Domain Name Service for Newbies
__________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 9
Domain Name Service for Newbies
____________________________________________________________
by keydet89@yahoo.com
What is DNS?
[What is it?]
[Web-based Tools]
[nslookup]
[Final words]
[Resources]
This is a question that has likely popped up over
and over...what is DNS? Oh, and why should I care?
[What is it?]
Well, the Domain Name System (DNS) is nothing more than
a resource for translating human-readable URLs and host
names into machine-readable IP addresses. Really. That's
it.
The current DNS that is used on the Internet is the direct
result of the incredible growth of the Internet. Back in
the early days of the Internet, when the network was in its
infancy and called "ARPANet", the network itself was fairly
small; i.e., a hundred or so hosts. At this point, it was very
simple to keep track of hosts, and the hostname and address
information was maintained on the computers themselves in a
host table. The main host table was maintained at Stanford,
and as updates were made, the file was sent out to the various
servers on the network. But as the network grew, this method
of keeping track of hosts became unmanageable.
**************************************************************
NEWBIE NOTE: For more information on the history of the Internet
from the Happy Hacker herself (Carolyn), check out:
http://www.techbroker.com/test/gtmhh/vol2.htm
**************************************************************
A new method of managing this information was needed, and Paul
Mockapetris came up with DNS in 1984. DNS is a distributed system,
making it easier to update. The DNS system is a hierarchical
tree...that is, it starts at the "root", and then the
"leaves" proceed down the "tree" from there. See the below
"graphic" for an example of this tree hierarchy:
                    .(root)
                       |
        ---------------------------------
        |         |          |          |
      .com      .edu       .net       .org
        |
    ---------------------------
    |                         |
.target1.com             .target.com
                              |
                        -------------
                        |           |
                      host1       host2
You can see the nameservers for target.com at the bottom of the
"tree", and how to trace down to those servers from the
"root" of the tree.
**************************************************************
NEWBIE NOTE: You may have heard of InterNIC, which is responsible
for domain name registration services for the .com, .edu, .net,
and .org domains. This means that they register domains ending
in those extensions. So if you want to register your own domain
name, you can go to their site at http://www.internic.net and
see if the name is already taken, and see what information you need
in order to register your own domain. InterNIC is run by a
company known as Network Solutions, which is a subsidiary of
SAIC.
This site also has a web-based whois lookup function. Whois
is used to provide information on a domain...lots of really
interesting information, such as who registered the domain,
the technical and billing contacts for the domain, addresses
and telephone numbers, and even the name servers that point
to the domain.
**************************************************************
Now, you wonder, how does DNS work? Well, when you type
"http://www.target.com" into the location bar of your
Netscape browser, a lookup of the hostname needs to be performed
in order to obtain the IP address. This is needed so that the
browser has an IP address to which to send the request. So the
browser will send the request for the name lookup (i.e., the name-
to-address translation) to the closest DNS nameserver, which is
nothing more than a computer running DNS software. If that
nameserver has recently responded to a request for the same
hostname, it will retrieve the response from its cache, and
send that back to the browser. If the nameserver doesn't have
the answer available, something called the "resolver" will
attempt to get the answer by asking a server further up the
"tree", until it gets a response.
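Here is an added example (it is not part of the original guide) that walks the
tree exactly as just described: start at the root, follow the referral for
".edu", follow the referral for "foobar.edu", and take the answer from the
server that actually holds the record, remembering it so the next lookup of
the same name is served from the cache. The zone data is constructed: the
nameserver names are hypothetical and the addresses come from 192.0.2.0/24,
the documentation range, so nothing in it refers to a real host. A real
resolver sends these questions to servers over the network; this one just
looks the next zone up in a dictionary.

```python
from typing import Dict, List, Tuple

# Constructed zone data for a toy tree: zone name -> {owner name -> [(type, value)]}.
# foobar.edu is the fictitious domain the guide uses; the nameserver names are
# hypothetical and the addresses come from 192.0.2.0/24, the RFC 5737 documentation
# range, so nothing here refers to a real host.
ZONES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    ".": {
        "edu.": [("NS", "ns.edu-servers.example.")],
        "org.": [("NS", "ns.org-servers.example.")],
    },
    "edu.": {
        "foobar.edu.": [("NS", "ns.nameserver.org."), ("NS", "ns2.nameserver.org.")],
    },
    "foobar.edu.": {
        "foobar.edu.": [("A", "192.0.2.10"), ("MX", "10 smtp.foobar.edu.")],
        "www.foobar.edu.": [("CNAME", "foobar.edu.")],
        "smtp.foobar.edu.": [("A", "192.0.2.10")],
    },
}


def fqdn(name: str) -> str:
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def suffixes(name: str) -> List[str]:
    """Every ancestor of a name, longest first: 'www.foobar.edu.' ->
    ['www.foobar.edu.', 'foobar.edu.', 'edu.', '.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


class Resolver:
    """Walks the tree from the root, following referrals, and caches answers."""

    def __init__(self, zones: Dict[str, Dict[str, List[Tuple[str, str]]]]):
        self.zones = zones
        self.cache: Dict[Tuple[str, str], List[str]] = {}

    def resolve(self, name: str, rtype: str = "A", depth: int = 0) -> Tuple[List[str], List[str]]:
        """Return (answers, trace); trace lists the zones consulted, or ['cache']."""
        name = fqdn(name)
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key], ["cache"]
        if depth > 8:                       # guard against CNAME loops in bad data
            return [], ["cname loop"]
        trace: List[str] = []
        zone = "."
        while True:
            trace.append(zone)
            data = self.zones[zone]
            owner = data.get(name, [])
            answer = [v for t, v in owner if t == rtype]
            if answer:                      # this server is authoritative: done
                self.cache[key] = answer
                return answer, trace
            aliases = [v for t, v in owner if t == "CNAME"]
            if aliases and rtype != "CNAME":  # alias: restart on the canonical name
                result, sub = self.resolve(aliases[0], rtype, depth + 1)
                self.cache[key] = result
                return result, trace + sub
            # Otherwise look for a referral: the longest suffix this zone delegates.
            for suffix in suffixes(name):
                if suffix not in trace and any(t == "NS" for t, _ in data.get(suffix, [])):
                    zone = suffix
                    break
            else:
                self.cache[key] = []        # no record and nowhere left to ask
                return [], trace


if __name__ == "__main__":
    r = Resolver(ZONES)
    for q in ("foobar.edu", "foobar.edu", "www.foobar.edu"):
        print(q, r.resolve(q))
```

Run it and the first lookup of foobar.edu reports the zones it had to
visit (".", "edu.", "foobar.edu."), the second reports just "cache", and
the lookup of www.foobar.edu shows the alias being followed to the
canonical name, which is then found in the cache.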
This has been a very basic explanation of DNS. For a more detailed
explanation, check out an excerpt for the O'Reilly book "DNS and
BIND, 2d Edition":
http://www.oreilly.com/publishing/sysadmin/excerpts/dns2/ch02.htm
[Web-based Tools]
Now lets play with some DNS tools.
**************************************************************
NEWBIE NOTE: Win95 doesn't come with the necessary tools that
you need to really get a good look at available DNS information.
NT and Linux come with programs such as nslookup, which is
pretty much "THE" DNS tool...there is a lot you can do with
nslookup. To remedy that situation, we will use web-based tools,
that you can bookmark for later use. Refer to the [Resource]
section below for the listing of tools. Nslookup will be
dealt with in a later section of this text.
**************************************************************
This example will look at the information available from the
domain "foobar.edu", so depending upon the domains you try
these exercises on, your results may vary.
**NOTE: A fictitious domain name will be used for the
exercises. All responses are obfuscated so that no
particular domain or IP address is indicated.
The first step is to perform a whois lookup on the domain.
We can do this by going to:
http://www.internic.net
and entering "foobar.edu" in the entry box.
**************************************************************
NEWBIE NOTE: If you are using Linux, or have a whois tool on
your computer, type:
$whois foobar.edu
Or you can use Sam Spade (http://www.blighty.com), a portscanner
that also provides finger, nslookup, dig, and ping functions,
among others.
**************************************************************
The response that comes back states that John Doe is the
administrative contact for the domain, and the registrant is located
in Alaska. Now, InterNIC requires that a valid domain have
at least two nameservers pointing to the domain, and we can
see the nameservers listed in the response...
NS.NAMESERVER.ORG 287.128.192.4
NS2.NAMESERVER.ORG 289.41.341.143
Now let's look up some IP addresses. Go to:
http://jos.net/projects/nslookup4WWW/nslookup4WWW.html
Select a Query Type of "A - host address", and enter
"foobar.edu" in the Query box, and press "Submit Query>>".
The response should contain:
Name: foobar.edu
Address: 289.13.266.37
**************************************************************
NEWBIE NOTE: Remember what was described earlier about your
browser having to perform a name lookup and getting the IP
address? Well, now that you have the IP address, try typing it
into the location bar of your browser, and see what happens...
**************************************************************
The query type indicates the type of resource record (RR) that
we are interested in. In this case, we are interested in the
address, or "A", record. Other resource records we can look
for include mail exchanger (MX), pointer (PTR), or canonical
name (CNAME) records. Each of these records has a particular
purpose.
RR       Meaning
*****    ***************
A        a host address
CNAME    canonical name for an alias
PTR      a domain name pointer
MX       mail exchanger
HINFO    host information
For a complete list of the various resource records, and the
pertinent RFCs, see:
http://www.dns.net/dnsrd/rr.html
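To show what the "Query Type" actually changes on the wire, here is an added
example (not part of the original guide) that builds a DNS query for a given
resource record type, and parses the answer section of a reply, decoding A,
CNAME, PTR and MX records. It also builds the "in-addr.arpa" name that a
reverse lookup on an IP address uses, which nslookup does for you when you
hand it an address instead of a name. Nothing is sent over the network: the
reply is constructed by a helper in the same block, and the names and the
192.0.2.x address are made up for the demonstration.

```python
import struct
from typing import Dict, List, Tuple

# RR type codes from RFC 1035 for the record types named in the text.
RR_TYPES: Dict[str, int] = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12,
                            "HINFO": 13, "MX": 15, "ANY": 255}
RR_NAMES = {code: name for name, code in RR_TYPES.items()}

def encode_name(name: str) -> bytes:
    """Encode 'foobar.edu' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def reverse_name(ip: str) -> str:
    """Owner name for a reverse (PTR) lookup: octets reversed under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def build_query(name: str, rtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (id, flags with RD set, 1 question) plus the question."""
    if rtype == "PTR" and name.replace(".", "").isdigit():
        name = reverse_name(name)          # nslookup does this for you
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RR_TYPES[rtype], 1)

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a name at offset, following compression pointers (top two bits 11).
    Returns the name and the offset just past it in the original stream."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_answers(msg: bytes) -> List[Tuple[str, str, str]]:
    """Return (owner, type, value) for each record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                      # A: four raw octets
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):           # NS, CNAME, PTR: a (possibly compressed) name
            value, _ = decode_name(msg, offset)
        elif rtype == 15:                   # MX: preference then exchanger name
            value = f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(msg, offset + 2)[0]}"
        else:
            value = rdata.hex()
        answers.append((owner, RR_NAMES.get(rtype, str(rtype)), value))
        offset += rdlen
    return answers

def build_response(query: bytes, answers: List[Tuple[str, str]]) -> bytes:
    """Constructed reply for the demo: echo the question, set QR/RD/RA, and add
    answers whose owner is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]
    for rtype, value in answers:
        if rtype == "A":
            rdata = bytes(int(o) for o in value.split("."))
        elif rtype == "MX":
            pref, host = value.split()
            rdata = struct.pack("!H", int(pref)) + encode_name(host)
        else:
            rdata = encode_name(value)
        body += b"\xc0\x0c" + struct.pack("!HHIH", RR_TYPES[rtype], 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + body

if __name__ == "__main__":
    q = build_query("192.0.2.10", "PTR")
    print(parse_answers(build_response(q, [("PTR", "www.foobar.edu")])))
```

The only thing that differs between an "A" query and an "MX" query for the
same name is the two-byte type field after the encoded name; the parser
checks the RCODE in the header first so that a "no such name" reply is
reported instead of being read as an empty answer.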
Try looking at the information available for the techbroker.com
domain using the other Query Types, and see what's available.
Then try seeing what's available for other domains.
**************************************************************
YOU COULD GET PUNCHED IN THE NOSE WARNING: Be very, very
careful when you are using these tools, or using nslookup
(described later). If you choose a Query Type of "ANY", this
is referred to as a zone transfer, as all available information
regarding the domain in question is returned. This puts a load
on the nameserver, and is considered impolite...as well as the
precursor to an attack. If you do a zone transfer on a domain,
then save the information you receive to a text file...that way,
if you want to show someone the neat things you can do, you
won't subject the nameserver to an additional load.
There is a program called "dig" that returns similar results
as the "ANY" query. Dig is available for Linux, and is part of
Sam Spade (http://www.blighty.com) for win95/NT.
**************************************************************
**************************************************************
NEWBIE NOTE: You need to be a little careful with the domains
that you pick. Foreign or overseas domains may not be easily
located...so if you don't get a response back from one of these
web-based tools, don't worry. Try doing a whois lookup, or
check at the AllDomains web page for the particular domain.
For example, if you are looking for information regarding a
domain that ends in ".uk" (for United Kingdom), go to
http://www.alldomains.com, and click on "United Kingdom(uk)"
in the left-hand frame. Then in the right-hand frame, click
on "whois", and you can perform a whois query on the domain in
question.
**************************************************************
[nslookup]
Nslookup is a great little tool for making DNS queries that comes
with NT, Linux, etc. The easiest way to use nslookup is in non-
interactive mode. This means that you submit a request at the
command line, and you get a response back with no other input.
For example, from the command prompt, type:
$nslookup foobar.edu
Server: localhost
Address: 127.0.0.1
Name: foobar.edu
Address: 289.13.266.37
The Server and Address response you see above will vary depending
upon your operating system, and how it's set up. But you can see
that this is a quick and easy way to look up the IP address of
a host given the name...we have performed a query for the "A"
resource record. We can do a "reverse lookup" by entering the
IP address at the command prompt, rather than the host name:
$nslookup 289.13.266.37
Server: localhost
Address: 127.0.0.1
Name: www.foobar.edu
Address: 289.13.266.37
Wait a minute! What's this "www.foobar.edu" stuff? Well,
what we've found is an alias for the host "foobar.edu". A
single host can have multiple host names that all point to
the same IP address.
The other way to play with nslookup is to enter interactive mode
by typing "nslookup" (with no arguments) at the command prompt,
and then hitting Enter. You will get a prompt back that looks
like:
>
From here you can enter commands. For example, type:
>foobar.edu
Wow! We get the same information back as we did for the non-
interactive mode query. To look up specific resource records
for the foobar.edu domain, all we need to do is tell nslookup
which RR type we want:
>set type=<type>
where <type> refers to the resource record type, as we saw listed
above (A, PTR, MX, CNAME, etc). This way you can look up just
those records you are interested in. Note: If you enter "ANY"
in place of "<type>", you are doing a zone transfer. Read the
above warning, and use caution and restraint. After you change
the RR type that you want, enter the name of the domain that
you want that information from...in this case, foobar.edu.
Now, let's try one more little trick. This involves listing hosts
within the domain we are interested in...it doesn't mean _all_ of
the hosts, though. We already know the names and IP addresses of
the nameservers that point to foobar.edu, so start nslookup in
interactive mode. Then change the nameserver used to resolve
queries to the nameserver that points to the foobar.edu domain:
$nslookup
Once you're in interactive mode, change the default nameserver
that is used to resolve your queries to a nameserver that points
to the foobar.edu domain...this information was retrieved using
the whois query above:
>server 287.128.192.4
Now we want to list the hosts in the domain that have records
available, so type:
>ls foobar.edu
You will see something similar to:
[ns01.nameserver.org]
 foobar.edu.                    server = ns.nameserver.org
 foobar.edu.                    server = ns2.nameserver.org
 foobar.edu.                    server = ns3.nameserver.org
 foobar.edu.                    289.13.266.37
 ftp                            289.13.266.37
 smtp                           289.13.266.37
 www                            289.13.266.37
In the real world (as opposed to the "example" world) you will likely
get a lot more hosts back than this...in fact, you may get
upwards of 500 or more hosts! However, what this tells us is
that the host "foobar.edu" has the same IP address as the hosts
listed as "ftp", "smtp", and "www". This means that these are
services aliased to the host...performing a lookup on
"ftp.foobar.edu" or trying to connect to "ftp.foobar.edu" will
point or connect you to the host "foobar.edu".
If you do list the hosts in the domain, you may want to use
redirection to save this information in a file, so that you can
read over it:
>ls foobar.edu > foobar.txt
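Once the listing is in a text file, the reasoning above (which names share
one address, and are therefore aliases of one host) can be done with a few
lines of code rather than by eye. Here is an added example, not part of the
original guide, that parses a saved "ls" listing, pulls out the nameservers,
qualifies the bare host labels with the domain, and groups the hosts by
address. The listing it runs on is constructed to match the shape of the
one above, with hypothetical names and 192.0.2.x documentation addresses.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample shaped like the "ls foobar.edu" listing in the guide, as it
# would look after being saved with "ls foobar.edu > foobar.txt". The names are
# hypothetical and the addresses are RFC 5737 documentation addresses.
SAMPLE_LISTING = """\
[ns01.nameserver.org]
 foobar.edu.                    server = ns.nameserver.org
 foobar.edu.                    server = ns2.nameserver.org
 foobar.edu.                    192.0.2.10
 ftp                            192.0.2.10
 smtp                           192.0.2.10
 www                            192.0.2.10
 mail2                          192.0.2.20
"""


def parse_listing(text: str, domain: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (nameservers, {fully qualified host: address}) from an ls listing."""
    servers: List[str] = []
    hosts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):       # blank line or "[server]" banner
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "server" and parts[2] == "=":
            servers.append(parts[-1])               # "foobar.edu. server = ns..."
            continue
        name, value = parts[0], parts[-1]
        # nslookup prints the zone apex with a trailing dot and other hosts as bare
        # labels relative to the zone, so qualify the latter ourselves.
        fq = name.rstrip(".") if name.endswith(".") else f"{name}.{domain}"
        hosts[fq] = value
    return servers, hosts


def group_by_address(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert the host map: address -> sorted list of names that resolve to it."""
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for name, addr in hosts.items():
        by_addr[addr].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items()}


def aliases_of(hosts: Dict[str, str], name: str) -> List[str]:
    """Other names sharing name's address (the ftp/smtp/www case in the guide)."""
    addr = hosts[name]
    return sorted(n for n, a in hosts.items() if a == addr and n != name)


if __name__ == "__main__":
    servers, hosts = parse_listing(SAMPLE_LISTING, "foobar.edu")
    print("nameservers:", servers)
    for addr, names in group_by_address(hosts).items():
        print(addr, "->", ", ".join(names))
```

This is also the view an administrator wants of their own zone: the grouped
output is exactly what anyone who can obtain a listing learns about the
layout of the network, which is why nameservers such as BIND let you restrict
zone transfers to the secondary servers that actually need them.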
[Final words]
You may be asking yourself at this point...now what? Well, there
has been quite a bit of information presented here, and the bad
news is that it is by no means complete. However, the good news
is, now you should understand how the "/dns" command works on
IRC, or how to track down IP addresses and hosts.
This information is also useful if you want to track down
spammers.
[Resources]
DNS Resource Directory
http://www.dns.net/dnsrd/
NsInfo - DNS browser
http://nsinfo.coven.ml.org/
**this is an interesting little tool...performs a zone transfer
for you, as if you were executing "ls domain.com" in nslookup
interactive mode.
Nameserver Lookup...another web-based lookup tool
http://jos.net/projects/nslookup4WWW/nslookup4WWW.html
Texts for setting up a basic DNS server
http://www.ludd.luth.se/~kavli/BIND-FAQ.html
http://www.verinet.com/dns/
http://web.syr.edu/~jmwobus/comfaqs/faq-dns
Linux DNS-HOWTO
http://sunsite.unc.edu/LDP/HOWTO/DNS-HOWTO.html
(from the Linux Documentation Project @
http://sunsite.unc.edu/LDP/index.html)
AllDomains...contains listing of all domains, with
valuable links
http://www.alldomains.com
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. But we hate computer crime. So don't email us about any crimes
you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message.
Copyright 1998 keydet89. You may forward, print out or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com