DNS Auditing Tools

DNS consists of two parts: a resolver (the client part) and the Internet name server hierarchies. For operational details, consult the tools' manual pages as well as the man pages for resolver(3) or resolv.conf(5). The most widespread package is the Berkeley Internet Name Domain (BIND) toolset; however, there are alternatives, as well as new approaches for securing name server communications and for signing/hashing the information exchange (DNSSEC). Discussion of these tools goes beyond the scope of this book. We will use them in a limited way when discussing DNS round-robin (DNS RR) as a load-balancing approach. The standard query tools are nslookup, dig, and host (see Example 6-4).

Example 6-4. DNS Toolbox: dig, nslookup, and host

[root@callisto:~#] dig www.cisco.com

; <<>> DiG 9.2.2 <<>> www.cisco.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cisco.com.                 IN      A

;; ANSWER SECTION:
www.cisco.com.          36356   IN      A       198.133.219.25

;; AUTHORITY SECTION:
cisco.com.              38430   IN      NS      ns1.cisco.com.
cisco.com.              38430   IN      NS      ns2.cisco.com.

;; Query time: 9 msec
;; SERVER: 195.34.133.10#53(195.34.133.10)
;; WHEN: Sat Jan 31 10:31:42 2004
;; MSG SIZE  rcvd: 83

[root@callisto:~#] nslookup www.cisco.com
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server:         195.34.133.10
Address:        195.34.133.10#53

Non-authoritative answer:
Name:   www.cisco.com
Address: 198.133.219.25

[root@callisto:~#] host www.cisco.com
www.cisco.com has address 198.133.219.25
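
Reading the dig response in Example 6-4 for an audit record, as an added example that is not from the book: the shell function below (dig_summary, a hypothetical name) parses saved dig output and reports the status, the header flags, whether the aa (authoritative answer) flag is set, the responding server, and the A and NS records. The sample input is the Example 6-4 response, trimmed to the lines the parser reads.

```shell
#!/bin/sh
# Added example (not from the book): summarise saved dig output for an audit log.

# Sample input: the dig response from Example 6-4, trimmed to the parsed lines.
sample_dig_output() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61084
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.cisco.com.                 IN      A
;; ANSWER SECTION:
www.cisco.com.          36356   IN      A       198.133.219.25
;; AUTHORITY SECTION:
cisco.com.              38430   IN      NS      ns1.cisco.com.
cisco.com.              38430   IN      NS      ns2.cisco.com.
;; SERVER: 195.34.133.10#53(195.34.133.10)
EOF
}

# dig_summary (hypothetical name): read dig output on stdin, print key=value lines.
dig_summary() {
  awk '
    /^;; ->>HEADER<<-/ {                 # response code follows "status:"
      for (i = 1; i < NF; i++)
        if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
    }
    /^;; flags:/ {                       # header flags, e.g. "qr rd ra"
      flags = $0; sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
      # aa set means the reply came from a server authoritative for the zone
      aa = index(" " flags " ", " aa ") ? "yes" : "no"
    }
    /^;; SERVER:/ { server = $3; sub(/#.*/, "", server) }
    /^;; [A-Z]+ SECTION:/ { section = $2; next }
    /^;/ || NF == 0 { next }             # skip comment and blank lines
    section == "ANSWER" && $4 == "A" { a = (a == "" ? "" : a ",") $5 }
    section == "AUTHORITY" && $4 == "NS" { ns = (ns == "" ? "" : ns ",") $5 }
    END {
      printf "status=%s\nflags=%s\nauthoritative=%s\n", st, flags, aa
      printf "server=%s\na_records=%s\nns_records=%s\n", server, a, ns
    }'
}

# Stand-alone run over the embedded sample.
sample_dig_output | dig_summary
```

The flags qr rd ra carry no aa bit, which is the same condition nslookup reports as "Non-authoritative answer": the reply came from the resolver at 195.34.133.10, not from ns1 or ns2. On a live system the function reads real output the same way, for example dig www.cisco.com | dig_summary.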


In addition, it is worth mentioning another useful tool, dnstracer; Example 6-5 shows it in use.

Example 6-5. dnstracer Example Output

[root@callisto:~#] dnstracer -s . www.cisco.com -o
Tracing to www.cisco.com via A.ROOT-SERVERS.NET, timeout 15 seconds
A.ROOT-SERVERS.NET [.] (198.41.0.4)
 |\___ M.GTLD-SERVERS.NET [com] (192.55.83.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) Got authoritative answer
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) Got authoritative answer
 |\___ E.GTLD-SERVERS.NET [com] (192.12.94.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ K.GTLD-SERVERS.NET [com] (192.52.178.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ J.GTLD-SERVERS.NET [com] (192.48.79.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ F.GTLD-SERVERS.NET [com] (192.35.51.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ L.GTLD-SERVERS.NET [com] (192.41.162.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ D.GTLD-SERVERS.NET [com] (192.31.80.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ B.GTLD-SERVERS.NET [com] (192.33.14.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ I.GTLD-SERVERS.NET [com] (192.43.172.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ C.GTLD-SERVERS.NET [com] (192.26.92.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ H.GTLD-SERVERS.NET [com] (192.54.112.30)
 |     |\___ NS2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ NS1.cisco.com [cisco.com] (128.107.241.185) (cached)
 |\___ G.GTLD-SERVERS.NET [com] (192.42.93.30)
 |     |\___ ns2.cisco.com [cisco.com] (192.135.250.69) (cached)
 |      \___ ns1.cisco.com [cisco.com] (128.107.241.185) (cached)
  \___ A.GTLD-SERVERS.NET [com] (192.5.6.30)
       |\___ ns2.cisco.com [cisco.com] (192.135.250.69) (cached)
        \___ ns1.cisco.com [cisco.com] (128.107.241.185) (cached)

NS1.cisco.com (128.107.241.185)         www.cisco.com -> 198.133.219.25
NS2.cisco.com (192.135.250.69)          www.cisco.com -> 198.133.219.25


The Windows Sam Spade freeware toolbox contains all of these tools and more, as shown in Figure 6-13.

Figure 6-13. Windows Sam Spade Toolbox
