Leaked Network Security Information Analysis
1. Page 1 of 27
Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #2: Reconnaissance (Fingerprinting),
Passive Information Gathering
The Analysis of Leaked Network Security Information
Last printed 10/26/2005 1:40:00 a10/p10 Page 1
Exercise 1 – Internet Service Registration ... 3
Exercise 2 – Domain Name System ... 4
  Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers ... 4
  Dig (Unix tool to query DNS Servers) ... 5
  Zone Transfer ... 5
  Brute Force Reverse DNS Lookup ... 6
Exercise 3 – Search Engines ... 7
Exercise 4 – E Mail Systems ... 8
Exercise 5 – Naming Conventions ... 9
Exercise 6 – Website Analysis ... 10
Notes ... 13
Appendix ... 14
  Exercise 1 – Internet Service Registration ... 15
  Exercise 2 – Domain Name System ... 15
    Nslookup (Authoritative) using Network-Tools on ccc.edu ... 15
    Nslookup (Non-Authoritative) using Network-Tools on ccc.edu ... 17
    Nslookup (Authoritative) using Network-Tools on www.microsoft.com ... 18
    Nslookup (Non-Authoritative) using Network-Tools on microsoft.com ... 19
    Zone-Transfer of nexiliscom.com ... 21
    Zone-Transfer of microsoft.com ... 23
  Exercise 3 – Search Engines ... 24
    Netcraft Search Web by Domain for .google.com ... 24
  Exercise 4 – E Mail Systems ... 25
    Email Headers ... 25
  Exercise 5 – Naming Conventions ... 27
    Tracert of www.ccc.edu ... 27
  Exercise 6 – Website Analysis ... 27
Exercise 1 – Internet Service Registration
Internet Service Registration information gathering finds information based on the global
registration and maintenance of IP address information. Whois is a service that queries
top-level domains for information on a domain name. There are several Whois tools provided by
Network Solutions, ARIN, Geektools, and Sam Spade. Using these tools, the whois
information was looked up for the websites below:
Ccc.edu
Microsoft.com
Citibank.com
Thesportsauthority.com
Baitnet.com
Answer the following questions:
What kinds of information are available for social engineering attacks?
o The actual name of the Registrant
o An actual address.
o An actual phone number
What kinds of information are available for technical attacks?
o The Maintainer (MNTNER) password is information that is available for
technical attacks. If the password is weak, it could be broken, and this would
lead to attacks such as: DoS, URL spoofing, and Identity Theft.
Who owns the netblock (IP space)?
o The netblock is owned by the organization name.
What are the authoritative DNS servers?
o A server that knows the content of a DNS zone from local knowledge, and
thus can answer queries about that zone without needing to query other
servers.
o The authoritative servers are given in an authoritative query using the
Network Service-based Whois lookup tool of
http://network-tools.com/nslook/Default.asp
What are the IP addresses of those servers?
o The IP addresses of the servers are specified by the parameter inetnum, in a
Network Service-based Whois lookup.
The following table specifies information leakage vulnerabilities, possible attacks, and
possible countermeasures.
Information Leakage | Attack | Countermeasures
ISP | DNS Server Attack. Man in the Middle Attack. Zone Transfers. | Pick an ISP that has well secured
Address Information | Social Engineering Scams | Pick PO Box, or use Accountant Address.
Real Names | Social Engineering Scams | Pick generic function names, & pick generic email names.
Phone Numbers | Social Engineering Scams | Use a receptionist general number. Have receptionist take a message.
MNTNER Auth | Unauthorized changes to Registration. DoS. URL Spoofing | Choose at least PGP authorization. Choose strong passwords.
Figure 1: Whois Information Leakage, Attack & Countermeasures Summary
Exercise 2 – Domain Name System
Domain Name System (DNS) information gathering provides information on local and
global registration and maintenance of host naming. Use service-based Whois
(http://network-tools.com/nslook/Default.asp) to find record information for the
websites below:
Nslookup (Authoritative & Non-Authoritative), Network-Tools on DNS Servers
http://ccc.edu/
o A non-authoritative DNS server
o An authoritative DNS server
o Are there any differences?
Nslookup, using http://network-tools.com/nslook/Default.asp,
retrieved more information in the authoritative response
than in the non-authoritative response. Specifically, more
Name Servers (type=NS) and more Authoritative (Canonical or Alias)
Servers (type=A) were found in the authoritative
response.
o Capture the output of each query.
The output was captured under Exercise 2 on page 15.
http://www.microsoft.com/
o A non-authoritative DNS server
o An authoritative DNS server
o Are there any differences?
Nslookup, using http://network-tools.com/nslook/Default.asp,
retrieved more information in the authoritative response
than in the non-authoritative response. Specifically, more
Name Servers (type=NS) and more Authoritative (Canonical or Alias)
Servers (type=A) were found in the authoritative
response. Also, the primary DNS server is identified (Type=SOA),
and all the Mail Servers are identified (Type=MX), both in the
authoritative response.
o Capture the output of each query.
o Why are there multiple mail servers?
There are multiple mail servers for load balancing and as redundant
backups of each other.
o Why are there differences with IP addresses?
There are different IP addresses for several reasons:
Load Balancing.
Redundant Backup.
To Accommodate different services to different customers.
Disaster Recovery.
To support Regional Branch Office Operations.
Dig (Unix tool to query DNS Servers)
Dig is the Unix-based Nslookup DNS query tool. Using Dig
(http://www.ip-plus.net/tools/dig_dns_set.en.html), the Domain nexiliscom.com is queried
against the DNS Server 209.180.121.65. What kind of interesting information is learned from here?
The authoritative Servers, mail Servers, and primary DNS Server are displayed by
this Dig query. The operating system is Linux. The network is sharing a printer.
Zone Transfer
A Zone Transfer is a special service in which a DNS Server exchanges Authoritative
Records for a domain between primary and secondary servers. Also, any client system can
query a DNS Server and request a Zone Transfer. Using Dig
(http://www.ip-plus.net/tools/dig_dns_set.en.html), the Domain nexiliscom.com is queried
against the DNS Server 209.180.121.65.
What are the names and IP addresses of the systems?
o Ns1.nexiliscom.com 209.180.121.65
o Ns2.nexiliscom.com 209.180.121.67
o revolvstore.nexiliscom.com 209.180.121.65
o There were many other IP addresses listed on p.22 regarding the
“Zone-Transfer of nexiliscom.com”
Can you guess what each system does?
o The primary name server is given: ns1.nexiliscom.com; & the IP address is
209.180.121.65.
o Also the zone transfer associated the primary name server
ns1.nexiliscom.com with postmaster.nexiliscom.com. The embedded word
of “postmaster” implies an Email function.
o The below Zone Transfer information suggests an Email function, regarding
the words “mail,” “postmaster,” “newmail”:
“mail.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com,”
“ns1.nexiliscom.com postmaster.nexiliscom.com”
“newmail.nexiliscom.com address 64.119.36.25”
o The below Zone Transfer information suggests possible services. The
suggestive word is store.
“revolvstore.nexiliscom.com address 209.180.121.65”
o The below Zone Transfer information suggests that it might be a web server.
The suggestive word is web.
“webtoo.nexiliscom.com address 64.119.36.28”
Try this against the domain of Microsoft.com, using DNS Server NS1.MSFT.NET
o Can a Zone Transfer be performed?
Yes, a Zone Transfer was performed.
o Why or why not?
Yes, a Zone Transfer was performed, but it seems like it yielded less
information. The usual authoritative and name server
information was available, as in the authoritative and non-authoritative
Whois lookups.
How could an attacker use a Zone Transfer?
o First, the host name (for e.g. postmaster.nexiliscom.com) suggests its
function by using the embedded word of “postmaster.”
o Second, these suggestive host names (for e.g. “mail.nexiliscom.com address
209.180.121.65”) are associated with an IP address. One could enter that IP
address into a browser to see the web site, and infer its function.
Brute Force Reverse DNS Lookup
Do a brute force lookup on all of the IP addresses in the Class C space of www.ccc.edu, and
answer the following questions.
Can you figure out how the batch file does its work?
o The input file is ips.txt. All desired IP addresses to look up are entered into this
file. First, all the IP addresses are automatically written to the output file
dsnout.txt. Next, if nslookup finds a “hot” existing IP address, it looks for a
string called “Name” and outputs the parameter variable, with the reverse
lookup of the IP (e.g. 206.166.50.100) into its corresponding host address
(e.g. dns.lth1.k12.il.us).
What use is the output?
o The script quickly and automatically searched an IP range and identified
“hot” existing IP addresses.
o It identified the existing IP address along with its reverse lookup host
address. It basically did an nslookup.
o This is the 1st stage of identifying places to look (IP addresses) to start to find
any vulnerabilities.
What else do you know about the target network?
o It is possible to run a script on an IP address range based on the Primary DNS
server (type=SOA). This information was divulged from the nslookup tool of
network-tools.
o One could start with all the name servers and authoritative and
non-authoritative server information from all the public whois and nslookup
information, configure an IP address block (e.g. 206.166.50.0-206.166.50.254),
and search for all “hot” existing host IP addresses, including
servers and PCs. The question always in mind would be, what hosts are
vulnerable?
Information Leakage | Attack | Countermeasures
Zone Transfer | A Zone Transfer could be downloaded to yield the entire network configuration, as the initial stage of a DoS, DDoS, or Social Engineering Attack. | Only allow Zone Transfers to trusted systems. Configure the server to only allow certain IP addresses. Restrict port 53.
Reverse Lookup | Given netblock information, it is possible to reverse lookup host names. This could be the first stage of a DoS, DDoS, or Social Engineering Attack. | The server should be configured to only allow access on a restricted basis and only to trusted system IP addresses.
Exercise 3 – Search Engines
Search engines gather information on an organization and its employees.
Go to the web site www.netcraft.com, and answer the following questions, regarding
“.google.com” (remembering to include the dot preceding Google.com):
How many systems are there?
o The search found 144 systems.
Which systems are NOT using Linux operating systems?
o There are some systems that are designated as “unknown” operating systems.
Which systems are NOT using Google netblocks?
o All the systems yielded information on Google netblocks.
What kinds of information can you learn from the site information link?
o Domain: google.com
o NetBlock Owner: Google Inc.
o Domain Registry: markmonitor.com
o Site DNS name: http://1.qos.google.com
o IP address 66.102.9.147
Go to the web site www.netcraft.com, and answer the following questions, regarding
“.ccc.edu” (remembering to include the dot preceding ccc.edu):
Of the servers owned by City Colleges in Chicago, are there any differences between
this list and the list found doing the brute force DNS lookup?
Information Leakage | Attacks | Countermeasures
Cache Information | Cache pages and information could be retrieved as the first stage of a DoS, DDoS, or Social Engineering Attack. | Control the cache information and meta data to limit third party caching.
Error Messages | Information on hardware configuration and component information could be leaked in the error messages. This could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Make error messages generic without hardware or application information embedded in the message.
Company Confidential Information made Public | Employees could leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | Train employees to not be allowed to leak confidential company information into the public domain.
Public Documents | Company documents could be made public that leak information that could be used as the first stage of a DoS, DDoS, or Social Engineering Attack. | If company documents are to be posted publicly on the web, remove all sensitive internal information.
The Robots.txt file | An attacker could get information on a company’s system, with which to perpetrate a DoS, DDoS, or Social Engineering Attack. | Restrict access to this file. Restrict the information in this file.
Exercise 4 – E Mail Systems
Email system information gathering uses information found within the Email system and
Email messages.
Go to http://www.spamcop.net/fom-serve/cache/19.html, to discover how to look at headers
regarding email. Send an email from your school email account to your personal email
account. Look at the headers and answer the following questions:
What are the IP addresses of the systems that handled this mail?
o Received: from 207.115.20.36 (flpvm06.prodigy.net)
o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
(scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
o by flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id
j8R3rwmF014910
o Received: from agalvan1 [216.125.49.114] by student.ccc.edu ()
What kinds of servers handled the mail?
o SMTP Servers
o Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])
(scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev
Is the same path taken both ways?
o Yes, the same path is taken both ways.
Can you tell what kind of email systems handled the messages?
o SMTP Servers
Using the list of possible SMTP mail systems, grab ccc.edu’s mail server banner.
o I couldn’t find the ccc.edu server banner.
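A way to audit what your own outbound mail discloses in its Received chain, as an added example that is not part of the original lab report. The sample message is constructed from the header fragments quoted in the answers above; the function names and the leak categories are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message. The two Received lines reuse the header
# fragments quoted in the answers above; timestamps are omitted and the
# From/To/Subject lines are filler.
SAMPLE = (
    "Received: from student.ccc.edu (student.ccc.edu [216.125.49.18])\n"
    "\tby flpvm06.prodigy.net (8.12.10 083104/8.12.10) with ESMTP id j8R3rwmF014910\n"
    "Received: from agalvan1 [216.125.49.114] by student.ccc.edu\n"
    "\t(scholarmail.ccc.edu) Apache/2.0.49a NETWARE mod_jk/1.2.6-dev\n"
    "From: sender@example.edu\n"
    "To: recipient@example.net\n"
    "Subject: header test\n"
    "\n"
    "body\n"
)

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# product/version tokens such as Apache/2.0.49a
SOFTWARE_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own line, so the last header is the first hop.
    for value in reversed(msg.get_all("Received") or []):
        line = " ".join(value.split())  # undo header folding
        from_m, by_m = FROM_RE.search(line), BY_RE.search(line)
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "by_host": by_m.group(1) if by_m else None,
            "ips": IP_RE.findall(line),
            "software": ["/".join(m) for m in SOFTWARE_RE.findall(line)],
        })
    return hops


def is_private_ip(text):
    """True for RFC 1918 and other non-routable addresses, False if unparsable."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def find_leaks(hops):
    """Flag details in the relay chain that describe the sender's network."""
    findings = []
    for n, hop in enumerate(hops, start=1):
        host = hop["from_host"]
        if host and "." not in host:
            # An unqualified name is usually the sending workstation.
            findings.append((n, "workstation-name", host))
        for ip in hop["ips"]:
            if is_private_ip(ip):
                findings.append((n, "internal-address", ip))
        for product in hop["software"]:
            findings.append((n, "software-version", product))
    return findings


if __name__ == "__main__":
    chain = parse_hops(SAMPLE)
    for i, hop in enumerate(chain, start=1):
        print(i, hop["from_host"], "->", hop["by_host"], hop["ips"])
    for finding in find_leaks(chain):
        print(finding)
```

Each finding is something a mail gateway can strip or rewrite before the message leaves the organization.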
Exercise 5 – Naming Conventions
Naming conventions describe how an organization categorizes their host devices.
At a DOS command line prompt type the command “tracert www.ccc.edu” and answer the
following questions.
Can you deduce the naming convention (if any)?
o The physical location is used in the naming convention.
o The owner company is used in the naming convention.
o One of the routers indicates it could be part of a Virtual LAN (VLAN).
Can you deduce what operating system is being used from the name?
o The Operating system might be VLAN 5.0
Can you deduce the physical location of the host from the name?
o These routers are all in Chicago
Ads1-68-72-175-254.ds1.chcgil.ameritech.net
Dist2-vlan50.chcgil.ameritech.net
Bb2-g7-0.chcgil.ameritech.net
Ex1-p0-0.eqchil.sbcglobal.net
Chcgil1wcx1-pos9-0-oc48.wcg.net
Chcgil1wxc1-dept-central-mgmt.wcg.net
Ge-1-0-ans-sob1.chicago.lincon.net
Ge2-1.sob11.chicago.lincon.net
Can you determine which device is the perimeter router?
o 192.168.1.1 is my originating perimeter router
o 206.166.90.246 is the target perimeter router
Which netblock (IP block) is owned by the target?
o Illinois Century Network owns the netblock.
Information Leakage | Attack | Countermeasures
Device Location | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming devices with location information.
Device Function | Could be used to determine the network configuration and lead to DoS, DDoS or stealing financial or confidential information. | Refrain from naming conventions with function information.
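A self-audit of your own zone data that covers both the host-name guesses in the Zone Transfer answers of Exercise 2 and the naming-convention leaks above, as an added example that is not part of the original lab report. The host names and addresses are the ones quoted in this report; the keyword rules, function names and the two-label domain assumption are illustrative.

```python
import re
from collections import defaultdict

# Keyword rules are illustrative assumptions; extend them for your own estate.
RULES = [
    ("function", re.compile(r"mail|smtp|pop|imap|postmaster"), "email"),
    ("function", re.compile(r"web|www"), "web server"),
    ("function", re.compile(r"store|shop"), "store"),
    ("function", re.compile(r"^ns\d*$"), "name server"),
    ("function", re.compile(r"test|dev|staging"), "non-production system"),
    ("function", re.compile(r"netsaint|nagios"), "monitoring"),
    ("function", re.compile(r"fw\d*$|firewall"), "firewall"),
    ("function", re.compile(r"gw\d*$|gateway"), "gateway/router"),
    ("vendor", re.compile(r"cisco"), "Cisco"),
    ("vendor", re.compile(r"^cpfw"), "Check Point FireWall-1"),
    ("topology", re.compile(r"vlan\d+"), "VLAN number"),
    ("location", re.compile(r"chcgil|chicago"), "Chicago"),
]

# Names and addresses quoted in this report's zone-transfer answers and capture.
ZONE = [
    ("ns1.nexiliscom.com", "209.180.121.65"),
    ("ns2.nexiliscom.com", "209.180.121.67"),
    ("mail.nexiliscom.com", "209.180.121.65"),
    ("newmail.nexiliscom.com", "64.119.36.25"),
    ("pop.nexiliscom.com", "209.180.121.65"),
    ("smtp.nexiliscom.com", "209.180.121.65"),
    ("revolvstore.nexiliscom.com", "209.180.121.65"),
    ("webtoo.nexiliscom.com", "64.119.36.28"),
    ("test.nexiliscom.com", "209.180.121.65"),
    ("netsaint.nexiliscom.com", "209.180.121.67"),
]

# Device names quoted in Exercise 5 and in the Notes section.
DEVICES = [
    "dist2-vlan50.chcgil.ameritech.net",
    "cisco-gw.example.com",
    "cpfw1.example.com",
]


def classify(fqdn):
    """Return sorted (category, meaning) pairs that the host labels give away."""
    # Assumption: the registered domain is the last two labels (not true for .co.uk).
    labels = fqdn.lower().rstrip(".").split(".")[:-2]
    hits = set()
    for label in labels:
        for category, pattern, meaning in RULES:
            if pattern.search(label):
                hits.add((category, meaning))
    return sorted(hits)


def shared_addresses(records):
    """Map each IP that serves more than one name to the sorted list of names."""
    by_ip = defaultdict(list)
    for name, ip in records:
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def audit(records):
    """Build the per-host report a defender reviews before an outsider does."""
    shared = shared_addresses(records)
    report = []
    for name, ip in records:
        report.append({
            "name": name,
            "ip": ip,
            "reveals": classify(name),
            "shares_ip_with": [n for n in shared.get(ip, []) if n != name],
        })
    return report


if __name__ == "__main__":
    for row in audit(ZONE):
        print(row["name"], row["ip"], row["reveals"], len(row["shares_ip_with"]))
    for device in DEVICES:
        print(device, classify(device))
```

Hosts with a non-empty "reveals" list are candidates for renaming, and an address shared by many service names marks a single host whose compromise affects all of them.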
Exercise 6 – Website Analysis
Website analysis is an information gathering technique that uses public information via web
sites. The discovered information may expose the system to unintended vulnerabilities.
There are many sources of information from the website:
Look at the HTML source code for:
Passwords.
Comments and other useful information.
Disabled code.
Meta-tags containing the signatures of the development tools used to
build the site
Email addresses for social engineering attacks.
Accidental links to internal resources.
Error pages can leak important details about the structure of the website
For example the website is stored on drive D.
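A pre-publication check for the items in the list above (comments, disabled code, generator meta-tags, email addresses, links to internal resources), as an added example that is not part of the original lab report. The sample page, the product name "ExampleSiteBuilder" and the finding labels are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page containing one instance of each leak in the list.
SAMPLE_HTML = """\
<html><head>
<meta name="generator" content="ExampleSiteBuilder 4.0">
<title>Department page</title>
</head><body>
<!-- TODO remove before go-live: db login admin / password=Spring2005 -->
<!-- <a href="/old/admin.asp">admin console</a> -->
<p>Contact <a href="mailto:jane.doe@example.edu">Jane Doe</a></p>
<img src="file:///D:/inetpub/wwwroot/img/logo.gif">
<a href="http://10.1.2.3/intranet/">staff intranet</a>
<a href="http://www.example.edu/courses/">courses</a>
</body></html>
"""

CREDENTIAL_RE = re.compile(r"pass(?:word|wd)?\s*[=:]", re.I)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:[\\/]")


def is_internal(url):
    """True when a link points at something only reachable from inside."""
    if DRIVE_PATH_RE.match(url):
        return True  # e.g. D:\inetpub\..., a local drive path
    parts = urlparse(url)
    if parts.scheme == "file":
        return True
    host = parts.hostname
    if not host:
        return False  # relative link on the same site
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # Not an IP: single-label names and private suffixes are internal.
        return "." not in host or host.endswith((".local", ".internal", ".lan"))


class LeakAudit(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        text = " ".join(data.split())
        if CREDENTIAL_RE.search(text):
            kind = "credential-in-comment"
        elif "<" in text:
            kind = "disabled-code"  # markup that was commented out
        else:
            kind = "comment"
        self.findings.append((kind, text))

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            self.findings.append(("generator", attr.get("content") or ""))
        for key in ("href", "src"):
            url = attr.get(key)
            if not url:
                continue
            if url.lower().startswith("mailto:"):
                self.findings.append(("email", url[7:].split("?")[0]))
            elif is_internal(url):
                self.findings.append(("internal-link", url))


def audit_html(html):
    """Return the findings for one page, in document order."""
    parser = LeakAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind:22} {detail}")
```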
When I looked at the web page http://www.robotstxt.org/wc/active/html/googlebot.html, it
was clean of any extraneous information that did not pertain to the displayed web page.
WebSPHINX
o By looking at the source code and the structure of the web site, what kinds of
information can you glean?
The HTML source code yielded hyperlinks to other colleges and other
hyperlinks related to www.ccc.edu.
o How might it be used in an attack?
By using Websphinx on the web site of
http://wright.ccc.edu/department/forensics/index.asp, websphinx touched
all the links to http://wright.ccc.edu/department/forensics.
All the different hyperlinks could be perused for information that could
be used in a social engineering attack.
Information in Binary Files regarding the downloaded file,
http://www.bergkaprowlewis.co.uk/budget2002/revce1.doc:
o Use the “strings” program to extract ASCII text.
o I couldn’t extract any ASCII text using Strings.
o What kinds of metadata are found here?
o I found the below metadata:
the author was found to be “Fred Rothwell.”
the company name was “Her Majesty’s Treasure.”
Date Created: 9/27/2005 2:21 AM
Date Last Saved 9/29/2005 2:21 AM
Last Printed 4/17/2002 4:11 AM
Edit Time: 12:00 AM
o Anything that could be useful in an attack?
o The Author’s name and company name could be used in a social engineering
attack.
o What is the redacted text from line 4 – 12?
o The redacted text was “draft”
Information Leakage | Attack | Countermeasures
Personal Information | Could be used in a Social Engineering Attack. | All personal information should be restricted. Any contact information should be to generic emails or to the main company phone number.
Error Message Pages | Could be used to determine the devices of a network as a prelude to a DoS, DDoS or financial information attack. | Error messages should be made to be standard and generic without function, device, or location information.
Web Server Banners | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | Web Server Banners should be rewritten in a way different than the manufacturer standard header and without function, device, or location information.
Document Properties | Could be used in a Social Engineering Attack. | Strong passwords should be used. User names should be restricted
Web code and Client code | Could be used to determine the network configuration as a prelude to a DoS, DDoS, or financial information stealing attack. | All code should be cleaned of all “dead” code.
Notes
This is the other paper of reference:
An Overview of Passive Information Gathering Techniques for Network Security,
http://www.ottawa.drdc-rddc.gc.ca/docs/e/TM2004-073.pdf, &
Passive Information Gathering, The Analysis of Leaked Network Security Information,
http://www.ngssoftware.com/papers/NGSJan2004PassiveWP.pdf
NGS NISR
Next Generation Security Software Ltd.
Passive Information Gathering
The Analysis of Leaked Network Security Information
Gunter Ollmann, Professional Services Director
Abstract, (p.1)
Information Leakage, (p.2)
Definition of “Passive” (p.2)
Passive Information Gathering Techniques (p.4)
Whois, (p.5)
Network Service-Based WHOIS (p.6)
Network service-based WHOIS data provides details of network management data.
Netblock Registration Maintenance, (p.9)
Netblock registration maintenance is normally carried out in a secure & controlled
manner.
Name Service-Based WHOIS (p.11)
Name service-based WHOIS data provides a number of details about a domain.
Domain Name System, (p.16)
Zone Transfers, (p.20)
Reverse resolution, (p.22)
DNS Brute force, (p.24)
Search Engines, (p.26)
Email systems, (p.29)
Trace Route (tracert), (p.36)
Displays # of hops between originating host IP (192.168.100.1) and www.example.com
Cisco-gw.example.com [212.84.xx.1]
o Probably the start of a netblock; suggests it is a border router, for
example.com & it is made by Cisco.
Cpfw1.example.com [212.84.xx.2]
o Almost certainly is a Checkpoint firewall-1 firewall host.
Web Server Banner (p.39)
Server: Zeus / 4.2
Server: Microsoft IIS / 6.0
Server: Apache / 2.0.48-dev (Unix)
Appendix
Exercise 1 – Internet Service Registration
Exercise 2 – Domain Name System
Nslookup (Authoritative) using Network-Tools on ccc.edu
NsLookup - Query the DNS for resource records
domain ccc.edu query type ANY - Any type
server NS1.ILLINOIS.NET query class IN - Internet
port 53 timeout (ms) 5000
no recursion advanced output
NS1.ILLINOIS.NET [206.166.83.22] returned an authoritative response in 31 ms:
Answer records
name class type data time to live
ccc.edu IN MX preference: 0 exchange: pobox.ccc.edu 600s (10m)
ccc.edu IN MX preference: 5 exchange: pobox2.ccc.edu 600s (10m)
ccc.edu IN MX preference: 10 exchange: guardian.ccc.edu 600s (10m)
ccc.edu IN NS ns1.msa1.illinois.net 600s (10m)
ccc.edu IN NS ns1.illinois.net 600s (10m)
ccc.edu IN NS ns2.illinois.net 600s (10m)
ccc.edu IN NS guardian.ccc.edu 600s (10m)
ccc.edu IN A 216.125.49.11 600s (10m)
ccc.edu IN SOA server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 600s (10m)
Authority records
name class type data time to live
ccc.edu IN NS ns1.msa1.illinois.net 600s (10m)
ccc.edu IN NS ns1.illinois.net 600s (10m)
ccc.edu IN NS ns2.illinois.net 600s (10m)
ccc.edu IN NS guardian.ccc.edu 600s (10m)
Additional records
name class type data time to live
pobox.ccc.edu IN A 216.125.49.10 600s (10m)
pobox2.ccc.edu IN A 216.125.49.50 600s (10m)
guardian.ccc.edu IN A 216.125.49.254 600s (10m)
ns1.msa1.illinois.net IN A 206.166.50.100 60s (1m)
ns1.illinois.net IN A 206.166.83.22 3600s (1h)
ns2.illinois.net IN A 206.166.17.200 3600s (1h)
http://network-tools.com/nslook/default.asp 9/20/2005
Nslookup (Non-Authoritative) using Network-Tools on ccc.edu
NsLookup - Query the DNS for resource records
domain ccc.edu query type ANY - Any type
server 66.98.244.52 query class IN - Internet
port 53 timeout (ms) 5000
no recursion advanced output
[66.98.244.52] returned a non-authoritative response in 94 ms:
Answer records
name class type data time to live
ccc.edu IN MX preference: 0 exchange: pobox.ccc.edu 600s (10m)
ccc.edu IN MX preference: 5 exchange: pobox2.ccc.edu 600s (10m)
ccc.edu IN MX preference: 10 exchange: guardian.ccc.edu 600s (10m)
ccc.edu IN NS ns1.msa1.illinois.net 600s (10m)
ccc.edu IN NS ns1.illinois.net 600s (10m)
ccc.edu IN NS ns2.illinois.net 600s (10m)
ccc.edu IN NS guardian.ccc.edu 600s (10m)
ccc.edu IN A 216.125.49.11 600s (10m)
ccc.edu IN SOA server: ns1.msa1.illinois.net email: msa1hostmaster@illinois.net serial: 2005062401 refresh: 10800 retry: 3600 expire: 604800 minimum ttl: 600 600s (10m)
Authority records
[none]
Additional records
name class type data time to live
pobox.ccc.edu IN A 216.125.49.10 600s (10m)
pobox2.ccc.edu IN A 216.125.49.50 600s (10m)
guardian.ccc.edu IN A 216.125.49.254 600s (10m)
http://network-tools.com/nslook/default.asp 9/20/2005
Nslookup (Authoritative) using Network-Tools on www.microsoft.com
NsLookup - Query the DNS for resource records
domain microsoft.com query type ANY - Any type
server 207.46.138.20 query class IN - Internet
port 53 timeout (ms) 5000
no recursion advanced output
[207.46.138.20] returned an authoritative response in 94 ms:
Header
rcode: Success
id: 0 opcode: Standard query
is a response: True authoritative: True
recursion desired: True recursion avail: False
truncated: False
questions: 1 answers: 12
authority recs: 0 additional recs: 11
Questions
name class type
microsoft.com IN ANY
Answer records
name class type data time to live
microsoft.com IN A 207.46.250.119 3600s (1h)
microsoft.com IN A 207.46.130.108 3600s (1h)
microsoft.com IN NS ns3.msft.net 172800s (2d)
microsoft.com IN NS ns4.msft.net 172800s (2d)
microsoft.com IN NS ns5.msft.net 172800s (2d)
microsoft.com IN NS ns1.msft.net 172800s (2d)
microsoft.com IN NS ns2.msft.net 172800s (2d)
microsoft.com IN SOA server: dns.cp.msft.net email: msnhst@microsoft.com serial: 2005092003 refresh: 300 retry: 600 expire: 2419200 minimum ttl: 3600 3600s (1h)
microsoft.com IN MX preference: 10 exchange: mailc.microsoft.com 3600s (1h)
microsoft.com IN MX preference: 10 exchange: maila.microsoft.com 3600s (1h)
microsoft.com IN MX preference: 10 exchange: mailb.microsoft.com 3600s (1h)
microsoft.com IN TXT v=spf1 mx redirect=_spf.microsoft.com 3600s (1h)
Authority records
[none]
Additional records
name class type data time to live
ns3.msft.net IN A 213.199.144.151 3600s (1h)
ns4.msft.net IN A 207.46.66.75 3600s (1h)
ns5.msft.net IN A 207.46.138.20 3600s (1h)
ns1.msft.net IN A 207.46.245.230 3600s (1h)
ns2.msft.net IN A 64.4.25.30 3600s (1h)
mailc.microsoft.com IN A 207.46.121.52 3600s (1h)
mailc.microsoft.com IN A 207.46.121.53 3600s (1h)
maila.microsoft.com IN A 131.107.3.125 3600s (1h)
maila.microsoft.com IN A 131.107.3.124 3600s (1h)
mailb.microsoft.com IN A 131.107.3.123 3600s (1h)
mailb.microsoft.com IN A 207.46.121.51 3600s (1h)
http://network-tools.com/nslook/default.asp 9/20/2005
Nslookup (Non-Authoritative) using Network-Tools on microsoft.com
NsLookup - Query the DNS for resource records
domain microsoft.com query type ANY - Any type
server 66.98.244.52 query class IN - Internet
port 53 timeout (ms) 5000
no recursion advanced output
[66.98.244.52] returned a non-authoritative response in 0 ms:
Answer records
name class type data time to live
microsoft.com IN NS ns5.msft.net 171510s (1d 23h 38m 30s)
microsoft.com IN NS ns4.msft.net 171510s (1d 23h 38m 30s)
microsoft.com IN NS ns3.msft.net 171510s (1d 23h 38m 30s)
microsoft.com IN NS ns2.msft.net 171510s (1d 23h 38m 30s)
microsoft.com IN NS ns1.msft.net 171510s (1d 23h 38m 30s)
Authority records
[none]
Additional records
[none]
http://network-tools.com/nslook/default.asp 9/20/2005
Zone-Transfer of nexiliscom.com
1 of 2 9/26/2005 1:56 AM
DNS check tool Back
Domain nexiliscom.com, DNS server 209.180.121.65
Setting Source IP Address to : quot;164.128.36.54quot;
Check if the server quot;209.180.121.65quot; is configured for quot;nexiliscom.comquot;
... ok.
Check SOA Record ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types SOA
Trying nexiliscom.com ...
nexiliscom.com 3600 IN SOA ns1.nexiliscom.com postmaster.nexiliscom.com (
2005083001 ;serial (version)
3600 ;refresh period (1 hour)
*** WARNING *** Refresh 3600 , use recommended value quot;10800quot;
3600 ;retry interval (1 hour)
3600 ;expire time (1 hour)
*** WARNING *** Expire 3600 , use recommended value quot;604800quot;
3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value quot;86400quot;
Check NS Records ...
Server: ns1.nexiliscom.com
Address: 209.180.121.65
Query about nexiliscom.com for record types NS
Trying nexiliscom.com ...
Query done, 2 answers, authoritative status: no error
nexiliscom.com 3600 IN NS ns2.nexiliscom.com
ns2.nexiliscom.com is secondary nameserver
nexiliscom.com 3600 IN NS ns1.nexiliscom.com
ns1.nexiliscom.com is primary nameserver
Additional information:
ns1.nexiliscom.com 3600 IN A 209.180.121.65
ns2.nexiliscom.com 3600 IN A 209.180.121.67
Found IP address quot;209.180.121.67quot; for server quot;ns2.nexiliscom.comquot;
Found IP address quot;209.180.121.65quot; for server quot;ns1.nexiliscom.comquot;
Check SOA Record for Consistency on all Servers ...
nexiliscom.com NS ns1.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005083001 3600 3600 3600
3600)
*** WARNING *** !!! nexiliscom.com SOA refresh+retry exceeds expire
*** WARNING *** !!! nexiliscom.com SOA expire is less than 1 week (1
hour)
nexiliscom.com NS ns2.nexiliscom.com
ns1.nexiliscom.com postmaster.nexiliscom.com (2005060901 3600 3600 3600
3600)
*** WARNING *** !!! ns2.nexiliscom.com and ns1.nexiliscom.com have
different serial for nexiliscom.
Check Zone Transfer
This may take a while, please wait ... /opt/wwwtools-1.0/checkdom/hostsqs
-Z -a -l -v -A -G -D done.
*** WARNING *** !!! nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
*** WARNING *** !!! atensubmissions.nexiliscom.com address 209.180.121.65
maps to ns1.nexiliscom.
IP-Plus http://www.ip-plus.net/tools/domaincheck.cgi
*** WARNING *** !!! mail.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
*** WARNING *** !!! memorial-unborn.nexiliscom.com address 209.180.121.65
maps to ns1.nexiliscom.
*** WARNING *** !!! mms1.nexiliscom.com address 64.119.36.27 maps to
ip027.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! netsaint.nexiliscom.com address 209.180.121.67 maps to
ns2.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 64.119.36.25 maps to
newmail1.nexiliscom.com
*** WARNING *** !!! newmail.nexiliscom.com address 209.180.121.66 maps to
newmail2.nexiliscom.com
*** WARNING *** !!! ns3.nexiliscom.com address 64.119.36.26 maps to
ip026.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! pop.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
*** WARNING *** !!! revolvstore.nexiliscom.com address 209.180.121.65
maps to ns1.nexiliscom.com
*** WARNING *** !!! smtp.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
*** WARNING *** !!! test.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
*** WARNING *** !!! webtoo.nexiliscom.com address 64.119.36.28 maps to
ip028.nexilis.cr3.tus.simplybits.
*** WARNING *** !!! www.nexiliscom.com address 209.180.121.65 maps to
ns1.nexiliscom.com
No errors found in "nexiliscom.com"
21 warnings found in "nexiliscom.com"
Zone-Transfer of microsoft.com
IP-Plus http://www.ip-plus.net/tools/domaincheck.cgi
1 of 2 9/26/2005 6:36 PM
DNS check tool
Domain microsoft.com, DNS server ns1.msft.net
Found IP address "207.46.245.230" for server "ns1.msft.net"
Setting Source IP Address to : "164.128.36.54"
Check if the server "ns1.msft.net" is configured for "microsoft.com" ...
ok.
Check SOA Record ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types SOA
Trying microsoft.com ...
microsoft.com 3600 IN SOA dns.cp.msft.net msnhst.microsoft.com (
2005092601 ;serial (version)
300 ;refresh period (5 minutes)
*** WARNING *** Refresh 300 , use recommended value "10800"
600 ;retry interval (10 minutes)
*** WARNING *** Retry 600 , use recommended value "3600"
2419200 ;expire time (4 weeks)
*** WARNING *** Expire 2419200 , use recommended value "604800"
3600 ;default ttl (1 hour)
*** WARNING *** TTL 3600 , use recommended value "86400"
Check NS Records ...
Server: ns1.msft.net
Address: 207.46.245.230
Query about microsoft.com for record types NS
Trying microsoft.com ...
Query done, 5 answers, authoritative status: no error
microsoft.com 172800 IN NS ns5.msft.net
ns5.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns1.msft.net
ns1.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns2.msft.net
ns2.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns3.msft.net
ns3.msft.net is secondary nameserver
microsoft.com 172800 IN NS ns4.msft.net
ns4.msft.net is secondary nameserver
Additional information:
ns5.msft.net 3600 IN A 207.46.138.20
ns1.msft.net 3600 IN A 207.46.245.230
ns2.msft.net 3600 IN A 64.4.25.30
ns3.msft.net 3600 IN A 213.199.144.151
ns4.msft.net 3600 IN A 207.46.66.75
Found IP address "207.46.138.20" for server "ns5.msft.net"
*** WARNING *** failed reverse lookup for "207.46.138.20"
*** WARNING *** 207.46.138.20 does not exist at ns1.msft.net
(Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your
nameservers
Found IP address "207.46.245.230" for server "ns1.msft.net"
*** WARNING *** failed reverse lookup for "207.46.245.230"
*** WARNING *** 207.46.245.230 does not exist at ns1.msft.net
(Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your
nameservers
Found IP address "64.4.25.30" for server "ns2.msft.net"
*** WARNING *** failed reverse lookup for "64.4.25.30"
*** WARNING *** 64.4.25.30 does not exist at ns1.msft.net (Authoritative
answer)
*** WARNING *** It's recommended to have reverse lookup for your
nameservers
Found IP address "213.199.144.151" for server "ns3.msft.net"
*** WARNING *** failed reverse lookup for "213.199.144.151"
*** WARNING *** 213.199.144.151 does not exist at ns1.msft.net
(Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your
nameservers
Found IP address "207.46.66.75" for server "ns4.msft.net"
*** WARNING *** failed reverse lookup for "207.46.66.75"
*** WARNING *** 207.46.66.75 does not exist at ns1.msft.net
(Authoritative answer)
*** WARNING *** It's recommended to have reverse lookup for your
nameservers
*** ERROR *** NS record for primary nameserver "dns.cp.msft.net" missing.
Check SOA Record for Consistency on all Servers ...
microsoft.com NS ns1.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
*** WARNING *** !!! microsoft.com SOA primary dns.cp.msft.net is not
advertised via NS
*** WARNING *** !!! microsoft.com SOA retry exceeds refresh
microsoft.com NS ns2.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns3.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns4.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
microsoft.com NS ns5.msft.net
dns.cp.msft.net msnhst.microsoft.com (2005092601 300 600 2419200 3600)
Check Zone Transfer
This may take a while, please wait ... /opt/wwwtools-1.0/checkdom/hostsqs
-Z -a -l -v -A -G -D done.
*** ERROR *** 207.46.245.230 (207.46.245.230) connect: Connection timed
out
2 errors found in "microsoft.com" please correct
11 warnings found in "microsoft.com"
Exercise 3 – Search Engines
Netcraft Search Web by Domain for .google.com
Netcraft - Search Web by Domain http://searchdns.netcraft.com/?host=.google.com&position=limited&loo...
1 of 1 9/26/2005 9:48 PM