Internet Protocol Analysis/Name Resolution

This lesson introduces name resolution and looks at hosts files, the Domain Name System (DNS), and NetBIOS over TCP/IP (NetBT). Activities include editing the hosts file and using Wireshark to examine DNS network traffic.

Readings

 * 1) Hosts (file)
 * 2) Domain Name System
 * 3) Multicast DNS
 * 4) Link-local Multicast Name Resolution
 * 5) NetBIOS over TCP/IP

Multimedia

 * 1) YouTube: An Overview of DNS - CompTIA Network+ N10-005: 1.7
 * 2) YouTube: DNS Records - CompTIA Network+ N10-005: 1.7
 * 3) YouTube: Dynamic DNS - CompTIA Network+ N10-005: 1.7
 * 4) YouTube: Basics of ipconfig, ping, tracert, nslookup and netstat
 * 5) YouTube: Using nslookup to Resolve Domain Names to IP Addresses
 * 6) YouTube: The Nbtstat Command - CompTIA Network+ N10-005: 4.3

Activities

 * 1) View the Hosts file.
 * 2) Edit the Hosts file.
 * 3) Use nslookup to display host addresses.
 * 4) Use nslookup to display other record types.
 * 5) Review the current DNS root zone settings file.
 * 6) Use nslookup to simulate a recursive query.
 * 7) Review Wireshark: DNS.
 * 8) Use Wireshark to capture and analyze Domain Name System (DNS) traffic.
 * 9) Use Wireshark to capture and analyze Link Local Multicast Name Resolution (LLMNR) traffic.
 * 10) Use nbtstat to display NetBIOS over TCP/IP statistics.
 * 11) Consider situations in which a packet analyzer might be used to troubleshoot name resolution traffic.

Lesson Summary

 * The hosts file is a computer file used in an operating system to map hostnames to IP addresses.
 * The hosts file contains lines of text consisting of an IP address in the first text field followed by one or more host names.
 * Comments in the hosts file are indicated by a hash character (#) in the first position of such lines.
 * The location of the hosts file on Windows systems is %SystemRoot%\system32\drivers\etc\hosts.
 * The hosts file may be used to define any hostname or domain name for use by the local system.
 * The hosts file represents an attack vector for malicious software, because the hosts file is queried before DNS.
 * The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network.
 * The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains.
 * A domain name consists of one or more parts, technically called labels, that are concatenated and delimited by dots (.).
 * The hierarchy of domains within a domain name descends from right to left.
 * Each label in a domain name may contain up to 63 characters. The full domain name may not exceed a total length of 253 characters.
 * Common DNS record types include A (address), AAAA (IPv6 address), CNAME (canonical or alias name), MX (mail exchange), NS (name server), PTR (pointer), SOA (start of authority), and TXT (text).
 * A non-recursive query is one in which the DNS server provides a record for a domain for which it is authoritative itself, or it provides a partial result without querying other servers.
 * A recursive query is one for which the DNS server will fully answer the query (or give an error) by querying other name servers as needed.
 * Caching DNS servers cache DNS queries and perform recursive queries to improve efficiency, reduce DNS traffic across the Internet, and increase performance in end-user applications.
 * A reverse lookup is a DNS query for the domain name when the IP address is already known. It uses the IPv4 domain in-addr.arpa or the IPv6 domain ip6.arpa, and the components of the IP address are written in reverse order in the queried name.
 * Link Local Multicast Name Resolution (LLMNR) is a protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.
 * LLMNR responders listen on UDP port 5355 on IPv4 address 224.0.0.252 (MAC address 01-00-5E-00-00-FC) and IPv6 address FF02::1:3 (MAC address 33-33-00-01-00-03).
 * NetBIOS over TCP/IP (NBT) is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.
 * NetBIOS provides three distinct services: Name service for name registration and resolution on port 137, Datagram distribution service for connectionless communication on port 138, and Session service for connection-oriented communication on port 139.
 * NetBIOS is a legacy protocol used to support computers and applications that predate Windows 2000 and do not support host names. It is enabled by default, though most Windows 2000 and later networks and applications no longer require it.
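As an added illustration of the hosts-file format and the DNS name-length rules listed above (example code written for this summary, not part of the original lesson), the following Python parser reads a hosts file, validates each host name, and flags entries that send a watched name somewhere other than loopback; the sample file contents and the watchlist are constructed.

```python
import ipaddress

# Constructed sample hosts file (not a real system file): IP address first, then
# one or more host names; '#' in the first column starts a comment. Trailing
# comments are also stripped (an assumption; the lesson mentions only full-line ones).
SAMPLE_HOSTS = """\
# constructed example
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.test intranet
192.0.2.66      update.example.test   # overrides what DNS would return
bad_label.example.test 10.0.0.1
"""

def valid_hostname(name):
    """Apply the summary's limits: labels of 1-63 LDH characters that do not
    start or end with a hyphen, whole name no longer than 253 characters."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True

def parse_hosts(text):
    """Return {hostname: ip}. As a resolver would, the first entry for a name
    wins; lines whose first field is not an IP address are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            if valid_hostname(host):
                mapping.setdefault(host.lower(), str(ip))
    return mapping

def overridden_names(mapping, watchlist):
    """Watched names the hosts file maps anywhere other than loopback. Because
    hosts is consulted before DNS, such entries deserve review."""
    return sorted(h for h in watchlist
                  if h in mapping and not ipaddress.ip_address(mapping[h]).is_loopback)
```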

Key Terms

 * American Standard Code for Information Interchange (ASCII)
 * A character-encoding scheme originally based on the English alphabet.


 * authoritative name server
 * A name server that gives answers that have been configured by an original source rather than answers that were obtained via a DNS query to another name server.


 * Berkeley Internet Name Domain (BIND)
 * The DNS server service (daemon) included in most Unix and Unix-like operating systems.


 * dig (domain information groper)
 * A network administration command-line tool for querying Domain Name System (DNS) name servers used on Unix-like systems.


 * DNS root zone
 * The top-level DNS zone in a hierarchical namespace using the Domain Name System (DNS).


 * DNS spoofing
 * A computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to another computer (often the attacker's).


 * DNS zone
 * A portion of a domain name space using the Domain Name System (DNS) for which administrative responsibility has been delegated.


 * DomainKeys Identified Mail (DKIM)
 * A method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message and a recipient to validate that the message was not modified in transit.


 * domain name registrar
 * An organization or commercial entity that manages the reservation of Internet domain names.


 * Dynamic DNS (DDNS)
 * A method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on a network or on the Internet.


 * Fully Qualified Domain Name (FQDN)
 * A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS), including the top-level domain and the root zone.


 * Internationalizing Domain Names in Applications (IDNA)
 * A mechanism for converting domain names containing non-ASCII characters to an ASCII-coded equivalent.


 * Letters Digits Hyphen (LDH) rule
 * The guideline for characters allowed in a domain name, which include letters, digits, and the hyphen.


 * NetBIOS Frames (NBF)
 * A non-routable transport-level data protocol most commonly used as one of the layers of Microsoft Windows networking in the 1990s.


 * nslookup
 * A network administration command-line tool for querying Domain Name System (DNS) name servers used on Windows systems.


 * Phishing
 * The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity.


 * Punycode
 * An instance of a general encoding syntax by which a string of Unicode characters is transformed uniquely and reversibly into a smaller, restricted character set.


 * root name server
 * A name server for the Domain Name System's root zone.


 * Sender Policy Framework (SPF)
 * An email validation system designed to prevent email spam by verifying sender IP addresses using the Domain Name System (DNS) and TXT records.


 * Server Message Block (SMB)
 * An application-layer protocol mainly used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network, as well as providing an authenticated inter-process communication mechanism.


 * top-level domain (TLD)
 * One of the domains at the highest level in the hierarchical Domain Name System of the Internet.


 * Unicode
 * A computing industry standard for the consistent encoding, representation and handling of text expressed in most of the world's writing systems.


 * Uniform resource locator (URL)
 * A specific character string that constitutes a reference to an Internet resource.


 * WHOIS
 * A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.


 * Windows Internet Name Service (WINS)
 * Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.

Assessments

 * /Lesson Flashcards/
 * /Terms Flashcards/
 * /Quiz/