1
00:00:00,000 --> 00:00:08,137

2
00:00:08,137 --> 00:00:11,556
In our next module, we will be discussing

3
00:00:11,556 --> 00:00:15,476
the capturing and analyzing of DNS.

4
00:00:15,476 --> 00:00:20,469
So, DNS, the domain name system, is a

5
00:00:20,469 --> 00:00:24,727
hierarchical system used to help you to use

6
00:00:24,727 --> 00:00:28,283
common friendly names instead of memorizing

7
00:00:28,283 --> 00:00:33,969
dozens of IP addresses to get to resources.

8
00:00:33,968 --> 00:00:36,413
It also allows for easy configuration.

9
00:00:36,413 --> 00:00:40,991
So if you always have a resource record or any record

10
00:00:40,991 --> 00:00:45,380
where you have a host name defined,

11
00:00:45,380 --> 00:00:49,971
you can change the IP address and refresh your record,

12
00:00:49,971 --> 00:00:55,562
and it allows you to be able to reconfigure things on your network pretty easily.

13
00:00:55,576 --> 00:00:59,826
However, a lot of things can go wrong with DNS.

14
00:00:59,834 --> 00:01:03,733
And since the system is quite complex,

15
00:01:03,733 --> 00:01:07,171
been around for a long time, UNIX-based BIND.

16
00:01:07,171 --> 00:01:11,753
Microsoft has its own version of DNS, very commonly used.

17
00:01:11,753 --> 00:01:16,110
There's a lot of configuration, there's a lot of things

18
00:01:16,110 --> 00:01:18,531
that could happen from one point to another.

19
00:01:18,531 --> 00:01:23,063
For example, a DNS server sending its information

20
00:01:23,063 --> 00:01:26,782
using it as a forwarder to another DNS server.

21
00:01:26,782 --> 00:01:31,500
These types of things could cause issues.

22
00:01:31,500 --> 00:01:35,496
If you had problems with the transferring of zones,

23
00:01:35,496 --> 00:01:41,994
if you had stale records, there's just so many things that could take place.

24
00:01:41,994 --> 00:01:50,466
Whereas we can use Wireshark to start isolating and troubleshooting these issues.

25
00:01:50,466 --> 00:01:56,637
So, DNS, the domain name system,

26
00:01:56,636 --> 00:01:59,203
sometimes you see it as the domain name servers,

27
00:01:59,203 --> 00:02:03,639
that's generally, if it's the domain name server, on a Windows system.

28
00:02:03,639 --> 00:02:12,654
Again, it will allow you to resolve IP addresses to host names.

29
00:02:12,654 --> 00:02:15,192
Friendly, fully qualified domain names

30
00:02:15,192 --> 00:02:18,318
so that you can access a website by

31
00:02:18,326 --> 00:02:21,300
saying INE.com instead of memorizing

32
00:02:21,300 --> 00:02:25,302
and having to use the IP address.

33
00:02:25,302 --> 00:02:31,560
So, very commonly used. We can use Wireshark to filter the data

34
00:02:31,560 --> 00:02:35,257
via IP address or domain name.

35
00:02:35,257 --> 00:02:39,436
And/or port, UDP 53 for queries and

36
00:02:39,436 --> 00:02:42,337
TCP 53 for zone transfers.

37
00:02:42,337 --> 00:02:44,978
And you can also review the stream,

38
00:02:44,978 --> 00:02:49,469
which we will look at, to be able to ascertain any problems within it

39
00:02:49,469 --> 00:02:52,858
and see if there's anything that is not working correctly.

40
00:02:52,858 --> 00:02:56,952
We'll talk about recursive queries and

41
00:02:56,952 --> 00:03:00,011
how that can be an issue, how to find that in Wireshark,

42
00:03:00,011 --> 00:03:06,224
and some other information that may be helpful to you.

43
00:03:06,224 --> 00:03:09,867
So that being said, one of the most common things here,

44
00:03:09,867 --> 00:03:14,569
in here we have a simple Linux dig query.

45
00:03:14,569 --> 00:03:18,070
Essentially, if you did a DNS lookup on Windows

46
00:03:18,078 --> 00:03:21,238
or you did a dig on a Unix or Linux box,

47
00:03:21,238 --> 00:03:29,621
you're going to get your DNS server to respond to you so that you know you can use DNS.

48
00:03:29,614 --> 00:03:33,395
It doesn't mean that the DNS server is configured correctly,

49
00:03:33,395 --> 00:03:36,063
it'll give the information that you needed.

50
00:03:36,063 --> 00:03:42,686
It just means that you are configured to and can use specifically a DNS server.

51
00:03:42,686 --> 00:03:51,164
You can use tshark to run it from the command line.

52
00:03:51,164 --> 00:03:55,484
And you can do a dig and then you can run a tshark and you can capture the DNS query.

53
00:03:55,484 --> 00:03:58,990
We looked at tshark in an earlier module.

54
00:03:58,990 --> 00:04:04,076
And by doing so, we were able to see some packets

55
00:04:04,076 --> 00:04:09,907
transfer over the network, and we actually did a dig at that time to generate the traffic.

56
00:04:09,907 --> 00:04:13,095
But this is a way that you can do it within tshark.

57
00:04:13,095 --> 00:04:18,292
And/or if you're looking at the Wireshark GUI, which we will do momentarily.

58
00:04:18,292 --> 00:04:22,471
Regardless of tshark or Wireshark in GUI form,

59
00:04:22,479 --> 00:04:24,479
you could find quite a few things like

60
00:04:24,471 --> 00:04:30,356
a problem with a failed DNS server, maybe there's a problem where

61
00:04:30,369 --> 00:04:34,457
the information is stale or poisoned and is giving you incorrect information,

62
00:04:34,457 --> 00:04:37,727
or the wrong DNS server is replying.

63
00:04:37,727 --> 00:04:40,672
So there's quite a few things that we can see here.

64
00:04:40,672 --> 00:04:49,055
And when we open up a capture, we can see specifically how DNS operates.

65
00:04:49,055 --> 00:04:54,457
So in this capture, we just did some simple requests

66
00:04:54,457 --> 00:05:00,026
and we wanted to find a website. Here we look for google.com,

67
00:05:00,026 --> 00:05:03,395
and by doing so, we got the response.

68
00:05:03,395 --> 00:05:10,354
And if we drill down, we can see specifically, here, that it was a recursive request.

69
00:05:10,354 --> 00:05:15,963
And by looking at the recursion, let's explain what that means really quickly.

70
00:05:15,963 --> 00:05:18,941
When you do a recursive name query,

71
00:05:18,941 --> 00:05:23,559
the client will ask the DNS server to respond

72
00:05:23,559 --> 00:05:27,935
and it will ask for the resource record,

73
00:05:27,935 --> 00:05:31,136
the RR, or it will get an error message

74
00:05:31,136 --> 00:05:35,350
that the record and/or that domain may not exist.

75
00:05:35,350 --> 00:05:40,801
So, it's basically the client asking for information,

76
00:05:40,801 --> 00:05:46,215
and we can see that in the capture here as a recursion desired.

77
00:05:46,215 --> 00:05:50,480
We saw that the server here did respond

78
00:05:50,514 --> 00:05:59,213
and gave it the information and was able to allow this SNTP to send email.

79
00:05:59,213 --> 00:06:05,093
So as we can see, we continuously see that the recursions take place.

80
00:06:05,093 --> 00:06:10,626
And here we could see that the recursion was available and the server did reply.

81
00:06:10,626 --> 00:06:16,625
So that is the quick way to find if your DNS server is actually responding

82
00:06:16,625 --> 00:06:20,575
to the clients, by looking into the capture.

83
00:06:20,575 --> 00:06:27,808
Capture DNS queries, we could see it's using UDP 453.

84
00:06:27,810 --> 00:06:32,482
And we could see from inside the flags of the capture

85
00:06:32,482 --> 00:06:36,288
that, specifically, it was doing a recursive query.

86
00:06:36,288 --> 00:06:39,031
And it got the response it needed.

87
00:06:39,031 --> 00:06:42,643
So as an example, if it wasn't responding,

88
00:06:42,643 --> 00:06:45,488
then you would continuously see the queries

89
00:06:45,488 --> 00:06:47,085
but you would never see the answer back.

90
00:06:47,085 --> 00:06:50,892
So that's one way to see that you have possibly

91
00:06:50,892 --> 00:06:55,405
a problem with the server itself or the information on the server,

92
00:06:55,413 --> 00:06:59,999
that it's not able to respond to your request.

93
00:06:59,999 --> 00:07:06,236
And here, as you could see, we did the same thing with tshark.

94
00:07:06,236 --> 00:07:10,561
And we were looking and we saw the recursive queries.

95
00:07:10,554 --> 00:07:13,071
We were not seeing an answer back,

96
00:07:13,071 --> 00:07:18,939
and that's how we found that we were having some type of client-to-DNS-server issue

97
00:07:18,939 --> 00:07:23,203
through it not getting information back that it needed.

98
00:07:23,193 --> 00:07:25,083
It did not have the record and therefore,

99
00:07:25,083 --> 00:07:29,065
it was not able to communicate on the network.

100
00:07:29,065 --> 00:07:35,470