TCP/IP Analysis and Troubleshooting Toolkit, part 7
The following is a description of the fields in the DNS message format.

■■ Identification. The 16-bit identification field allows a host to match DNS questions with responses.
■■ Flags. The Flags field is broken down into several smaller field entries:
  ■■ QR (Bit 16). A 0 in the question response (QR) field indicates that the DNS message is a question; a 1 indicates it is a response.
  ■■ Opcode (Bits 17–20). A 0 indicates a standard query, a 1 indicates an inverse query, and a 2 indicates a server status request.
  ■■ AA (Bit 21). The authoritative answer (AA) field is the DNS authority field. It indicates that the answer is from an authoritative server for the particular domain.
  ■■ TC (Bit 22). The truncated (TC) bit indicates that the reply is truncated to 512 bytes.
  ■■ RD (Bit 23). The Recursion Desired (RD) bit allows two types of DNS questions, recursive and nonrecursive. A recursive question tells a name server that it should handle the resolution of the information asked for in the question section of the message. A nonrecursive question tells the name server that it should only return information about where the host can best locate an answer for the domain in question.
  ■■ RA (Bit 24). The Recursion Available (RA) bit is set to 1 if a server supports recursion. This bit is set on all recursive answers.
  ■■ Zero field (Bits 25–27). These three bits are set to 0.
  ■■ RC (Bits 28–31). The Return Code (RC) indicates the status of the answer returned by a name server. A 0 indicates no error, and a 3 indicates an error. Name errors are sent only by servers that are authoritative for a domain; they indicate that the name does not exist.
■■ Number of questions. The number of questions is typically only 1.
■■ Number of answers/resource records. This indicates the number of resource records present in the answer.
■■ Number of authoritative resource records. This indicates the number of authoritative resource records present in the answer.
■■ Number of additional resource records. This indicates the number of additional resource records present in the answer.
■■ Questions. This section contains the questions in the message.
■■ Answers. This section contains the answers in the message.
■■ Authoritative resource records. This section contains the authoritative resource records in the answer.
■■ Additional resource records. This section contains the additional resource records in the answer.

Upper-Layer Protocols 245 11 429759 Ch07.qxd 6/26/03 8:58 AM Page 245

Figure 7-7 shows a DNS question decode. Figure 7-8 shows a DNS answer decode.

Figure 7-7 DNS question decode.
Figure 7-8 DNS answer decode.

Using NSLookup

There are several different types of questions or queries that a host may ask a name server, and there are also different methods of analyzing these messages. While a protocol analyzer easily displays the decoded DNS messages, there is a far simpler method of analyzing them. NSLookup, the perfect DNS analysis tool, is included right on your own computer. NSLookup is a tool included with almost all Windows and Unix systems on the market. It allows a user to query a DNS name server about specific information it has about a host or a domain.

Using NSLookup, I want to analyze the first of several DNS resource records I intend to discuss in this chapter. My first resource record type is called the Start of Authority (SOA). An SOA record indicates where the best source of information about a domain can be found. Figure 7-9 illustrates this example. First, you start the NSLookup program by simply typing nslookup at the Windows command prompt. Next, you need to set the type of resource record you are looking for. You do this by typing set type=SOA. This configures NSLookup to query the default name server for SOA records only. Now, all you have to do is type in the name of the domain for which you want the SOA record. The response from the default name server, home4.bellatlantic.net, shows that the primary name server for the dos.state.pa.us domain is jasper.cmic.state.pa.us. This name server, jasper, contains the best source of information for the dos.state.pa.us domain. You can also see some other records, which I discuss later in this chapter.

Now, take a look at the dli.state.pa.us domain. After querying the default name server for its SOA record, you receive a primary name server name of linux1.pal2.state.pa.us. This is interesting because you now have a case of a subdomain under state.pa.us that is managed by a different organization and also has another primary source of name information for its domain. Although both subdomains fall under the larger domain state.pa.us, they have different sources of “best” information about the hosts in their domain.

NOTE Some domains use what is called a hidden master, which is simply a bogus entry in the SOA record so that it is impossible to determine the real primary name server. Such an entry is used for security reasons, because a denial-of-service attack is best performed on the primary DNS server for the domain. Yahoo!, for example, implements the hidden master by the following SOA entry:

Type=SOA, Class=1, TTL=262 (4 Minutes 22 Seconds), RDLENGTH=59
Name Server=hidden-master.yahoo.com, Mailbox=hostmaster.yahoo-inc.com

Figure 7-9 NSLookup SOA query. (Figure callouts: Lookup SOA for domain dos.state.pa.us; Set the lookup type to SOA; Lookup SOA for domain dli.state.pa.us; Start of Authority Name Server for dos.state.pa.us; Start of Authority Name Server for dli.state.pa.us.)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\>nslookup
Default Server: home4.bellatlantic.net
Address: 151.197.0.39

> set type=SOA
>
> dos.state.pa.us.
Server: home4.bellatlantic.net
Address: 151.197.0.39

state.pa.us
        primary name server = jasper.cmic.state.pa.us
        responsible mail addr = security.state.pa.us
        serial = 971681
        refresh = 21600 (6 hours)
        retry = 1800 (30 mins)
        expire = 259200 (3 days)
        default TTL = 3600 (1 hour)
>
> dli.state.pa.us.
Server: home4.bellatlantic.net
Address: 151.197.0.39

dli.state.pa.us
        primary name server = linux1.pal2.state.pa.us
        responsible mail addr = crenshaw.pal2.state.pa.us
        serial = 2002100800
        refresh = 14400 (4 hours)
        retry = 3600 (1 hour)
        expire = 604800 (7 days)
        default TTL = 86400 (1 day)
dli.state.pa.us nameserver = linux1.pal2.state.pa.us
dli.state.pa.us nameserver = sunws02.cmic.state.pa.us
linux1.pal2.state.pa.us internet address = 164.156.232.37
sunws02.cmic.state.pa.us internet address = 164.156.27.5
>

Name Servers

Now that you know the process of finding the best source of information about a domain (that is, the SOA record), I can talk in more detail about how name servers function. As I mentioned previously, a zone is the part of a domain’s database for which a name server is authoritative. When you set up a name server, there are two types of zones that must be configured. These are called forward lookup zones and reverse lookup zones.

■■ Forward lookup zones contain information for what is called forward resolution. Forward resolution is the term for resolving any type of information for a hostname. For example, a DNS client querying a server for the IP address of www.analysistimes.com is performing a forward lookup. Forward lookup zones are used for finding out the IP address from a hostname.
■■ Reverse lookup zones are zones used to hold a special type of resource record called pointer records. Pointer records point you back to the original domain name from which the IP address originates. This feature allows you to determine the source from which an IP address originates. So, if you need to find out a hostname for a specific IP address, DNS allows you to do this by using the features of reverse lookup zones.

For each host in a forward lookup zone, there also exists a reverse lookup zone for the Class C network where the host is located. For example, the Internet-connected host on which this book is being written resolves to an IP address of 151.197.255.128. The Class C subnet of 151.197.255.0 is represented as a subdomain in a larger domain called in-addr.arpa. The name of the Class C subdomain for this reverse lookup zone would be 255.197.151.in-addr.arpa. The network address in this case is octet reversed because a lookup of the zone would actually be done from right to left (.arpa, in-addr, 151, 197, 255). These entries in the reverse lookup zone are known as reverse mappings.

When a Web site or firewall logs activity, it will do reverse lookups on the IP addresses that it sees coming through its network. In Figure 7-10, you can see an NSLookup resolution for the IP address of my workstation. You can see in the figure that it maps to a hostname of pool-151-197-255-128.phil.east.verizon.net. This simple reverse mapping allows an administrator to review security logs that contain domain names instead of IP addresses. Any issues with access from a particular IP address could easily be taken up with the administrative contact for the domain. How would you find that administrator, though? On the Internet, the reverse lookup zone in-addr.arpa is administered by an organization called the American Registry for Internet Numbers (ARIN). By using a utility called Whois, you can look up administrative contact information for any of the Class C networks for which a reverse lookup zone exists. By using ARIN’s online Whois utility, you can find out the administrative contact for hosts on that network. Figure 7-11 shows the output received when I performed a Whois search on my Class C network using ARIN’s Web site.

NOTE ARIN’s WHOIS can be found online at www.arin.net/whois/.

ROOT Name Servers

Now that you know how to find out what name servers are authoritative for specific domains, I want to climb back up the ladder and discuss more about top-level domains. Each top-level domain, such as .com, .edu, or .org, also has specific authoritative name servers where its domain information is stored. If you were setting up a new DNS name server, what servers would you use to resolve this top-level domain information? It just so happens that the Internet contains several top-level name servers whose only job is to help other name servers resolve information on these top-level domains. These top-level name servers are called the Internet root name servers, because they are the last resort for resolving the location of domain host information.

If you look back to Figure 7-5, you will see that the top-level domain actually begins with a period or dot (.). This dot is the highest level of domain information on the Internet. In order to find the top-level domain name servers on the Internet, all one has to do is search for all name servers authoritative for “.”. In Figure 7-12, I use nslookup to search for all name servers on the “.” domain. First, I set the record type to NS (name server), then I simply type “.” and press Enter. The result is a listing of all root name servers on the Internet. As mentioned, these 13 name servers are the last resort for resolution of any domain information on the Internet. If these 13 servers can’t find the information, chances are nobody can.
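The octet-reversed in-addr.arpa naming described under Name Servers, together with the log-review use of reverse mappings, in working code. This is an added example, not code from the book. Because a PTR record is published by whoever administers the reverse zone for the address block, the check below also confirms the returned name with a forward lookup before a log line gets to carry it (forward-confirmed reverse DNS). Lookups are table-driven so it runs offline: PTR_TABLE, A_TABLE, the log lines, and the names reverse_name, reverse_zone, forward_confirmed and enrich_log are all this example's own constructions.

```python
# Added example (not from the book): in-addr.arpa names by octet reversal, and a
# forward-confirmation check before a reverse-mapped name is written into a log.
# PTR_TABLE, A_TABLE and SAMPLE_LOG are constructed stand-ins for real lookups.
import re


def reverse_name(ip):
    """'151.197.255.128' -> '128.255.197.151.in-addr.arpa' (octets reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zone(ip):
    """Name of the /24 (Class C) reverse lookup zone that holds the PTR for ip."""
    return ".".join(reversed(ip.split(".")[:3])) + ".in-addr.arpa"


def forward_confirmed(ip, ptr_lookup, a_lookup):
    """Return (hostname, confirmed).

    The PTR owner is the address block's administrator, not necessarily the
    hostname's owner, so the name is only trusted when its own A record points
    back at the same address."""
    name = ptr_lookup(reverse_name(ip))
    if name is None:
        return None, False
    return name, ip in a_lookup(name)


LOG_RE = re.compile(r"src=(\d{1,3}(?:\.\d{1,3}){3})")


def enrich_log(lines, ptr_lookup, a_lookup):
    """Append the reverse-mapped name and its confirmation status to each line."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            out.append(line)
            continue
        name, ok = forward_confirmed(m.group(1), ptr_lookup, a_lookup)
        tag = "unresolved" if name is None else ("fcrdns-ok" if ok else "fcrdns-FAIL")
        out.append(f"{line} host={name or '-'} [{tag}]")
    return out


# Constructed stand-ins for PTR and A lookups (real code would query a resolver).
PTR_TABLE = {
    "128.255.197.151.in-addr.arpa": "pool-151-197-255-128.phil.east.verizon.net",
    "44.2.0.192.in-addr.arpa": "mail.example.net",
}
A_TABLE = {
    "pool-151-197-255-128.phil.east.verizon.net": ["151.197.255.128"],
    "mail.example.net": ["198.51.100.7"],   # does not point back at 192.0.2.44
}


def ptr_lookup(name):
    return PTR_TABLE.get(name)


def a_lookup(name):
    return A_TABLE.get(name, [])


# Constructed firewall log lines.
SAMPLE_LOG = [
    "2003-06-26 08:58:01 ACCEPT src=151.197.255.128 dst=192.0.2.80 dport=80",
    "2003-06-26 08:58:02 DENY src=192.0.2.44 dst=192.0.2.25 dport=25",
    "2003-06-26 08:58:03 DENY src=203.0.113.9 dst=192.0.2.25 dport=25",
]

if __name__ == "__main__":
    for line in enrich_log(SAMPLE_LOG, ptr_lookup, a_lookup):
        print(line)
```

The second constructed line is the case a reviewer should care about: the PTR names mail.example.net, but that name resolves elsewhere, so the line is tagged fcrdns-FAIL rather than being taken at face value. Python's ipaddress module exposes the same reversal as the reverse_pointer attribute of an address object; it is written out by hand here only to show the octet order.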
Figure 7-10 IP address lookup. (Figure callout: Reverse Lookup Zone Mapping.)

C:\>nslookup
Default Server: home4.bellatlantic.net
Address: 151.197.0.39

> set type=PTR
> 47.99.119.216.in-addr.arpa
Server: home4.bellatlantic.net
Address: 151.197.0.39

*** home4.bellatlantic.net can't find 47.99.119.216.in- omain
> quit
Server: home4.bellatlantic.net
Address: 151.197.0.39

*** home4.bellatlantic.net can't find quit: Non-existen
> exit

C:\>nslookup
Default Server: home4.bellatlantic.net
Address: 151.197.0.39

> 151.197.255.128
Server: home4.bellatlantic.net
Address: 151.197.0.39

Name: pool-151-197-255-128.phil.east.verizon.net
Address: 151.197.255.128

> set type=PTR
> 151.197.255.128
Server: home4.bellatlantic.net
Address: 151.197.0.39

128.255.197.151.in-addr.arpa name = pool-151-197-255-128.phil.east.verizon.net
255.197.151.in-addr.arpa nameserver = ns1.bellatlantic.net
255.197.151.in-addr.arpa nameserver = ns2.bellatlantic.net
ns1.bellatlantic.net internet address = 199.45.32.40
ns2.bellatlantic.net internet address = 199.45.32.41
>

Figure 7-11 WHOIS search.

Search results for: 151.197.255.128

Verizon Internet Services VIS-151-196 (NET-151-196-0-0-1) 151.196.0.0 - 151.205.255.255
Verizon Internet Services VZ-DSLDIAL-PHLAPA-5 (NET-151-197-249-0-1) 151.197.249.0 - 151.197.255.255

Search results for: ! NET-151-196-0-0-1

OrgName: Verizon Internet Services
OrgID: VRIS
NetRange: 151.196.0.0 - 151.205.255.255
CIDR: 151.196.0.0/14, 151.200.0.0/14, 151.204.0.0/15
NetName: VIS-151-196
NetHandle: NET-151-196-0-0-1
Parent: NET-151-0-0-0-0
NetType: Direct Allocation
NameServer: NSDC.BA-DSG.NET
NameServer: GTEPH.BA-DSG.NET
Comment:
RegDate:
Updated: 2002-08-22

TechHandle: ZV20-ARIN
TechName: Verizon Internet Services
TechPhone: +1-703-295-4583
TechEmail: noc@gnilink.net

OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-703-295-4583
OrgAbuseEmail: abuse@verizon.net

OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: noc@gnilink.net

# ARIN Whois database, last updated 2002-12-20 20:00
# Enter ? for additional hints on searching ARIN's Whois database.

Figure 7-12 Root name server lookup. (Figure callouts: Name Server Search for “.”; All Root Name Servers returned.)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\>nslookup
Default Server: home4.bellatlantic.net
Address: 151.197.0.39

>
> set type=NS
> .
Server: home4.bellatlantic.net
Address: 151.197.0.39

Non-authoritative answer:
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET

G.ROOT-SERVERS.NET internet address = 192.112.36.4
H.ROOT-SERVERS.NET internet address = 128.63.2.53
I.ROOT-SERVERS.NET internet address = 192.36.148.17
J.ROOT-SERVERS.NET internet address = 192.58.128.30
K.ROOT-SERVERS.NET internet address = 193.0.14.129
L.ROOT-SERVERS.NET internet address = 198.32.64.12
M.ROOT-SERVERS.NET internet address = 202.12.27.33
A.ROOT-SERVERS.NET internet address = 198.41.0.4
B.ROOT-SERVERS.NET internet address = 128.9.0.107
C.ROOT-SERVERS.NET internet address = 192.33.4.12
D.ROOT-SERVERS.NET internet address = 128.8.10.90
E.ROOT-SERVERS.NET internet address = 192.203.230.10
F.ROOT-SERVERS.NET internet address = 192.5.5.241

Name Server Caching

Name servers perform DNS lookups all day long. A typical ISP name server services thousands, if not millions, of DNS client requests per day. When a name server resolves a piece of information for a host, it keeps this information in its memory for further use. This memory is called the cache. All name servers build up a cache of resolved host information over time. When a duplicate request is made for that data, the name server first searches its local cache for the information instead of forwarding the request on to higher-level name servers. If it finds the information in its cache, it responds to the DNS client with what is called a nonauthoritative answer. This means that although it has replied to the query with the information requested, it is not the authoritative DNS server for the domain. In Figure 7-13, I show how a server caches information by exploring the two types of DNS questions, recursive and nonrecursive queries.

1. First, I set nslookup for no recursion. This tells our local name server not to resolve the information I request, but simply to point me to a name server that can resolve the information. The response I receive is a listing of the root Internet name servers.
2. Next, I turn recursion on to force our local name server to resolve the IP information I desire for www.thetechfirm.com. It responds as a name server should, with the correct IP address.
3. Then, I turn recursion back off again with the set norecurse command. This time, instead of answering with the list of root Internet name servers, the local name server responds with the IP address I asked for. Notice, though, that the response is non-authoritative, meaning that the name server responding is not authoritative for the domain.

This simple example shows how, after a name server resolves a host’s IP address (or other information), it caches it and uses the cached information to answer future queries.

Resource Records

DNS name servers contain several types of host information. This information is held in what are called resource records. There are several different types of resource records. Each contains a specific piece of information that is used by DNS clients to utilize Internet resources. Table 7-3 contains the list of DNS resource record types.

[...]
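The header fields listed at the start of this excerpt (Identification, QR, Opcode, AA, TC, RD, RA, the zero field, RC and the four section counts) and the recursive/nonrecursive questions from the caching walk-through, in working code. This is an added example and not the book's code: it parses a constructed response message, reports whether the answer is authoritative (the AA bit a cached answer lacks), and builds a query with the RD bit cleared, which is what nslookup's set norecurse does on the wire. The message bytes, and the names parse_header, parse_name, parse_message, build_query and describe, are this example's own.

```python
# Added example (not from the book): parse the 12-byte DNS header, the question
# and resource-record sections, and build queries with RD set or cleared.
# SAMPLE_RESPONSE is constructed for this example.
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def parse_header(msg):
    """Split the header into the fields described in the message-format list."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = question, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 standard, 1 inverse, 2 status
        "aa": (flags >> 10) & 1,        # authoritative answer
        "tc": (flags >> 9) & 1,         # truncated to 512 bytes
        "rd": (flags >> 8) & 1,         # recursion desired
        "ra": (flags >> 7) & 1,         # recursion available
        "z": (flags >> 4) & 0x7,        # zero field
        "rcode": flags & 0xF,           # return code
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_name(msg, offset):
    """Decode a domain name, following RFC 1035 compression pointers with a hop limit."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # name ends after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:                               # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_message(msg):
    """Return (header, questions, records) for one complete DNS message."""
    hdr = parse_header(msg)
    off, questions, records = 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(hdr["ancount"] + hdr["nscount"] + hdr["arcount"]):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        # A records become dotted quads; other types are left as hex.
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        records.append((name, rtype, ttl, value))
    return hdr, questions, records


def build_query(ident, name, qtype=1, recursion_desired=True):
    """Standard query; recursion_desired=False clears RD like 'set norecurse'."""
    flags = 0x0100 if recursion_desired else 0x0000    # QR=0, opcode 0, RD is bit 8
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def describe(hdr):
    """One-line summary in the spirit of a decode or the nslookup banner."""
    kind = "response" if hdr["qr"] else "question"
    auth = "authoritative" if hdr["aa"] else "non-authoritative"
    opcode = OPCODES.get(hdr["opcode"], hdr["opcode"])
    rcode = RCODES.get(hdr["rcode"], hdr["rcode"])
    return f"{kind} id={hdr['id']} {opcode} {auth} rcode={rcode}"


# Constructed sample: a cached answer (AA=0, RD=1, RA=1) for www.example.com.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"                    # header, flags 0x8180
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"                       # question: A, IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"    # answer: TTL 300, 192.0.2.10
)

if __name__ == "__main__":
    hdr, qs, rrs = parse_message(SAMPLE_RESPONSE)
    print(describe(hdr), qs, rrs)
```

The answer name in the sample is a two-byte pointer back to offset 12, the same compression a real server uses, and parse_name bounds the number of pointer hops so a malformed message cannot make the parser loop forever. Comparing the AA bit in a cached answer against one from the zone's own server is the programmatic form of the non-authoritative notice nslookup prints in step 3 above.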
[Further fragments of Chapter 7 recovered from the truncated preview, in page order:]

For example, the following MX records from the Men and Mice Corporation indicate which mail servers can receive mail for menandmice.com:

> set type=MX
> menandmice.com
Server: home4.bellatlantic.net
Address: 151.197.0.39

menandmice.com MX preference = 10, mail exchanger = mail.menandmice.is
menandmice.com MX preference = 20, mail exchanger = mx1.mmedia.is
menandmice.com MX preference = 30, mail exchanger = mx2.mmedia.is

[...] a load-balancing switch. The switch then handles redirection of the Web site traffic to multiple servers behind the load balancer. Figure 7-16 illustrates this type of architecture.

Figure 7-16 Application load-balancing architecture. (Diagram labels: Internet, 216.250.119.105; Load Balancing Switch; Web Server 172.16.15.1; Web Server 172.16.15.2; Web Server 172.16.15.3; Web Server 172.16.15.4; Web Server 172.16.15.5.)

[...] ASCII mode and binary mode.

FTP Commands and Responses

FTP uses what are known as Network Virtual Terminal (NVT) ASCII codes to send commands between two hosts. The NVT commands allow the configuration of FTP file transfer options. Each NVT command is followed by the ASCII carriage return and line feed character pair (CR, LF). Table 7-4 contains a listing of commonly used FTP commands. Each FTP command is [...] of their first and second digits. FTP reply code categories from RFC 959 are listed in Table 7-5.

Table 7-4 FTP Command Code Descriptions

COMMAND   DESCRIPTION
ABOR      Abort previous FTP command
LIST      List files or directories
PASS      Send password to server
PORT      Specify client IP address and port
QUIT      Log off from FTP server
RETR      Retrieve file command
STOR      Store (transmit) command
SYST      Request [...]

[...] command, which disconnects the FTP session and closes the port 21 connection.

Figure 7-18 FTP data connection active open.

Case Study: Active Transfer Failure

Figure 7-19 illustrates a common problem with FTP file transfers.

Figure 7-19 FTP active transfer failure.

The figure shows the following:
1. In Frames 1 to 9, you see the normal FTP command and reply activity, with the last command [...]

Figure 7-24 TCP connection flow diagram. (Diagram residue: a sequence/acknowledgment ladder between ftp.microsoft.com, the Firewall and the SSRS host, frames 795 through 813, with callouts “Retransmissions of segment 1223277472” and “Connection Closed”; the individual SEQ/ACK values could not be recovered in order.)

Posted: 14/08/2014, 12:20