Analyzing regular DNS operations

In this recipe, we will see how to find out if DNS is working properly or not. We will see some scenarios of DNS operations, and what can go wrong.

Getting ready

Open Wireshark and start capturing data. You should mirror a device that is using DNS, or the DNS server itself.

How to do it...

Connect Wireshark to the LAN switch attached to the monitored device, and configure port mirror to the device from which you suspect the problem is coming. Go through the following steps:

  1. In case of a user complaint, configure the port mirror for monitoring the user's device.
  2. In case of a general problem in the network, configure port mirror to the DNS server:
    • When the DNS server is configured on the internal server, configure port mirror on the server
    • When the DNS server is configured on external server, configure port mirror to the link that connects you to the Internet

How it works...

DNS is the major protocol used for name resolution; it is used when browsing the Internet and when working in the organization network. The DNS standards describe three functionalities:

  • The namespace, that is, what DNS names look like and how they are allocated
  • The name registration process, that is, how we register DNS names and how they are propagated through the network of DNS servers
  • The resolving process, that is, how names are resolved to IP addresses

In this recipe we will focus on the third subject, that is, what happens when we browse the Internet, send or receive e-mails, or access internal servers in our organization. The basic DNS operation is shown in the following diagram:

DNS operation

User programs (web browsers, mail clients, and many others) interact with the DNS server through a resolver, which is a part of the operating system. The resolver interacts with an external name server that provides it with the required IPs (the name server can be local or remote; it is external to the resolver). The way the user program queries the resolver is OS specific. DNS queries and responses are sent and received between the resolver and the name server.
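To make the query/response exchange concrete, here is an added Python example (not code from the book) that builds a DNS query in the wire format a resolver sends and decodes a response of the kind the name server returns. The transaction ID, the name, and the 192.0.2.x answer address are constructed, and the response is built locally rather than captured, so the example runs offline. The fields it extracts (Transaction ID, the QR bit, RCODE, question, answers) are the ones Wireshark shows in its DNS dissector.

```python
"""Build a DNS query and decode a DNS response in wire format (RFC 1035).

Added example, not code from the book. The transaction ID, the name and the
192.0.2.x answer address are constructed; the response is built locally so
the example runs offline.
"""
import struct

def encode_name(name):
    """Encode 'www.packtpub.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Query message: 12-byte header + question (name, type, class IN)."""
    # Flags 0x0100: standard query with RD (recursion desired) set, as a
    # stub resolver sends to its local name server.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_message(msg):
    """Return the fields Wireshark shows: ID, QR, RCODE, question, answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "question": None, "answers": []}
    offset = 12
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        info["question"] = (qname, qtype)
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info

def build_response(query, a_records, rcode=0):
    """Constructed server reply for the demo: echoes the question and adds A records."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    # Flags 0x8180: QR=1, RD=1, RA=1; the low 4 bits carry the RCODE (3 = NXDOMAIN).
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = b""
    for ip, ttl in a_records:
        body += b"\xC0\x0C"                           # pointer to the name at offset 12
        body += struct.pack("!HHIH", 1, 1, ttl, 4)    # type A, class IN, TTL, RDLENGTH
        body += bytes(int(octet) for octet in ip.split("."))
    return header + question + body

if __name__ == "__main__":
    q = build_query("www.packtpub.com", 0x1234)
    print(parse_message(q))
    print(parse_message(build_response(q, [("192.0.2.10", 300)])))
    print(parse_message(build_response(q, [], rcode=3)))
```

The transaction ID is what lets Wireshark (and the resolver) pair a response with its query; the QR bit distinguishes the two directions, and a non-zero RCODE in a response is the first thing to look at when a name fails to resolve.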

DNS operation

The local name server is usually located in the organization network, and interacts with the DNS server of your ISP. In the case of a home or a small office network, your DNS server can be configured on the router that connects you to the Internet, or directly to the DNS server of your ISP:

  • When the DNS server is on the router, you query the DNS on the router that queries your ISP DNS
  • When your DNS is located on the ISP network, you query the DNS server directly

DNS namespace

The DNS namespace is based on a hierarchical tree structure, as presented in the next diagram. The structure is as follows:

  • The network of root servers (http://www.iana.org/domains/root/servers).
  • The network of Top Level Domain (TLD) servers (http://www.iana.org/domains/root/db).
  • Each top-level domain has its own name servers, similar to those that IANA administers. Top-level domains contain second-level domains. TLDs are the highest-level servers, for example, country servers, as illustrated in the next diagram.
  • Second Level Domains (SLDs) contain the domains and names for organizations and countries. The names in second-level domains are administered by the organization or country specified.
DNS namespace

There are some important definitions, as shown in following diagram:

  • Domain: It constitutes all branches under ndi-com.com, in this case a second level domain
  • Zone: It is a contiguous portion of a DNS domain in the DNS namespace, whose database records exist and are managed in a particular DNS database file stored on one or multiple DNS servers
DNS namespace

The resolving process

There are two reasons for using DNS servers:

  • The first reason is that it is used for internal communication in your organization. In this case, you have a DNS server in your organization, which resolves the names in your organization to IP addresses.
  • It is used for connecting to the Internet, browsing, sending mails, and so on.

When both services are used, you will send the DNS query to your organization server, which will send the query to the Internet. For example, when you want to get to a local server in your organization, you will send a DNS query to the local DNS, and you will get the server IP. When you browse a website on the Internet, your local DNS server forwards the request to the external DNS, for example, the ISP DNS.

Is it the correct DNS server you have configured? Theoretically, when you connect to the Internet, you can configure any DNS server in the world. Usually, the best DNS server to use is the nearest one. In your organization, you should configure your local DNS as first priority, and then the DNS servers of your ISP.

There are various utilities to check the DNS response. Some of them are as follows:

In the test result, you should get a good response time for your configured DNS servers. If not, change them.
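The response-time check described above is exactly what you can read off a capture: pair each query with its response by client, server and transaction ID, and compare the gap. The following is an added Python example (not from the book) that does this over a constructed list of DNS packets in the shape the "dns" display filter shows in Wireshark; the addresses, transaction IDs, timestamps and the 0.5 s "slow" threshold are all assumptions. It also flags responses with a non-zero RCODE (SERVFAIL, NXDOMAIN) and queries that were never answered, which is the usual picture when a configured server is unreachable.

```python
"""Pair DNS queries with their responses and score each server's behaviour.

Added example, not code from the book. The records are constructed, not a
real capture: one tuple per DNS packet, in the shape Wireshark shows after
the display filter "dns":
    (time_s, src_ip, dst_ip, transaction_id, is_response, rcode)
rcode is None for queries; for responses 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN.
"""

CLIENT = "10.0.0.5"              # constructed: the monitored user device
LOCAL_DNS = "10.0.0.2"           # constructed: the organization DNS server
EXTERNAL_DNS = "198.51.100.53"   # constructed: an external resolver (TEST-NET-2)

RECORDS = [
    (0.000, CLIENT, LOCAL_DNS, 0x1A2B, False, None),
    (0.012, LOCAL_DNS, CLIENT, 0x1A2B, True, 0),
    (0.100, CLIENT, LOCAL_DNS, 0x1A2C, False, None),
    (0.200, CLIENT, EXTERNAL_DNS, 0x1A2D, False, None),   # never answered
    (0.300, CLIENT, LOCAL_DNS, 0x1A2E, False, None),
    (0.305, LOCAL_DNS, CLIENT, 0x1A2E, True, 2),          # SERVFAIL
    (1.350, LOCAL_DNS, CLIENT, 0x1A2C, True, 0),          # answered, but slowly
]

SLOW_THRESHOLD_S = 0.5   # assumption: slower than this counts as a bad response time

def pair_queries(records):
    """Match each response to its query by (client, server, transaction id).
    Returns (matched, unanswered): matched is a list of (server, rtt_s, rcode),
    unanswered a list of (server, txid) for queries with no response."""
    pending = {}
    matched = []
    for time_s, src, dst, txid, is_response, rcode in sorted(records, key=lambda r: r[0]):
        if not is_response:
            pending[(src, dst, txid)] = time_s
            continue
        key = (dst, src, txid)            # a response flows server -> client
        if key in pending:
            matched.append((src, round(time_s - pending.pop(key), 3), rcode))
        # a response with no pending query is left out of the statistics
    unanswered = [(server, txid) for (_client, server, txid) in pending]
    return matched, unanswered

def server_report(records, slow_threshold=SLOW_THRESHOLD_S):
    """Per-server counts plus average and maximum response time in seconds."""
    matched, unanswered = pair_queries(records)
    servers = {}

    def entry(server):
        return servers.setdefault(server, {"answered": 0, "errors": 0, "slow": 0,
                                           "unanswered": 0, "rtts": []})

    for server, rtt, rcode in matched:
        e = entry(server)
        e["answered"] += 1
        e["rtts"].append(rtt)
        if rcode != 0:
            e["errors"] += 1
        if rtt > slow_threshold:
            e["slow"] += 1
    for server, _txid in unanswered:
        entry(server)["unanswered"] += 1
    for e in servers.values():
        rtts = e.pop("rtts")
        e["avg_rtt"] = round(sum(rtts) / len(rtts), 3) if rtts else None
        e["max_rtt"] = max(rtts) if rtts else None
    return servers

if __name__ == "__main__":
    for server, stats in server_report(RECORDS).items():
        print(server, stats)
```

On the constructed data the local server answers everything but once slowly and once with SERVFAIL, while the external server never answers at all; in a real capture the same report tells you which configured server to replace.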

There's more...

When a process on the end device is looking for the IP address of a specific name, it interacts with the local resolver that goes out to the DNS servers. When the DNS server does not find the entry you are looking for in its database, it can respond in two ways—recursive or iterative:

  • Recursive mode: In this mode, when the application (for example, a web browser) wants to resolve the name of the website www.packtpub.com, it sends a DNS request to the local DNS server (marked as 1 in the following diagram). The local DNS server sends the request to a root server (marked as 2 and 3 in the following diagram), then to the TLD (marked as 3 and 4 in the following diagram), and finally to the authoritative server of www.packtpub.com, which gives us the required address (marked as 6 and 7 in the following diagram). Then, the local DNS server sends us the required address (marked as 8 in the following diagram). In each one of the responses, the resolver gets the DNS to query in the next step.
  • Iterative mode: In this mode, a DNS client can receive a response from the DNS server that will tell the client where to look for the requested name. When the application (for example, a web browser) wants to browse the website www.packtpub.com, it sends a DNS request to the local DNS server (marked as 1 in the following diagram). The local server forwards the request to a root DNS server (marked as 2 in the following diagram). If it doesn't know the answer, it forwards the request to the TLD (marked as 3 in the following diagram) and the authoritative DNS (marked as 4 in the following diagram). Then, the answer is sent all the way back to the client (marked as 5, 6, 7, and 8 in the following diagram):
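To show the walk down the namespace tree that both modes describe (root server, then TLD server, then the authoritative server of the domain), here is an added Python example, not code from the book, that models three toy name servers and resolves a name by following referrals from the root. It also covers the namespace section above: each server knows only its own zone, its delegations to child zones, and its own records. The server addresses (TEST-NET ranges), the records and the 192.0.2.80 answer are invented and have nothing to do with the real packtpub.com. The `LocalResolver` class plays the role of the local DNS server that does the walk on the client's behalf and caches the answer, so the client sees a single query and a single response.

```python
"""Toy model of the DNS hierarchy walk: root -> TLD -> authoritative server.

Added example, not code from the book. Server addresses and records are
constructed (TEST-NET ranges) and do not describe real infrastructure.
"""

ROOT_IP = "198.51.100.1"

# Each toy server knows only its own zone: which child zones it delegates,
# and which records it is authoritative for.
SERVERS = {
    ROOT_IP:        {"zone": ".",            "delegations": {"com": "198.51.100.2"},
                     "records": {}},
    "198.51.100.2": {"zone": "com",          "delegations": {"packtpub.com": "198.51.100.3"},
                     "records": {}},
    "198.51.100.3": {"zone": "packtpub.com", "delegations": {},
                     "records": {"www.packtpub.com": "192.0.2.80",
                                 "mail.packtpub.com": "192.0.2.25"}},
}

def in_zone(name, zone):
    """True if name lies under zone (label-wise, so 'notcom' does not match 'com')."""
    return zone == "." or name == zone or name.endswith("." + zone)

def ask(server_ip, name):
    """One query to one server: ('answer', ip), ('referral', next_ip) or ('nxdomain', None)."""
    server = SERVERS[server_ip]
    if name in server["records"]:
        return ("answer", server["records"][name])
    best = None
    for zone, ns_ip in server["delegations"].items():
        # The most specific (longest) matching child zone wins.
        if in_zone(name, zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, ns_ip)
    if best:
        return ("referral", best[1])
    return ("nxdomain", None)

def resolve_iterative(name, start=ROOT_IP, max_hops=10):
    """The querier follows the referrals itself, one server at a time.
    Returns (ip or None, list of servers queried in order)."""
    path, server_ip = [], start
    for _ in range(max_hops):
        path.append(server_ip)
        kind, value = ask(server_ip, name)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server_ip = value          # referral: move one level down the tree
    return None, path              # guard against a delegation loop

class LocalResolver:
    """Recursive service: the client sends one query; this server walks the
    tree on its behalf, caches the result, and returns a single answer."""

    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, name):
        """Returns (ip or None, number of upstream queries this lookup cost)."""
        if name in self.cache:
            return self.cache[name], 0
        ip, path = resolve_iterative(name)
        self.upstream_queries += len(path)
        if ip is not None:
            self.cache[name] = ip
        return ip, len(path)

if __name__ == "__main__":
    print(resolve_iterative("www.packtpub.com"))
    local = LocalResolver()
    print(local.resolve("www.packtpub.com"))   # three upstream queries
    print(local.resolve("www.packtpub.com"))   # served from cache
```

In a capture taken at the client you see only the exchange with the local server; the referral chain is visible only when you mirror the DNS server's own uplink, which is why the recipe tells you to mirror the server (or the Internet link) for a network-wide problem.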