<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zero Intellect &#187; Security</title>
	<atom:link href="http://www.zerointellect.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zerointellect.com</link>
	<description>Technology Blog requiring Zero Intellect to follow !!!</description>
	<lastBuildDate>Mon, 28 Jun 2010 14:09:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Nslookup command overview</title>
		<link>http://www.zerointellect.com/networking/nslookup-command-overview/</link>
		<comments>http://www.zerointellect.com/networking/nslookup-command-overview/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 06:00:27 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tool Zone]]></category>
		<category><![CDATA[CNAME]]></category>
		<category><![CDATA[command line]]></category>
		<category><![CDATA[dns]]></category>
		<category><![CDATA[DNS record]]></category>
		<category><![CDATA[fully qualified domain name]]></category>
		<category><![CDATA[ls command]]></category>
		<category><![CDATA[lserver]]></category>
		<category><![CDATA[MX]]></category>
		<category><![CDATA[mx record]]></category>
		<category><![CDATA[NS]]></category>
		<category><![CDATA[nslookup]]></category>
		<category><![CDATA[PTR]]></category>
		<category><![CDATA[query refused]]></category>
		<category><![CDATA[querytype]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[system32]]></category>
		<category><![CDATA[type]]></category>
		<category><![CDATA[unix]]></category>
		<category><![CDATA[utility]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[zone transfer]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=286</guid>
		<description><![CDATA[<p> </p>
<p>Nslookup.exe (an abbreviation for name server lookup) is a command line utility used for testing and troubleshooting DNS servers. It is built into Unix (including Linux and variants) and Windows. The main purpose of the utility is to query DNS servers to find DNS details such as the MX records and NS servers of a domain.</p>
<p>In Windows, Nslookup.exe <p>Continue reading <a href="http://www.zerointellect.com/networking/nslookup-command-overview/">Nslookup command overview</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>Nslookup.exe (an abbreviation for name server lookup) is a command line utility used for testing and troubleshooting DNS servers. It is built into Unix (including Linux and variants) and Windows. The main purpose of the utility is to query DNS servers to find DNS details such as the MX records and NS servers of a domain.</p>
<p>In Windows, Nslookup.exe is installed automatically along with the TCP/IP protocol, which is installed by default during a new Windows installation or setup. The executable lies in the system directory <strong>c:\windows\system32</strong> by default in Windows XP and most other versions of Windows.</p>
<p> </p>
<p><strong>To get started with Nslookup.exe, the following prerequisites need to be present: </strong></p>
<p>The TCP/IP protocol must be installed on the computer on which you want to execute the Nslookup command; without it the command will not be available.</p>
<p>When you run the ipconfig /all command, at least one DNS server should appear in the list of DNS servers.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/09122009-diagram-1-1.png" alt="" width="505" height="309" /></p>
<p> </p>
<p>The Nslookup command always devolves (delegates from) the domain name from the current context (depending on the DNS server settings listed). If you do not use a fully qualified domain name, i.e. one ending with a trailing dot (.), the first query will append your DNS suffix to the queried domain name. For example, if your DNS suffix is listed as <strong>xyz.com</strong> and you run a query for <strong>www.bing.com</strong>, the actual query will go out as <strong>www.bing.com.xyz.com</strong> because you entered an unqualified name. However, if you query for <strong>www.bing.com.</strong> [with the trailing dot (.)], the query will rightly go out for <strong>www.bing.com</strong> only (diagram below). This strange behavior is specific to the Microsoft version of the Nslookup command. I do not know how Nslookup behaves in other vendors' versions.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/09122009-diagram-1-2.png" alt="" width="450" height="350" /></p>
<p> </p>
<p>If a DNS search list is being used in the Domain suffix search order on the DNS tab of the TCP/IP advanced properties (diagram below), devolution will not take place. Instead, the domain suffixes specified in the list will be appended to the query. To override the search list, always use the fully qualified domain name in your query.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/09122009-diagram-1-3.png" alt="" width="550" height="632" /></p>
<p> </p>
<p>The command can be used directly (<strong>non-interactive</strong> mode) or with subcommands (<strong>interactive</strong> mode). Using Nslookup.exe in non-interactive mode is useful when we just need the output of a specific query and only a single value needs to be returned. When we need the output of multiple queries and actions, it is better to use interactive mode.</p>
<p> </p>
<p>The syntax of non-interactive mode is as follows:</p>
<p> </p>
<blockquote><p><strong>nslookup [-option] [hostname] [server]</strong></p>
<p>nslookup [-opt ...]                          # interactive mode using default server</p>
<p>nslookup [-opt ...] - server          # interactive mode using 'server'</p>
<p>nslookup [-opt ...] host                 # just look up 'host' using default server</p>
<p>nslookup [-opt ...] host server    # just look up 'host' using 'server'</p>
<p>Option refers to the various options that are available, covered below.</p>
<p>Hostname refers to the name we need information on.</p>
<p>Server refers to the DNS server to be used to look up the host.</p></blockquote>
<p> </p>
<p>Look at the following output from Unix- and Windows-based hosts.</p>
<p> </p>
<p><strong>Command line output (without subcommands)</strong></p>
<p> </p>
<blockquote><p><strong>UNIX</strong></p>
<p>unix% nslookup example.com</p>
<p>Server:        192.168.1.1<br />
Address:    192.168.1.1#53</p>
<p>Non-authoritative answer:</p>
<p>Name:    example.com<br />
Address: 202.7.18.16</p>
<p> </p>
<p><strong>Windows</strong></p>
<p>C:\&gt;nslookup microsoft.com.</p>
<p>Server:  PQRTVXXXXD002DNS076<br />
Address:  210.213.34.3</p>
<p>Non-authoritative answer:</p>
<p>Name:    microsoft.com<br />
Addresses:  207.46.197.32, 207.46.232.182</p></blockquote>
<p> </p>
<p><strong>Using subcommands (Unix example)</strong></p>
<p> </p>
<blockquote><p><strong>nslookup</strong></p>
<p><strong>&gt; server ns1.com</strong></p>
<p>Default Server:  ns1.com<br />
Address:  172.204.22.25</p>
<p>&gt; set<br />
&gt; example.com</p>
<p>Server:  ns1.com<br />
Address:  202.7.18.16</p>
<p>example.com   MX preference = 10, mail exchanger = mail.example.com<br />
&gt; exit</p></blockquote>
<p> </p>
<p>After entering interactive mode, typing ? or help will reveal all the options that are available.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/09122009-diagram-1-4.png" alt="" width="550" height="371" /> </p>
<p>To interrupt interactive commands, press CTRL+C. To exit interactive mode and return to the command prompt, type exit at the command prompt. A number of different options can be set in Nslookup.exe by running the set command at the command prompt. A complete listing of these options is obtained by typing set all.</p>
<p> </p>
<p><strong>Looking up different data types: type and querytype</strong> </p>
<p>We will discuss two options of the set command, type and querytype. To look up different query types within the domain name space, we use the set type or set querytype command at the prompt. The two are exactly the same and are interchangeable. For example, to query for the mail exchanger records (mail server details) of a particular domain like yahoo.com, we can type the following:</p>
<p> </p>
<blockquote><p><strong>C:\&gt;nslookup</strong></p>
<p>&gt; set q=mx<br />
&gt; yahoo.com.</p>
<p>Server:  google-public-dns-a.google.com<br />
Address:  8.8.8.8</p>
<p>Non-authoritative answer:<br />
yahoo.com       MX preference = 1, mail exchanger = a.mx.mail.yahoo.com<br />
yahoo.com       MX preference = 1, mail exchanger = b.mx.mail.yahoo.com<br />
yahoo.com       MX preference = 1, mail exchanger = c.mx.mail.yahoo.com<br />
yahoo.com       MX preference = 1, mail exchanger = e.mx.mail.yahoo.com<br />
yahoo.com       MX preference = 1, mail exchanger = f.mx.mail.yahoo.com<br />
yahoo.com       MX preference = 1, mail exchanger = g.mx.mail.yahoo.com</p></blockquote>
<p> </p>
<p>The first time a remote host is queried, the local DNS server contacts the DNS server that is authoritative for that domain. The local DNS server then caches that information, so that subsequent queries are answered non-authoritatively out of the local server's cache. In other words, the first time a query is made for a remote name the answer is authoritative, but subsequent queries are non-authoritative.</p>
<p> </p>
<p><strong>Querying another name server directly: server and lserver</strong></p>
<p>If we want to send our queries to another DNS server on the internet, we can use the server or lserver command. For example, to use 8.8.8.8, the Google Public DNS server:</p>
<p> </p>
<blockquote><p><strong>C:\&gt;nslookup</strong></p>
<p>Default Server:  nameserver1.example.com<br />
Address:  10.1.2.3</p>
<p>&gt; server 8.8.8.8<br />
Default Server:  google-public-dns-a.google.com<br />
Address:  8.8.8.8</p></blockquote>
<p> </p>
<p>The difference between the <strong>server</strong> and <strong>lserver</strong> commands is that the server command uses the current default server to look up the address of the server to switch to, whereas lserver uses the local server to perform that lookup. For example, if you have a broadband connection and get a DHCP IP address from your ISP, you also automatically get some DNS servers (assume dns1.isp1.com); the lserver command forces the use of these local DNS servers retrieved from your ISP. However, if during the Nslookup.exe session you earlier changed the DNS server used to query other domains (assume you changed it to dns1.somefreedns.com), the server command would use the current default server (dns1.somefreedns.com) and not the local DNS server (dns1.isp1.com).</p>
<p> </p>
<p><strong>Zone Transfers: the ls command</strong></p>
<p>Nslookup.exe can be used to transfer an entire zone by using the ls command. The best use of this command is to store a list of all host names within a particular remote domain in a local file (example below).</p>
<p> </p>
<p>The syntax of this command is</p>
<p> </p>
<blockquote><p><strong>ls [opt] DOMAIN [&gt; FILE] - list addresses in DOMAIN (optional: output to FILE)<br />
</strong>    -a          -  list canonical names and aliases<br />
    -d          -  list all records<br />
    -t TYPE     -  list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)</p></blockquote>
<p> </p>
<p>Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.</p>
<p> </p>
<blockquote><p><strong>&gt;ls example.com</strong></p>
<p>[nameserver1.example.com]</p>
<p>nameserver1.example.com.    NS     server = ns1.example.com<br />
nameserver2.example.com     NS     server = ns2.example.com<br />
nameserver1                            A      10.0.0.1<br />
nameserver2                            A      10.0.0.2</p></blockquote>
<p> </p>
<p>While this is obviously a security issue, zone transfers can be blocked at the DNS server level, and this is the case most of the time on the internet (unless someone is foolish enough to let you see his internal structure and naming conventions). The command is useful if we want to see the structure of hosts within a LAN environment. If zone transfers have been blocked, we get output like the following:</p>
<p> </p>
<blockquote><p><strong>&gt; ls google.com.<br />
*** Can't list domain example.com.: Query refused</strong></p></blockquote>
<p> </p>
<p>When we want to send the output to a file (the file will be saved in the directory the command prompt was in before nslookup was started), we can do so as follows:</p>
<p> </p>
<blockquote><p><strong>&gt; ls google.com. &gt; lsoutput.txt<br />
Received 0 records.<br />
*** Can't list domain google.com.: Query refused</strong></p></blockquote>
<p> </p>
<p>In the following example, we want to view all mail server records within a particular domain and store the output in a file:</p>
<p> </p>
<blockquote><p><strong>&gt; ls -t MX google.com. &gt; lsoutput.txt<br />
Received 0 records.<br />
*** Can't list domain google.com.: Query refused</strong></p></blockquote>
<p> </p>
<p>In this article the Nslookup command was covered. While this was just a brief overview, there are many other issues, such as troubleshooting and whether using Nslookup itself is recommended, which will be covered in future articles.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/networking/nslookup-command-overview/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Preventing Smurf attacks by stopping IP directed broadcasts</title>
		<link>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/</link>
		<comments>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/#comments</comments>
		<pubDate>Fri, 04 Dec 2009 15:56:03 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[acl]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[denial of service]]></category>
		<category><![CDATA[icmp]]></category>
		<category><![CDATA[ip forward-protocol]]></category>
		<category><![CDATA[no ip directed-broadcast]]></category>
		<category><![CDATA[smurf attack]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=213</guid>
		<description><![CDATA[<p> </p>
<p>An IP Directed broadcast gives the sender the capability to send a packet and broadcast it to the entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts which enabled <p>Continue reading <a href="http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/">Preventing Smurf attacks by stopping IP directed broadcasts</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>An IP directed broadcast gives the sender the capability to send a packet and have it broadcast to an entire network. An example of a network broadcast address for the classful network ID 140.101.0.0/16 is 140.101.255.255. When Cisco introduced this command in IOS version 10.0, they did not realize the ramifications of enabling directed broadcasts, which allowed users to launch DoS attacks like the ICMP Smurf attack. In IOS version 12.0 they made amends by changing the default behavior to drop all directed broadcasts.</p>
<p>To understand what attackers can do if IP directed broadcasts are left enabled, we need to understand what a Smurf attack is and how it works.</p>
<p><strong>SMURF Attacks</strong></p>
<p>This is a type of Denial of Service attack in which the attacker sends ICMP packets to a network's broadcast address with a spoofed source IP address that belongs to the host being targeted. If the router is enabled for forwarding IP directed broadcasts, these ICMP packets will be delivered to all hosts in the network. Now imagine that there are 100 active hosts in that network, and imagine all of them simultaneously sending ICMP reply messages to the packets' source IP address, which is nothing but the IP address of the victim. These hosts would starve the network of bandwidth and would also deny legitimate users access to the victim host, thus creating a Denial of Service for the host being attacked. The diagram below explains this effectively.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-5.png" alt="" width="539" height="390" /></p>
<p> </p>
<p>The only way to stop this type of Smurf attack is by filtering the traffic that comes in at the network border. One method is to ensure that IP directed broadcasts are disabled; another is to use an ACL (which is more cumbersome but flexible and detailed).</p>
<p>The first thing we will do is find out the version of IOS that the router is running by typing the <strong>show version</strong> command.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-1.png" alt="" width="517" height="99" /></p>
<p> </p>
<p>We see that the router is running IOS version 12.4, which means that IP directed broadcasts are disabled on all interfaces by default. To enable or disable directed broadcasts, we first need to know which interfaces our router has. We do that by running the command <strong>show ip interface brief</strong>; the output is shown in the diagram below. We can see from the output that interface FastEthernet0/0 is enabled and FastEthernet0/1 is disabled.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-2.png" alt="" width="448" height="63" /></p>
<p> </p>
<p>Now, to see whether directed broadcasts are enabled on any of the interfaces, we need to scroll through the running configuration and look for the directed-broadcast setting.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-3.png" alt="" width="274" height="181" /></p>
<p> </p>
<p>Since directed broadcasts are enabled on FastEthernet0/0, we will disable them. We do that by entering the <strong>no ip directed-broadcast</strong> command under the interface configuration, as can be seen from the diagram below.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/04122009-diagram-1-4.png" alt="" width="492" height="65" /></p>
<p> </p>
<p><strong>So do we ever need to enable directed broadcasts?</strong></p>
<p>Yes, there might be certain situations where directed broadcasts are required, such as DHCP. For example, consider a LAN where clients in a particular network, say 33.35.22.0/24 (VLAN 33), connect to a DHCP server (IP address 55.35.76.1) in another VLAN (VLAN 55) to receive dynamic IP addresses. By default the border router of VLAN 33 would not allow the DHCP server in VLAN 55 to receive any DHCP requests, nor to send a DHCP reply or dynamic IP address to any of the clients within VLAN 33.</p>
<p>In addition, the ip helper-address interface configuration command is required to tell your Cisco router to forward DHCP requests to the central DHCP server located at 55.35.76.1. This is accomplished by the commands below:</p>
<p> </p>
<blockquote><p><strong>Point all clients in Vlan 33 to the DHCP server in Vlan 55<br />
</strong>R1(config)#int FastEthernet0/0<br />
R1(config-if)#ip helper-address 55.35.76.1</p>
<p><strong>Allow DHCP using this statement</strong><br />
R1(config)#ip forward-protocol udp bootpc</p>
<p><strong>The following statements are to be included for all protocols that are not allowed<br />
</strong>R1(config)#no ip forward-protocol udp domain<br />
R1(config)#no ip forward-protocol udp echo</p></blockquote>
<p> </p>
<p>One often overlooked fact is that ip helper-address will actually forward many other UDP-based broadcasts to the address specified, which might not be what you want. In such a situation, we would need to enable directed broadcasts only for the DHCP protocol (using the <strong>ip forward-protocol</strong> command) and negate any other protocols that we do not want (using the <strong>no ip forward-protocol</strong> command).</p>
<p>To summarize, if we have the latest gear (updated IOS versions), IP directed broadcasts will be disabled by default, but we need to know in what situations they need to be enabled and for what protocols. In general, few applications make use of IP directed broadcasts, so they should always be disabled by default and only enabled on specific interfaces for specific protocols. An alternative method is to configure access lists to permit or deny IP directed broadcasts; this is not feasible in larger networks, however, and enabling directed broadcasts on specific interfaces when needed for specific protocols is the better solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/security/preventing-smurf-attacks-by-stopping-ip-directed-broadcasts/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Manipulating network routing tables with the ROUTE command</title>
		<link>http://www.zerointellect.com/security/manipulating-network-routing-tables-with-the-route-command/</link>
		<comments>http://www.zerointellect.com/security/manipulating-network-routing-tables-with-the-route-command/#comments</comments>
		<pubDate>Mon, 30 Nov 2009 10:20:47 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tool Zone]]></category>
		<category><![CDATA[active routes]]></category>
		<category><![CDATA[hosts file]]></category>
		<category><![CDATA[network routing table]]></category>
		<category><![CDATA[networks file]]></category>
		<category><![CDATA[persistent routes]]></category>
		<category><![CDATA[route add]]></category>
		<category><![CDATA[route change]]></category>
		<category><![CDATA[route delete]]></category>
		<category><![CDATA[route print]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=163</guid>
		<description><![CDATA[<p> </p>
<p>We might sometimes need to manually configure the routes in the routing table. To get a better understanding of the capabilities of the ROUTE command, its best to get started with the documentation. Hence, running a route command without any parameters gives us the syntax and documentation of this command as can be seen from the <p>Continue reading <a href="http://www.zerointellect.com/security/manipulating-network-routing-tables-with-the-route-command/">Manipulating network routing tables with the ROUTE command</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>We might sometimes need to manually configure the routes in the routing table. To get a better understanding of the capabilities of the <strong>ROUTE</strong> command, it's best to start with the documentation. Running the route command without any parameters gives us the syntax and documentation of the command, as can be seen from the screenshot and the examples below.</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/30112009-diagram-2-1.png" alt="" width="550" height="469" /></p>
<p> </p>
<blockquote><p>Examples:</p>
<p>    &gt; route PRINT<br />
    &gt; route ADD <strong>157.0.0.0</strong> MASK <strong>255.0.0.0</strong>  <strong>157.55.80.1</strong> METRIC <strong>3</strong> IF <strong>2</strong><br />
       where the parameters above in bold refer to<br />
      <strong>destination</strong> , <strong>mask </strong>, <strong>gateway</strong> , <strong>metric </strong>, <strong>Interface</strong></p>
<p>If IF is not given, it tries to find the best interface for a given gateway<br />
    &gt; route PRINT<br />
    &gt; route PRINT 157*          &#8230;. Only prints those matching 157*<br />
    &gt; route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2</p>
<p>      CHANGE is used to modify gateway and/or metric only.<br />
    &gt; route PRINT<br />
    &gt; route DELETE 157.0.0.0<br />
    &gt; route PRINT</p></blockquote>
<p> </p>
<p>To get started we will print out the output of the current routing table</p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/30112009-diagram-2-2.png" alt="" width="550" height="236" /></p>
<p>The output of the <strong>route PRINT</strong> command above first displays the list of interfaces present in the local system, along with the type and manufacturer of each interface. Below that, the lists of active and persistent routes are displayed. We can see that the IP address 123.236.4.217 is our local system's IP address and the IP address 123.236.4.1 is the default gateway.</p>
<p> </p>
<p>To add an active route to the list of routes, we type the command:</p>
<blockquote><p><strong>route ADD 123.17.17.0 MASK 255.255.255.0 123.236.4.1 METRIC 33 IF 196610</strong></p>
<p><strong>Note: 196610 is the decimal form of the hex value 0x30002, which is the interface identifier of our Local Area Network.</strong></p></blockquote>
<p> </p>
<p>To verify that the route has been added with the dummy metric of 33, let's run <strong>route PRINT</strong>.</p>
<p> <img src="http://www.zerointellect.com/uploads/30112009-diagram-2-3.png" alt="" width="550" height="246" /></p>
<p>We see that the route has been added, as can be seen in the screenshot (red arrow).</p>
<p> </p>
<p>The problem here is that when we reboot the PC, the route to network 123.17.17.0 will not persist and will be removed. If we want the route to survive a reboot, we need to type something like:</p>
<blockquote><p><strong>route -p ADD 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 44 IF 196610</strong></p></blockquote>
<p> </p>
<p> <img src="http://www.zerointellect.com/uploads/30112009-diagram-2-4.png" alt="" width="550" height="271" /></p>
<p>The persistent route has been added (green arrow)</p>
<p> </p>
<p>If we made an error and wanted to change the metric for this persistent route, we could run the command</p>
<blockquote><p><strong>route -p CHANGE 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 55 IF 196610 </strong></p></blockquote>
<p> </p>
<p>The change in metric has been carried out below (yellow arrow)</p>
<p><img src="http://www.zerointellect.com/uploads/30112009-diagram-2-5.png" alt="" width="550" height="268" /></p>
<p> </p>
<p>To delete the persistent route we just added, we can run the command</p>
<blockquote><p><strong>route -p DELETE 123.18.18.0 MASK 255.255.255.0 123.236.4.1 METRIC 55 IF 196610 </strong></p></blockquote>
<p> </p>
<p>All symbolic names used for the destination are looked up in the network database file NETWORKS. Symbolic names for the gateway are looked up in the host name database file HOSTS.</p>
<p>Let's take a closer look at the default hosts file (the file doesn't have an extension and needs to be opened in Notepad).</p>
<blockquote><p><strong>Location: C:\WINDOWS\system32\drivers\etc\hosts</strong></p>
<p><strong># Copyright (c) 1993-1999 Microsoft Corp.<br />
#<br />
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.<br />
#<br />
# This file contains the mappings of IP addresses to host names. Each<br />
# entry should be kept on an individual line. The IP address should<br />
# be placed in the first column followed by the corresponding host name.<br />
# The IP address and the host name should be separated by at least one<br />
# space.<br />
#<br />
# Additionally, comments (such as these) may be inserted on individual<br />
# lines or following the machine name denoted by a '#' symbol.<br />
#<br />
# For example:<br />
#<br />
#      102.54.94.97     rhino.acme.com          # source server<br />
#       38.25.63.10     x.acme.com              # x client host</strong></p>
<p><strong>127.0.0.1       localhost</strong></p></blockquote>
<p>This file contains the host name mappings for the system. Let us add a line for a dummy host (and one for a dummy gateway that we will use later); the lines would look like:</p>
<blockquote><p><strong>64.4.8.147     gotothebingwebsite</strong></p>
<p><strong>123.19.19.1     123dummygateway</strong></p></blockquote>
<p>To test whether our newly added host is working, we can do a few things:</p>
<p>1. Type the URL <strong>http://gotothebingwebsite</strong> in any browser; this should take us to the IP address 64.4.8.147, which is nothing but <a href="http://www.bing.com" target="_blank">www.bing.com</a>.</p>
<p>2. Pinging the host gotothebingwebsite sends a ping to 64.4.8.147, as can be seen from the output below:</p>
<blockquote><p><strong>C:\&gt;ping gotothebingwebsite</strong></p>
<p><strong>Pinging gotothebingwebsite [64.4.8.147] with 32 bytes of data:</strong></p>
<p><strong>Request timed out.<br />
Request timed out.<br />
Request timed out.<br />
Request timed out.</strong></p>
<p><strong>Ping statistics for 64.4.8.147:<br />
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),</strong></p></blockquote>
<p>  </p>
<p>Similarly, let's look at the default networks file.</p>
<blockquote><p><strong>Location: C:\WINDOWS\system32\drivers\etc\networks</strong></p>
<p><strong># Copyright (c) 1993-1999 Microsoft Corp.<br />
#<br />
# This file contains network name/network number mappings for<br />
# local networks. Network numbers are recognized in dotted decimal form.<br />
#<br />
# Format:<br />
#<br />
# &lt;network name&gt;  &lt;network number&gt;     [aliases...]  [#&lt;comment&gt;]<br />
#<br />
# For example:<br />
#<br />
#    loopback     127<br />
#    campus       284.122.107<br />
#    london       284.122.108</strong></p>
<p><strong>loopback                 127</strong></p></blockquote>
<p>At the moment the networks file contains only a single network, the loopback network with network number 127. Let us add another network with network number <strong>123.19.19.0</strong>.</p>
<p>Let us take a scenario where all traffic for the <strong>123.19.19.0</strong> network should be routed to the gateway we created earlier, called <strong>123dummygateway</strong>.</p>
<p>To do that, we go back to the command prompt and type the command:</p>
<blockquote><p><strong>C:\&gt;route ADD 123.19.0.0 MASK 255.255.254.0 123dummygateway METRIC 7</strong></p></blockquote>
<p>The use of symbolic names is helpful when adding many entries to the routing table, where the networks and IP addresses would otherwise have to be typed many times.</p>
<p> </p>
<p>We can also print selected output instead of displaying the entire routing table. For example, the command below displays only routes starting with 123.18:</p>
<blockquote><p><strong>route PRINT 123.18.*</strong></p></blockquote>
<p> </p>
<p>The wildcards supported are * and ?, where '*' matches any string and '?' matches any single character.</p>
<p> </p>
<p>The last option is -F, which clears the routing tables of all gateway entries. If it is used in conjunction with one of the other commands, the tables are cleared before that command is run.</p>
<p> </p>
<p>To summarize, we need to understand the route command and how its output is interpreted, because that helps us identify entries that should not be there or that have been maliciously added to redirect traffic to specific interfaces. For example, if a malicious user is able to install a router/gateway with an IP address belonging to the same network that a company runs on, and then adds an entry to a PC&#8217;s routing table (via a shell script, etc.), the attacker can indirectly redirect traffic destined for another gateway to the gateway he controls, creating a Man in the Middle (MIM) type attack in which all of the victim&#8217;s traffic passes through his gateway. This has security implications and can also hamper performance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/security/manipulating-network-routing-tables-with-the-route-command/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing your URL with Hexadecimal codes</title>
		<link>http://www.zerointellect.com/security/securing-your-url-with-hexadecimal-codes/</link>
		<comments>http://www.zerointellect.com/security/securing-your-url-with-hexadecimal-codes/#comments</comments>
		<pubDate>Mon, 30 Nov 2009 03:22:25 +0000</pubDate>
		<dc:creator>zrydento</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[ascii]]></category>
		<category><![CDATA[ascii table]]></category>
		<category><![CDATA[hexadecimal]]></category>
		<category><![CDATA[url security]]></category>

		<guid isPermaLink="false">http://www.zerointellect.com/?p=158</guid>
		<description><![CDATA[<p> </p>
<p>The hexadecimal codes of ASCII characters can be used to represent characters in a URL&#8217;s path and filename.</p>
<p>Each hex code is preceded by a &#8220;%&#8221; symbol, which identifies the following two hex digits as the hexadecimal representation of a character.</p>
<p>An ASCII chart can be used for the conversion from ASCII to hex or vice versa.</p>
<p>One good source </p><p>Continue reading <a href="http://www.zerointellect.com/security/securing-your-url-with-hexadecimal-codes/">Securing your URL with Hexadecimal codes</a></p>]]></description>
			<content:encoded><![CDATA[<p> </p>
<p>The hexadecimal codes of ASCII characters can be used to represent characters in a URL&#8217;s path and filename.</p>
<p>Each hex code is preceded by a &#8220;%&#8221; symbol, which identifies the following two hex digits as the hexadecimal representation of a character.</p>
<p>An ASCII chart can be used for the conversion from ASCII to hex or vice versa.</p>
<p>One good source for ASCII to hex charts is <a href="http://en.wikipedia.org/wiki/ASCII" target="_self">http://en.wikipedia.org/wiki/ASCII</a> (both tables below have been taken from this URL).</p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/30112009-diagram-1.png" alt="" width="494" height="860" /></p>
<p> </p>
<p><img class="aligncenter" src="http://www.zerointellect.com/uploads/30112009-diagram-2.png" alt="" width="614" height="859" /></p>
<p> </p>
<p>Hex codes are typed into a URL to make it possible to include special characters that would otherwise be wrongly interpreted or not allowed. A good example is SPACE, which cannot appear in a URL in its original form and is therefore represented by the hex code 20 (prefixed by % in a URL, making it %20).</p>
<p> </p>
<p>For example, if we were to visit the URL <a href="http://www.bing.com" target="_blank">www.bing.com</a>, its letters could be written as</p>
<p> </p>
<blockquote><p><strong>B =  %42</strong></p>
<p><strong>I = %49</strong></p>
<p><strong>N = %4e</strong></p>
<p><strong>G = %47</strong></p></blockquote>
<p> </p>
<p>Hence, <a href="http://www.bing.com" target="_blank">www.bing.com</a> could be written as <a href="http://www.%42%49%4e%47.com" target="_blank">www.%42%49%4e%47.com</a></p>
<p> </p>
<p>Note: The &#8220;slashes&#8221; in the address cannot be represented in hex, nor can an IP address be rendered this way (the %XX form), but the rest of the URL can be manipulated.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zerointellect.com/security/securing-your-url-with-hexadecimal-codes/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

