Lab - Exploring DNS Traffic

Lab 7.3.1.6 – Exploring DNS Traffic


This lab has been updated for use on NETLAB+.
www.netdevgroup.com

Objectives
Part 1: Explore DNS Query Traffic
Part 2: Explore DNS Response Traffic

Background / Scenario
Wireshark is an open source packet capture and analysis tool. Wireshark gives a detailed breakdown of the
network protocol stack. Wireshark allows you to filter traffic for network troubleshooting, investigate security
issues, and analyze network protocols. Because Wireshark allows you to view the packet details, it can be
used as a reconnaissance tool for an attacker.
In this lab, use Wireshark to filter for DNS packets and view the details of both DNS query and response
packets.

Part 1: Explore DNS Query Traffic


a. Access the WinClient machine. Unlock the machine by clicking on the drop-down arrow for that specific
machine’s tab and select Send CTRL+ALT+DEL.
b. Login as the CyberOpsUser using cyberops as the password.
c. On the Desktop, navigate to the Toolbox folder and open the dns_query_files folder.
d. Open the dnsquery-cisco.txt file.
e. Notice the DNS query information from the www.cisco.com domain.

© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8

f. Minimize the Notepad application and change focus to the Toolbox folder.
g. Launch the Wireshark application. Navigate to File > Open and choose to open the dnstraffic-cisco.pcap file from the pcaps folder in the Toolbox folder.
h. Observe the traffic captured in the Wireshark Packet List pane. Enter udp.port == 53 in the filter box and
click the arrow (or press enter) to display only DNS packets.

i. Select the DNS packet labeled Standard query 0x0002 A www.cisco.com.


j. In the Packet Details pane, notice this packet has Ethernet II, Internet Protocol Version 4, User Datagram
Protocol and Domain Name System (query).
k. Expand Ethernet II to view the details. Observe the source and destination fields.


What are the source and destination MAC addresses? Which network interfaces are these MAC
addresses associated with?

l. Expand Internet Protocol Version 4. Observe the source and destination IPv4 addresses.

What are the source and destination IP addresses? Which network interfaces are these IP addresses
associated with?


m. Expand the User Datagram Protocol. Observe the source and destination ports.

What are the source and destination ports? What is the default DNS port number?

n. Open a Command Prompt and enter arp -a and ipconfig /all to record the MAC and IP addresses of
the PC.


Compare the MAC and IP addresses in the Wireshark results to the results from the ipconfig /all results.
What is your observation?

o. Change focus to the Wireshark application and expand Domain Name System (query) in the Packet
Details pane followed by expanding Flags and Queries.


p. Observe the results. The Recursion desired flag is set, so the query asks the server to resolve it recursively. The query is requesting the
IP address for www.cisco.com.


Part 2: Explore DNS Response Traffic


a. Select the corresponding response DNS packet labeled Standard query response 0x0002 A
www.cisco.com.

What are the source and destination MAC and IP addresses and port numbers? How do they compare to
the addresses in the DNS query packets?

b. Expand Domain Name System (response). Then expand the Flags, Queries, and Answers entries.


c. Observe the results. Can the DNS server do recursive queries?

d. Observe the CNAME and A records in the Answers details. How do the results compare to nslookup
results?
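The fields the lab has you read off the Packet Details pane in Part 1 (transaction ID, the Recursion desired flag, the question) and in Part 2 (the Recursion available flag, the CNAME and A answers) are all in the DNS message body that follows the UDP header. The following Python decoder is an added example and is not part of the Cisco lab or of Wireshark; it parses a hand-constructed query/response pair with the same shape as the 0x0002 exchange in the capture. The CNAME target (cname-target.example) and the address 192.0.2.10 are placeholders, not the real records for www.cisco.com, and the is_matching_response check shows the pairing a resolver performs before it accepts an answer (the UDP port check is not visible at this layer).

```python
"""Minimal RFC 1035 wire-format decoder for DNS query and response messages.

Added example, not part of the Cisco lab.  The sample bytes are constructed
below, not captured from a real resolver.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_CNAME = 5


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a name that may use compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg: bytes) -> dict:
    """Decode header flags, the question section and the answer section."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    out = {"id": tid,
           "is_response": bool(flags & 0x8000),        # QR bit
           "rd": bool(flags & 0x0100),                 # Recursion desired
           "ra": bool(flags & 0x0080),                 # Recursion available
           "rcode": flags & 0x000F,
           "questions": [], "answers": []}
    offset = 12                                        # header is 12 bytes
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        out["questions"].append((name, qtype))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if rtype == QTYPE_A:
            value = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype == QTYPE_CNAME:
            value, _ = read_name(msg, offset)          # rdata is itself a name
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        out["answers"].append((name, rtype, ttl, value))
    return out


def is_matching_response(query: bytes, response: bytes) -> bool:
    """A resolver only accepts a reply whose ID and question match its query."""
    q, r = parse_dns(query), parse_dns(response)
    return (r["is_response"] and not q["is_response"]
            and q["id"] == r["id"] and q["questions"] == r["questions"])


def build_sample_pair():
    """Constructed query/response with the shape of the lab's 0x0002 exchange."""
    question = encode_name("www.cisco.com") + struct.pack("!HH", QTYPE_A, 1)
    query = struct.pack("!6H", 0x0002, 0x0100, 1, 0, 0, 0) + question   # RD set

    resp = struct.pack("!6H", 0x0002, 0x8180, 1, 2, 0, 0) + question    # QR, RD, RA
    cname_target = encode_name("cname-target.example")                   # placeholder
    resp += struct.pack("!H", 0xC000 | 12)                               # -> question name
    resp += struct.pack("!HHIH", QTYPE_CNAME, 1, 300, len(cname_target))
    cname_rdata_offset = len(resp)
    resp += cname_target
    resp += struct.pack("!H", 0xC000 | cname_rdata_offset)               # -> CNAME target
    resp += struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
    resp += socket.inet_aton("192.0.2.10")                               # TEST-NET-1 placeholder
    return query, resp


if __name__ == "__main__":
    q, r = build_sample_pair()
    print("query   :", parse_dns(q))
    print("response:", parse_dns(r))
    print("matched :", is_matching_response(q, r))
```

Running the block prints the decoded query (ID 0x0002, RD set, one A question) and the decoded response (RA set, a CNAME answer followed by an A answer), which is the same chain of records the Answers entry shows in Wireshark; change the transaction ID in the response to see is_matching_response reject it.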

Reflection
1. From the Wireshark results, what else can you learn about the network when you remove the filter?

2. How can an attacker use Wireshark to compromise your network security?
