Tracing DNS with Wireshark

Now that we are familiar with nslookup and ipconfig, were ready to get down to some serious business.

Lets first capture the DNS packets that are generated by ordinary web-surfing activity.

• Use ipconfig to empty the DNS cache in your host.
• Open your browser and empty your browser cache.
• Open Wireshark and start a packet capture.
• Enter dns (without the quotes) into the Filter prompt.
• With your browser, visit the website: http://www.ietf.org

Stop the packet capture.

Answer the following questions:

Locate the DNS query and response messages for www.ietf.org.

1. Are the packets sent over UDP or TCP? (5 pts)
   1. ________________

2. What are the Source and Destination ports for this DNS query message? (10 pts)
   1. Source: ________________
   2. Destination: ________________

3. To what IP address is the DNS query message sent? (10 pts)
   1. ____________________

Use ipconfig to determine the IP address of your local DNS server.

Are these two IP addresses the same? (5 pts)

2. _______

Examine the DNS query message. (10 pts)

4. What Type of DNS query is it, and does the query message contain any answers?
   1. Type: ________________
   2. Answers: ________________

Examine the DNS response message:

5. How many answers are provided, and what do these answers contain? (5 pts)
   1. ______________________
   2. ______________________

Consider the subsequent TCP SYN packet sent by your host.

6. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message? (5 pts)
   1. __________

7. The ietf.org web page contains images. Before retrieving each image, does your host issue any new DNS queries? (5 pts)
   1. __________