
Student Name: Nguyễn Nguyên Toàn Khoa

Student ID: 22110044

Lab 08: DNS


1. Overview
In this lab, students will explore several aspects of DNS by doing experiments with nslookup, exploring
DNS request/response messages with scapy, and writing code to spoof DNS queries. Students will dig
into the configuration of a DNS server with zone files and resource record declarations and, finally, the
client-side configuration that makes the resolver use the local DNS server correctly.
2. Objectives
This lab aims to provide students with the ability:
a) To use nslookup to check various DNS record types.
b) To explore DNS Query and Response messages with scapy.
c) To write a Python program demonstrating DNS spoofing.
d) To configure and run a docker container as a DNS server that enables access by name to any other
container in the docker-container set.
3. Lab Environment preparation
a) The nslookup tasks can be conducted on the host machine with Wireshark installed.
b) The task to explore the DNS Query and Response messages can be conducted with the Hftpd-slim
docker container set.
Important notes:
On some systems the apache-server container might fail to start because of the different ways the
newline character can be encoded in a script file. When that happens, follow the steps below to fix it:
o Open the file run.sh in the folder apache\Dockerfiles in VSCode.
o Click CRLF on the status bar and choose LF to change how the newline is encoded.
o Save the file.
o Rebuild the image with docker-compose build.
To enable sniffing and display the packet fields, remember to set the iface parameter to the correct
interface name in sniffer-host.
4. Tasks
4.1. nslookup
Refer to this link for checking various DNS record types with examples:

How to Use Nslookup Windows Command (11 Examples) - Active Directory Pro
And this link for 10 popular nslookup uses:

https://www.cloudns.net/blog/10-most-used-nslookup-commands/
a) On your host machine, start nslookup. What is the IP address of the default
DNS server? At the nslookup prompt, get the IP address of microsoft.com,
google.com, hcmute.edu.vn, . . .

Default server: vnpt.vn
Address: 2001:ee0:23::23
- Microsoft.com
- IP addresses of microsoft.com are:
o 2603:1030:b:3::152
o 2603:1030:20e:3::23c
o 2603:1030:c02:8::14
o 2603:1020:201:10::10f
o 2603:1010:3:3::5b
o 20.112.250.133
o 20.231.239.246
o 20.76.201.171
o 20.70.246.20
o 20.236.44.162
- HCMUTE.EDU.VN:
- IP address of hcmute.edu.vn is:
o 203.113.147.181
- DNS.GOOGLE:
- IP addresses of dns.google are:
o 2001:4860:4860::8844
o 2001:4860:4860::8888
o 8.8.8.8
o 8.8.4.4
b) The command nslookup -type= gets the information about a particular domain, where
can be replaced with MX (email exchange server), NS (name server), SOA (Start of
Authority), Any (everything) … Using the above nslookup command, get
information about the name server (NS), mail server (MX) and SOA of the domains
hcmute.edu.vn and hcmut.edu.vn. Give your comments about what you have observed.
o nslookup -type=ns hcmute.edu.vn
  Answer for hcmute.edu.vn:
  hcmute.edu.vn nameserver = ns99.vdc2.vn
  hcmute.edu.vn nameserver = ns100.vdc2.vn
o nslookup -type=ns hcmut.edu.vn
  Answer for hcmut.edu.vn:
  hcmut.edu.vn nameserver = dns4.hcmut.edu.vn
  hcmut.edu.vn nameserver = dns1.hcmut.edu.vn
  hcmut.edu.vn nameserver = dns3.hcmut.edu.vn
  hcmut.edu.vn nameserver = dns2.hcmut.edu.vn
o nslookup -type=mx hcmute.edu.vn
  Fields shown:
  - Domain name
  - MX preference, i.e. the priority for delivering mail
  - Mail server responsible for handling email traffic for the domain in question
  Answer:
  hcmute.edu.vn MX preference = 30, mail exchanger = aspmx4.googlemail.com
  hcmute.edu.vn MX preference = 20, mail exchanger = alt2.aspmx.l.google.com
  hcmute.edu.vn MX preference = 10, mail exchanger = aspmx2.aspmx.googlemail.com
  hcmute.edu.vn MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
  hcmute.edu.vn MX preference = 30, mail exchanger = aspmx3.googlemail.com
  hcmute.edu.vn MX preference = 10, mail exchanger = aspmx.l.google.com
  hcmute.edu.vn MX preference = 30, mail exchanger = aspmx2.googlemail.com
  hcmute.edu.vn MX preference = 30, mail exchanger = aspmx5.googlemail.com
o nslookup -type=mx hcmut.edu.vn
  Fields shown:
  - Domain name
  - MX preference, i.e. the priority for delivering mail
  - Mail server responsible for handling email traffic for the domain in question
  Answer:
  hcmut.edu.vn MX preference = 10, mail exchanger = alt3.aspmx.l.google.com
  hcmut.edu.vn MX preference = 10, mail exchanger = alt4.aspmx.l.google.com
  hcmut.edu.vn MX preference = 1, mail exchanger = aspmx.l.google.com
  hcmut.edu.vn MX preference = 5, mail exchanger = alt1.aspmx.l.google.com
  hcmut.edu.vn MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
o nslookup -type=soa hcmute.edu.vn
  Fields shown:
  - Domain name
  - Authoritative name server that holds the original and up-to-date DNS information for the domain
  - Email address of the administrator responsible for the domain
  - Version number (serial) of the DNS zone
  - Refresh, retry and expire intervals
  - Time-to-live
  Answer:
  hcmute.edu.vn
  primary name server = ns99.vdc2.vn
  responsible mail addr = info.vdc2.vn
  serial = 2024042005
  refresh = 10800 (3 hours)
  retry = 3600 (1 hour)
  expire = 1209600 (14 days)
  default TTL = 10800 (3 hours)
  hcmute.edu.vn nameserver = ns99.vdc2.vn
  hcmute.edu.vn nameserver = ns100.vdc2.vn
o nslookup -type=soa hcmut.edu.vn
  Fields shown:
  - Domain name
  - Authoritative name server that holds the original and up-to-date DNS information for the domain
  - Email address of the administrator responsible for the domain
  - Version number (serial) of the DNS zone
  - Refresh, retry and expire intervals
  - Time-to-live
  Answer:
  hcmut.edu.vn
  primary name server = dns1.hcmut.edu.vn
  responsible mail addr = webmaster.hcmut.edu.vn
  serial = 2024042502
  refresh = 1200 (20 mins)
  retry = 600 (10 mins)
  expire = 1209600 (14 days)
  default TTL = 3600 (1 hour)

- By using the nslookup command with the "-type=MX" argument, we can retrieve the
Mail Exchange records for the "hcmute.edu.vn" domain, which indicate the mail servers
responsible for handling email traffic for the domain. The MX preference value specifies
the priority of each server, with lower values indicating higher priority: an MX preference
value of 10 is given higher priority than one with a higher value.

- With the "-type=NS" argument, we obtain the authoritative name servers for the
"hcmute.edu.vn" domain. These servers maintain the domain's DNS records and provide
DNS resolution services to clients. The result of the command contains one or more
NS records, each giving the hostname of an authoritative name server for the domain.
The domain's servers are identified as VDC2.

- The "-type=SOA" argument retrieves the Start of Authority record for the
"hcmute.edu.vn" domain. This record includes many details, such as the primary
authoritative name server for the domain, the email address of the domain administrator,
a serial number, and various time intervals that determine how often and for how long
secondary name servers should cache and retry DNS responses.

c) Try nslookup -type=any vietnamnet.vn, explain what you have observed.

Explanation:
- When you run the command nslookup -type=any vietnamnet.vn, you are requesting a
DNS query of type "any" for the domain "vietnamnet.vn". In theory, this query
should return all types of DNS records available for that domain, including A records
(IP addresses), NS records (name servers), MX records (mail servers), and various
other types.
- In this case, however, the result only shows the A records (IP addresses) of the
domain "vietnamnet.vn"; there is no information about NS or MX records.

Answer (IPv4 addresses):
- vietnamnet.vn internet address = 202.134.19.181
- vietnamnet.vn internet address = 202.134.19.135
- vietnamnet.vn internet address = 202.134.19.64
- vietnamnet.vn internet address = 202.134.19.38
- vietnamnet.vn internet address = 202.134.19.16

4.2. Examine DNS Query and Response messages


To do this task, students must read the document that came along with this lab “DNS message – How
to read query and response message” or follow this link.
a. Attach to the console of client-host container.

b. Install scapy:
# apk add scapy

c. Start scapy.
d. Execute ls(DNS), ls(DNSQR), ls(DNSRR) to identify fields of DNS, DNSQR (DNS Query
Record), DNSRR (DNS Resource Record) packets.

- ls(DNS)

  Identified fields:
o length: Length of the DNS packet.
o id: Identification number of the DNS packet.
o qr: Query/Response flag (0 for query, 1 for response).
o opcode: Operation code.
o aa: Authoritative Answer flag.
o tc: Truncation flag.
o rd: Recursion Desired flag.
o ra: Recursion Available flag.
o z: Reserved for future use.
o ad: Authentic Data flag.
o cd: Checking Disabled flag.
o rcode: Response code.
o qdcount: Number of entries in the question section.
o ancount: Number of resource records in the answer section.
o nscount: Number of name server resource records in the authority records section.
o arcount: Number of resource records in the additional records section.
o qd: DNS Question Record.

- ls(DNSQR)

  Identified fields:
o qname: Name being queried.
o qtype: Type of query (e.g., A, AAAA, MX, NS).
o qclass: Query class (usually IN for internet).
- ls(DNSRR)

  Identified fields:
o rrname: Name of the resource record.
o type: Type of resource record (e.g., A, AAAA, MX, NS).
o rclass: Class of the resource record (usually IN for internet).
o ttl: Time to Live value.
o rdlen: Length of the resource data.
o rdata: Resource data, which can be of various types (e.g., IP address, domain
name).
e. We will pack a DNS query to Google for the Resource Records belonging to a particular
domain, namely www.google.com (you are free to choose any other domain name for the
query):
>>> ip = IP(dst='8.8.8.8')
>>> udp = UDP(dport=53)
>>> dns = DNS(rd=1, qd=DNSQR(qname="www.google.com"))
>>> qry = ip/udp/dns
>>> qry
<IP frag=0 proto=udp dst=8.8.8.8 |<UDP sport=domain dport=domain |<DNS rd=1 qd=<DNSQR
qname='www.google.com' |> |>>>

The query is then sent with the sr1 function (send/receive one):
>>> an=sr1(qry)
Begin emission:
Finished sending 1 packets.
..*

Received 3 packets, got 1 answers, remaining 0 packets

Print out the response message:


>>> an
<IP version=4 ihl=5 tos=0x0 len=76 id=58717 flags=DF frag=0 ttl=63 proto=udp chksum=0x8fbf
src=8.8.8.8 dst=172.16.10.100 |<UDP sport=domain dport=domain len=56 chksum=0xc6cd |<DNS
id=0 qr=1 opcode=QUERY aa=0 tc=0 rd=1 ra=1 z=0 ad=0 cd=0 rcode=ok qdcount=1 ancount=1
nscount=0 arcount=0 qd=<DNSQR qname='www.google.com.' qtype=A qclass=IN |> an=<DNSRR
rrname='www.google.com.' type=A rclass=IN ttl=231 rdlen=None rdata=142.251.42.228 |> ns=None
ar=None |>>>
-> The DNS query packet contains:
- an IP header with "frag=0", showing that the packet isn't fragmented;
- "proto=udp", indicating UDP as the transport protocol;
- "dst=8.8.8.8" as the destination IP address. The UDP layer's source and destination ports are set to 53
(DNS). The DNS layer has a query section that includes a DNS question record, with the qname field set
to "www.google.com" and the recursion desired flag set to 1.
In the response to the DNS query packet, the IP layer specifies details such as the IP version
(IPv4), Internet Header Length (IHL), Type of Service (TOS), total length (76 bytes), identification
number, flags, fragmentation offset, Time to Live (TTL), protocol (UDP), checksum, source IP
address (8.8.8.8) and destination IP address (172.16.10.10). The UDP layer specifies the source and
destination port numbers (domain), the length of the UDP datagram (56 bytes) and the checksum. Finally, the
DNS layer specifies all the fields of the DNS message [ls(DNS)].
f. Replace the qtype field in the DNSQR layer with another resource record type, namely NS:
>>> qry[DNSQR].qtype='NS'
then resend the new DNS query:
>>> an = sr1(qry)
What do you observe in the DNS response message? Give your comments.

This packet represents a DNS query response. Here is a breakdown of its components:
- IP Header:
  - Version: IPv4
  - Total Length: 76 bytes
  - Identification: 4599
  - TTL: 63
  - Protocol: UDP
  - Source IP: 8.8.8.8
  - Destination IP: 172.16.10.10
- UDP Layer:
  - Source Port: DNS (domain)
  - Destination Port: 15946
  - Length: 56 bytes
- DNS Layer:
  - ID: 0
  - QR (Query/Response): Response (1)
  - Opcode: QUERY
  - Recursion Desired (RD): Yes (1)
  - Recursion Available (RA): Yes (1)
  - Question Count (qdcount): 1
  - Answer Count (ancount): 1
  - Name Server Count (nscount): 0
  - Additional Record Count (arcount): 0
  - Query Section:
    - QNAME: 'www.google.com.'
    - QTYPE: A (IPv4 address)
    - QCLASS: IN (Internet)
  - Answer Section:
    - RRName: 'www.google.com.'
    - Type: A (IPv4 address)
    - Class: IN (Internet)
    - TTL: 195 seconds
    - RDATA: 142.250.66.100
This packet is a DNS response from 8.8.8.8 to 172.16.10.10, providing the IPv4 address 142.250.66.100
associated with "www.google.com".
The DNS response to the query for the domain 'www.google.com' does not contain an answer section, as
indicated by the value of ancount being 0. However, there is one record in the name server section, with
nscount set to 1.
g. Set qname field in DNSQR layer with other domain values, namely hcmute.edu.vn,
vietnamnet.vn then resend those messages. Give your comment about the response messages.

- Name: hcmute.edu.vn:

- Name: vietnamnet.vn:
- There are no DNS resource records of type SOA (DNSRRSOA) for either domain,
"hcmute.edu.vn" or "vietnamnet.vn" -> neither of them provides Start of Authority
(SOA) records in its DNS query responses.
4.3. Writing code to display the DNS Query, DNS Response
Carefully look at the DNS message fields and add code to the sniff3.py program to print out the DNS
Query as well as the DNS Response as below:
Before:

After edit:
The code "sniff3.py" has been modified to detect UDP packets that contain a DNS query
(DNSQR) or DNS resource record (DNSRR) layer. If such packets are found, the code
will extract the IP address from the DNS response and display it on the console. If the IP
address is in IPv6 format with the prefix "::ffff:", the code will remove the prefix and
display only the actual IP address. Additionally, the code will go through all the answers
in the DNS response and display their data on the console.

In the case of a DNSQR packet with qname='vietnamnet.vn', if the Apache server machine
pings 'vietnamnet.vn', the code will capture the DNS response packet, extract the IP
address from it, and display it on the console. If the DNS server returns an IPv6 address
with the prefix "::ffff:", the code will remove the prefix and display only the actual IP
address. The code will also display all the answers in the DNS response on the console.

Pinging “vietnamnet.vn” in client-host


On the sniffer-host machine, we catch the DNS response with sniff3.py; the output is exactly as expected.
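To make the fields listed under ls(DNS), ls(DNSQR) and ls(DNSRR) above concrete, and to show what a sniff3.py-style printer has to do with a raw DNS payload (including the "::ffff:" handling), here is an added stand-alone parser written for this page using only the Python standard library. It is not the lab's sniff3.py, and the sample response bytes are constructed to match the step-e output, not captured from the network.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA"}  # other types stay numeric

def read_name(msg, off):
    """Decode the domain name at msg[off], following RFC 1035 compression pointers; return (name, end offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                  # 11xxxxxx: two-byte pointer to an earlier copy of the name
            end = off + 2 if not jumped else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:                              # the root label terminates the name
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)

def parse_dns(msg):
    """Return (header, questions, answers) of one DNS message, i.e. the UDP payload on port 53."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    hdr = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
           "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "ad": (flags >> 5) & 1,
           "cd": (flags >> 4) & 1, "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    off, questions, answers = 12, [], []
    for _ in range(qd):                          # question section: qname, qtype, qclass (DNSQR)
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append({"qname": qname, "qtype": QTYPES.get(qtype, qtype), "qclass": qclass})
    for _ in range(an):                          # answer section: rrname, type, rclass, ttl, rdlen, rdata (DNSRR)
        rrname, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            rdata = str(IPv4Address(rdata))
        elif rtype == 28:                        # an IPv4-mapped AAAA (::ffff:a.b.c.d) is shown as plain IPv4, as sniff3.py does
            v6 = IPv6Address(rdata)
            rdata = str(v6.ipv4_mapped or v6)
        elif rtype in (2, 5):                    # NS and CNAME rdata is a (possibly compressed) name
            rdata = read_name(msg, off - rdlen)[0]
        answers.append({"rrname": rrname, "type": QTYPES.get(rtype, rtype), "ttl": ttl, "rdata": rdata})
    return hdr, questions, answers

# Constructed sample, not a capture: the step-e response (id=0, rd=ra=1, one A answer, ttl 231, 142.251.42.228)
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03www\x06google\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\xe7\x00\x04\x8e\xfb\x2a\xe4")
```

The header dictionary maps one-to-one onto the ls(DNS) fields, so parse_dns(SAMPLE_RESPONSE) reproduces the qr/rd/ra/ancount values and the A answer shown in the scapy output above.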

4.4. DNS spoofing with scapy


Add a file named RedirectPakage.py in Hftpd_slim/source.
Add another file named "dnspoof.py" in Hftpd_slim/apache/source with the code:

In docker-compose.yml, modify the volumes of the apache container: mount ./apache/source to
/var/www/localhost/ so that dns_spoof.py can be run in apache-server.

Rebuild Hftpd_slim.
Run dns_spoof.py in the apache-server terminal.

Open another terminal and access sniffer-host/mdir.

Replace 78c94be09f31 at 34: in the file redirectPakage.

Run redirectPackage.py in the sniffer-host terminal.

On another terminal, access the client-host and run tcpdump.

4.5. Setup DNS server for the whole docker-container Hftpd-slim domain
Configure the file named.conf.options
Configure the file named.conf.local

Configure db.nees.com

Edit the Dockerfile
* Running:
+ First, build the docker image

+ Next, create a network in my Docker environment

+ Then, run a container in the background, using the same IP as in the db.nees.com file and the Docker
network created above:
+ Enable the bind daemon
+ Run the two hosts using the dns-server container as their DNS server
All 3 containers are running now:

Ping host2.nees.com

Try nslookup