A DNS implementation such as `dig`, and more importantly a name resolver such as bind_ or unbound_, always checks that the identifier carried in a received DNS reply matches the identifier of the DNS request that it sent; a reply whose identifier does not match is silently discarded. Why is this check so important?
Application layer
Assume now that you are residing in a network where there is no DNS resolver and that you need to perform your query manually starting from the DNS root.
A typical usage of dig is as follows:
Besides `dig`, another way to analyze the DNS is to look at packet traces with tools such as `wireshark <https://www.wireshark.org>`_ or `tcpdump <https://www.tcpdump.org>`_. These tools can capture packets on a network and also display and analyze their content. `Wireshark <https://www.wireshark.org>`_ provides a flexible Graphical User Interface that eases the analysis of the captured packets. The three questions below should help you to better understand the important fields of DNS messages.
Continue until you find the server responsible for `www.root-servers.org`
dig_ also accepts additional parameters and flags that are described in its man page. Among these, the `+trace` flag makes `dig` resolve the name iteratively itself, starting from the root servers, and print every request it sends and every referral it receives along the way.
Footnotes
`fqdn` is the fully qualified domain name being queried
Imagine an attacker who is able to send forged DNS replies to, for example, associate `www.bigbank.com` to his own IP address. How could he attack a DNS implementation that
On a Linux machine, the *Description* section of the `dig` man page tells you where `dig` finds the list of nameservers to query.
Perform the same analysis for a popular website such as `www.google.com`. What is the lifetime (TTL) associated with the corresponding IPv6 address? If you perform the same request several times, do you always receive the same answer? Can you explain why a lifetime is associated with the DNS replies?
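To make the header fields, the question section and the TTL of an answer concrete, here is an added example (not code from the original page or from the course material) that builds a DNS reply in wire format, parses it back, and shows how a caching resolver uses the TTL. The reply for `www.example.org` with address `2001:db8::1` and a 300 second TTL is constructed in the code, not captured from the network; the transaction identifier 0x1234 is likewise an arbitrary choice.

```python
import ipaddress
import struct

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}

def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_reply(txid, qname, rdata, ttl, rtype=28):
    """Constructed reply with one question and one answer (sample input only)."""
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, rcode=0 (NOERROR)
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", rtype, 1)  # class IN
    # The answer's owner name is a compression pointer (0xC00C) to offset 12,
    # where the question name sits, exactly as real servers do.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def decode_name(msg, offset):
    """Read a possibly-compressed name; return (name, offset after the name)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: two bytes, 14-bit offset
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset

def parse_message(msg):
    """Decode the header flags, the question section and the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        info["questions"].append((name, RR_TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 28:
            value = ipaddress.IPv6Address(rdata).compressed
        elif rtype == 1:
            value = ipaddress.IPv4Address(rdata).compressed
        else:
            value = rdata.hex()
        info["answers"].append((name, RR_TYPES.get(rtype, rtype), ttl, value))
    return info

class ResolverCache:
    """Keeps a record until its TTL expires and reports the remaining lifetime."""
    def __init__(self):
        self.entries = {}

    def store(self, name, rtype, ttl, value, now):
        self.entries[(name, rtype)] = (now + ttl, value)

    def lookup(self, name, rtype, now):
        entry = self.entries.get((name, rtype))
        if entry is None or entry[0] <= now:
            return None  # expired: the resolver must ask the authoritative server again
        return entry[0] - now, entry[1]

# Constructed sample: www.example.org AAAA 2001:db8::1 with a 300 s TTL.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = build_reply(SAMPLE_TXID, "www.example.org.",
                           ipaddress.IPv6Address("2001:db8::1").packed, 300)

if __name__ == "__main__":
    print(parse_message(SAMPLE_REPLY))
```

The `ResolverCache` is why repeated queries through a resolver return a decreasing TTL: the resolver hands out the cached record with the time left before it must contact the authoritative server again, and the answer itself may change once the entry expires.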
sends DNS requests containing always the same identifier
sends DNS requests containing identifiers that are incremented by one after each request
sends DNS requests containing random identifiers
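The three identifier policies above can be compared directly. The following is an added example, not code from the original page or from any resolver; it simulates a stub resolver that accepts only a reply carrying the identifier of its outstanding query, and an attacker who has sniffed one earlier query and then floods forged replies for `www.bigbank.com`. Only DNS headers are built, since nothing beyond the 16-bit identifier matters for this check; the starting identifier 0x1234 and the guess budget are arbitrary.

```python
import random
import struct

ID_SPACE = 1 << 16  # the DNS identifier is a 16-bit field

class IdGenerator:
    """Produces the identifier of the next query under one of three policies."""
    def __init__(self, policy, rng):
        self.policy = policy
        self.rng = rng
        self.last = 0x1234  # arbitrary starting value

    def next_id(self):
        if self.policy == "constant":
            return self.last
        if self.policy == "increment":
            self.last = (self.last + 1) % ID_SPACE
            return self.last
        if self.policy == "random":
            self.last = self.rng.randrange(ID_SPACE)
            return self.last
        raise ValueError("unknown policy: " + self.policy)

def dns_header(txid, flags, qdcount=1, ancount=0):
    # Only the header is built: the question and answer sections play no role
    # in the identifier check, so they are left out of these constructed messages.
    return struct.pack("!6H", txid, flags, qdcount, ancount, 0, 0)

def header_id(msg):
    return struct.unpack("!H", msg[:2])[0]

class StubResolver:
    """One outstanding query at a time; accepts only a reply carrying its ID."""
    def __init__(self, ids):
        self.ids = ids
        self.pending = None

    def send_query(self):
        self.pending = self.ids.next_id()
        return dns_header(self.pending, 0x0100)  # RD=1

    def receive(self, reply):
        if self.pending is not None and header_id(reply) == self.pending:
            self.pending = None  # first matching reply wins; later ones are ignored
            return True
        return False  # identifier mismatch: the reply is discarded

def attacker_guesses(policy, observed_id, budget, rng):
    """IDs the attacker forges, knowing one earlier query ID and the policy."""
    if policy == "constant":
        return [observed_id]
    if policy == "increment":
        return [(observed_id + 1) % ID_SPACE]
    return rng.sample(range(ID_SPACE), budget)  # blind guessing

def spoof_attempt(policy, budget, resolver_rng, attacker_rng):
    """True if one of the attacker's forged replies is accepted."""
    resolver = StubResolver(IdGenerator(policy, resolver_rng))
    # Step 1: the attacker sniffs an earlier query (e.g. on a shared LAN)
    observed = header_id(resolver.send_query())
    resolver.receive(dns_header(observed, 0x8180, 1, 1))  # genuine answer arrives
    # Step 2: the victim queries www.bigbank.com; the attacker floods forged replies
    resolver.send_query()
    for guess in attacker_guesses(policy, observed, budget, attacker_rng):
        if resolver.receive(dns_header(guess, 0x8180, 1, 1)):
            return True
    return False

def success_rate(policy, budget, trials, seed=0):
    """Fraction of spoofing attempts that succeed over `trials` runs."""
    wins = 0
    for i in range(trials):
        if spoof_attempt(policy, budget,
                         random.Random(seed + i), random.Random(seed + 100000 + i)):
            wins += 1
    return wins / trials

def expected_rate(policy, budget):
    """Analytic success probability per attempt for an attacker who saw one ID."""
    if policy in ("constant", "increment"):
        return 1.0
    return min(budget, ID_SPACE) / ID_SPACE

if __name__ == "__main__":
    for policy in ("constant", "increment", "random"):
        print(policy, success_rate(policy, 64, 100), expected_rate(policy, 64))
```

With a constant or incremented identifier a single forged packet suffices, because one sniffed query reveals the next identifier. With random identifiers the attacker must guess, and each forged reply succeeds with probability 1/65536. Note that 16 bits of randomness is still a small space for an attacker who can send many packets before the genuine reply arrives, which is why modern resolvers also randomise the UDP source port of every query.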
`server` is the IP address or the name of a DNS server or resolver
Several software tools can be used to send queries to DNS servers. For this exercise, we use dig_ which is installed on most Unix/Linux systems.
The DNS
The DNS protocol can run over UDP and over TCP. Most DNS servers prefer UDP because it consumes fewer resources on the server (no connection state to maintain). However, TCP is useful when a large answer is expected: a UDP reply that does not fit is returned truncated, with the TC bit set, and the client retries over TCP. Compare `time dig +tcp` and `time dig` to query a root DNS server. Is it faster to receive an answer via TCP or via UDP?
The Domain Name System (DNS) plays a key role in the Internet today, as it allows applications to use fully qualified domain names (FQDNs) instead of IPv4 or IPv6 addresses. When using the DNS, it is important to remember the role of the different types of DNS records.