1
00:00:00,000 --> 00:00:07,694

2
00:00:07,694 --> 00:00:12,327
In this segment, we're going to talk a little bit more about the Domain Name System.

3
00:00:12,327 --> 00:00:20,048
And we're going to look at some other ways to analyze the DNS process

4
00:00:20,048 --> 00:00:25,325
so that we can troubleshoot for problems.

5
00:00:25,325 --> 00:00:35,192
So, one of the key concepts with looking at DNS is that understanding how it resolves is key,

6
00:00:35,204 --> 00:00:39,217
and if you understand how the client resolves the DNS,

7
00:00:39,225 --> 00:00:44,817
and how it provides its host information or domain information,

8
00:00:44,817 --> 00:00:49,132
you're starting in a place where you can now

9
00:00:49,132 --> 00:00:52,848
work out into the hierarchy of DNS and understand

10
00:00:52,848 --> 00:00:55,429
more concepts of how it works.

11
00:00:55,429 --> 00:00:58,069
So as an example, as you can see here,

12
00:00:58,069 --> 00:01:02,558
clients make a request by using a DNS name.

13
00:01:02,558 --> 00:01:08,354
So, quite simply, if I wanted to get to the INE website,

14
00:01:08,354 --> 00:01:14,640
I could put www.ine.com into a web browser.

15
00:01:14,640 --> 00:01:22,107
However, what that's really doing is resolving that, and it's really telling the machine that it's

16
00:01:22,107 --> 00:01:30,999
75.140.41.225, and to go to that public IP address to access that website.

17
00:01:30,999 --> 00:01:37,743
So again, we can do a couple of different things from the client if the DNS server does not

18
00:01:37,762 --> 00:01:41,605
work correctly or you suspect there's a problem with the DNS server.

19
00:01:41,602 --> 00:01:46,236
You could go into the local hosts file of your system.
20
00:01:46,236 --> 00:01:52,064
And you can add that IP address to domain name resolution,

21
00:01:52,058 --> 00:01:57,071
and it will look at that hosts file as well as the DNS server

22
00:01:57,071 --> 00:02:03,271
to try to figure out that resolution, or resolve it, and will send you there.

23
00:02:03,271 --> 00:02:06,677
So that's a quick way to find if you have a problem

24
00:02:06,677 --> 00:02:10,544
with DNS on your network: just quickly add that information.

25
00:02:10,544 --> 00:02:16,151
That information is also in what's called an A record on your DNS server.

26
00:02:16,146 --> 00:02:22,158
That A record could have an issue where it's not configured correctly, or it's just not there,

27
00:02:22,176 --> 00:02:25,186
or it was configured in one zone

28
00:02:25,199 --> 00:02:29,540
and it had not yet replicated to the zone that you're using.

29
00:02:29,540 --> 00:02:33,129
And therefore, you're not able to resolve.

30
00:02:33,127 --> 00:02:37,526
So, there are quite a few reasons why DNS will not work for you,

31
00:02:37,526 --> 00:02:40,878
but you have to remember what the DNS resolution process is

32
00:02:40,878 --> 00:02:43,525
so that you can start to troubleshoot with it.

33
00:02:43,525 --> 00:02:49,711
Know where to put your analyzer and really see what it is that you're trying to find, because

34
00:02:49,711 --> 00:02:55,521
you have to know what the query looks like and you have to know, for example, pointer records.

35
00:02:55,529 --> 00:03:00,060
What is it pointing at? If you have a reverse zone lookup, what does that mean?

36
00:03:00,060 --> 00:03:05,188
And you could see all that stuff within the capture. And we will look at that.

37
00:03:05,188 --> 00:03:10,334
So also, when the client uses an FQDN, which is a fully qualified domain name,

38
00:03:10,334 --> 00:03:13,827
the resource can be found in excess.

39
00:03:13,827 --> 00:03:17,858
So, it's not just necessarily the host name.
40
00:03:17,858 --> 00:03:27,273
If you're machine 1 at a domain, you would want the full domain name to be able to resolve.

41
00:03:27,273 --> 00:03:30,359
So, there'll be times where you're trying to log in to something

42
00:03:30,364 --> 00:03:33,434
and it'll tell you you have incorrect information;

43
00:03:33,439 --> 00:03:39,151
you might have to add the entire fully qualified domain name to be able to access that resource.

44
00:03:39,151 --> 00:03:43,712
So, these are some client-related issues that you may come across.

45
00:03:43,712 --> 00:03:46,519
What can you see in Wireshark?

46
00:03:46,517 --> 00:03:50,518
Very easily you could see the failures that are taking place

47
00:03:50,519 --> 00:03:54,861
from the client to the server, as well as from server to other servers.

48
00:03:54,861 --> 00:03:58,335
So, one of the things that you want to consider here,

49
00:03:58,344 --> 00:04:02,006
and it's been the mantra of the entire course, is placement.

50
00:04:02,006 --> 00:04:06,256
You want to make sure that if you're looking to place your

51
00:04:06,256 --> 00:04:11,675
Wireshark analyzer on the network to be able to capture this traffic,

52
00:04:11,680 --> 00:04:14,563
where exactly are you going to place it?

53
00:04:14,563 --> 00:04:18,283
So for this example, we placed it on a machine

54
00:04:18,283 --> 00:04:21,025
that was trying to make a simple web query.

55
00:04:21,025 --> 00:04:24,223
And when we did this, we were able to see

56
00:04:24,223 --> 00:04:28,900
specifics on the client trying to access the server,

57
00:04:28,920 --> 00:04:32,277
and the whole process of taking, you know,

58
00:04:32,279 --> 00:04:36,049
the query and trying to resolve the domain name

59
00:04:36,049 --> 00:04:40,424
to the IP address and back and forth, so that we can access the resource.
60
00:04:40,424 --> 00:04:43,297
But as you could see, there's a lot of packets here and

61
00:04:43,297 --> 00:04:48,705
we're not quite sure what's taking place in this entire stream here.

62
00:04:48,705 --> 00:04:51,469
So let's take a look at something a little bit more in depth.

63
00:04:51,469 --> 00:04:55,555
Let's take a look at the stream.

64
00:04:55,555 --> 00:04:58,229
So we learned this in an earlier module

65
00:04:58,229 --> 00:05:01,332
where we took a look at TCP and UDP streams,

66
00:05:01,341 --> 00:05:05,675
and if you recall, what we were able to find from this

67
00:05:05,675 --> 00:05:09,827
is if we look at the entire stream from start to finish of a conversation,

68
00:05:09,827 --> 00:05:14,652
we were able to see packet by packet what was really taking place,

69
00:05:14,652 --> 00:05:18,550
and by doing so, we were able to pull some information out of it.

70
00:05:18,550 --> 00:05:22,670
So some of the information that we were able to pull from the stream

71
00:05:22,670 --> 00:05:26,430
was, A, we were able to see the entire conversation,

72
00:05:26,438 --> 00:05:29,087
to be able to see if there's anything inside it.

73
00:05:29,087 --> 00:05:32,328
For example, any anomalies that might have popped up

74
00:05:32,342 --> 00:05:37,676
that may have flagged an issue for you to look at further.

75
00:05:37,670 --> 00:05:41,287
You could have seen false record information.

76
00:05:41,287 --> 00:05:46,736
You can see the zone information. Maybe you're getting information from the incorrect zone.

77
00:05:46,736 --> 00:05:50,390
Maybe you have an incorrect name server configured.

78
00:05:50,397 --> 00:05:54,950
Sometimes there are multiples: there's a primary, a secondary, a tertiary.

79
00:05:54,950 --> 00:06:00,109
Maybe you want to see which ones were configured and which ones were answering.

80
00:06:00,109 --> 00:06:05,010
So there's a lot of information that you can pull from the stream.
81
00:06:05,010 --> 00:06:08,959
We will do this live so that you can see specifically

82
00:06:08,959 --> 00:06:16,660
how to do the stream, but here, if you go into the configuration

83
00:06:16,660 --> 00:06:22,386
and you look at Follow UDP Stream,

84
00:06:22,386 --> 00:06:27,231
we were able to see the entire conversation as it took place from start to finish,

85
00:06:27,231 --> 00:06:32,650
where we were trying to get, in this instance, we were trying to get to google.com.

86
00:06:32,650 --> 00:06:42,451
We had some information returned to us from 104.9.192.66.in-addr.arpa,

87
00:06:42,452 --> 00:06:44,424
and that is a reverse zone.

88
00:06:44,424 --> 00:06:47,846
We were able to then further look up other queries

89
00:06:47,846 --> 00:06:52,049
and see that it was answering back based on that reverse lookup.

90
00:06:52,049 --> 00:06:56,058
So, there's a lot of information that you can pull from the stream.

91
00:06:56,058 --> 00:06:59,174
Remember what we learned in the last module:

92
00:06:59,174 --> 00:07:03,144
how to go into the details to see if it's responding from the client.

93
00:07:03,144 --> 00:07:04,998
You were getting recursive queries.

94
00:07:04,998 --> 00:07:08,051
And/or you can look at the entire segment as a whole,

95
00:07:08,051 --> 00:07:14,864
and see specifically what the entire conversation or the communication was showing you.

96
00:07:14,864 --> 00:07:22,317