While I was looking for free public DNS servers the other day, I happened to come across the Google Public DNS. Reading the FAQ I gathered that it was not based upon BIND or NSD but was a proprietary DNS server written by Google.

When you connect to your ISP, most of the time you get an IP address and DNS servers from your ISP’s Dynamic Host Configuration Protocol (DHCP) server.

As per their website, Google Public DNS is a recursive DNS resolver, similar to other publicly available services, but it is not any of the following:

• A top-level domain (TLD) name service. Google is not an operator of top-level domain servers (generic or country-code)
• Google Public DNS is not a third-party DNS application service provider, such as DynDNS, that hosts authoritative records for other domains.
• Google Public DNS servers are not authoritative for any domain. Google maintains a set of other nameservers that are authoritative for domains it has registered, hosted at ns[1-4].google.com.
• A malware-blocking service. Google Public DNS does not perform blocking or filtering of any kind.

To use Google Public DNS, you need to explicitly change the DNS settings in your operating system or device to use the Google Public DNS IP addresses below.

The Google Public DNS IP addresses are as follows:

8.8.8.8
8.8.4.4

You can follow the steps below to change DNS settings in the TCP/IP properties window for the required network connection. (Example below is for Windows XP)

1. Navigate to the Control Panel.
2. Click Network and Internet Connections, then Network Connections.
3. Select the connection for which you want to configure Google Public DNS. For example:
- To change the settings for an Ethernet connection, right-click Local Area Connection, and click Properties.
- To change the settings for a wireless connection, right-click Wireless Network Connection, and click Properties.
4. Under the General Tab. Under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.
5. Click Advanced and select the DNS tab. Note down any DNS server IP addresses already listed there and then remove all of them from this window.
6. Click OK.
7. Select the option Use the following DNS server addresses. If there are any IP addresses listed in the Preferred DNS server or Alternate DNS server, write them down for future reference.
8. Replace those addresses with the IP addresses of the Google DNS servers: 8.8.8.8 and 8.8.4.4.
9. Restart the connection you selected.

I tried to gather more information about the service and noted down the following:

- Servers spread about around the globe (obviously)
- The service uses anycast routing to direct requests to the nearest DNS server
- Google Public DNS can respond to requests for IPv6 addresses (AAAA requests), but it does not yet support native IPv6 transport and cannot talk to IPv6-only authoritative nameservers. Clients should use IPv4 network connections to use Google Public DNS. This is likely to change as the service evolves.
- Google Public DNS is an independent service with no cross product dependencies.
- No technical support is provided by google directly and the only available form of support is Google groups, a Twitter channel and telephone support.
- The service is not bound by SLA at this time. 

The benefits mentioned by Google while using their DNS server are:

- Speed up your browsing experience
- Improve your security
- Get the results you expect with absolutely no redirection

I tried the new DNS settings and was satisfied (without a few domain names not resolving), I have yet to try to calculate the difference in latency of my old DNS servers versus Google Public DNS. I expect the product to improve much more in the long run.

Although BIND is the most popular domain name server software being used today, NSD (“name server daemon”) is another popular alternative open-source server program.

NSD is an authoritative name server (i.e., not implementing the recursive caching function by design) and uses BIND-style zone-files (zone-files used under BIND can usually be used unmodified in NSD, once entered into the NSD configuration).

NSD uses zone information compiled via ‘zonec’ into a binary database file (nsd.db) which allows fast startup of the NSD name-service daemon, and allows syntax-structural errors in Zone-Files to be flagged at compile-time (before being made available to NSD service itself).

The collection of programs/processes that make-up NSD are designed so that the NSD daemon itself runs as a non-privileged user and can be easily be configured to run in a Chroot jail (A chroot environment can be used to create re-root a program to another directory in unix), such that security flaws in the NSD daemon are not so likely to result in system-wide compromise.

Most of the Internet root nameservers use BIND, however a few of them also use NSD. Apart from that several other TLDs use NSD for part of their servers.

Domain Name Servers on the internet use various software to function, the most popular DNS server type on the internet is BIND, which stands for Berkeley Internet Name Domain. BIND is the predominant system on UNIX based systems. 

BIND was originally created at the University of California, Berkeley and is maintained today by the Internet Systems Consortium. It was rewritten to address architectural difficulties and also to support DNSSEC (DNS Security Extensions).

BIND initially supported only flat text files to store and retrieve data. However, recent versions of BIND have allowed zone data storage and retrieval in a variety of database formats including LDAP, PostgreSQL, MySQL, and ODBC.

Since BIND was written a long time back, there were many security vulnerabilities that have been exploited by earlier versions of BIND and hence their use is strongly discouraged. The latest version of BIND should be deployed, although they have also experienced numerous vulnerabilities which can be managed to some extent by using DNSSEC and other technologies

More information about BIND at the ISC website can be obtained from https://www.isc.org/software/bind

Nslookup.exe (abbreviation for name server lookup) is a command line utility used for testing and troubleshooting DNS servers. It is built into Unix (including Linux and variants) and Windows. The main purpose of the utility is to query DNS servers to find DNS details, MX records for a domain, NS servers of a domain

In Windows, Nslookup.exe is automatically installed along with the TCP/IP protocol installation which is done by default during a new Windows installation or setup. The actual executable lies in the system directory c:\windows\system32 directory by default in Windows XP and most other versions of Windows.

To get started with Nslookup.exe, the following prerequisites need to be present: 

The TCP/IP protocol must be installed on the computer that you want to execute the Nslookup command without which the command will not be available

When you run the ipconfig /all command, at least one DNS server should exist in the list of DNS servers

The Nslookup command always devolves (delegates from) the domain name from the current context (depending on the DNS Server settings listed). If you fail to use a fully qualified domain name, i.e. ending the domain name with a trailing dot (.), the first query will append the DNS settings to your query domain name. For example, if you have your DNS settings listed as xyz.com and you run a query for www.bing.com, the actual query will go out as www.bing.com.xyz.com because of you entering an unqualified query. However, if you were to query for www.bing.com. [with the trailing dot (.)], then the query would rightly go out to www.bing.com only (diagram below). This strange behavior is specific to the Microsoft version of the Nslookup command. I do not know of how Nslookup behaves while run with other vendors.

If the DNS search list is being used in the Domain suffix search order in TCP/IP advanced properties DNS tab (diagram below), devolution will not take place. The query will be appended to the domain suffixes specified in the list. To override the search list, always use the Fully Qualified Domain Name in your query.

The command can be used directly (non-interactive mode) or with subcommands (interactive mode). Using Nslookup.exe in the non-interactive mode is useful when we just need the output of a specific query and only a single value needs to be returned. But when we need to get the output for multiple queries and actions it is better to use the interactive mode

The syntax of Non Interactive Mode is as follows:

nslookup [-option] [hostname] [server]

 nslookup [-opt ...]                          # interactive mode using default server

nslookup [-opt ...] – server          # interactive mode using ‘server’

nslookup [-opt ...] host                 # just look up ‘host’ using default server

nslookup [-opt ...] host server    # just look up ‘host’ using ‘server’

Option refers to the various options that are available covered below

Hostname refers to the query that we need information on

Server refers to the DNS server to be used to search for the host

 Look at the following output from a unix and windows based host

Command line output (without subcommands)

UNIX

unix% nslookup example.com

Server:        192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:

Name:    example.com
Address: 202.7.18.16

 

Windows

C:\>nslookup microsoft.com.

Server:  PQRTVXXXXD002DNS076
Address:  210.213.34.3

Non-authoritative answer:

Name:    microsoft.com
Addresses:  207.46.197.32, 207.46.232.182

Using subcommands (unix example)

nslookup

> server ns1.com

Default Server:  ns1.com
Address:  172.204.22.25

> set
> example.com

Server:  ns1.com
Address:  202.7.18.16

example.com   MX preference = 10, mail exchanger = mail.example.com
> exit

After entering the interactive mode, typing ? or help will reveal all the options that are available

To interrupt interactive commands, press CTRL+C. To exit interactive mode and return to the command prompt, type exit at the command prompt. A number of different options can be set in Nslookup.exe by running the set command at the command prompt. A complete listing of these options is obtained by typing set all.

Looking up different data types: type and querytype 

We will discuss the two options, type and querytype that belong to the set command. To look at different query type options within the domain name space, we use the set type or set querytype command at the command prompt. Both of them are exactly the same and are interchangeable. For example, to query for mail exchanger records (mail server details) of a particular domain like yahoo.com, we can type the following:

C:\>nslookup

> set q=mx
> yahoo.com.

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
yahoo.com       MX preference = 1, mail exchanger = a.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = b.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = c.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = e.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = f.mx.mail.yahoo.com
yahoo.com       MX preference = 1, mail exchanger = g.mx.mail.yahoo.com

The first time a remote host is queried, the local DNS server contacts the DNS server that is authoritative for that domain. The local DNS server will then cache that information, so that subsequent queries are answered nonauthoritatively out of the local server’s cache. The first time a query is made for a remote name, the answer is authoritative, but subsequent queries are nonauthoritative.

Querying another name server directly: server  and lserver

If we wanted to use another DNS server on the internet to send our queries, we can use the server or lserver commands. For example, using the DNS server 8.8.8.8 that is the Google Public DNS server

C:\>nslookup

Default Server:  nameserver1.example.com
Address:  10.1.2.3

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

The difference between the server and lserver commands is that the server command is uses the current default server to get the address of the server to switch to, whereas the lserver uses the local server to get the same address. For example, if you have a broadband connection and get a DHCP IP address from your ISP, you would also automatically get some DNS servers (assume dns1.isp1.com), the lserver command forces the usage of these local dns servers that were retrieved from your ISP. However, while using the Nslookup.exe command, if you earlier changed the DNS server that is used to query for other domains (assume you changed it to dns1.somefreedns.com), the server command would use the current default server (dns1.somefreedns.com) and not the local dns servers (dns1.isp1.com)

Zone Transfers : LS command

Nslookup.exe can be used to transfer an entire zone by using the ls command. The best use of this command is if you want to store a list of all host names within a particular remote domain into a local file (example below)

The syntax of this command is

ls [opt] DOMAIN [> FILE] – list addresses in DOMAIN (optional: output to FILE)
    -a          -  list canonical names and aliases
    -d          -  list all records
    -t TYPE     -  list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)

Using ls with no arguments will return a list of all address and name server data. The -a switch will return alias and canonical names, -d will return all data, and -t will filter by type.

>ls example.com

[nameserver1.example.com]

nameserver1.example.com.    NS     server = ns1.example.com
nameserver2.example.com     NS     server = ns2.example.com
nameserver1                            A      10.0.0.1
nameserver2                            A      10.0.0.2

While this is obviously a security issue, zone transfers can be blocked at the DNS Server level and this would be the case most of the time on the internet (unless someone foolish enough would like you to see his internal structure and naming conventions). This command is useful if we want to see the structure of hosts within a LAN environment. If zone transfers have been blocked, we would get output like the following

> ls google.com.
*** Can’t list domain example.com.: Query refused

When we want to send the output to a file (the file will be saved in the location that was mentioned in the command prompt before the nslookup command was started, we can do so as follows

> ls google.com. > lsoutput.txt
Received 0 records.
*** Can’t list domain google.com.: Query refused

In the following example below, we want to view all mail server records within a particular domain and store the output to a file

> ls –t MX google.com. > lsoutput.txt
Received 0 records.
*** Can’t list domain google.com.: Query refused

In this article the Nslookup command was covered. While this was just a brief overview, there are many other issues like troubleshooting and whether using Nslookup itself is recommend which will be covered in future articles

We all know IP addresses to be of the form XX.XX.XX.XX where XX is an octet ranging from 1 to 255 (Although other rules apply as to what the value of XX could be depending on either of the four octets)

However, for users who want to obscure the actual IP address can do so by representing them in serveral other formats. Some of the formats are:

1. Decimal System

The traditional format that we know of is 192.168.1.1 where 4 decimal numbers are seperated by dots (.)

I will practically demonstrate converting between the different formats with a live example www.bing.com

C:\>ping bing.com

Pinging bing.com [64.4.8.147] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 64.4.8.147:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Here the Decimal System version of the IP address 64.4.8.147 , this is represented in the base 10 system. Typing http://64.4.8.147 in the browser would also take you to www.bing.com

2. Octal System

An IP address represented in the octal system is basically in the base-8 system

64.4.8.147  would be broken down into

64 = 100 (octal)

4 = 4 (octal)

8 = 10 (octal)

147 = 223 (octal)

Hence the IP address in Octal format would be 0100.04.010.0223 (for those people who hate 0′s and 1′s, the same conversion can be easily done using the Windows Calculator)

Note: A single leading zero has been added to every octal number above, however any number of leading zeroes can be added (there is however a limit, some browsers won’t accept lots of zeroes)

Hence, 0100.04.010.0223 is the same as 00100.004.0010.00223 and www.bing.com can also be written as http://0100.04.010.0223

3. Domain Name System

Here the IP address is represented in its equivalent domain name using human recognizable characters. In our example, the DNS equivalent would be www.bing.com

4. Hexadecimal System

To convert a decimal IP address into its hexadecimal equivalent, break the ip address into its individual octets. Let us take out example above 64.4.8.147

64 = 40 (hex)

4 = 04 (hex)

8 = 08 (hex)

147 = 93 (hex)

Hence, 64.4.8.147 is equivalent to 0×40040893, the 0x is prefixed to indicate hexadecimal. Typing http://ox40040893 into the browser would take you to the bing website also

5. Double Word (DWORD)

To understand this format, we first need to understand what a double word is. A word consists of 16 binary digits (bits) and a double word consists of 32 bits

 To convert a decimal IP address into DWORD format, we first need to convert it into Hexadecimal and then convert the hexadecimal number to base 10

From point 4 (decimal to hex conversion) above we can see that the Hex equivalent of our sample IP address, 64.4.8.147 is 0×40040893

Now to convert this Hexadecimal number to DWORD, one of the easiest ways is to use the Windows Calculator

Click on Start > Programs > Accessories > Calculator
Click on View > Scientific
Now, select ‘Hex’ from the left top corner and type in the hex value in the field
Then click on Dec (Decimal). You will find that the value that you typed in would have changed to the corresponding value

Hence the equivalent DWORD value as per the diagram is 1074006163 and entering http://1074006163 into the browser would also take you to www.bing.com

6. Hybrid/Mixed

Last but not least, we have another format that is a continental cocktail of two or more of the formats above. In other words, we can mix decimal and hex in one ip address or anything that you can think of

For example, IP address formats

Decimal   64.4.8.147

Hexadecimal   0×40040893

DWORD   1074006163

I can mix the decimal and the hexadecimal as in http://64.0×04.0×08.147/

I can also mix and match more than 2 formats (hex, decimal, octal) as in http://64.0×04.8.0223

Expressing characters in the URL in Hexadecimal format

An ASCII to Hex Chart can be used to represent letters in the URL in Hex format

For the complete chart and more information, an excellent resource is

http://en.wikipedia.org/wiki/ASCII

WARNING: The obscured URL’s do not work in all browsers of all types and versions, internet explorer is pretty flexible, however netscape and firefox are crancky from my experience with URL’s in different formats

To summarize, URL’s can be obscured by converting IP address from the traditional decimal format to any of the other formats mentioned like DWORD, Octal, Hexadecimal, etc. In addition, characters in a URL can be expressed as numbers in hexadecimal format