Internet Protocol Analysis/Name Resolution

This lesson introduces name resolution and looks at hosts files, the Domain Name System (DNS), and NetBIOS over TCP/IP (NetBT). Activities include editing the hosts file and using Wireshark to examine DNS network traffic.

Readings

edit
  1. Wikipedia: Hosts (file)
  2. Wikipedia: Domain Name System
  3. Wikipedia: Multicast DNS
  4. Wikipedia: Link-local Multicast Name Resolution
  5. Wikipedia: NetBIOS over TCP/IP

Multimedia

edit
  1. YouTube: An Overview of DNS - CompTIA Network+ N10-005: 1.7
  2. YouTube: DNS Records - CompTIA Network+ N10-005: 1.7
  3. YouTube: Dynamic DNS - CompTIA Network+ N10-005: 1.7
  4. YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
  5. YouTube: Using nslookup to Resolve Domain Names to IP Addresses
  6. YouTube: The Nbtstat Command - CompTIA Network+ N10-005: 4.3

Activities

edit
  1. View the Hosts file.
  2. Edit the Hosts file.
  3. Use nslookup to display host addresses.
  4. Use nslookup to display other record types.
  5. Review the current DNS root zone settings file.
  6. Use nslookup to simulate a recursive query.
  7. Review Wireshark: DNS.
  8. Use Wireshark to capture and analyze Domain Name System (DNS) traffic.
  9. Use Wireshark to capture and analyze Link Local Multicast Name Resolution (LLNMR) traffic.
  10. Use nbtstat to display NetBIOS over TCP/IP statistics.
  11. Consider situations in which a packet analyzer might be used to troubleshoot name resolution traffic.

Lesson Summary

edit
  • The hosts file is a computer file used in an operating system to map hostnames to IP addresses.[1]
  • The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.[2]
  • Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.[3]
  • The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.[4]
  • The hosts file may be used to define any hostname or domain name for use by the local system.[5]
  • The hosts file represents an attack vector for malicious software, because the hosts file is queried before DNS.[6]
  • The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.[7]
  • The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.[8]
  • A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).[9]
  • The hierarchy of domains within a domain name descends from right to left.[10]
  • Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.[11]
  • Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).[12]
  • A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.[13]
  • A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.[14]
  • Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.[15]
  • A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.[16]
  • Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.[17]
  • LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).[18]
  • NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.[19]
  • NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.[20]
  • NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names. It is enabled by default, though most Windows 2000 and later networks and applications no longer require it.[21]

Key Terms

edit
American Standard Code for Information Interchange (ASCII)
A character-encoding scheme originally based on the English alphabet.[22]
authoritative name server
A name server that gives answers that have been configured by an original source rather than answers that were obtained via a DNS query to another name server.[23]
Berkley Internet Name Domain (BIND)
The DNS server service (daemon) included in most Unix and Unix-like operating systems.[24]
dig (domain information groper)
A network administration command-line tool for querying Domain Name System (DNS) name servers used on Unix-like systems.[25]
DNS root zone
The top-level DNS zone in a hierarchical namespace using the Domain Name System (DNS).[26]
DNS spoofing
A computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).[27]
DNS zone
A portion of a domain name space using the Domain Name System (DNS) for which administrative responsibility has been delegated.[28]
DomainKeys Identified Mail (DKIM)
A method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message and a recipient to validate that the message was not modified in transit.[29]
domain name registrar
An organization or commercial entity that manages the reservation of Internet domain names.[30]
Dynamic DNS (DDNS)
A method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on a network or on the Internet.[31]
Fully Qualified Domain Name (FQDN)
A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS), including the top-level domain and the root zone.[32]
Internationalizing Domain Names in Applications (IDNA)
A mechanism for converting domain names containing non-ASCII characters to an ASCII-coded equivalent.[33]
Letters Digits Hyphen (LDH) rule
The guideline for characters allowed in a domain name, which include letters, digits, and the hyphen.[34]
NetBIOS Frames (NBF)
A non-routable transport-level data protocol most commonly used as one of the layers of Microsoft Windows networking in the 1990s.[35]
nslookup
A network administration command-line tool for querying Domain Name System (DNS) name servers used on Windows systems.[36]
Phishing
The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity.[37]
Punycode
An instance of a general encoding syntax by which a string of Unicode characters is transformed uniquely and reversibly into a smaller, restricted character set.[38]
root name server
A name server for the Domain Name System's root zone.[39]
Sender Policy Framework (SPF)
An email validation system designed to prevent email spam by verifying sender IP addresses using the Domain Name System (DNS) and TXT records.[40]
Server Message Block (SMB)
An application-layer protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network, as well as providing an authenticated inter-process communication mechanism.[41]
top-level domain (TLD)
One of the domains at the highest level in the hierarchical Domain Name System of the Internet.[42]
Unicode
A computing industry standard for the consistent encoding, representation and handling of text expressed in most of the world's writing systems.[43]
Uniform resource locator (URL)
A specific character string that constitutes a reference to an Internet resource.[44]
WHOIS
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.[45]
Windows Internet Name Service (WINS)
Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.[46]

Review Questions

edit
Enable JavaScript to hide answers.

Click on a question to see the answer.

  1. The _____ file is a computer file used in an operating system to map hostnames to IP addresses.
    The hosts file is a computer file used in an operating system to map hostnames to IP addresses.
  2. The hosts file contains lines of text consisting of _____.
    The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
  3. Comments in the hosts file are indicated by _____.
    Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.
  4. The location of the hosts file on Windows systems is _____.
    The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.
  5. The _____ file may be used to define any hostname or domain name for use by the local system.
    The hosts file may be used to define any hostname or domain name for use by the local system.
  6. The hosts file represents _____ for malicious software.
    The hosts file represents an attack vector for malicious software.
  7. The Domain Name System (DNS) is a _____ for computers, services, or any resource connected to the Internet or a private network.
    The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.
  8. The Domain Name System _____ the responsibility of assigning domain names and mapping those names to IP addresses. _____ name servers are assigned to be responsible for their particular domains, and in turn can assign other _____ name servers for their sub-domains.
    The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.
  9. A domain name consists of one or more parts, technically called _____, that are concatenated and delimited by _____.
    A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).
  10. The hierarchy of domains within a domain name descends from _____ to _____.
    The hierarchy of domains within a domain name descends from right to left.
  11. Each label in a domain name may contain up to _____ characters. The full domain name may not exceed a total length of _____ characters.
    Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.
  12. Common DNS record types include _____ (address), _____ (IPv6 address), _____ (canonical or alias name), _____ (mail exchange), _____ (name server), _____ (pointer), _____ (start of authority), and _____ (text).
    Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).
  13. A _____ query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
    A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
  14. A _____ query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
    A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
  15. Caching DNS servers cache DNS queries and perform recursive queries to _____.
    Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.
  16. A reverse lookup is a query of the DNS for _____ using the IPv4 domain _____ or the IPv6 domain _____, and reverse lookup IP addresses are specified in _____ order.
    A reverse lookup is a query of the DNS for domain names when the IP address is known using the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and reverse lookup IP addresses are specified in reverse order.
  17. Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to _____.
    Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
  18. LLMNR responders listen on UDP port _____ on IPv4 address _____ and IPv6 address _____.
    LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).
  19. NetBIOS over TCP/IP (NBT) is a networking protocol that allows _____.
    NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.
  20. NetBIOS provides three distinct services: _____, _____, and _____.
    NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.
  21. NetBIOS is a legacy protocol used to support computers and applications that predate _____ and do not support _____.
    NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names.

Assessments

edit

See Also

edit

References

edit
  Type classification: this is a lesson resource.
  Completion status: this resource is considered to be complete.
  1. Wikipedia: Hosts (file)
  2. Wikipedia: Hosts (file)#File content
  3. Wikipedia: Hosts (file)#File content
  4. Wikipedia: Hosts (file)#Location in the file system
  5. Wikipedia: Hosts (file)#Extended applications
  6. Wikipedia: Hosts (file)#Security issues
  7. Wikipedia: Domain Name System
  8. Wikipedia: Domain Name System
  9. Wikipedia: Domain Name System#Domain name syntax
  10. Wikipedia: Domain Name System#Domain name syntax
  11. Wikipedia: Domain Name System#Domain name syntax
  12. Wikipedia: List of DNS record types
  13. Wikipedia: Domain Name System#DNS resolvers
  14. Wikipedia: Domain Name System#DNS resolvers
  15. Wikipedia: Domain Name System#Recursive and caching name server
  16. Wikipedia: Domain Name System#Reverse lookup
  17. Wikipedia: Link-local Multicast Name Resolution
  18. Wikipedia: Link-local Multicast Name Resolution
  19. Wikipedia: NetBIOS over TCP/IP
  20. http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP#Services
  21. Wikipedia: NetBIOS over TCP/IP#Decreasing relevance in post-NT Client-Server Networks
  22. Wikipedia: ASCII
  23. Wikipedia: Domain Name System#Authoritative name server
  24. Wikipedia: BIND
  25. Wikipedia: Domain Information Groper
  26. Wikipedia: DNS root zone
  27. Wikipedia: DNS spoofing
  28. Wikipedia: DNS zone
  29. Wikipedia: DomainKeys Identified Mail
  30. Wikipedia: Domain name registrar
  31. Wikipedia: Dynamic DNS
  32. Wikipedia: Fully qualified domain name
  33. Wikipedia: Internationalized domain name
  34. Wikipedia: Domain Name System#Domain name syntax
  35. Wikipedia: NetBIOS Frames protocol
  36. Wikipedia: Nslookup
  37. Wikipedia: Phishing
  38. Wikipedia: Punycode
  39. Wikipedia: Root nameserver
  40. Wikipedia: Sender Policy Framework
  41. Wikipedia: Server Message Block
  42. Wikipedia: Top-level domain
  43. Wikipedia: Unicode
  44. Wikipedia: Uniform Resource Locator
  45. Wikipedia: WHOIS
  46. Wikipedia: Windows Internet Name Service