17.1.7 Lab - Exploring DNS Traffic - ILM
Instructor Note: Red font color or gray highlights indicate text that appears in the instructor copy only.
Objectives
Part 1: Capture DNS Traffic
Part 2: Explore DNS Query Traffic
Part 3: Explore DNS Response Traffic
Background / Scenario
Wireshark is an open source packet capture and analysis tool. Wireshark gives a detailed breakdown of the
network protocol stack. Wireshark allows you to filter traffic for network troubleshooting, investigate security
issues, and analyze network protocols. Because Wireshark allows you to view the packet details, it can be
used as a reconnaissance tool for an attacker.
In this lab, you will install Wireshark and use Wireshark to filter for DNS packets and view the details of both
DNS query and response packets.
Required Resources
• 1 PC with internet access and Wireshark installed
Instructor Note: Using a packet sniffer such as Wireshark may be considered a breach of the security policy
of the school. It is recommended that permission is obtained before running Wireshark for this lab. If using a
packet sniffer such as Wireshark is an issue, the instructor may wish to assign the lab as homework or
perform a walk-through demonstration.
Instructions
2017 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 9 www.netacad.com
Lab - Exploring DNS Traffic
b. Select the DNS packet whose Info column contains Standard query and A www.cisco.com.
c. In the Packet Details pane, notice this packet has Ethernet II, Internet Protocol Version 4, User Datagram
Protocol and Domain Name System (query).
d. Expand Ethernet II to view the details. Observe the source and destination fields.
What are the source and destination MAC addresses? Which network interfaces are these MAC
addresses associated with?
Type your answers here.
In this example, the source MAC address is that of the NIC on the PC and the destination MAC
address is that of the default gateway. A MAC address only identifies the next hop on the local
segment, so when the DNS server is on a remote network the frame is addressed to the gateway. If
the DNS server were on the local network, the destination MAC address would be the MAC address of
the DNS server itself.
e. Expand Internet Protocol Version 4. Observe the source and destination IPv4 addresses.
Question:
What are the source and destination IP addresses? Which network interfaces are these IP addresses
associated with?
Type your answers here.
In this example, the source IP address is that of the NIC on the PC and the destination IP address
is that of the DNS server the PC is configured to use. Unlike the MAC addresses, the IP addresses
are end-to-end: the destination IP address is the DNS server's even when the destination MAC
address belongs to the default gateway. (On a home network the gateway router often also acts as
the DNS forwarder, in which case both the destination IP and the destination MAC address belong to
the router.)
f. Expand the User Datagram Protocol. Observe the source and destination ports.
Question:
What are the source and destination ports? What is the default DNS port number?
Type your answers here.
The source port is a high-numbered ephemeral port chosen by the client for this query, and the
destination port is 53, which is the default DNS port number. UDP port numbers are 16-bit values,
so a valid port number is always in the range 0 to 65535; the exact source port differs on every
run and in every capture.
g. Determine the IP and MAC address of the PC.
1) In a Windows command prompt, enter ipconfig /all to record the MAC and IP addresses of the
PC, and arp -a to list the MAC addresses of devices the PC has recently communicated with,
including the default gateway.
2) On a Linux or macOS PC, enter ifconfig (or, on Linux, ip address) in a terminal.
Question:
Compare the MAC and IP addresses in the Wireshark results to the MAC and IP addresses reported by
these commands. What is your observation?
Type your answers here.
The source IP and MAC addresses captured in the Wireshark results are the same as the addresses
listed by the ipconfig /all command, and the destination MAC address matches the gateway entry
listed by arp -a.
h. Expand Domain Name System (query) in the Packet Details pane. Then expand the Flags and
Queries.
i. Observe the results. The Recursion desired flag is set, asking the DNS server to resolve the
name on the client's behalf, and the Queries section shows a query for the A record (IPv4 address)
of www.cisco.com.
Question:
What are the source and destination MAC and IP addresses and port numbers? How do they compare to
the addresses in the DNS query packets?
Type your answers here.
The source IP, MAC address, and port number in the query packet are now destination addresses.
The destination IP, MAC address, and port number in the query packet are now source addresses.
b. Expand Domain Name System (response). Then expand the Flags, Queries, and Answers.
c. Observe the results.
Question:
The results in the Wireshark should be the same as the results from nslookup in the Command
Prompt or terminal.
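The fields the lab reads off the Packet Details pane in steps h and i (query) and steps b and c (response) are the DNS header, question section and answer section defined in RFC 1035. The following parser, added here as an illustration and not part of the Cisco lab, decodes those sections from raw UDP payload bytes the way Wireshark's Domain Name System dissector does, and then performs the check a resolver must make before trusting a reply: matching transaction ID, QR bit set, and an unchanged question section. The two packets are constructed in the script (the transaction ID 0x1A2B and the address 203.0.113.10 are placeholders, not values from a real capture) so it runs offline; to use it on your own capture, select the DNS packet in Wireshark, right-click the Domain Name System layer, export the bytes, and pass them to parse_dns.

```python
"""Minimal DNS wire-format parser (RFC 1035) for the query/response pair examined in the lab.
Sample packets are constructed below; the IDs and addresses are placeholders, not capture data."""
import struct

DNS_PORT = 53  # default DNS port seen as the UDP destination port of the query


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; returns (name, offset_after_name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # compression pointer: 2 bytes, top two bits set
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name field ends after the first pointer
            hops += 1
            if hops > 16:  # refuse malicious pointer loops instead of spinning forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_flags(flags: int) -> dict:
    """Split the 16-bit flags word into the fields Wireshark lists under Flags."""
    return {
        "QR": (flags >> 15) & 1,        # 0 = query, 1 = response
        "Opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "AA": (flags >> 10) & 1,        # authoritative answer
        "TC": (flags >> 9) & 1,         # truncated
        "RD": (flags >> 8) & 1,         # recursion desired (set by the client)
        "RA": (flags >> 7) & 1,         # recursion available (set by the server)
        "RCODE": flags & 0xF,           # 0 = no error, 3 = NXDOMAIN
    }


def parse_dns(msg: bytes) -> dict:
    """Parse header, question section and answer section of one DNS message."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        record = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            record["address"] = ".".join(str(b) for b in rdata)
        else:
            record["rdata"] = rdata
        answers.append(record)
    return {"id": txid, "flags": parse_flags(flags), "questions": questions, "answers": answers}


def build_query(txid: int, name: str) -> bytes:
    """Standard query for an A record: flags 0x0100 (QR=0, Opcode=0, RD=1)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid: int, name: str, address: str, ttl: int = 300) -> bytes:
    """Response with one A answer: flags 0x8180 (QR=1, RD=1, RA=1, RCODE=0)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in address.split("."))
    # The answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def response_matches_query(query: dict, response: dict) -> bool:
    """Accept a reply only if it is a response to exactly this query (ID and question match)."""
    return (query["flags"]["QR"] == 0 and response["flags"]["QR"] == 1
            and response["id"] == query["id"]
            and response["questions"] == query["questions"])


# Constructed sample pair (placeholder ID and address, not from a real capture).
SAMPLE_QUERY = build_query(0x1A2B, "www.cisco.com")
SAMPLE_RESPONSE = build_response(0x1A2B, "www.cisco.com", "203.0.113.10")

if __name__ == "__main__":
    query, response = parse_dns(SAMPLE_QUERY), parse_dns(SAMPLE_RESPONSE)
    print("query   :", query)
    print("response:", response)
    print("response matches query:", response_matches_query(query, response))
```

The transaction ID and the source port are the only two values an off-path attacker has to guess to forge a reply, which is why the ephemeral port seen in step f is randomized as well as the ID; a reply carrying a different ID, or a different question section, is rejected by response_matches_query just as a resolver should reject it.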
Reflection
1. From the Wireshark results, what else can you learn about the network when you remove the filter?
Type your answers here.
Without the filters, the results display other packets, such as DHCP and ARP. From these packets and
the information contained within these packets, you can learn about other devices and their functions
within the LAN.
2. How can an attacker use Wireshark to compromise your network security?
Type your answers here.
An attacker on the LAN (or on any segment the traffic crosses) can use Wireshark to observe the
network traffic and read sensitive information from the packet details if the traffic is not
encrypted. DNS queries and responses are sent in cleartext, so even when the application traffic
itself is encrypted, the captured DNS traffic reveals which hosts the clients on the network are
contacting.
End of document