Lab: Domain Name System (DNS)


          Understand the Domain Name System (DNS)

          Learn how to use the nslookup command

          Use the ipconfig command in Windows

          Use the WHOIS protocol

          Use Wireshark to analyze DNS queries and responses



In Chapter 4 we study a variety of network applications to further our understanding of the application layer of the Internet protocol stack. We have looked at, for example, HTTP, DNS, SMTP, and peer-to-peer networks. The purpose of this lab is to get our hands dirty a little bit more with DNS. Please refresh your understanding of DNS by re-reading Chapter 4.


In this lab, we will be using Windows Command Prompt. For another part of the lab we will be using the Virtual Hands-On Lab environment and Wireshark, like we did with Lab 1.


Note: If you don’t have a Windows machine, you can use a university or classroom machine. However, you won’t be able to use the Remote Desktop Connection — as described in — because the Command Prompt is disabled.


Task 1: nslookup


nslookup is a tool available on most Linux/UNIX platforms (including Ubuntu, which is what we use in the Virtual Hands-On Labs, and the Mac) and on Windows. To run it in Ubuntu or on the Mac, open Terminal like we did when we were learning socket programming in Python, and type “nslookup” as described below. To run it in Windows, open the Command Prompt, and type it there.


In its most basic operation, nslookup allows the host running the tool to query any specified DNS server for a DNS record. The queried DNS server can be a root DNS server, a top-level-domain DNS server, an authoritative DNS server, or an intermediate DNS server (see the textbook for definitions of these terms). To accomplish this task, nslookup sends a DNS query to the specified DNS server, receives a DNS reply from that same DNS server, and displays the result.


Let’s say that we want to get the IP address for At the Terminal, type:




The following screenshot shows one result of this command:


The command we sent essentially says, “Please give me the IP address for the host” As shown in the screenshot, the response from this command provides two pieces of information:


1)       the name and IP address of the DNS server that provides the answer (here, it is a DNS server that is being accessed through the router on my home network, and the router’s IP address is Although this local DNS server provided the response, it’s quite possible that it iteratively contacted several other DNS servers to get the answer; and

2)       the answer itself, which is the host name and IP address of


You’ll observe that the answer refers to being “non-authoritative.” Let’s say that we want to get an authoritative answer to the same question. To do that, let’s run a second command in the Terminal:


Here, we provided the option “-type=NS” in addition to the command we entered the first time. This causes nslookup to send a query for a type NS record; in other words, to look for the host names of the authoritative DNS servers for Here, there are three authoritative DNS servers for;; . Note that here too we are receiving a non-authoritative answer.


Now that we know a DNS server (three of them, actually) that is authoritative for, we can continue as shown below:


This command says that we want to query the DNS server (which I picked at random) instead of the default DNS server. Thus, the query and reply transaction take place directly between our querying host and . Note that the IP address provided by an authoritative DNS is the same as the one provided by the non-authoritative DNS. This will usually be the case—but won’t you sleep easier knowing that you’ve checked with an authoritative source?


Question 1 – Run nslookup to obtain the IP address of a Web server anywhere in Asia. What is the IP address of that server? Please include a screenshot or screenshots to show how you got the answer.


Question 2 – Run nslookup to determine the authoritative DNS server(s) for Please include a screenshot.


Question 3 – Run nslookup so that one of the DNS servers obtained in Question 2 is queried for a Web server for What is the IP address of that Web server? Please include a screenshot.



Task 2: ipconfig


ipconfig is a tool available from the Windows Command Prompt that has many uses, and is especially well-suited to debugging network issues. It can be used to show your current TCP/IP information, including your address, DNS server addresses, adapter type, and other information that you’ll see in the screenshots below and in your experimentation. To begin, enter the following command (again, you must be running this in Microsoft Windows):


ipconfig /all


Question 4 – Run the above command on your Windows machine, and include a screenshot (or a text export) of the result. What is the IP address of your default DNS server?


ipconfig is also useful for managing the DNS information stored in your host. Recall that a host can cache DNS records that it recently obtained. To see these cached records, use this command in the Windows Command Prompt (if you don’t see any records, try opening a Web site, then re-trying the command):


ipconfig /displaydns


Each entry shows the remaining TTL in seconds for that record.


Question 5 – Run the command described above. Include a screenshot of the results, and a brief description of what any one of the resulting records means.



Task 3: WHOIS


WHOIS is a protocol that is used for, among other things, getting information about a domain name that has been registered by a registrar with the domain name system. It can be accessed through the command line/Terminal, or through a variety of Web sites that provide frontends to the same functionality. We’ll work with the Web site version. To begin, go to . Enter in a domain name of your choice (for example, but don’t use this one,, and hit “Search.”


Question 6 – Provide a screenshot of the result of the search described above. Then answer the following questions, the answers of which should be visible in the screenshot:

a)       When does the domain name expire?

b)       Who was the registrar (don’t confuse this with “registrant”)?

c)       If domain servers are included in the results, what are those domain servers?



Task 4: Wireshark DNS packet analysis


DNS is a global naming system built on a distributed database. The database translates the alphanumeric addressing that is easy for people to understand into the numerical addressing that is easy for the computer to understand. If a DNS server does not have the address in its database, it will send queries to other DNS servers looking for answers. The DNS protocol is commonly used when you are attempting to visit a website for the first time (i.e., you do not have any of the site information stored in a cache).


When a host sends a DNS query packet to a DNS server, the DNS server replies with a response packet. For each response, Wireshark shows the following fields:

          Time – This field shows the time (in seconds) elapsed between the DNS query and the reply. 

          Transaction ID – This field contains an ID code that should match the Transaction ID listed in the DNS query packet. 

          Queries – This is simply the DNS query restated. 

          Answers – Shows the type of address (in this case, type A for a host address), the name of the host, its IP address, and the “Time to live” value, which states how long your computer is allowed to cache the website information; this is why a website will load faster if you have visited it recently.


CNAME: With many systems, the address you request does not necessarily correspond to the server name you enter. For example, many larger websites like Amazon or Apple will have many broadly distributed webservers servicing the same site. The Canonical Name, or CNAME, is the name of the server that their DNS directs you to.


MDNS or Multicast DNS: Provides a DNS service to smaller networks that might not have DNS servers of their own. MDNS operates just as DNS does, except that instead of sending a packet directly to a DNS server, the requesting machine sends a broadcast packet to all addresses looking for a match.
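
Added example (not part of the original lab, and not code from Wireshark or nslookup): a short Python parser that pulls the Transaction ID, Answers, TTL and CNAME fields described above out of a raw DNS response, checks that the response matches the query that was sent, and reads the flag behind the “authoritative” / “non-authoritative” wording seen in Task 1. The sample response bytes and the names under example.test are constructed for illustration.

```python
import struct

def read_name(msg, pos):
    """Decode a DNS name at pos, following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:             # 2-byte pointer to an earlier name
            hops += 1
            if hops > 16:                     # malformed packets can loop forever
                raise ValueError("compression pointer loop")
            end = pos + 2 if end is None else end
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
        elif length == 0:                     # root label ends the name
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def parse_response(msg, expected_id, expected_name):
    """Parse a response; reject it if its ID or question differ from the query."""
    txid, flags, qdcount, ancount = struct.unpack_from("!4H", msg, 0)
    qname, pos = read_name(msg, 12)           # header is 12 bytes
    if qdcount != 1 or txid != expected_id or qname.lower() != expected_name.lower():
        raise ValueError("response does not match the outstanding query")
    pos += 4                                  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == 1:                        # A record: 4-byte IPv4 address
            data = ".".join(str(b) for b in msg[pos:pos + 4])
        elif rtype == 5:                      # CNAME record: another name
            data = read_name(msg, pos)[0]
        else:
            data = msg[pos:pos + rdlen].hex()
        answers.append((name, {1: "A", 5: "CNAME"}.get(rtype, rtype), ttl, data))
        pos += rdlen
    # AA flag (0x0400) is set only when the replying server is authoritative.
    return {"id": txid, "authoritative": bool(flags & 0x0400), "answers": answers}

# Constructed sample response (not taken from evidence03.pcap): ID 0x1A2B, AA clear.
SAMPLE = (struct.pack("!6H", 0x1A2B, 0x8180, 1, 2, 0, 0)
          + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 10) + b"\x03web\x03cdn\xc0\x10"
          + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
if __name__ == "__main__":
    print(parse_response(SAMPLE, 0x1A2B, "www.example.test"))
```

Checking the Transaction ID and the echoed question is how a client ties a reply to the query it actually sent; a reply that fails the check should be dropped rather than cached.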


A great way to see DNS request and response packets, or any other packet, is to use a packet sniffer like Wireshark. Follow the steps below to complete the task.


Step 1               Log on to VMware as directed on the following website:


Step 2               You may need to log on to the Linux virtual machine with the user name “Administrator” (no quotes). The password is “password” (no quotes).


Step 3               Open the evidence03.pcap file in the Wireshark Captures folder on the desktop. In the Filters field type in ‘dns’ to show only DNS protocol packets. Click Apply. 



Step 4               Analyze the packets by looking in the packet details (middle) pane to determine the answers to the following questions. Clicking on the arrow next to the information shows more of the data.



Question 7 – What are the IP addresses (and CNAMEs, if applicable), for each of the hosts listed below? Please include a screenshot for each showing where you got the answer.






Question 8 – Which port(s) does DNS traffic use? Please include a screenshot showing where you got the answer.
















Note: This is an individual lab assignment. Each student needs to work on and submit his/her report independently.

Clearly state the results of this project. You are expected to hand in a report in the following format:

          A cover page including project title and your name and Penn State email address

          Numbered pages. Font size 12, single column

          Save the Microsoft Word (.doc or .docx) document with your name in the title. Upload the document into the appropriate Canvas dropbox.


The report should have the following section:


Section I (100 pts): Answer Questions 1-8 on pages 3-6. Be sure to include screenshots as directed.