Find out how to operate and install DNS services
Information technology industry

Instructor: Trần Nguyên Ngọc
Subject: Computer network
Member:
+ Nguyễn Quang Ninh – 20198321
+ Nguyễn Minh Nghĩa – 20198318
+ Lê Văn Vỹ - 20198344

HA NOI

Contents

Preface
I WHAT IS A DNS?
   DNS Propagation
   DNS Resolution
   Uses of DNS
   What is DNS Used For?
II HOW TO OPERATE DNS SERVICES
   Building Blocks of DNS
   DNS Resolver
   DNS Root Server
   TLD Name Server
   Authoritative Name Server
   Summary of the DNS Process - a DNS Example
   How DNS Works
   DNS Types - Types of DNS Queries
   DNS Record Types
   The DNS Protocol
III HOW TO INSTALL AND CONFIGURE DNS SERVICES?
   HOW TO INSTALL DNS SERVER? (In Windows Server 2019)
   How to configure DNS Server?
   TEST NEW DNS SERVER ON WINDOWS 10
IV PACKET ANALYSIS WITH WIRESHARK?
   Packets
   Packet analysis
   What is Wireshark?
   DNS - PACKET ANALYSIS WITH WIRESHARK
Conclude
Work assignment
References

Preface

Have you ever thought about the fact that all computers on the Internet, from smartphones, laptops and PCs to servers running services such as websites and mail, communicate with each other through IP addresses? These IP addresses differ from website to website and are difficult for users to remember, so how can this problem be solved? The DNS system (domain name resolution system) is what solves it.

I WHAT IS A DNS?
The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources.

Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as 192.168.1.1 (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).

DNS Propagation

Unlike a phone book, DNS records are commonly updated, meaning that a server’s IP address can change without affecting end users. Users continue to use the same domain name, and are automatically redirected to the new address. A DNS A or AAAA Record points a domain or subdomain to an IP, and a CNAME record points a domain or subdomain to another domain name.

After you register a new domain name or when you update DNS servers on your domain name, it usually takes about 12-36 hours for the domain name servers world-wide to be updated and able to access the information. This period is referred to as propagation. With next-generation DNS technology, propagation can be reduced to minutes or seconds.

DNS allows for multiple hostnames to correspond to a single IP address - this can be used for virtual hosting, when many websites are served from a single host. A single hostname can also resolve to many IP addresses, in order to distribute load to multiple servers.

DNS Resolution

Typically, when you connect to a local network, Internet service provider (ISP) or WiFi network, the modem or router sends network configuration information to your local device, including one or more DNS servers. These are the initial DNS servers your device will use to translate host names to IP addresses.

A component called a DNS Resolver is responsible for checking if the host name is available in local cache,
and if not, contacts a series of DNS Name Servers, until eventually it receives the IP of the website or service you are trying to reach. If everything is working well, this can take less than a second. The process is known as DNS resolution of a hostname to IP address.

Uses of DNS

The classic use of DNS is to translate the domain name in a URL into a corresponding IP address. But DNS has many more uses - it underlies many other forms of Internet communication.

What is DNS Used For?

• Resolving names of World Wide Web (WWW) sites
• Routing messages to email servers and webmail services
• Connecting app servers, databases and middleware within a web application
• Virtual Private Networks (VPN)
• Peer-to-peer sharing programs
• Multiplayer games
• Instant messaging and online meeting services
• Communication between IoT devices, gateways and servers

II HOW TO OPERATE DNS SERVICES

Building Blocks of DNS

There are four main building blocks that enable DNS to function:

DNS Resolver

A DNS resolver, also called a recursive resolver, is a server designed to receive DNS queries from web browsers and other applications. The resolver receives a hostname - for example, www.example.com - and is responsible for tracking down the IP address for that hostname. The DNS resolver might be operated by the local network, an Internet Service Provider (ISP), a mobile carrier, a Wi-Fi network, or other third party.

The resolver starts by looking in its local cache or that of the operating system on the local device - if the hostname is found, it is resolved immediately. If not found, the resolver contacts a DNS Root Server and receives details of a TLD Name Server. Via the TLD Name Server, it receives details of an Authoritative Name Server, and asks it for the IP that matches the requested hostname. When it receives the IP, the query is resolved.

DNS Root Server

The root server is the first step in translating human readable host names into IP addresses. The root server takes the TLD
provided in the user’s query - for example, www.example.com - and provides details for the .com TLD Name Server. There are 13 logical root servers worldwide, indicated by the letters A through M, operated by organizations such as Verisign, Cogent, the University of Maryland and the U.S. Army Research Lab.

TLD Name Server

The TLD Name Server takes the domain name provided in the query - for example www.example.com - and provides the IP of an Authoritative Name Server. This is a DNS server that contains DNS records for the specific domain. There is a Name Server for each Top Level Domain (TLD) - there are currently over 1500 valid top level domains, including the original TLDs like .com and .org, country codes such as .co.uk and .co.fr, and new TLDs such as .biz.

Authoritative Name Server

The Authoritative Name Server is the last stop in the name server query. The Authoritative Name Server takes the domain name and subdomain, and if it has access to the DNS records, it returns the correct IP address to the DNS Resolver.

As the Internet grows, the original IP address standard, IPv4 (which only allowed up to 4.3 billion IP addresses) is being replaced with IPv6 (which supports as many as 3.4×10^38 IP addresses). Increasingly, DNS servers return IPs using the IPv6 format.

In some cases, the Authoritative Name Server will route the DNS Resolver to another Name Server that contains specific records for a subdomain, for example, support.example.com.

Authoritative Name Servers are organized using DNS Zones. Each DNS zone has a closed set of Authoritative Name Servers. They are called “authoritative” because they can provide an authoritative, correct response as to what is the current IP for a specific domain.

Summary of the DNS Process - a DNS Example

DNS Query - a web browser or other application requests a human readable hostname such as “www.example.com”. The query is handled by the DNS Resolver, which is responsible for finding the IP matching the hostname.

DNS Root Servers - the Resolver
talks to a Root Server and is referred to a Top Level Domain (TLD) Name Server, corresponding to the TLD in the query, such as .com.

TLD Name Server - the Resolver contacts the relevant TLD Name Server and is referred to an Authoritative Name Server that holds the current details for the domain name.

Authoritative Name Server - finally, the Resolver sends the query to the Authoritative Name Server which is responsible for that domain (as indicated in a Zone File on the TLD Name Server). This DNS server knows the IP address for the full domain, www.example.com, and returns that answer to the DNS Resolver.

DNS Query Resolved - now that the DNS Resolver knows the IP address for the domain name, it returns it to the browser or other application on the client side. The client can then connect to the server using the IP address, and start communicating with it.

Client Can Communicate with Server - if the client is a browser, and the user typed in a domain, the website at that domain can now be displayed. If the client is a messaging app, the user can now send messages to other users via the server.

How DNS Works

In this section we provide some more details about how DNS works behind the scenes.

DNS Types - Types of DNS Queries

Recursive query - in a recursive query, a DNS client requires that a DNS server (typically a DNS recursive resolver) respond to the client with either the requested resource record or an error message if it can't find the record.

Iterative query - the DNS client allows a DNS server to return the best answer it can. If the queried DNS server does not have a match for the hostname, it returns a referral to an Authoritative DNS Server at a lower level of the DNS hierarchy. The DNS client then makes a query to the referral address. This process continues with additional DNS servers down the query chain until either an error or timeout occurs.

Non-recursive query - this occurs when a DNS Resolver queries a DNS Name Server for a record, either because the Name
Server is authoritative for the record, or the record exists in its cache. DNS servers typically cache DNS records to conserve bandwidth and reduce load on servers further up the hierarchy.

DNS Record Types

DNS resource records (RR) are the basic information elements of the Domain Name System. They are entries in the DNS database which provide information about hosts. The records are physically stored in the Zone Files on the DNS server. The following are common DNS records:

• Address Mapping records (A) - records that hold a hostname and its corresponding IPv4 address
• IP Version 6 Address records (AAAA) - records that hold a hostname and its corresponding IPv6 address
• Canonical Name records (CNAME) - used to create aliases of domain names. Can be used to alias a domain to another domain
• Mail exchanger record (MX) - specifies a mail exchange server for the domain name, used in the SMTP protocol to route emails to the correct email server
• Name Server records (NS) - delegates a DNS Zone to use a specific Authoritative Name Server
• Reverse-lookup Pointer records (PTR) - used to look up domain names based on an IP address
• Certificate record (CERT) - stores encryption certificates such as PKIX, SPKI, PGP, etc.
• Service Location (SRV) - service location record, like MX but for other, newer protocols

The DNS Protocol

The DNS protocol uses two types of DNS messages, queries and replies. Both queries and replies consist of a header and four sections: question, answer, authority, and an additional space:

• The header section contains Identification, used to match responses with queries; Flags; Number of questions; Number of answers; Number of authority resource records (RRs); and Number of additional resource records
• The flag field contains sections of one or four bits, indicating if the message is a query or a reply; if the present packet is a reply, a status, or a request; whether the DNS server is authoritative; whether the client wants to send a recursive query
("RD"); whether the DNS server supports recursion; whether the request was truncated ("TC"); and four bits at the end indicating status
• The question section contains the domain name and type of record (A, AAAA, MX, TXT, etc.) being resolved. The domain name is broken into labels, each label prefixed by the length of that label
• The answer section has the resource records of the queried name. A domain name may occur in multiple records if it has multiple IP addresses associated with it

Protocol Transport

DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for zone transfers. Some DNS resolvers use TCP for all communication.

III HOW TO INSTALL AND CONFIGURE DNS SERVICES?

HOW TO INSTALL DNS SERVER? (In Windows Server 2019)

At the Server Manager window → select item Manage → click Add Roles and Features.

Select DNS Server → click Next.

IV PACKET ANALYSIS WITH WIRESHARK?
Packets

When data is transferred from one computer to another, the data stream consists of smaller units called packets. When you download a file from the internet, the data is sent from the server as packets. These packets are re-assembled by your computer to give you the original file.

• IPv4 Packet

A packet can contain the following data:

• source and destination IP addresses
• protocol
• source and destination ports
• data
• length, flags, TTL, and so on

Each packet contains valuable information about the devices involved in a packet transfer. Each data transfer involves thousands or even millions of these packets of data being sent between the source and the destination devices.

Now you can understand the importance of Wireshark. Wireshark lets you capture each of these packets and inspect them for data.

Wireshark, to a network engineer, is similar to a microscope for a biologist. Wireshark lets you ‘listen’ to a live network (after you establish a connection to it), and capture and inspect packets on the fly.

As a network engineer or ethical hacker, you can use Wireshark to debug and secure your networks. As a malicious hacker (which I don’t recommend), you can "sniff" packets in the network and capture information like credit card transactions.

This is why it is unwise to connect to a public network like Starbucks and perform financial transactions or access private data. Even though sites with HTTPS can encrypt your packets, the traffic is still visible over the network. If someone really wants to crack it, they can.

Packet analysis

Packet analysis (also known as packet sniffing or protocol analyzing) is used to intercept and capture live data as it travels over the network (Ethernet or Wi-Fi) in order to understand what is happening in the network. Packet analysis is done by protocol analyzers such as Wireshark, available on the Internet. Some of these are free and some are paid for commercial use. In this report, we will use Wireshark to perform network analysis, which is an open source
software and the best free network analyzer available on the Internet.

Numerous problems can happen in today's world of networking; for this, we need to be geared up all the time with the latest set of tools that make troubleshooting easier in any situation. Each of these problems will start from the packet level and can gradually grow up to a high network downtime. Even the best of protocols and services running on a system can go bad and behave maliciously. To get to the root of the problem, we need to look into the packet level to understand it better. If you need to maintain your network, then you definitely need to look into the packet level.

Packet analysis can be used for the following aspects:

• To analyze network problems by looking into the packets and their specific details so that you can get a better hold over your network
• To detect network intrusion attempts and whether there are any malicious users who are trying to get into your network, or who have already got access to something in your network
• To detect network misuse by internal or external users by establishing firewall rules in your security appliance and then monitoring each of these rules through Wireshark
• To isolate exploited systems so that the affected system doesn't become a pivot point for your network for malicious users
• To monitor data in motion once it travels live in your network to have better control over the allowed and restricted categories of data. For instance, say you want to create a rule for your firewall that will block the access to BitTorrent sites. Blocking access to them can be done from your manageable router, but knowing where the request originated can be easily audited through Wireshark
• To gather and report network statistics by filtering the most specific packets as per your requirements and then creating specific capture filters for your perusal that can help you in the long run
• Learning who is on the network and what they are
doing, is there something they are not allowed to do, and is there anyone who is trying to bypass the network restrictions. All of these simple day-to-day tasks can be achieved easily through Wireshark
• To debug client/server communications so that all the requests and replies communicated between the peers on our network can be audited to maintain the integrity of your network
• To look for applications that are sitting in the corner of your own network and eating the bandwidth. They might be making your network insecure or making it visible to the public network. Through this unnoticed application, different forms of network traffic can enter without any restrictions
• To debug network protocol implementations and any kind of anomalies present due to various misconfigurations in the current running devices
• To identify possible or malicious attacks that your network can be a victim of, to analyze them, control/supervise them, and make yourself ready for any possible malicious activity

When performing a packet analysis, you should take care of things such as which protocols can be interpreted, which is the best software you can use according to your expertise, and which protocol analyzer will best suit your network requirement. Experience does count in this field; once you start working with Wireshark, gradually you will come up with new ideas to troubleshoot and analyze your packets in a much more advanced way.

Packet sniffers can interpret common network protocols (such as IP and ICMP), transport layers (such as TCP and UDP), and application protocols (such as DNS and HTTP).

Due to the overwhelming amount of information presented by Wireshark's GUI, it might seem complex to some users and might be considered as one of its demerits. There are a few CUI/GUI tools that can solve this purpose. They are pretty simple to use and also present a simpler interface, for example, TShark, tcpdump, Fiddler, and so on.

What is Wireshark?
Wireshark is a network protocol analyzer, or an application that captures packets from a network connection, such as from your computer to your home office or the internet. Packet is the name given to a discrete unit of data in a typical Ethernet network.

Wireshark is the most often-used packet sniffer in the world. Like any other packet sniffer, Wireshark does three things:

Packet Capture: Wireshark listens to a network connection in real time and then grabs entire streams of traffic – quite possibly tens of thousands of packets at a time.

Filtering: Wireshark is capable of slicing and dicing all of this random live data using filters. By applying a filter, you can obtain just the information you need to see.

Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the very middle of a network packet. It also allows you to visualize entire conversations and network streams.

DNS - PACKET ANALYSIS WITH WIRESHARK

Part 1: Record a PC’s IP Configuration Information

In Part 1, you will use the ipconfig /all command on your local PC to find and record the MAC and IP addresses of your PC’s network interface card (NIC), the IP address of the specified default gateway, and the DNS server IP address specified for the PC. Record this information in the table provided. The information will be used in the following parts of this lab with packet analysis.

IP address:
MAC address:
Default gateway IP address:
DNS server IP address:

Part 2: Use Wireshark to Capture DNS Queries and Responses

In Part 2, you will set up Wireshark to capture DNS query and response packets to demonstrate the use of UDP transport protocol while communicating with a DNS server.

a. Click the Windows Start button and navigate to the Wireshark program.
Note: If Wireshark is not yet installed, it can be downloaded at http://www.wireshark.org/download.html

b. Select an interface for Wireshark for capturing packets. Use the Interface List to choose the interface that is associated with the recorded PC’s IP and
Media Access Control (MAC) addresses in Part 1.

c. After selecting the desired interface, click Start to capture the packets.

d. Open a web browser and type self.events.data.microsoft.com. Press Enter to continue.

e. Click Stop to stop the Wireshark capture when you see Google’s home page.

Part 3: Analyze Captured DNS or UDP Packets

In Part 3, you will examine the UDP packets that were generated when communicating with a DNS server for the IP addresses for self.events.data.microsoft.com.

Step 1: Filter DNS packets

a. In the Wireshark main window, type dns in the entry area of the Filter toolbar. Click Apply or press Enter.
Note: If you do not see any results after the ...
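
The message layout described under "The DNS Protocol" and inspected in Part 3 can be reproduced in a few lines of Python. This is an added example, not part of the original report: it builds the query a client would send for the lab's hostname, decodes the header, flags and length-prefixed labels, and flags a truncated reply that must be retried over TCP. The function names, the transaction ID and both sample messages are constructed for illustration.

```python
import struct

# Record types from the report's "DNS Record Types" list, keyed by their numeric TYPE.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA", 33: "SRV"}

def encode_name(name):
    """Encode a hostname as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(txid, name, qtype=1, rd=True):
    """Build a one-question query: 12-byte header, QNAME, QTYPE, QCLASS (1 = IN)."""
    flags = 0x0100 if rd else 0x0000  # a plain query sets at most the RD bit
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def parse_flags(flags):
    """Split the 16-bit flags word into the fields the report lists."""
    return {
        "is_response": bool(flags & 0x8000),          # QR: query or reply
        "opcode": (flags >> 11) & 0xF,                # four bits: kind of request
        "authoritative": bool(flags & 0x0400),        # AA
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD
        "recursion_available": bool(flags & 0x0080),  # RA
        "rcode": flags & 0xF,                         # four status bits at the end
    }

def parse_message(msg):
    """Parse the header and first question of a DNS message (a UDP payload)."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"id": txid, "questions": qd, "answers": an,
            "authority": ns, "additional": ar, **parse_flags(flags)}
    if qd:
        labels, off = [], 12
        while off < len(msg) and msg[off]:
            n = msg[off]
            if n > 63 or off + 1 + n > len(msg):  # also rejects compression pointers
                raise ValueError("bad label length in QNAME")
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        if off + 5 > len(msg):
            raise ValueError("question section is cut short")
        qtype, qclass = struct.unpack("!2H", msg[off + 1:off + 5])
        info.update(qname=".".join(labels), qtype=QTYPES.get(qtype, str(qtype)), qclass=qclass)
    # A reply with TC set did not fit in UDP; the client repeats the query over TCP.
    info["retry_over_tcp"] = info["is_response"] and info["truncated"]
    return info

# Constructed sample messages (not taken from a real capture).
QUERY = build_query(0x1A2B, "self.events.data.microsoft.com")
# The same question echoed in a reply with QR, TC, RD and RA set (0x8380), no answers.
TRUNCATED_REPLY = struct.pack("!6H", 0x1A2B, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, msg in (("query", QUERY), ("reply", TRUNCATED_REPLY)):
        print(label, parse_message(msg))
```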

Date posted: 24/04/2022, 21:49
