
    _________________________________________________________
    
    GUIDE TO (mostly) HARMLESS HACKING
    
    
    
    Vol. 3 No. 9
    
    
    
    Domain Name Service for Newbies
    
    ____________________________________________________________
    
    
    
    
    
    by keydet89@yahoo.com
    
    
    
    What is DNS?
    
    
    
    [What is it?]
    
    [Web-based Tools]
    
    [nslookup]
    
    [Final words]
    
    [Resources]
    
    
    
    This is a question that has likely popped up over
    
    and over...what is DNS?  Oh, and why should I care?
    
    
    
    [What is it?]
    
    Well, the Domain Name System (DNS) is, at its core, nothing more

    than a distributed database for translating human-readable host

    names (the "www.target.com" part of a URL) into machine-readable

    IP addresses...and, as we'll see, for going the other way and

    for a few related bits of information such as where a domain's

    mail should be delivered.  Really.  That's it.
    
    
    
    The current DNS that is used on the Internet is the direct

    result of the incredible growth of the Internet.  Back in

    the early days, when the network was in its infancy and

    called "ARPANet", the network itself was fairly small, i.e.,

    a hundred or so hosts.  At that point it was very simple to

    keep track of hosts: the hostname-to-address information was

    kept on the computers themselves in a host table (the file

    HOSTS.TXT).  The master copy was maintained by the Network

    Information Center at SRI (SRI-NIC), and as updates were made,

    the file was distributed to the other hosts on the network.

    But as the network grew, this method of keeping track of hosts

    became unmanageable.
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  For more information on the history of the Internet
    
    from the Happy Hacker herself (Carolyn), check out:
    
    http://www.techbroker.com/test/gtmhh/vol2.htm
    
    **************************************************************
    
    
    
    A new method of managing this information was needed, and Paul

    Mockapetris designed DNS in 1983 (RFCs 882 and 883, later

    replaced by RFCs 1034 and 1035).  DNS is a distributed system:

    each organization maintains its own piece of the data, which

    makes it far easier to update.  The DNS namespace is a

    hierarchical tree...that is, it starts at the "root", and the

    "leaves" proceed down the "tree" from there.  See the below

    "graphic" for an example of this tree hierarchy:
    
    
    
    
    
                       .(root)
    
                       |
    
       ---------------------------------
    
       |          |         |          |
    
     .com       .edu      .net       .org
    
       |
    
       ---------------------------
    
       |                          |
    
    .target1.com            .target.com
    
                                  |
    
                            -------------
    
                            |            |
    
                          host1        host2
    
    
    
    
    
    You can see the hosts host1 and host2 within target.com at the

    bottom of the "tree", and how to trace down to them from the

    "root": root, then ".com", then "target.com", then the host.
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  You may have heard of InterNIC, which is responsible
    
    for domain name registration services for the .com, .edu, .net,
    
    and .org domains.  This means that they register domains ending
    
    in those extensions.  So if you want to register your own domain
    
    name, you can go to their site at http://www.internic.net and
    
    see if the name is already taken, and see what information you need
    
    in order to register your own domain.  InterNIC is run by a
    
    company known as Network Solutions, which is a subsidiary of
    
    SAIC.
    
    
    
    This site also has a web-based whois lookup function.  Whois

    is used to provide information on a domain...lots of really

    interesting information, such as who registered the domain,

    the technical and billing contacts for the domain, addresses

    and telephone numbers, and even the name servers that are

    authoritative for the domain.
    
    **************************************************************
    
    
    
    Now, you wonder, how does DNS work?  Well, when you type

    "http://www.target.com" into the location bar of your

    Netscape browser, a lookup of the hostname needs to be performed

    in order to obtain the IP address.  This is needed so that the

    browser has an IP address to which to send the request.  So the

    browser hands the name to a small piece of code on your own

    machine called the "resolver" (or "stub resolver"), which sends

    the request for the name lookup (i.e., the name-to-address

    translation) to the nameserver configured on your machine, which

    is nothing more than a computer running DNS software.  If that

    nameserver has recently answered a request for the same

    hostname, it will retrieve the response from its cache and send

    it back.  If the nameserver doesn't have the answer available,

    it works its way down the "tree": it asks a root server, which

    refers it to the servers for ".com", which refer it to the

    servers for "target.com", which finally answer for

    "www.target.com".  Each answer carries a "time to live" (TTL)

    that says how long the nameserver may keep it in its cache.
    
    
    
    This has been a very basic explanation of DNS.  For a more detailed

    explanation, check out an excerpt from the O'Reilly book "DNS and

    BIND, 2d Edition":
    
    http://www.oreilly.com/publishing/sysadmin/excerpts/dns2/ch02.htm
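    To make the lookup above concrete, here is an added example (not

    part of the original guide, and not code from any of the tools it

    mentions) that builds the query packet a resolver sends and parses

    the answer that comes back, following the wire format in RFC 1035.

    The sample reply is constructed by hand: the address 192.0.2.37 is

    a documentation address (RFC 5737) standing in for the obfuscated

    one used in the rest of this guide, and the TTL, transaction ID

    and "smtp.foobar.edu" mail host are made up for the illustration.

```python
import struct

# RR type codes from RFC 1035.  AXFR and ANY are query-only "meta" types:
# they can appear in a question but never as the type of an answer record.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13,
          "MX": 15, "AXFR": 252, "ANY": 255}
TYPE_NAMES = {code: name for name, code in QTYPES.items()}


def encode_name(name):
    """Encode "www.foobar.edu" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """The packet a stub resolver sends: 12-byte header with RD=1, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, off):
    """Decode a name at msg[off], following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:             # pointer to an earlier copy of the name
            if end is None:
                end = off + 2                   # a pointer always ends the name
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                       # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Return (rcode, answers) where answers = [(name, type, ttl, rdata_as_text), ...]."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qdcount):                    # step over the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:           # A: four raw octets
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):               # NS / CNAME / PTR: a (possibly compressed) name
            text, _ = read_name(msg, off)
        elif rtype == 15:                       # MX: 16-bit preference, then a name
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = read_name(msg, off + 2)
            text = f"{pref} {host}"
        else:
            text = rdata.hex()
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, text))
        off += rdlen
    return rcode, answers


# Constructed reply to build_query("foobar.edu", "ANY"): flags 0x8180 = response,
# recursion desired and available, no error.  The answer names are compression
# pointers (0xC00C) back to the question name at offset 12.  192.0.2.37 is an
# RFC 5737 documentation address standing in for the guide's obfuscated one.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("foobar.edu") + struct.pack("!HH", 255, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 37])
    + b"\xC0\x0C" + struct.pack("!HHIH", 15, 1, 3600, 9)
    + struct.pack("!H", 10) + b"\x04smtp" + b"\xC0\x0C"
)

if __name__ == "__main__":
    print(build_query("foobar.edu", "A").hex())
    print(parse_response(SAMPLE_RESPONSE))
```

    To send the query for real, write build_query(...) to a UDP socket

    on port 53 of your nameserver and feed the reply to parse_response.

    Note that the parser trusts whatever it is handed: a real resolver

    must check that the transaction ID and the question in the reply

    match the query it sent, otherwise anyone who can race the true

    answer onto the wire can feed it a bogus address.  A zone transfer

    (type AXFR) is a different animal: it runs over TCP with a two-byte

    length prefix on each message, which this UDP-only parser does not

    handle.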
    
    
    
    [Web-based Tools]
    
    Now lets play with some DNS tools.
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  Win95 doesn't come with the necessary tools that

    you need to really get a good look at available DNS information.

    NT and Linux come with programs such as nslookup, which is

    pretty much "THE" DNS tool...there is a lot you can do with

    nslookup.  To remedy that situation, we will use web-based tools,

    that you can bookmark for later use.  Refer to the [Resources]

    section below for the listing of tools.  Nslookup will be

    dealt with in a later section of this text.
    
    **************************************************************
    
    
    
    This example will look at the information available from the
    
    domain "foobar.edu", so depending upon the domains you try
    
    these exercises on, your results may vary.
    
    
    
    **NOTE:  A fictitious domain name will be used for the

    exercises.  All responses are obfuscated so that no

    particular domain or IP address is indicated.
    
    
    
    The first step is to perform a whois lookup on the domain.
    
    We can do this by going to:
    
    
    
    http://www.internic.net
    
    
    
    and entering "foobar.edu" in the entry box.
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  If you are using Linux, or have a whois tool on
    
    your computer, type:
    
    
    
    $whois foobar.edu
    
    
    
    Or you can use Sam Spade (http://www.blighty.com), a free

    Windows network query tool that provides whois, finger, nslookup,

    dig, and ping functions, among others.
    
    **************************************************************
    
    
    
    The response that comes back states that John Doe is the

    administrative contact for the domain, and that the registrant is

    located in Alaska.  Now, InterNIC requires that a registered

    domain list at least two nameservers that are authoritative for

    it, and we can see the nameservers listed in the response

    (remember, the addresses here are deliberately bogus...a real

    IP address never has an octet above 255):



    NS.NAMESERVER.ORG           287.128.192.4

    NS2.NAMESERVER.ORG          289.41.341.143
    
    
    
    Now let's look up some IP addresses.  Go to:
    
    
    
    http://jos.net/projects/nslookup4WWW/nslookup4WWW.html
    
    
    
    Select a Query Type of "A - host address", and enter
    
    "foobar.edu" in the Query box, and press "Submit Query>>".
    
    
    
    The response should contain:
    
    
    
    Name:    foobar.edu
    
    Address:  289.13.266.37
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  Remember what was described earlier about your

    browser having to perform a name lookup and getting the IP

    address?  Well, now that you have the IP address, try typing it

    into the location bar of your browser, and see what happens...
    
    **************************************************************
    
    
    
    The query type indicates the type of resource record (RR) that

    we are interested in.  In this case, we are interested in the

    address, or "A", record.  Other resource records we can look

    for include name server (NS), mail exchanger (MX), pointer

    (PTR), or canonical name (CNAME) records.  Each of these

    records has a particular purpose.



    RR             Meaning

    *****          ***************

    A              a host address

    NS             an authoritative name server for the zone

    CNAME          canonical name for an alias

    SOA            start of a zone of authority (serial, refresh,

                   and other zone parameters)

    PTR            a domain name pointer (address-to-name)

    MX             mail exchanger (where mail for the domain goes)

    HINFO          host information (CPU and OS; rarely published

                   because it helps attackers)
    
    
    
    For a complete list of the various resource records, and the
    
    pertinent RFCs, see:
    
    
    
    http://www.dns.net/dnsrd/rr.html
    
    
    
    Try looking at the information available for the techbroker.com
    
    domain using the other Query Types, and see what's available.
    
    Then try seeing what's available for other domains.
    
    
    
    **************************************************************

    YOU COULD GET PUNCHED IN THE NOSE WARNING:  Be very, very

    careful when you are using these tools, or using nslookup

    (described later).  A Query Type of "ANY" asks for every

    record type the server has for one name.  It is NOT a zone

    transfer, although it is often confused with one.  A zone

    transfer (query type "AXFR", which is what the "ls" command in

    nslookup does) asks a nameserver for a copy of the entire zone,

    i.e., every record for every host in the domain.  This puts a

    load on the nameserver, and is considered impolite...as well as

    the precursor to an attack, since it hands an outsider a map of

    the network.  For that reason, well-run nameservers only allow

    zone transfers from their own secondary servers, and you should

    expect a good number of your requests to be refused.  If you do

    get a zone transfer from a domain, save the information you

    receive to a text file...that way, if you want to show someone

    the neat things you can do, you won't subject the nameserver to

    an additional load.



    There is a program called "dig" that can make the same queries

    (including "ANY" and "AXFR") from the command line.  Dig comes

    with BIND on Linux, and is part of Sam Spade

    (http://www.blighty.com) for win95/NT.

    **************************************************************
    
    
    
    
    
    **************************************************************
    
    NEWBIE NOTE:  You need to be a little careful with the domains

    that you pick.  Domains under a country code (such as ".uk" or

    ".de") are registered with that country's own registry, not with

    InterNIC, so the InterNIC whois won't know about them...if you

    don't get a response back from one of these web-based tools,

    don't worry.  Try a whois lookup at the right registry, or

    check at the AllDomains web page for the particular domain.
    
    For example, if you are looking for information regarding a
    
    domain that ends in ".uk" (for United Kingdom), go to
    
    http://www.alldomains.com, and click on "United Kingdom(uk)"
    
    in the left-hand frame.  Then in the right-hand frame, click
    
    on "whois", and you can perform a whois query on the domain in
    
    question.
    
    **************************************************************
    
    
    
    [nslookup]
    
    
    
    Nslookup is a great little tool for making DNS queries that comes
    
    with NT, Linux, etc.  The easiest way to use nslookup is in non-
    
    interactive mode.  This means that you submit a request at the
    
    command line, and you get a response back with no other input.
    
    For example, from the command prompt, type:
    
    
    
    $nslookup foobar.edu
    
    
    
    Server:  localhost
    
    Address: 127.0.0.1
    
    
    
    Name:    foobar.edu
    
    Address: 289.13.266.37
    
    
    
    The Server and Address response you see above will vary depending
    
    upon your operating system, and how it's set up.  But you can see
    
    that this is a quick and easy way to look up the IP address of
    
    a host given the name...we have performed a query for the "A"
    
    resource record.  We can do a "reverse lookup" by entering the
    
    IP address at the command prompt, rather than the host name:
    
    
    
    $nslookup 289.13.266.37
    
    
    
    Server:  localhost
    
    Address: 127.0.0.1
    
    
    
    Name:     www.foobar.edu
    
    Address:  289.13.266.37
    
    
    
    Wait a minute!  What's this "www.foobar.edu" stuff?  Well, a

    reverse lookup asks for a different record type: nslookup turned

    the address around into "37.266.13.289.in-addr.arpa" and asked

    for its PTR record, and the PTR record names "www.foobar.edu".

    A single host can have multiple host names that all point to

    the same IP address ("A" records), but the reverse zone usually

    carries just one name per address, and whoever runs that zone

    picks it.  So don't trust a PTR name on its own...look up the

    name you got back and check that it really points to the

    address you started with.
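    Here is an added example (not from the original guide) of what

    nslookup does behind the scenes for a reverse lookup, and of the

    check you should make before believing a PTR name.  The forward

    and reverse records are a constructed stand-in for foobar.edu's

    real data, using documentation addresses (RFC 5737), and the

    misleading PTR for 203.0.113.5 is invented to show the failure

    case; the IPv6 branch goes beyond the guide, which only covers

    IPv4.

```python
import ipaddress


def reverse_name(ip):
    """Build the name a resolver queries for a PTR record:
    IPv4 -> octets reversed under in-addr.arpa,
    IPv6 -> all 32 hex nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")           # 32 hex digits, zero-padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed record set standing in for the guide's (obfuscated) foobar.edu
# data: forward names -> A records, and PTR names -> host names, as a
# resolver would see them.  Addresses are RFC 5737 documentation ranges.
FORWARD = {
    "foobar.edu":       {"192.0.2.37"},
    "www.foobar.edu":   {"192.0.2.37"},
    "ftp.foobar.edu":   {"192.0.2.37"},
    "mail.example.net": {"198.51.100.9"},
}
REVERSE = {
    reverse_name("192.0.2.37"):  "www.foobar.edu",
    # Whoever controls the reverse zone for 203.0.113.0/24 chose a PTR name
    # that claims to be foobar.edu's web server.  Nothing stops them.
    reverse_name("203.0.113.5"): "www.foobar.edu",
}


def lookup_ptr(ip, reverse=REVERSE):
    """What "nslookup <ip>" returns: the PTR name for the address, or None."""
    return reverse.get(reverse_name(ip))


def forward_confirmed(ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: trust the PTR name only if its own
    A records include the address we started from.
    Returns True (confirmed), False (PTR lies), or None (no PTR at all)."""
    name = lookup_ptr(ip, reverse)
    if name is None:
        return None
    return ip in forward.get(name, set())


if __name__ == "__main__":
    for ip in ("192.0.2.37", "203.0.113.5", "198.51.100.9"):
        print(ip, reverse_name(ip), lookup_ptr(ip), forward_confirmed(ip))
```

    The same check is what a mail server or a log analyser should do

    before it prints a host name next to an address: the PTR says who

    the owner of the reverse zone claims to be, and only the forward

    lookup says whether that claim holds.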
    
    
    
    The other way to play with nslookup is to enter interactive mode
    
    by typing "nslookup" (with no arguments) at the command prompt,
    
    and then hitting <Enter>.  You will get a prompt back that looks
    
    like:
    
    
    
    >
    
    
    
    From here you can enter commands.  For example, type:
    
    
    
    >foobar.edu
    
    
    
    Wow!  We get the same information back as we did for the non-
    
    interactive mode query.  To look up specific resource records
    
    for the foobar.edu domain, all we need to do is tell nslookup
    
    which RR type we want:
    
    
    
    >set type=<RR>
    
    
    
    where <RR> refers to the resource record type, as we saw listed

    above (A, PTR, MX, CNAME, etc).  This way you can look up just

    those records you are interested in.  Note:  If you enter "ANY"

    in place of "<RR>", you ask for every record type for that one

    name; it is not a zone transfer (that's the "ls" command below),

    but read the above warning anyway, and use caution and

    restraint.  After you change the RR type that you want, enter

    the name of the domain that you want that information

    from...in this case, foobar.edu.
    
    
    
    Now, let's try one more little trick.  This involves listing the

    hosts within the domain we are interested in.  It is the zone

    transfer from the warning above: nslookup's "ls" command sends

    an "AXFR" request, and the nameserver hands back every record in

    the zone (hosts in delegated sub-domains won't be included, so

    it doesn't necessarily mean _all_ of the hosts).  Only a server

    that is authoritative for the domain can answer, so we use the

    nameservers we already know from the whois lookup.  Start

    nslookup in interactive mode:
    
    
    
    $nslookup
    
    
    
    Once you're in interactive mode, change the default nameserver

    that is used to resolve your queries to one of the nameservers

    that is authoritative for the foobar.edu domain...this

    information was retrieved using the whois query above:
    
    
    
    >server 287.128.192.4
    
    
    
    Now we want to list the hosts in the domain that have records
    
    available, so type:
    
    
    
    >ls foobar.edu
    
    
    
    You will see something similar to:
    
    
    
    [ns01.nameserver.org]
    
    foobar.edu.           server = ns.nameserver.org
    
    foobar.edu.           server = ns2.nameserver.org
    
    foobar.edu.           server = ns3.nameserver.org
    
    foobar.edu.           289.13.266.37
    
    ftp                   289.13.266.37
    
    smtp                  289.13.266.37
    
    www                   289.13.266.37
    
    
    
    In the real world (vice the "example" world) you will likely

    get a lot more hosts back than this...in fact, you may get

    upwards of 500 or more hosts!  What this listing tells us is

    that the host "foobar.edu" has the same IP address as the hosts

    listed as "ftp", "smtp", and "www" (names without a trailing

    dot are relative to the domain, so "ftp" means "ftp.foobar.edu").

    These are most likely just extra names for the same machine,

    one per service...performing a lookup on "ftp.foobar.edu" or

    trying to connect to "ftp.foobar.edu" will point or connect you

    to the host "foobar.edu".  If the transfer is refused, nslookup

    will tell you it can't list the domain...that's the server's

    access list doing its job, not a problem with your setup.
    
    
    
    If you do list the hosts in the domain, you may want to use
    
    redirection to save this information in a file, so that you can
    
    read over it:
    
    
    
    >ls foobar.edu > foobar.txt
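    As an added example (not from the original guide), here is a

    small parser for the saved listing.  It takes the exact output

    format shown above (copied here as constructed input rather than

    read from foobar.txt) and does the grouping the previous paragraph

    did by eye: names that share one address are collected together,

    with relative names qualified by the domain.

```python
from collections import defaultdict

# Constructed copy of the "ls foobar.edu" output shown above, as it would
# appear in foobar.txt.  The addresses are the guide's deliberately bogus ones.
LISTING = """\
[ns01.nameserver.org]
 foobar.edu.           server = ns.nameserver.org
 foobar.edu.           server = ns2.nameserver.org
 foobar.edu.           server = ns3.nameserver.org
 foobar.edu.           289.13.266.37
 ftp                   289.13.266.37
 smtp                  289.13.266.37
 www                   289.13.266.37
"""


def parse_listing(text, zone):
    """Split nslookup "ls" output into (nameservers, {fqdn: address}).
    A name ending in "." is absolute (the zone apex here); anything else is
    relative to the zone, so "ftp" becomes "ftp.foobar.edu"."""
    nameservers, hosts = [], {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("["):    # blank line or "[server]" banner
            continue
        if len(parts) == 4 and parts[1:3] == ["server", "="]:
            nameservers.append(parts[3])              # NS record for the zone
            continue
        if len(parts) != 2:                           # anything else we don't understand
            continue
        name, addr = parts
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{zone}"
        hosts[fqdn] = addr
    return nameservers, hosts


def names_by_address(hosts):
    """Group names by address: several names on one address means one machine
    wearing several hats (ftp, smtp, www), as the guide explains."""
    groups = defaultdict(list)
    for fqdn, addr in hosts.items():
        groups[addr].append(fqdn)
    return {addr: sorted(names) for addr, names in groups.items()}


if __name__ == "__main__":
    servers, records = parse_listing(LISTING, "foobar.edu")
    print("authoritative servers:", servers)
    for addr, names in names_by_address(records).items():
        print(addr, "->", ", ".join(names))
```

    To use it on a real transfer, read foobar.txt into a string and

    hand it to parse_listing along with the domain name.  Working

    from the saved file, rather than re-running "ls", is exactly the

    point made above: the nameserver only has to answer once.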
    
    
    
    [Final words]
    
    You may be asking yourself at this point...now what?  Well, there
    
    has been quite a bit of information presented here, and the bad
    
    news is that it is by no means complete.  However, the good news
    
    is, now you should understand how the "/dns" command works on
    
    IRC, or how to track down IP addresses and hosts.
    
    
    
    This information is also useful if you want to track down
    
    spammers.
    
    
    
    [Resources]
    
    DNS Resource Directory
    
    http://www.dns.net/dnsrd/
    
    
    
    NsInfo - DNS browser
    
    http://nsinfo.coven.ml.org/
    
    **this is an interesting little tool...performs a zone transfer
    
    for you, as if you were executing "ls domain.com" in nslookup
    
    interactive mode.
    
    
    
    Nameserver Lookup...another web-based lookup tool
    
    http://jos.net/projects/nslookup4WWW/nslookup4WWW.html
    
    
    
    Texts for setting up a basic DNS server
    
    http://www.ludd.luth.se/~kavli/BIND-FAQ.html
    
    http://www.verinet.com/dns/
    
    http://web.syr.edu/~jmwobus/comfaqs/faq-dns
    
    
    
    Linux DNS-HOWTO
    
    http://sunsite.unc.edu/LDP/HOWTO/DNS-HOWTO.html
    
    (from the Linux Documentation Project @
    
    http://sunsite.unc.edu/LDP/index.html)
    
    
    
    AllDomains...contains listing of all domains, with
    
    valuable links
    
    http://www.alldomains.com
    
    
    
    _______________________________________________________________________
    
    Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
    
    the official Happy Hacker Web page at http://www.happyhacker.org.
    
    We are against computer crime. We support good, old-fashioned hacking of the
    
    kind that led to the creation of the Internet and a new era of freedom of
    
    information. But we hate computer crime.  So don't email us about any crimes
    
    you have committed!  
    
    To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
    
    Hacking, please email hacker@techbroker.com with message "subscribe
    
    happy-hacker" in the body of your message. 
    
    Copyright 1998 keydet89.  You may forward, print out or post this
    
    GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
    
    this notice at the end.
    
    _________________________________________________________
    
    Carolyn Meinel
    
    M/B Research -- The Technology Brokers
    
    http://techbroker.com