7.3.1.6 Lab Exploring DNS Traffic
7.3.1.6 Lab Exploring DNS Traffic
Objectives
Part 1: Explore DNS Query Traffic
Part 2: Explore DNS Response Traffic
Background / Scenario
Wireshark is an open source packet capture and analysis tool. Wireshark gives a detailed breakdown of the
network protocol stack. Wireshark allows you to filter traffic for network troubleshooting, investigate security
issues, and analyze network protocols. Because Wireshark allows you to view the packet details, it can be
used as a reconnaissance tool for an attacker.
In this lab, use Wireshark to filter for DNS packets and view the details of both DNS query and response
packets.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 8
Lab - Exploring DNS Traffic
f. Minimize the Notepad application and change focus to the Toolbox folder.
g. Launch the Wireshark application. Navigate to File > Open and choose to open the dnstraffic-
cisco.pcap file from the pcaps folder in the Toolbox folder.
h. Observe the traffic captured in the Wireshark Packet List pane. Enter udp.port == 53 in the filter box and
click the arrow (or press enter) to display only DNS packets.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 8
Lab - Exploring DNS Traffic
What are the source and destination MAC addresses? Which network interfaces are these MAC
addresses associated with?
l. Expand Internet Protocol Version 4. Observe the source and destination IPv4 addresses.
What are the source and destination IP addresses? W hich network interfaces are these IP addresses
associated with?
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 8
Lab - Exploring DNS Traffic
m. Expand the User Datagram Protocol. Observe the source and destination ports.
What are the source and destination ports? What is the default DNS port number?
n. Open a Command Prompt and enter arp –a and ipconfig /all to record the MAC and IP addresses of
the PC.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 4 of 8
Lab - Exploring DNS Traffic
Compare the MAC and IP addresses in the Wireshark results to the results from the ipconfig /all results.
What is your observation?
o. Change focus to the Wireshark application and expand Domain Name System (query) in the Packet
Details pane followed by expanding Flags and Queries.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 5 of 8
Lab - Exploring DNS Traffic
p. Observe the results. The flag is set to do the query recursively. The query is requesting the
IP address to www.cisco.com.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 6 of 8
Lab - Exploring DNS Traffic
What are the source and destination MAC and IP addresses and port numbers? How do they compare to
the addresses in the DNS query packets?
b. Expand Domain Name System (response). Then expand the Flags, Queries, and Answers entries.
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 7 of 8
Lab - Exploring DNS Traffic
d. Observe the CNAME and A records in the Answers details. How do the results compare to nslookup
results?
Reflection
1. From the Wireshark results, what else can you learn about the network when you remove the filter?
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 8 of 8