Wireshark/DNS

Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Domain Name System (DNS) traffic.

Readings

 * Domain Name System

Multimedia

 * YouTube: Wireshark 101: The Domain Name System, HakTip 129

Preparation
To prepare for this activity:
 * 1) Start Windows.
 * 2) Log in if necessary.
 * 3) Install Wireshark.

Activity 1 - Capture DNS Traffic
To capture DNS traffic:
 * 1) Start a Wireshark capture.
 * 2) Open a command prompt.
 * 3) Type ipconfig /flushdns and press Enter to clear the DNS cache.
 * 4) Type ipconfig /displaydns and press Enter to display the DNS cache.
 * 5) Observe the results.  Notice the only records currently displayed come from the hosts file.
 * 6) Type nslookup en.wikiversity.org and press Enter.
 * 7) Observe the results.  Notice there is an entry in the cache for en.wikiversity.org.
 * 8) Close the command prompt.
 * 9) Stop the Wireshark capture.

Activity 2 - Analyze DNS Query Traffic
To analyze DNS query traffic:
 * 1) Observe the traffic captured in the top Wireshark packet list pane.  To view only DNS traffic, type udp.port == 53 (lower case) in the Filter box and press Enter.
 * 2) Select the DNS packet labeled Standard query A en.wikiversity.org.
 * 3) Observe the packet details in the middle Wireshark packet details pane.  Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (query) frame.
 * 4) Expand Ethernet II to view Ethernet details.
 * 5) Observe the Destination and Source fields.  The destination should be either your local DNS server's MAC address or your default gateway's MAC address and the source should be your MAC address.  You can use ipconfig /all and arp -a to confirm.
 * 6) Expand Internet Protocol Version 4 to view IP details.
 * 7) Observe the Source address.  Notice that the source address is your IP address.
 * 8) Observe the Destination address.  Notice that the destination address is the IP address of the DNS server.
 * 9) Expand User Datagram Protocol to view UDP details.
 * 10) Observe the Source port.  Notice that it is a dynamic port selected for this DNS query.
 * 11) Observe the Destination port.  Notice that it is domain (53), the DNS server port.
 * 12) Expand Domain Name System (query) to view DNS details.
 * 13) Expand Flags to view flags details.
 * 14) Observe the Recursion desired field.  Notice that a recursive query is requested.
 * 15) Expand Queries to view query details.
 * 16) Observe the query for en.wikiversity.org.

Activity 3 - Analyze DNS Response Traffic
To analyze DNS response traffic:
 * 1) In the top Wireshark packet list pane, select the next DNS packet, labeled Standard query response CNAME wikiversity....
 * 2) Observe the packet details in the middle Wireshark packet details pane.  Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Name System (response) frame.
 * 3) Expand Ethernet II to view Ethernet details.
 * 4) Observe the Destination and Source fields.  The destination should be your MAC address and the source should be your local DNS server's MAC address or your default gateway's MAC address.
 * 5) Expand Internet Protocol Version 4 to view IP details.
 * 6) Observe the Source address.  Notice that the source address is the DNS server IP address.
 * 7) Observe the Destination address.  Notice that the destination address is your IP address.
 * 8) Expand User Datagram Protocol to view UDP details.
 * 9) Observe the Source port.  Notice that it is domain (53), the DNS server port.
 * 10) Observe the Destination port.  Notice that it is the same dynamic port used to make the DNS query in the first packet.
 * 11) Expand Domain Name System (response) to view DNS details.
 * 12) Expand Flags to view flags details.
 * 13) Observe the flags.  Notice that this is a recursive response.
 * 14) Expand Queries to view query details.
 * 15) Observe the query for en.wikiversity.org.
 * 16) Expand Answers to view answer details.
 * 17) Observe the CNAME and A records returned in response to this DNS query.
 * 18) Close Wireshark to complete this activity.  Quit without Saving to discard the captured traffic.
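To see what Wireshark is decoding in Activities 2 and 3, here is an added example (not part of the original activity) that parses a constructed DNS query and response: it reads the Recursion desired and Recursion available flags, walks the Queries and Answers sections (a CNAME record followed by an A record, using RFC 1035 name compression), and applies the basic check a resolver makes before trusting a response, namely that its transaction ID and question match the outstanding query. The packet bytes, the CNAME target cname-target.example and the address 192.0.2.10 are constructed for the example, not taken from a real capture.

```python
import struct

def read_name(msg, off):
    """Decode a DNS name, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to a name earlier in the message
            end = off + 2 if end is None else end       # resume after the first pointer only
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_dns(msg):
    """Parse header flags, Queries and Answers of a DNS message (the UDP payload Wireshark decodes)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    out = {"id": tid, "response": bool(flags & 0x8000), "rd": bool(flags & 0x0100),   # QR, RD bits
           "ra": bool(flags & 0x0080), "rcode": flags & 0xF, "queries": [], "answers": []}  # RA bit
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        out["queries"].append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = (read_name(msg, off)[0] if rtype == 5                       # CNAME: a (compressible) name
                 else ".".join(map(str, msg[off:off + 4])) if rtype == 1     # A: 4-byte IPv4 address
                 else msg[off:off + rdlen].hex())                            # anything else: raw hex
        out["answers"].append((name, rtype, ttl, rdata)); off += rdlen
    return out

def response_matches(query, response):  # basic resolver check: ID and question must match the query
    q, r = parse_dns(query), parse_dns(response)
    return r["response"] and not q["response"] and q["id"] == r["id"] and q["queries"] == r["queries"]

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

# Constructed sample packets, not a real capture; 192.0.2.10 is a documentation (TEST-NET-1) address.
QUESTION = encode_name("en.wikiversity.org") + struct.pack("!HH", 1, 1)          # type A, class IN
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION                # flags: recursion desired
CNAME_RDATA = encode_name("cname-target.example")
CNAME_RR = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(CNAME_RDATA)) + CNAME_RDATA  # owner = pointer to 12
CNAME_OFF = 12 + len(QUESTION) + 2 + 10                                          # offset of the CNAME target name
A_RR = struct.pack("!HHHIH", 0xC000 | CNAME_OFF, 1, 1, 300, 4) + bytes([192, 0, 2, 10])
RESPONSE = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + QUESTION + CNAME_RR + A_RR  # flags: QR, RD, RA
```

Compare the parsed flags and records with what Wireshark shows under Flags, Queries and Answers for your own capture; a response whose ID or question does not match the query you sent is one the resolver should discard.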