
Cybersecurity Essentials

Networking

203: Name Resolution


Version 1.0

Welcome. Networking 203: Name Resolution is the fourth in a series of courses that explain how
networks operate and some of the cybersecurity issues they exhibit.

Sophos Cybersecurity Essentials


Networking

February 2020
Version: 1.0

© 2019 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Networking 203: Name Resolution Page 1


About This Course

This course is designed for technical professionals who want to understand how names are used
and resolved on private TCP/IP networks and on the Internet.

Course Duration: this course will take around 45 minutes to complete.


Assumed Knowledge

This course assumes knowledge of the content included in other parts of the series. There is no
requirement to complete all courses but if you are unfamiliar with any of the terms and concepts
used during this training, we recommend one or more of:

101 Getting Started with Networking
201 TCP/IP Networking Model
202 IP and Routing


Activities

Activities are suggested throughout the course that allow you to try the techniques described. You
can complete these during the course or at a later time.

Each activity slide includes a Download Activity button that opens a PDF containing instructions for
that activity. Instructions for all activities can be opened by selecting the file from the RESOURCES
menu, and are also included at the back of the Student Handout.

Activities later in the course may rely on the completion of earlier activities.

The instructions are written for Windows computers but the notes indicate where alternatives are
available for Mac or Linux.


Course Agenda

1. Fully Qualified Domain Names
2. DNS Name Servers
3. Domain Name System (DNS)
4. DNS Lookup
5. NetBIOS Name Resolution
6. Troubleshooting Name Resolution

We use names to access resources on the Internet and local networks but these names must be
resolved to their IP addresses for communication to take place.

In this course you will learn about the structure of names and the Domain Name System that
allows them to be resolved. You will also learn about some of the security risks that name
resolution can present.

This course consists of 6 topics.


Course Hub: Select a Topic

This is the course hub page, which provides access to the six topics listed in the agenda.

Topics can be repeated if you want to review a section and the student handout includes the slides
and notes for all topics covered.


Fully Qualified Domain Names (FQDNs)


Human-Friendly Names

IP addresses are not easy for humans to remember so networks use easy-to-remember names
such as www.sophos.com, which are known as Fully Qualified Domain Names (FQDNs). Although
names are used to make requests, a valid destination IP address is required for the request to be
routed successfully. IP networks therefore include the Domain Name System (DNS), which is
responsible for resolving names to IP addresses.

Each IP device is typically configured with the IP addresses of one or more DNS servers. When an
application on the device needs to contact a named host, the device sends a query for that name to
its DNS server and the server responds with the associated IP address. The device can then address
its packets to that IP address and forward them appropriately.


Resolving Names to IP Addresses

Slide diagram: a laptop running a web browser sends a DNS request for www.sophos.com to its DNS
server, then sends the web request through its router and ISP to the Sophos web server
www.sophos.com at 23.64.22.240.

In the example, the user on the laptop opens a browser and enters the URL https://www.sophos.com.
The laptop sends a lookup request for www.sophos.com to the DNS server configured in its IP
settings. The DNS server responds with the IP address associated with www.sophos.com, which is
23.64.22.240.

If your DNS server does not hold the required record itself, it contacts other DNS servers to obtain
it, as described later in the course.

Once the laptop has the IP address it makes the web request. Because the address is not on the
local network, the laptop forwards the request to its default gateway.


The Evolution of DNS

In the early days of TCP/IP networking, Internet names were resolved to IP addresses using a text
file named hosts, a copy of which every system had to keep up to date. The introduction of the
Domain Name System (DNS) replaced this with a distributed, hierarchical database of names that
can be queried over the network, making the Internet far more accessible for everyday use.

The hosts file still exists on modern Windows, Mac and Linux systems and is normally consulted
before DNS, so an entry in it overrides whatever DNS would have returned for that name.


Fully Qualified Domain Names

Slide example: DC.AD.sophostraining.xyz.
host = DC, subdomain = AD, domain = sophostraining, top-level domain = xyz, root = the trailing dot

Alongside the introduction of DNS came the concept of fully qualified domain names (FQDNs). The
concept originated for the Internet but is also now used within private networks.

An FQDN, sometimes also referred to as an absolute domain name, is a domain name that specifies
the exact location of the resource in the tree hierarchy of the Domain Name System (DNS).

An FQDN is made up of multiple parts (labels), separated by dots:

• The host is the name of the computer or service
• The domain identifies the organization. A sub-domain may be used to separate parts of the
domain, for example Active Directory (AD) and external resources
• The further right a label is located, the higher it lies in the tree, which is shown on the next
slide. The highest level is known as the “root” of the DNS system. It is shown as a trailing dot but
in most cases is omitted when entering an FQDN


The Naming Hierarchy

Slide diagram (tree, root at the top):

Root               .
Top Level Domain   com    org         net    xyz
Organization       ...    wikipedia   ...    sophostraining
Host / Sub-domain         sco  en            www  AD
Hosts in AD                                       DC  SRV

Examples: www.sophostraining.xyz. and DC.AD.sophostraining.xyz.

As the image shows, names are organized as a hierarchy.

At the top is the root, followed by the top level domain and organization domain. Below the
organization domain it is possible to have both sub-domains and hosts. A host is a server that
provides resources such as web or email. In the example the sophostraining.xyz domain holds
external resources, such as the host www.sophostraining.xyz.

A sub-domain named AD is used for the internal network and this contains the hosts DC and SRV.


Top Level Domains (TLD)

Slide table:

Original TLDs     Country TLDs           Generic TLDs
com, edu, gov     .us  United States     .website  Web Sites
                  .uk  United Kingdom    .wiki     Wikis
                  .de  Germany           .xyz      General

View the full list of top level domains at iana.org

Top level domains (TLDs) are generally used to identify the type of organization. The original list
included com for commercial, edu for education and gov for government.

Country-code TLDs were added for individual countries, and as the Internet grew and unique names
became harder to find, a large number of generic TLDs were introduced. There are now about
1,500 TLDs.

The root zone is managed by the Internet Assigned Numbers Authority (IANA), a function operated
by ICANN, a nonprofit American corporation. IANA has responsibility for agreeing new TLDs and
delegating their management. Use the link to view the full list of top level domains and the
organizations to which the management of each has been delegated.


Domain Registration

Domain names used on the Internet must be registered, which in practice means paid for on an
annual basis. Anyone can register a domain name by visiting a domain name registrar, selecting an
available domain name and paying a fee.

The most popular names, particularly in the .com TLD, may already be taken. As the example on
the slide shows, sophostraining.com is not available but other options are suggested.


Activity 1

In this activity you will use http://whois.domaintools.com/ to discover information about a domain.

Use the Download Activity button to open the instructions.


Security Issue: Cybersquatting

Slide examples: www.goolge.com vs. www.google.com; sophos.community.com vs.
community.sophos.com. If the URL is not visible, use hover or right-click and copy to view it. A
URL can be checked at www.urlvoid.com.

Often, cybercriminals will purchase and “squat” on website names that are similar to an official
website in the hope that users go to the wrong site, such as www.googel.com with the ‘e’ and ‘l’
reversed, or www.goolge.com with the ‘g’ and ‘l’ reversed.

Another trick is to use fully qualified domain names that include the organization’s name but are
actually in another domain, such as sophos.community.com, which belongs to whoever registered
community.com, not to Sophos. Remember, it’s the label next to the top level domain that
identifies the owner. For country TLDs with second-level groupings such as .co.uk the owner’s label
is the one to the left of that suffix, for example example.co.uk.

If the URL is not visible, use hover or right-click and copy to view it. If you are worried you can
paste it into websites such as https://www.urlvoid.com, which check the name against lists of
known malicious URLs. A clean result there means the name is not yet on those lists, not that the
site is safe.
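The following Python is an added example, not part of the Sophos course: it splits a name into its labels as described in the FQDN topic and applies the ownership rule above to the slide’s look-alike examples. The trusted-domain list and the small public-suffix table are constructed for the example; a real check would load the full Public Suffix List.

```python
# Added example (not part of the Sophos course): split a name into its labels
# and apply the "which label identifies the owner?" rule to the slide's
# look-alike examples.  TRUSTED and PUBLIC_SUFFIXES are constructed for the
# example; a real check would load the full Public Suffix List.
from dataclasses import dataclass

# Illustrative multi-label public suffixes.  They exist to show why the label
# next to the TLD is not always the owner (example.co.uk, not co.uk).
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Domains we consider genuine (constructed list for the example).
TRUSTED = ("google.com", "sophos.com", "paypal.com")


@dataclass
class ParsedName:
    host: str         # labels to the left of the registrable domain ("" if none)
    registrable: str  # the part a registrar sells, e.g. sophos.com
    suffix: str       # TLD or public suffix, e.g. com or co.uk


def parse_fqdn(name: str) -> ParsedName:
    """Split an FQDN; a trailing dot (the root) is accepted and ignored."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a valid domain name: {name!r}")
    suffix_len = 1
    for n in (3, 2):  # longest public suffix wins, otherwise the single TLD
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
            break
    registrable = ".".join(labels[-(suffix_len + 1):])
    host = ".".join(labels[:-(suffix_len + 1)])
    return ParsedName(host, registrable, ".".join(labels[-suffix_len:]))


def edit_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent swap ('googel' vs 'google') as one edit."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify(url_host: str) -> tuple:
    """Return (verdict, detail) for the host part of a URL."""
    parsed = parse_fqdn(url_host)
    if parsed.registrable in TRUSTED:
        return "trusted", parsed.registrable
    host_labels = parsed.host.split(".") if parsed.host else []
    brand = parsed.registrable.split(".")[0]
    for trusted in TRUSTED:
        trusted_brand = trusted.split(".")[0]
        # Brand name used only as a subdomain of somebody else's domain.
        if trusted_brand in host_labels:
            return "brand-in-subdomain", parsed.registrable
        # Registrable label within one edit of a trusted brand (typo-squat).
        if 0 < edit_distance(brand, trusted_brand) <= 1:
            return "lookalike", trusted
    return "unknown", parsed.registrable


if __name__ == "__main__":
    for host in ("community.sophos.com", "sophos.community.com",
                 "www.goolge.com", "www.paypal.com.example.co.uk"):
        print(host, "->", classify(host))
```

The verdict depends on the registrable domain, never on how far left a familiar name appears; that is the rule a user hovering over a link should apply too.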


Activity: Is It a Phish?

Only one of the PayPal buttons on the slide would take you to a genuine PayPal login page. Click
on the button that is genuine. Remember, you can view the URL by hovering over the button.


Activity 2

In this activity you will use http://whois.domaintools.com/ to see how organizations protect against
cybersquatting.

Use the Download Activity button to open the instructions.


DNS Name Servers


DNS Servers

The Domain Name System (DNS) is a huge hierarchical and decentralized database of names and IP
addresses, hosted by many thousands of name servers. All name servers use the same protocols
and standards, so we will start by looking at how a single server operates.

The DNS server we will consider is on a private network and holds the records for the
ad.sophostraining.xyz domain. The computer that is hosting the DNS server is named DC. It has a
record in its own database that shows an IP address of 172.16.1.10.


DNS Clients

Any device connected to a network needs the address of a DNS server to resolve names to IP
addresses.

The DNS server address can be entered manually in the device’s IP configuration, as the slide shows,
but it is more common to obtain both an IP address and DNS server address automatically using
DHCP.

For more information on DHCP see Networking 202: IP and Routing.


DNS Zones

DNS servers are typically responsible for one or more forward lookup zones. A forward lookup is
when a client has a name and needs the corresponding IP address.

Our DNS server holds information for the ad.sophostraining.xyz zone, and this includes the host
records for clients and servers within it. It is part of a Microsoft Active Directory network so it also
holds information for the _msdcs sub-domain, which holds DNS records for Microsoft-specific
services such as domain controller location.


Host Records

Slide diagram: the laptop asks the DNS server “What is the IP address for
SRV.ad.sophostraining.xyz?” and the server replies “The IP address for SRV.ad.sophostraining.xyz is
172.16.1.200”; the laptop then accesses files on SRV.ad.sophostraining.xyz.

Host records are the foundation of the DNS system. More correctly they are named Address (A)
records for IPv4 or AAAA records for IPv6.

In our example the user wants to access files located on a local server. Their laptop does not have a
record of the server’s IP address so a request is sent to their DNS server for the information. The
DNS server has this information as an A record in its local zone and responds with the server’s IP
address. Communication can now proceed.
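The exchange in the diagram in DNS wire format (RFC 1035), as an added example that is not part of the course: the query the laptop sends and the answer the DNS server returns, built and decoded by hand with no network access. make_answer() constructs the reply the way a server holding the A record would, including the AA (authoritative answer) flag that nslookup later uses to label answers; the name and address are the slide’s example values.

```python
# Added example (not from the course): build the laptop's query and decode the
# server's reply in DNS wire format.  No network is used; make_answer() is a
# stand-in for the DNS server and returns the bytes it would send.
import struct

TYPE_A, CLASS_IN = 1, 1
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    # "srv.ad.x" -> b"\x03srv\x02ad\x01x\x00": length-prefixed labels, root = 0
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Header + one question, with RD set so the server resolves on our behalf."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read a name that may use compression pointers (0xC0xx -> earlier offset).
    Returns the name and the offset just past it in the original stream."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2          # a pointer is the last 2 bytes of the name
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Decode the header, skip the echoed question, collect the answer RRs."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "authoritative": bool(flags & FLAG_AA),
              "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4                          # QTYPE + QCLASS
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result


def make_answer(query: bytes, ip: str, ttl: int, authoritative: bool) -> bytes:
    """Constructed server reply: same ID, question echoed, one A record whose
    owner name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if authoritative else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(octet) for octet in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("SRV.ad.sophostraining.xyz", txid=0x1234)
    print(parse_response(make_answer(q, "172.16.1.200", 3600, authoritative=True)))
```

The 16-bit transaction ID and the source port are all that tie a reply to its query, which is why a resolver must check the ID (and the echoed question) before trusting an answer.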


Forwarding

Slide diagram: the laptop asks its local DNS server “What is the IP address for www.sophos.com?”;
the local server forwards the question to another DNS server, which replies “The IP address for
www.sophos.com is 23.198.89.209”; the answer is relayed to the laptop.

Suppose the client now wants to communicate with an external resource. Zone information for the
domain sophos.com is not held by the local DNS server, so it must discover the IP address from
other DNS servers. As you will see in a later section, the local DNS server could make queries
directly to the Internet DNS servers. However a common and more secure solution is to configure
the DNS server to forward requests to another DNS server, which then discovers the information on
its behalf. The internal server can then sit behind a firewall that only permits outbound DNS requests
from that server to its forwarders, and the corresponding responses, rather than DNS traffic to
arbitrary Internet hosts.


Forwarders

DNS servers that are configured as forwarders can be part of the corporate network, for example
located in the DMZ, or Internet-based DNS servers. The slide links to a list of free public DNS servers.

In the example, our DNS server has been configured to forward to two other DNS servers if it does
not have the information locally. The first is the DNS server that holds the records for the
organization’s external domain, sophostraining.xyz. The other is an example of a free, public DNS
server, of which there are about 12,500 worldwide.


Cached Lookups

When a DNS server receives information from other servers it typically caches the result to speed
up future resolution. Each record carries a time to live (TTL), set by the zone’s administrator, that
tells caches how many seconds the record may be reused before it must be looked up again.

A caching-only DNS server does not contain zone information or a zone database file; it only holds
the results of queries that it has already performed by asking other servers.


DNS Record Types

Commonly used record types:

• A (Host address)
• AAAA (IPv6 host address)
• CNAME (Canonical name for an alias)
• MX (Mail eXchange)
• SOA (Start of Authority) and NS (Name Server)
• SRV (location of service)
• TXT (Descriptive text)

So far we have focused on how a DNS server is used to resolve a name to its IP address using
address records. As the list shows, this is just one of the record types held by DNS servers. The
following pages describe each of them.


DNS Record Types: A / AAAA

Slide example: address records for hosts, plus an address record for the domain name itself.

As we have seen, A and AAAA records are used to translate human-friendly domain names into IP
addresses. A records are not required for all computers but are needed for any computer that
provides shared resources on a network.

The example also shows an A record for the domain name. This means that anyone entering just
sophostraining.xyz into a browser can be directed to a specified server, typically hosting the
website.


DNS Record Types: CNAME

Slide example: www and mail pointing to the same server.

CNAME records are used to provide aliases. Computers often perform multiple roles such as mail
server and web server. To simplify access, CNAME records can be used to give a single computer
multiple names. For example, server1.sophostraining.xyz has two CNAME records defined:
www.sophostraining.xyz and mail.sophostraining.xyz.

CNAME records are also used when a server hosts many different domain names, for example an
ISP’s server.

A name that has a CNAME record may not have any other records, so the domain name itself
(sophostraining.xyz) cannot be an alias; that is why the previous page used an A record for it.


DNS Record Types: MX

Slide example: MX records with different priorities pointing to two servers.

MX records are used to specify the e-mail server(s) responsible for a domain name. Whenever an
email is sent, the sending mail server’s SMTP (Simple Mail Transfer Protocol) service requests the MX
records for the recipient’s domain. Each holds the name of an e-mail server and a preference
number (priority) for that server. If a domain has multiple e-mail servers, a separate MX record is
used for each server and those with the lowest preference numbers are tried first.

Once the name of the destination mail server is known, its IP address must be found using an
address lookup.


DNS Record Types: SOA and NS

An SOA (Start of Authority) record contains administrative information about the zone. An
important part of this relates to zone transfers, which we will describe later in the course: the
serial number, which secondary servers compare to decide whether their copy is out of date, and
the refresh, retry and expire timers. The SOA record also contains the e-mail address of the
responsible person for the zone, as well as the name of the primary name server. Zones typically
have more than one name server and the NS (Name Server) records identify each of the DNS servers
that are responsible (referred to as authoritative) for a zone.


DNS Record Types: SRV

SRV (Service) records are used to specify the location of a service. The record is published under a
name of the form _service._protocol.domain and holds a priority, a weight, a port number and the
host name that provides the service. In the example this is Skype for Business, which uses the SIP
service for voice and video. The SRV record for the sophostraining.xyz domain shows that this
service is hosted at online.lync.com.


DNS Record Types: TXT

Slide example: a TXT record added to verify domain ownership and a TXT record for Sender Policy
Framework (SPF).

TXT (text) records can hold many different types of information. They are often used to provide
additional information about a domain, such as a contact person and phone numbers, and
increasingly to publish machine-readable policies.

In the example shown the record with the value starting MS= has been added as a way to verify
domain ownership when setting up Office 365. The other record, beginning v=spf1, is for Sender
Policy Framework (SPF), which provides protection against email spoofing and spamming.


Activity 3

In this activity you will use the nslookup command to view the DNS records for the sophos.com
domain.

Use the Download Activity button to open the instructions.


Security Issue: Email Using a Forged Sender Address

Normally emails are sent using a client application. This compiles information about the sender
and the recipients, which is put into an SMTP (Simple Mail Transfer Protocol) message.

SMTP messages start with an ‘envelope’ which provides two pieces of address information:
• MAIL FROM: this is the return path for the message and is not normally visible to the end user.
By default no checks are made that the sending system is authorized to send on behalf of that
address
• RCPT TO: this specifies which email address the message is delivered to

If the receiving mail server accepts the incoming message, the sending system then follows with
the message data, which includes additional headers:
• From: provides the address that’s visible to the recipient. In a malicious email this may be
different from the MAIL FROM address. By default no checks are performed on this address
• Reply-To: is used by the email client when replying to the message. Similarly, this is not checked.

Messages can be created and sent by hand using applications such as telnet, or by scripts, and the
lack of checks means that attackers can create messages with spoofed addresses. Spam and
phishing emails often use forged From addresses.


Security Issue: Email Using a Forged Sender Address (SPF)

Slide example: an SPF record that checks all A and MX records for a match, only accepts messages
from IP addresses in the range 216.40.42.0/24 and rejects all other messages (-all); sender checks
in Sophos Central.

One solution to spoofing is the Sender Policy Framework (SPF) DNS record. SPF allows a receiving
email server to detect a forged sender address during the delivery of the email.

Administrators must use the public DNS system to publish an SPF resource record (a TXT record
beginning v=spf1) for their organization’s domain. The SPF record can include an instruction to
check all A and MX records and also a list or range of IP addresses which are authorized to transmit
email for that domain. The policy on the slide corresponds to the record
v=spf1 a mx ip4:216.40.42.0/24 -all.

In the example, if the IP address of the sending email host for the domain does not match an A or
MX record for that domain and is not in the IP address range 216.40.42.0/24 then the email should
be rejected, which is indicated by -all.

When an email is received, the server queries DNS for the SPF policy of the domain in the envelope
MAIL FROM address (or the HELO name when MAIL FROM is empty). SPF says nothing about the
From header that the recipient sees, which is why it is combined with DKIM and DMARC on the
following pages. SPF records are typically cached to enhance performance.
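An SPF check as a receiving mail server performs it, written as an added example for the two pages above (the forged envelope and the SPF policy); it is not code from the course. The SMTP transcript and the DNS records are constructed for the example, the SPF record for sophostraining.xyz is the policy the slide describes, and attacker.example, example.net and the mail host names are hypothetical. It evaluates the envelope MAIL FROM domain, which is what SPF covers, and shows that a spoofed From header is untouched by the result.

```python
# Added example (not part of the course): SPF evaluation over constructed DNS
# data and a constructed SMTP session.  Only the mechanisms commonly seen in
# records are implemented (all, ip4, ip6, a, mx, include); the /prefix forms
# of a and mx, the redirect= modifier and exp= are omitted.
import ipaddress
import re

DNS = {  # constructed records, keyed by (name, type)
    ("sophostraining.xyz", "TXT"): ["v=spf1 a mx ip4:216.40.42.0/24 -all"],
    ("sophostraining.xyz", "A"): ["203.0.113.10"],
    ("sophostraining.xyz", "MX"): [(10, "mail1.sophostraining.xyz"),
                                   (20, "mail2.sophostraining.xyz")],
    ("mail1.sophostraining.xyz", "A"): ["203.0.113.25"],
    ("mail2.sophostraining.xyz", "A"): ["198.51.100.25"],
    ("attacker.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("example.net", "TXT"): ["v=spf1 include:attacker.example ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_spf(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 terms)."""
    if depth > 10:                      # RFC 7208 limits DNS-querying terms
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # two SPF records is a configuration error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(target, "A"))
        elif mech == "mx":
            hosts = [host for _, host in lookup(target, "MX")]
            matched = any(ipaddress.ip_address(a) == ip
                          for host in hosts for a in lookup(host, "A"))
        elif mech == "include":
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def envelope_and_header(transcript: str) -> tuple:
    """Pull the MAIL FROM domain (what SPF checks) and the From: header domain
    (what the recipient sees) out of a raw SMTP session."""
    mail_from = re.search(r"^MAIL FROM:\s*<[^@>]+@([^>]+)>", transcript, re.M | re.I)
    header_from = re.search(r"^From:.*?@([\w.-]+)", transcript, re.M | re.I)
    return mail_from.group(1).lower(), header_from.group(1).lower()


# Constructed session: the attacker's own domain in the envelope passes SPF,
# but the visible From: header claims to be sophostraining.xyz.
SPOOF_SESSION = """\
EHLO mail.attacker.example
MAIL FROM:<bounce@attacker.example>
RCPT TO:<victim@sophostraining.xyz>
DATA
From: IT Support <helpdesk@sophostraining.xyz>
To: victim@sophostraining.xyz
Subject: Password expiry

Please log in at the link below.
.
"""


def check_session(client_ip: str, transcript: str) -> dict:
    """SPF verdict for the envelope domain, alongside the header domain SPF ignores."""
    envelope_domain, header_domain = envelope_and_header(transcript)
    return {"mail_from_domain": envelope_domain,
            "spf": check_spf(client_ip, envelope_domain),
            "header_from_domain": header_domain}


if __name__ == "__main__":
    print(check_session("192.0.2.5", SPOOF_SESSION))
```

The constructed session passes SPF because the attacker published a valid record for their own envelope domain; nothing in SPF compares that domain with the From header, so a policy on sophostraining.xyz alone does not stop this message.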


Security Issue: Email Using a Forged Sender Address (DKIM)

DomainKeys Identified Mail (DKIM) can also be used to verify the source of an email using a digital
signature.

The sender’s mail server attaches a digital signature, computed over selected headers and the
message body, to the email. The signature is created with the sender’s private key. The
corresponding public key is published in a DNS TXT record, and this allows any receiving server to
verify the signature. When the receiving server sees that an email has a DKIM signature, it does a
DNS lookup to find the DKIM record (named by the selector and domain given in the signature
header) and checks that the signature is valid and the signed content has not been altered.

Digital signatures are an asymmetric cryptographic technique. To learn more about how
cryptography is used to provide information security we recommend the Sophos Cybersecurity
Essentials: Cryptography courses.


Security Issue: Email Using a Forged Sender Address (DMARC)

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”,
builds on the widely deployed SPF and DKIM protocols. A DMARC policy, published as a TXT record
at _dmarc.<domain>, allows a sender to indicate that their messages are protected by SPF and/or
DKIM, and tells the recipient what to do if neither of those authentication methods passes. Examples
include moving the message to junk (quarantine) or rejecting the message.

DMARC also requires alignment: the domain that SPF or DKIM authenticated must match the domain
in the visible From header (exactly, or at the organizational-domain level in relaxed mode). This is
what stops an attacker from passing SPF for a domain they control while displaying someone else’s
address.

DMARC also provides a way for the recipient to report back to the sender about messages that
pass and/or fail DMARC evaluation.
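The DMARC decision a receiving server makes once SPF and DKIM have been evaluated, as an added example that is not part of the course. The DMARC record, the domains and the authentication results are constructed for the example (the rua= address is hypothetical), and the organizational domain is simplified to the last two labels; real implementations use the Public Suffix List.

```python
# Added example (not from the course): DMARC alignment and policy decision.
# Inputs are the results SPF and DKIM already produced plus the domains they
# were produced for; the record is the TXT record found at _dmarc.<domain>.
from typing import Optional


def org_domain(name: str) -> str:
    """sophostraining.xyz for bounce.sophostraining.xyz (simplified rule)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match.  Relaxed ('r', the default): same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: Optional[str]) -> tuple:
    """Return (dmarc_result, disposition).  Disposition is the policy's p= value
    on failure and 'none' (deliver normally) on pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed policy for the example; the rua= address is hypothetical.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@sophostraining.xyz"

if __name__ == "__main__":
    # Genuine mail: SPF passes for a bounce subdomain; relaxed alignment accepts it.
    print(dmarc_evaluate(POLICY, "sophostraining.xyz",
                         "pass", "bounce.sophostraining.xyz", "none", None))
    # Spoof: SPF passes, but for the attacker's own envelope domain, so it fails.
    print(dmarc_evaluate(POLICY, "sophostraining.xyz",
                         "pass", "attacker.example", "none", None))
```

Either an aligned SPF pass or an aligned DKIM pass is enough; a pass on an unrelated domain counts for nothing, which is the gap in SPF alone that the previous pages left open.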


Reverse Lookup Zones

Slide example: the network is 172.16.0.0/16 so the reverse lookup zone is 16.172.in-addr.arpa.

So far all the DNS records we have considered have been used for forward lookups, that is lookups
that start from a host or domain name. The PTR (pointer) record type is used to find the name
associated with a known IP address. This record type requires the use of a Reverse Lookup Zone.

Reverse DNS lookups for IPv4 addresses use the special domain in-addr.arpa (IPv6 uses ip6.arpa,
with one label per hexadecimal digit). The rest of the zone name is based on the network ID, with
the octets in reverse order. In the example, the network is 172.16.0.0/16 and reversing the two
numbers of the network ID gives a zone name of 16.172.in-addr.arpa.


Reverse Lookup

The example, using nslookup, shows the record type being set to ptr (set type=ptr).

When the IP address 172.16.1.40 is entered, nslookup converts it to the name
40.1.16.172.in-addr.arpa, and the PTR record for that name resolves to
CLIENTTWO.ad.sophostraining.xyz.


Security Issue: Reverse Lookups for Spam Prevention

Slide example: email arrives from sender@sophostraining.xyz and the IP address of the sending
server is 162.243.68.201. Question: what is the domain of 162.243.68.201? Answer:
sophostraining.xyz.

Reverse DNS is one of the ways email servers use to verify that the sending server is genuine.

In the example, when someone sends email from the address sender@sophostraining.xyz, the
receiving server checks whether the IP address of the sending server has a reverse DNS (PTR) record
that is tied to sophostraining.xyz. A stricter form of this check, forward-confirmed reverse DNS,
also looks up the A record of the name returned by the PTR and requires it to contain the original
IP address, so that the owner of an address block cannot simply point a PTR at someone else’s
domain.

If the sending email server does not have a reverse DNS record at all, that’s usually a sign of spam
and many email servers will reject or heavily penalize the message.

If the email server has a reverse DNS record but it does not match the domain name, other methods
such as DKIM and SPF records can provide the necessary verification.
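The reverse-name construction from the Reverse Lookup Zones page and the sender check described above, as one added example that is not part of the course. The DNS table is constructed from the slide values (172.16.1.40 and CLIENTTWO, 162.243.68.201 and sophostraining.xyz); the name mail.sophostraining.xyz and the 192.0.2.9 mismatch case are assumptions for the example.

```python
# Added example (not part of the course): build reverse-lookup names and zone
# names for IPv4 and IPv6, then perform a forward-confirmed reverse DNS check.
# DNS is a constructed table; mail.sophostraining.xyz is a hypothetical name.
import ipaddress
from typing import Optional

DNS = {  # constructed records, keyed by (name, type)
    ("40.1.16.172.in-addr.arpa", "PTR"): ["clienttwo.ad.sophostraining.xyz"],
    ("clienttwo.ad.sophostraining.xyz", "A"): ["172.16.1.40"],
    ("201.68.243.162.in-addr.arpa", "PTR"): ["mail.sophostraining.xyz"],
    ("mail.sophostraining.xyz", "A"): ["162.243.68.201"],
    # An address whose PTR claims a name whose forward record disagrees.
    ("9.2.0.192.in-addr.arpa", "PTR"): ["mail.sophostraining.xyz"],
}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def reverse_name(ip_str: str) -> str:
    """172.16.1.40 -> 40.1.16.172.in-addr.arpa; IPv6 reverses every hex digit
    of the expanded address under ip6.arpa.  (ipaddress.reverse_pointer does the
    same; it is written out here to show the rule.)"""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(cidr: str) -> str:
    """Zone name that holds the PTR records for a network, e.g. 172.16.0.0/16
    -> 16.172.in-addr.arpa.  Only prefixes on an octet (IPv4) or nibble (IPv6)
    boundary form a plain zone; anything else needs RFC 2317-style delegation."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a prefix that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def fcrdns(ip_str: str) -> tuple:
    """Forward-confirmed reverse DNS: PTR -> name, then the name's A records
    must contain the original address.  Returns (status, name)."""
    ptrs = lookup(reverse_name(ip_str), "PTR")
    if not ptrs:
        return "no-ptr", None
    for name in ptrs:
        if ip_str in lookup(name, "A"):
            return "confirmed", name
    return "mismatch", ptrs[0]


def sender_matches(ip_str: str, sender_domain: str) -> bool:
    """The slide's check: does the sending IP's confirmed reverse name belong
    to the domain in the sender address?"""
    status, name = fcrdns(ip_str)
    if status != "confirmed":
        return False
    return name == sender_domain or name.endswith("." + sender_domain)


if __name__ == "__main__":
    print(reverse_name("172.16.1.40"), fcrdns("172.16.1.40"))
    print(reverse_zone("172.16.0.0/16"), sender_matches("162.243.68.201", "sophostraining.xyz"))
```

The mismatch case is the one to remember: whoever controls the 192.0.2.0/24 reverse zone can publish any PTR they like, but they cannot add a matching A record under sophostraining.xyz, so the forward confirmation fails.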


Domain Name System (DNS)


Domain Name System (DNS)

Slide: the naming hierarchy diagram from the Fully Qualified Domain Names topic, with
www.sophostraining.xyz and DC.AD.sophostraining.xyz as examples.

In an earlier section we showed how fully qualified domain names are organized in a hierarchy that
starts with the root domain. We’ll now see how the many millions of records required for the
Domain Name System (DNS) are hosted on DNS servers using the same hierarchy.


Root Servers

The name servers that serve the DNS root zone are a network of hundreds of servers in many
countries around the world. They are configured in the DNS root zone as the 13 named authorities
(a.root-servers.net to m.root-servers.net) shown in the slide; each name is answered by many
physical servers sharing the same IP address (anycast).

The database that the root servers maintain contains the names of all the top-level domains (TLDs)
and the servers that hold their records.


Top Level Domain Servers

The Internet Assigned Numbers Authority (IANA) manages the root zone database and delegates
responsibility for the management of each of the TLDs.

Using the information in this database we can see that .COM is delegated to Verisign Global
Registry Services, which provides 13 groups of servers distributed around the world, holding
records for all domains ending in .com.


Organization Domain Servers

Each organization domain requires one or more name servers that hold records for its zone. The
example shows that records for the sophos.com domain are held on seven name servers.

The nslookup command also displays their IP addresses, showing that two of them support both
IPv4 and IPv6.


Authoritative and Non-Authoritative Answers

You may have noticed when using the nslookup command that it shows a non-authoritative
answer. This means that the server you queried does not hold the records itself but has found the
answer from another server, or from its cache. A name server that holds records for the zone will
provide an authoritative answer. nslookup decides which label to print from the AA (authoritative
answer) flag in the DNS response header.


Activity 4

In this activity you will use nslookup to show non-authoritative and authoritative answers.

Use the Download Activity button to open the instructions.


Activity 4 Output Example

The slide shows the expected output from Activity 4: a non-authoritative answer from the local
DNS server and an authoritative answer from one of the domain’s own name servers. It also shows
the two ways to specify the DNS server in the nslookup command: using its name or its IP address.


Primary and Secondary DNS Servers

Slide diagram: the DNS admin updates the DNS records on the Primary DNS Server, which sends a
read-only copy of the updated zone file to Secondary DNS Server 1.

As you have seen, it is usual for multiple name servers to be configured for a domain. One of these
servers will be the primary name server and changes to DNS records, such as changing an IP
address, can only be made on the primary server. The primary name server then updates secondary
DNS servers using a process known as zone transfer. This provides them with a read-only copy of
the zone file. The SOA record for a zone contains the data that controls the zone transfer: the
secondaries poll the primary at the refresh interval and transfer the zone when the serial number
has increased.

An authoritative name server can be either a primary or a secondary server. It is possible for DNS
servers to be primary for one DNS zone and secondary for another.

Because a zone transfer sends every record in the zone, name servers should be configured to allow
transfers only to the IP addresses of their own secondaries; a server that answers transfer requests
from anyone hands a complete inventory of the organization’s hosts to whoever asks.


Dynamic DNS (DDNS)

DDNS is necessary to allow for IPs assigned using DHCP

DDNS updates DNS records when a resource’s IP address changes

In the early days of the Internet, IP addresses rarely changed but most ISPs now assign IPs to their
users dynamically using DHCP (Dynamic Host Configuration Protocol). Large organizations typically
have static IP addresses but for smaller services this may be too costly, and they may have IP
addresses that are frequently changed by their ISPs. This requires a dynamic DNS solution to keep
DNS records up to date.

Dynamic DNS (DDNS) is a service that keeps the DNS updated with a resource’s correct IP address,
even if that IP address is constantly being updated.

How does dynamic DNS work? One common method is for users to purchase software which runs
on their computer or router and communicates with the dynamic DNS service provider. When an IP
address provided by the ISP is updated the software alerts the dynamic DNS provider who updates
the DNS with the changes.



DNS Lookup

[Diagram: the web browser on a laptop asks its DNS server "What is the IP address of www.sophos.com?" and the DNS server returns the answer]

We’ll now look in more detail at what happens when a client requests information from their name
server, in particular how this information is retrieved from the Domain Name System and then
cached to improve performance.



Recursive and Iterative Queries

[Diagram: recursive query, the client asks its DNS server "What is the IP address of www.sophos.com?" and is told "Here it is" or "I don’t know"; iterative query, a DNS server asks another DNS server the same question and is told "Here it is" or "Try this server"]

There are two types of DNS query:

1. Recursive queries are used by clients when they contact their DNS server and ask it to respond
with the information requested. They are also used when a DNS server requests information
from another name server that has been configured as a forwarder.

2. Iterative queries are used when DNS servers ask another DNS server to return the information
but if they don’t have it, they can return the address of another DNS server that may know the
answer.



DNS Lookup for an Unknown Host and Domain

[Diagram: Client 1 asks the Local DNS server for www.sophostraining.xyz (1); the Local DNS server queries the Root Name DNS (2), the xyz Name DNS (3) and the sophostraining.xyz DNS (4), then returns the answer to the client (5)]

Let’s consider an example where neither the client nor the local DNS server has previously
encountered the name or domain.

1. The client queries their local DNS for the host www.sophostraining.xyz. The local DNS server
does not have the answer and has not been configured with a forwarder. The server looks in its
‘root hints’ file to find the IP address of a Root DNS server.
2. It sends the request to the root server, which replies with information about a server for the
xyz top level domain.
3. The local DNS server now contacts the DNS server for the xyz TLD. This server replies with
information about a server for sophostraining.xyz.
4. The local DNS server now contacts the DNS server for sophostraining.xyz and is provided with
the IP address for www.sophostraining.xyz.
5. It can now provide this information to the client.



Client Resolver Cache

DNS clients and servers use caching to speed up the lookup process and to minimize traffic to the
root servers.

The example shows the client resolver cache for Windows. When a client receives a response to a
DNS lookup, the result is placed in the cache.

The cache is checked before issuing a query to a DNS server. The entry remains in cache for the
number of seconds defined in the ‘Time To Live’.

Other platforms such as Mac OS X and Chrome follow a similar approach.



DNS Server Cache

[Diagram: Client 2 asks the Local DNS server for www.sophostraining.xyz (1) and is answered from the server’s cache (2); the Root, xyz and sophostraining.xyz servers are not contacted]

Going back to our example, the DNS server that has resolved the client’s request for
www.sophostraining.xyz will store the result in its own cache.

This means that if another client needs to resolve the same domain name, the server can respond
using the cached result.



Lookup for an Unknown Host in a Known Domain

[Diagram: Client 2 asks the Local DNS server for mail.sophostraining.xyz (1); the Local DNS server goes straight to the sophostraining.xyz DNS server (2) and returns the answer (3)]

Servers don’t just cache the final result; they also cache the information they learned in getting
there.

If the client now wants to resolve mail.sophostraining.xyz, the request can go straight to the server
responsible for the sophostraining.xyz domain as the local server already knows who it is.
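The five-step lookup, the server cache and the "cache what you learned on the way" behaviour just described can all be seen in one small model. The following is an added example, not code from the course: a recursive resolver walks a constructed three-level hierarchy (root, xyz TLD, sophostraining.xyz), caching both final answers and the NS referrals it receives, each for its TTL. The server addresses are constructed documentation-range values and the TTL is a single constant for the whole toy hierarchy; the names follow the course diagrams.

```python
"""Iterative lookup with answer and referral caching.

Added example (not code from the course): a small recursive resolver walks a
constructed three-level hierarchy (root, xyz TLD, sophostraining.xyz) exactly as
in the five-step lookup, caching both the final answer and every NS referral it
learns on the way, each for its TTL. Server addresses are constructed
documentation-range values.
"""
from dataclasses import dataclass, field

ROOT_IP = "192.0.2.1"   # constructed stand-in for the address in the root hints file
TTL = 300               # seconds; every record in this toy hierarchy uses the same TTL

# Constructed authoritative data: each server answers for its own zone or refers
# the resolver to the server for the next zone down.
SERVERS = {
    ROOT_IP: {"answers": {}, "referrals": {"xyz": "192.0.2.10"}},
    "192.0.2.10": {"answers": {},
                   "referrals": {"sophostraining.xyz": "192.0.2.20"}},
    "192.0.2.20": {"answers": {"www.sophostraining.xyz": "172.16.1.20",
                               "mail.sophostraining.xyz": "172.16.1.25"},
                   "referrals": {}},
}


def enclosing_zones(name):
    """Zones containing a name, most specific first:
    mail.sophostraining.xyz -> sophostraining.xyz, xyz, ."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))] + ["."]


def ask_server(server_ip, name, log):
    """One iterative query: the server answers, refers us onward, or gives up."""
    log.append(server_ip)
    server = SERVERS[server_ip]
    if name in server["answers"]:
        return "answer", server["answers"][name], None
    for zone, ns_ip in server["referrals"].items():
        if name == zone or name.endswith("." + zone):
            return "referral", zone, ns_ip
    return "nxdomain", None, None


@dataclass
class RecursiveResolver:
    now: float = 0.0                                  # injectable clock, seconds
    answers: dict = field(default_factory=dict)       # name -> (ip, expiry)
    referrals: dict = field(default_factory=dict)     # zone -> (ns_ip, expiry)

    def _fresh(self, cache, key):
        """Return a cached value only while its TTL has not expired."""
        entry = cache.get(key)
        if entry and entry[1] > self.now:
            return entry[0]
        cache.pop(key, None)
        return None

    def resolve(self, name):
        """Return (ip, servers_contacted). Starts at the closest cached referral
        and falls back to the root hints when nothing useful is cached."""
        log = []
        ip = self._fresh(self.answers, name)
        if ip:
            return ip, log
        server = ROOT_IP
        for zone in enclosing_zones(name):
            ns_ip = self._fresh(self.referrals, zone)
            if ns_ip:
                server = ns_ip
                break
        while True:
            kind, value, ns_ip = ask_server(server, name, log)
            if kind == "answer":
                self.answers[name] = (value, self.now + TTL)
                return value, log
            if kind == "referral":
                self.referrals[value] = (ns_ip, self.now + TTL)
                server = ns_ip
                continue
            return None, log


if __name__ == "__main__":
    r = RecursiveResolver()
    for query in ("www.sophostraining.xyz", "www.sophostraining.xyz",
                  "mail.sophostraining.xyz"):
        print(query, "->", r.resolve(query))
```

The first lookup contacts three servers, the repeat is answered from cache without any query, and the lookup for mail.sophostraining.xyz goes straight to the zone server because the referral is cached. Advancing the clock past the TTL makes the resolver start from the root again.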



DNS Server Cache

Over time DNS servers can build up a large amount of information in their cache, which greatly
reduces the need to make requests to other servers.



Activity 5

In this activity you will use the ipconfig /displaydns command to view the local DNS cache.

Use the Download Activity button to open the instructions. When you have finished click Continue.


Security Issue: DNS Spoofing / Cache Poisoning

[Diagram: the Attacker injects a fake DNS entry into the DNS server; when Client 1 asks for the IP address of the web site, the name resolves to the Fake Website, and the request is then forwarded on to the Real Website]

DNS spoofing (also known as DNS cache poisoning) is when an attacker compromises a DNS
database. This could be on anything from a large-scale Internet DNS server that serves millions of
people to just the local DNS cache on a single computer.

When the client asks for the IP address of a web location, it thinks it’s going to the correct site, but
it’s actually connecting to a site the attacker owns.

The attacker is then able to intercept content – including, for example, passwords. To hide the
attack the client can then be forwarded on to the genuine website.

If other DNS servers are getting information from the compromised server, the poisoned DNS entry
can soon spread.



Security Issue: DNS Cache Poisoning

[Diagram: the Root DNS holds the root DNSKEY and the digital signatures of .xyz; the xyz DNS holds the .xyz DNSKEY and the digital signatures of sophostraining.xyz; the sophostraining.xyz DNS holds the DNSKEY of sophostraining.xyz; see Cybersecurity Essentials: Cryptography]

In its standard form, clients making a request to a DNS server do not check for credentials before
accepting the response. Under these circumstances a false entry will be used and will then be
propagated.

DNSSEC provides a solution by adding cryptographic signatures to existing DNS records. These
digital signatures are stored in DNS name servers alongside common record types like A, AAAA,
MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record
comes from its authoritative name server and has not been altered en route.

Digital signatures are an asymmetric cryptographic technique. To learn more about how
cryptography is used to provide information security we recommend the Sophos Cybersecurity
Essentials: Cryptography courses.
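The chain of keys in the diagram (root DNSKEY signs the DS for .xyz, .xyz DNSKEY signs the DS for sophostraining.xyz, the zone key signs the A record) is what lets a validator reject a poisoned answer. The following is an added example and not code from the course or from any DNSSEC implementation: it builds that three-zone chain and validates it from a single root trust anchor. Real DNSSEC uses RSA, ECDSA or EdDSA signatures over record sets; here a textbook RSA built from fixed primes stands in so the example runs with the standard library alone. Keys, signatures and the attacker address 203.0.113.66 are constructed and not usable for anything real.

```python
"""DNSSEC chain-of-trust validation.

Added example (not code from the course): each zone signs its records, and each
parent publishes a signed DS record that is a digest of its child's DNSKEY, so a
validator holding only the root key can check every link down to the A record.
A textbook RSA from fixed primes stands in for the real algorithms (constructed,
insecure by design); zone names follow the course diagram.
"""
import copy
import hashlib
import json


def _digest_int(data: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


class ToyKey:
    """Textbook RSA from two fixed primes (constructed; not real key material)."""
    E = 65537

    def __init__(self, p: int, q: int):
        self.n = p * q
        self._d = pow(self.E, -1, (p - 1) * (q - 1))

    def public(self) -> dict:
        return {"n": self.n, "e": self.E}

    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data, self.n), self._d, self.n)


def verify(pubkey: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pubkey["e"], pubkey["n"]) == _digest_int(data, pubkey["n"])


def canon(rrset: dict) -> bytes:
    """Canonical encoding so signer and validator hash identical bytes."""
    return json.dumps(rrset, sort_keys=True).encode()


def ds_digest(dnskey: dict) -> str:
    """A DS record in the parent is a digest of the child's DNSKEY."""
    return hashlib.sha256(canon(dnskey)).hexdigest()


CHAIN = [".", "xyz", "sophostraining.xyz"]   # zone cuts from the course diagram


def build_zones():
    """Return (zones, trust_anchor): each zone holds its DNSKEY and signed
    record sets; the leaf signs the A record, each parent signs a DS record."""
    keys = {".": ToyKey(2147483647, 4294967291),
            "xyz": ToyKey(104729, 1299709),
            "sophostraining.xyz": ToyKey(7919, 15485863)}
    zones = {z: {"dnskey": keys[z].public(), "rrsets": {}} for z in CHAIN}

    def publish(zone, rrset):                    # RRSIG = signature by the zone key
        rrsig = keys[zone].sign(canon(rrset))
        zones[zone]["rrsets"][rrset["name"] + "/" + rrset["type"]] = (rrset, rrsig)

    publish("sophostraining.xyz", {"name": "www.sophostraining.xyz", "type": "A",
                                   "data": "172.16.1.20"})
    for parent, child in zip(CHAIN, CHAIN[1:]):
        publish(parent, {"name": child, "type": "DS",
                         "data": ds_digest(zones[child]["dnskey"])})
    return zones, keys["."].public()


def validate(zones, trust_anchor, name):
    """Walk down from the trust anchor: verify each DS RRSIG with the parent's
    key, check the child's DNSKEY against that DS, then verify the A record
    with the leaf key. Returns (True, ip) or (False, reason)."""
    if zones["."]["dnskey"] != trust_anchor:
        return False, "root DNSKEY does not match the trust anchor"
    trusted = trust_anchor
    for parent, child in zip(CHAIN, CHAIN[1:]):
        rrset, rrsig = zones[parent]["rrsets"][child + "/DS"]
        if not verify(trusted, canon(rrset), rrsig):
            return False, f"bad RRSIG on DS for {child} in {parent}"
        if ds_digest(zones[child]["dnskey"]) != rrset["data"]:
            return False, f"DNSKEY of {child} does not match DS in {parent}"
        trusted = zones[child]["dnskey"]
    rrset, rrsig = zones[CHAIN[-1]]["rrsets"][name + "/A"]
    if not verify(trusted, canon(rrset), rrsig):
        return False, f"bad RRSIG on {name}/A"
    return True, rrset["data"]


def poisoned_copy(zones, name, fake_ip):
    """Cache-poisoning stand-in: the A record changes, the RRSIG does not."""
    bad = copy.deepcopy(zones)
    rrset, rrsig = bad[CHAIN[-1]]["rrsets"][name + "/A"]
    bad[CHAIN[-1]]["rrsets"][name + "/A"] = (dict(rrset, data=fake_ip), rrsig)
    return bad


def rekeyed_copy(zones, name, fake_ip):
    """Forged zone key: the RRSIG verifies against the substituted DNSKEY,
    but that key has no matching DS in the parent zone."""
    bad = copy.deepcopy(zones)
    forged = ToyKey(1000003, 999983)
    rrset = {"name": name, "type": "A", "data": fake_ip}
    bad[CHAIN[-1]]["dnskey"] = forged.public()
    bad[CHAIN[-1]]["rrsets"][name + "/A"] = (rrset, forged.sign(canon(rrset)))
    return bad
```

The genuine chain validates to 172.16.1.20; a changed A record fails its RRSIG, and a re-signed record under a substituted key fails one level up because the parent's DS does not match the new DNSKEY. The second failure is the point of the chain: an attacker cannot simply bring their own key.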



Troubleshooting Name Resolution

When Name Resolution Fails

DNS is an effective and highly resilient service but can be susceptible to:

• Misconfiguration at the client
• Misconfiguration of DNS records
• Manipulation by attackers

This section will show some of the methods you can use to troubleshoot.


Windows Commands to View and Test DNS Configuration

Let’s look at how all of this works with a simulation. This simulation will show how to use Windows
commands to view and test DNS configuration. Follow the instructions to advance to the next step.


You have an Administrator Command Prompt open.
Run the command ipconfig /all



Note the DNS Suffix Search List at the top. This is used to ‘complete’ the full name if resolution using just the host name is
requested. Are these domains from which the client machine accesses resources? Note the IP address of the DNS server at the
bottom. Does the IP address point to the correct DNS Server?
Run the command nslookup SRV


The client’s DNS (172.16.1.10) has replied that SRV is really SRV.ad.sophostraining.xyz and has an IP address of 172.16.1.200.
The records for the ad.sophostraining.xyz zone are held on the client’s DNS server so it is an authoritative response.
Run the command nslookup www.sophostraining.xyz



An alias record has been configured for www.sophostraining.xyz. This points to SRV and is resolved to 172.16.1.20.
Run the command nslookup www.sophos.com


The records for the sophostraining.xyz zone are not held on the client’s DNS server so it is a non-authoritative answer.
We will return to this command prompt in the next simulation. In preparation we’ll clear the command window.
Run the command cls


DNS Suffix List

[Screenshot: advanced DNS configuration for a Windows client; selecting the options to append the primary and parent suffixes would have the same result as the manual suffix list configured below]

As the simulation showed, DNS suffixes can simplify access to resources, allowing just the use of
the host name.

The example shows advanced DNS configuration for a Windows client, with two suffixes
configured. If a client is a member of an Active Directory domain, the full domain name, in this
case ad.sophostraining.xyz, will be their primary suffix. A connection-specific DNS suffix is one that
is related to a particular network interface. This can be useful when clients are connected to
multiple networks, for example using a VPN. The option to append parent suffixes of the primary
DNS suffix would achieve the same as the manual entries below, by adding sophostraining.xyz.

As with most network configuration, it is usual for clients to receive DNS settings through DHCP.
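The order in which a client tries suffixes decides which zone answers a short name such as SRV, so it is worth seeing it written down. The following is an added example, not code from the course or from Windows: it models the two configurations on the slide, the default option (primary suffix, then connection-specific suffixes, then the parents of the primary suffix when devolution is on) and a manually configured search list that replaces all of that. The suffix ad.sophostraining.xyz is the course's; the connection-specific suffix vpn.example.invalid and the devolution_level parameter are constructed for this model and are not Windows setting names.

```python
"""DNS suffix expansion of an unqualified name.

Added example (not code from the course): models the two Windows configurations
on the slide. Default option: primary suffix, then connection-specific suffixes,
then (if devolution is on) the parents of the primary suffix. A manually
configured search list replaces all of that. The devolution_level parameter is
an assumption of this model, not a Windows setting name.
"""


def candidate_fqdns(name, primary=None, connection_specific=(), search_list=(),
                    devolve=True, devolution_level=2):
    """Return the fully qualified names a client would try, in order."""
    if name.endswith("."):                 # trailing dot: already fully qualified
        return [name.rstrip(".").lower()]
    name = name.lower()
    if search_list:                        # manual list overrides the defaults
        suffixes = list(search_list)
    else:
        suffixes = [primary] if primary else []
        suffixes += list(connection_specific)
        if devolve and primary:
            labels = primary.split(".")
            # drop leading labels until only devolution_level labels remain,
            # e.g. ad.sophostraining.xyz -> sophostraining.xyz
            for i in range(1, len(labels) - devolution_level + 1):
                suffixes.append(".".join(labels[i:]))
    candidates = []
    if "." in name:                        # multi-label names are tried as-is first
        candidates.append(name)
    for suffix in suffixes:
        fqdn = f"{name}.{suffix.lower()}"
        if fqdn not in candidates:         # keep order, drop duplicates
            candidates.append(fqdn)
    return candidates


if __name__ == "__main__":
    print(candidate_fqdns("srv", primary="ad.sophostraining.xyz",
                          connection_specific=["vpn.example.invalid"]))
```

For SRV with the course's primary suffix the client tries srv.ad.sophostraining.xyz first and srv.sophostraining.xyz after any connection-specific suffix, which is exactly the effect the slide attributes to the two manual entries.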



Security Issue: Attacker Modifies Hosts File

Before the introduction of DNS, name resolution was performed using a file named hosts. This file
still exists and any entries in it will override resolution provided by DNS. This means that if an
attacker or malware modifies the hosts file, it could prevent communication with anti-malware
sites or redirect traffic to rogue servers.


Modification of the Hosts File

Let’s look at how all of this works with a simulation. This simulation will show the effect of
modifying the hosts file. Follow the instructions to advance to the next step.


You are back in the Administrator Command Prompt. To save you some time we have opened the hosts file in Notepad. This file is
found in c:\windows\system32\drivers\etc
Run the command ping www.sophostraining.xyz



This tells us that the IP address of www.sophostraining.xyz has been resolved as 172.16.1.20
Double click on Google Chrome on the desktop



Enter the URL http://www.sophostraining.xyz



This takes you to the sophostraining.xyz site that is hosted on SRV
Minimize Chrome



Click on the Notepad icon in the Taskbar



Type the following into the hosts file:
172.16.1.10 www.sophostraining.xyz and press Enter



Click the File menu



Click Save



Click on the Chrome icon in the Taskbar



Click the Chrome refresh button



www.sophostraining.xyz is now resolved to the IP address in the hosts file
Click on the Command Prompt icon in the Taskbar



Enter the command ipconfig /displaydns



ipconfig /displaydns shows the entries in the DNS cache. This DNS cache shows that the A record for www.sophostraining.xyz is 172.16.1.10
Click on the Notepad icon in the Taskbar


Delete the line containing 172.16.1.10 www.sophostraining.xyz



Click the File menu



Click Save



Click on the Refresh button in Chrome



The page still points to the wrong server because the record remains in the DNS resolver cache
Click on the Command Prompt icon in the Taskbar



The entry in the cache will be automatically deleted when its Time to Live expires
To clear the cache immediately, enter the command ipconfig /flushdns



Click on the Refresh button in Chrome



The webpage is now pointing to the correct server
Click anywhere to finish the simulation



Security Issue: Attacker Modifies Hosts File

By default modification of the hosts file requires administrator privileges. For non-administrative
user accounts the file is read only. Further protection can be provided by good endpoint protection
software and anti-phishing protection.
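The simulation above showed the three behaviours that matter here: a hosts entry wins over DNS, it appears in the resolver cache, and deleting the line is not enough until the cache is flushed. The following is an added example, not code from the course: it replays that sequence against a constructed hosts file, and adds the check an endpoint tool or an administrator would run, flagging entries that blackhole a name or override a domain the organization cares about. The hosts file text, the stand-in DNS answers and the name updates.example-av.invalid are all constructed for the example.

```python
"""Hosts-file precedence over DNS, and a tampering check.

Added example (not code from the course). The hosts file text is constructed to
resemble a Windows hosts file with two added lines: one redirecting the training
site, one blackholing an update server. As the simulation showed, the hosts
file is loaded into the resolver cache, so a hosts entry wins over DNS and stays
in the cache after the line is deleted until the cache is flushed. DNS answers
here are a constructed stand-in table.
"""
import ipaddress
import math

SAMPLE_HOSTS = """\
# constructed sample hosts file
#   127.0.0.1       localhost
#   ::1             localhost
172.16.1.10   www.sophostraining.xyz         # constructed: added redirect
0.0.0.0       updates.example-av.invalid     # constructed: blackholed update site
"""

# Constructed stand-in for real DNS answers: name -> (ip, ttl in seconds)
DNS = {"www.sophostraining.xyz": ("172.16.1.20", 300),
       "srv.ad.sophostraining.xyz": ("172.16.1.200", 300)}

BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text):
    """Return [(ip, [names])] for every active (non-comment, well-formed) line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line: ignored
        entries.append((ip, [n.lower() for n in names]))
    return entries


class ResolverCache:
    """name -> (ip, expiry, source). Hosts entries never expire on their own."""

    def __init__(self):
        self.entries = {}

    def load_hosts(self, hosts_entries):
        for ip, names in hosts_entries:
            for name in names:
                self.entries[name] = (ip, math.inf, "hosts")

    def flush(self):                             # what ipconfig /flushdns does
        self.entries.clear()

    def resolve(self, name, now=0.0):
        """Cache first (honouring TTL), then DNS. Returns (ip, source)."""
        name = name.lower().rstrip(".")
        hit = self.entries.get(name)
        if hit and hit[1] > now:
            return hit[0], hit[2]
        self.entries.pop(name, None)             # expired entry
        if name not in DNS:
            return None, "nxdomain"
        ip, ttl = DNS[name]
        self.entries[name] = (ip, now + ttl, "dns")
        return ip, "dns"


def audit_hosts(hosts_entries, protected_suffixes):
    """Flag hosts entries that blackhole a name or override a protected domain;
    either is a common sign that malware or an attacker edited the file."""
    findings = []
    for ip, names in hosts_entries:
        for name in names:
            if name == "localhost":
                continue
            if ip in BLACKHOLE:
                findings.append((name, ip, "blackholed"))
            elif any(name == s or name.endswith("." + s) for s in protected_suffixes):
                findings.append((name, ip, "override of protected domain"))
    return findings


def simulation():
    """Replays the course simulation. Returns the (ip, source) seen at each step."""
    cache = ResolverCache()
    cache.load_hosts(parse_hosts(SAMPLE_HOSTS))
    steps = [cache.resolve("www.sophostraining.xyz")]      # hosts entry wins
    # the line is now removed from the file, but the cache was not reloaded
    steps.append(cache.resolve("www.sophostraining.xyz"))  # still the hosts value
    cache.flush()                                          # ipconfig /flushdns
    steps.append(cache.resolve("www.sophostraining.xyz"))  # answered by DNS
    return steps
```

Running audit_hosts over the parsed sample with sophostraining.xyz as a protected suffix reports both added lines, which is the kind of check worth scheduling alongside the endpoint protection the slide mentions.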



The ipconfig Command

Display Connection Configuration: ipconfig /all
Display DNS Cache Info: ipconfig /displaydns
Clear DNS Cache: ipconfig /flushdns
Re-Register the DNS connections: ipconfig /registerdns

As the simulation shows the ipconfig command is very useful for investigating and troubleshooting
DNS problems. The slide shows a summary of the switches which can be used for DNS client
management.



Domain Information Groper - DIG

In earlier simulations you have used the nslookup command to perform DNS queries. We’ll now
look at another tool that provides more detailed information. DIG (domain information groper) is
a command-line tool for querying the Domain Name System. It is a component of the domain
name server software suite BIND, so, unlike nslookup, it must be downloaded and installed before
use.

BIND is the most widely used Domain Name System (DNS) software on the Internet and is the de
facto standard for Unix-like operating systems. It was originally designed at the University of
California, Berkeley and the name is an acronym of Berkeley Internet Name Domain.



Download BIND Tools

[Screenshot: the ISC FTP site at ftp://ftp.isc.org/isc/bind/cur with the current versions folder selected]

The site https://www.isc.org/bind/ provides options for downloading from their website or FTP.
The example shows the FTP option with the current versions folder selected. Zip files are available
for download for x64 and x86 versions of Windows. Once downloaded, the Zip file should be
extracted.



BINDInstall

[Screenshot: the BINDInstall dialog with the Tools Only option selected]

The BINDInstall application is included in the Zip file and this includes a Tools Only option for when
the BIND server component is not required.



Visual C++ Redistributable

Depending on the version of Windows, it may be necessary to install Visual C++ Redistributable.



Run dig.exe

o Run dig.exe from an Administrator Command Prompt
o The program is located in C:\Program Files\ISC BIND 9\bin OR C:\Program Files (x86)\ISC BIND 9\bin
o Modify the Path environment variable to include the ‘bin’ folder

DIG should be run from an Administrator command prompt. The path to the executable will
depend on the version of Windows. The bin folder containing the program can be added to the
Path environment variable, allowing access to the DIG command without entering the full path.



DIG Commands

dig [hostname]
    Returns any A record found within the queried hostname’s zone.
    Example: dig www.sophos.com

dig [hostname] +short
    Provides a short answer, usually just an IP address.
    Example: dig www.sophos.com +short

dig @[nameserver address] [hostname]
    Queries the specified nameserver.
    Example: dig @4.2.2.2 www.sophos.com

dig [hostname] +trace
    +trace instructs dig to start at the root nameserver and then report the results from each stage of the query.
    It also shows signature information for DNSSEC.
    Example: dig www.sophos.com +trace

dig -x [IP address]
    Performs a reverse lookup.
    Example: dig -x 172.16.1.20

dig [hostname] any
    Returns all records for a hostname.
    Example: dig sophos.com any

dig [hostname] [record type]
    Returns the records of that type found within the queried hostname’s zone.
    Example: dig sophos.com MX

Here are some examples of dig commands. You will use these in the following simulation.



Using DIG to Investigate DNS Resolution

This simulation will show how to use the DIG command to investigate DNS resolution. Follow the
instructions to advance to the next step.


Run the command dig www.sophos.com



The answer section shows that www.sophos.com is a CNAME record. This and a second CNAME record are resolved to the A
record pointing to 104.112.59.170. The server responding to the query is 172.16.1.10.
Run the command dig www.sophos.com +short


Adding +short to the command reduces the information to just the answer section
Run the command dig @4.2.2.2 www.sophos.com


This has instructed dig to send the query to the DNS server with IP address 4.2.2.2. The server responding to the query was 4.2.2.2.
Run the command dig www.sophos.com +trace


+trace instructs dig to start at the root nameserver and then report the results from each stage of the query. The first sections
of the output show the Root Servers and then the Top Level Domain (TLD) Servers for .com.
Click in the scroll bar of the command window to move the display down


The dig command is DNSSEC-aware so also shows the digital signatures at each stage of the resolution. Further down the output
are the servers holding zone information for sophos.com.
Run the command dig -x 172.16.1.20


Dig can be used to perform a reverse lookup using the -x switch. In the example 172.16.1.20 has been resolved to
srv.ad.sophostraining.xyz
Run the command dig sophos.com any


The command has returned all records for sophos.com: NS (Name Server) records, MX (Mail Exchanger) and TXT (Text) records,
and A (Address) records
Run the command dig sophos.com MX


Records of the type specified (in the example MX) are displayed and also the A records for the mail exchangers
Click anywhere to finish the simulation



NetBIOS Name Resolution

NetBIOS (Network Basic Input/Output System)

• NetBIOS names predate DNS on Windows networks
• Used by applications and for file and printer sharing
• NetBIOS names are now derived from the computer name
• Allow interoperability with older computers and services

So far this course has focused on the use of the Domain Name System for name resolution. DNS
has now become the standard but in Windows environments it is likely that an earlier naming
system may still be running in parallel. This is known as NetBIOS and it was Microsoft’s standard
before Windows Server 2003.

NetBIOS is an abbreviation for Network Basic Input/Output System. It allows software applications
to locate and identify each other and supports file and printer sharing. In current Windows
networks the NetBIOS name still exists but is derived from the computer name. It is still supported
to provide interoperability with older computers and services.



NetBIOS Names

Like DNS, NetBIOS has both group and unique names. The example shows the NetBIOS names for a
server named DC that is part of a Windows domain named AD. If this sounds familiar this is
because this is the NetBIOS version of dc.ad.sophostraining.xyz that we have seen earlier in the
course. Unlike Fully Qualified Domain Names, NetBIOS only has two levels.

The codes next to the name identify a role. For example, 1C identifies DC as a domain controller for
the AD domain.



Network Discovery

If network discovery is enabled, it is possible to see the NetBIOS names of computers in Explorer’s
Network view.



Shared Resources

Selecting one of the computers will show the shared resources that are available. Depending on
permissions, users can then open the resource (in this case a shared folder) and view the files it
contains.



NetBIOS Name Syntax

Clicking in the address bar shows the NetBIOS name syntax for this resource, in the example
\\DC\Shared Documents


NetBIOS Names in Commands

This syntax is also used in commands such as net view.

net view \\DC lists the shared resources on the computer named DC.



NetBIOS Names in Commands

Another example of a command that uses NetBIOS names is net use. The example shows how net
use can ‘map’ drive f: to \\dc\software



WINS (Windows Internet Name Service)

[Diagram: Client 1, Client 2 and Client 3, a WINS Server and a WINS Proxy]

To connect to resources you must be able to resolve the name to its IP address. The NetBIOS
equivalent of DNS was WINS (Windows Internet Name Service). WINS servers held a database of
names and their IP addresses. WINS clients could query a server on their own network but
requests could not traverse routers. WINS Proxies could be used to forward requests from clients
to WINS servers on another network. WINS Proxies could also forward any broadcast requests for
NetBIOS name resolution.



NetBIOS Name Resolution

1. Check the local cache
2. Check the LMHosts file
3. Consult one or more WINS Servers
4. Broadcast for the NetBIOS name

The process for resolving NetBIOS names could include multiple steps.

As with DNS names, the first place checked is the local cache. If the name is not in the cache the
client looks in a file named LMHosts, which is similar in function to the hosts file and is located in
the same folder. If the client has one or more WINS servers configured, they will then request
resolution from them.

The final resolution method is to broadcast for the NetBIOS name. The computer sends a packet
that is received and processed by all machines on the network. The packet requests that the
matching computer identify itself. This method is only effective in a local network as routers do not
forward broadcast packets.

Broadcasts generate unnecessary network traffic so name resolution methods that use directed
requests are preferred.



Security Issue: WINS Spoofing

[Diagram: 1. the Victim broadcasts "I am looking for SRV"; 2. the Attacker replies "I am SRV"; 3. the real SRV is too late in replying; 4. the Victim sends "OK here are my credentials"; 5. the Attacker returns an error and starts cracking the victim’s credentials]

Although WINS is largely deprecated in the latest versions of Windows Server it is still widely
available on Windows networks.

WINS requests are unauthenticated so are subject to spoofing attacks. This is when an attacker on
the network impersonates, or ‘spoofs,’ another resource’s identity and misdirects the victim’s
traffic.

If an attacker can trick a computer into connecting to them, they can grab the NTLM hash of the
user’s credentials. This hash can be run through a hash cracking mechanism to obtain the
plain-text password.



Security Issue: There is No Need for NetBIOS

NetBIOS is still enabled on many networks today

It can be used for name resolution if DNS is not enabled

Using NetBIOS creates security weaknesses

Where possible disable NetBIOS and use DNS

NetBIOS was created in the early 1980s but is still enabled on many networks today. The most
common use for NetBIOS over TCP/IP (NBT) is for name resolution, if DNS is not supported or is not
working on the local network. It is now very rare to find applications or devices that do not support
DNS.

There are many security concerns with NetBIOS and typically it should be disabled. This will help to
mitigate an attacker’s ability to poison and spoof responses and obtain a user’s hashed credentials.



Course Review
Now that you have completed this course, you should:

Recognize the components of a Fully Qualified Domain Name (FQDN)

Understand the role of DNS servers and the records that they hold

Recognize the process used to resolve names and how caching improves performance

Use appropriate tools to test and troubleshoot name resolution


Here are the skills you should be able to take away from this course.

If you feel confident that you have met these objectives, click Continue to complete the quiz.



Question 1 of 5
Match the DNS record type to the description

A Mail Exchange

MX IPv4 Host

CNAME Reverse lookup

PTR Location of a service

SRV Alias



Question 2 of 5
Which 2 provide a solution to email address spoofing?

PTR SPF

DKIM DNSSEC



Question 3 of 5
Match the command to the requirement

dig sophos.com any Start at the root and show all results

dig www.sophos.com +trace Perform a reverse lookup

dig @4.2.2.2 www.sophos.com Show all records

dig -x 172.16.1.20 Query a specified name server



Question 4 of 5
Type the command you would use to clear the local resolver cache



Question 5 of 5
Type the name of the protocol that adds cryptographic signatures
to DNS records



Quiz Failed

You have completed the course however, you have not passed the quiz.

To retry the quiz click Restart Quiz.


Quiz Passed

Congratulations! You have successfully completed this course.

If you have found this course useful you may also be interested in our other courses available in
this Cybersecurity Essentials Series.

To view our available courses please view the On-Demand training section in the training portal


Series Feedback – What Do You Want to See?

Currently Available

Cryptography: 101: Getting Started with Cryptography; 201: Cryptography in Depth; 202: Working with Digital Certificates; 203: Understanding Ciphers
Networking: 101: Getting Started with Networking; 201: TCP/IP Network Model; 202: IP and Routing; 203: Name Resolution
Wireless: 101: Getting Started

Planned

› Perimeter Security
› Mobile Devices
› Windows Operating Systems
› Microsoft Active Directory
› Security Threats
› Public Cloud Platforms

Email globaltraining@sophos.com with your suggestions and feedback

The courses in this series are designed for individuals with no prior knowledge of the topics.

Here is a list of currently available courses in this series.

Additionally, we have a number of courses that are being developed and will be made available
soon.

We also have a list of planned courses we would like to add to this series.

If you would like to suggest a topic for a course or to provide any feedback on this series then
please email us at globaltraining@sophos.com



TRAINING FEEDBACK

Feedback on our courses is always welcome.

Please email us at globaltraining@sophos.com with your comments.
Sophos Cybersecurity Essentials Networking 203

In this activity you will use http://whois.domaintools.com/ to discover information about a domain.
Note: you will use the information collected in this activity for later tasks.

1 Open a browser and navigate to


2 Enter the domain name sophos.com and click
3 What is the name of the Registrar for this domain?

________________________________________________________
4 What is the IP address for this domain?

________________________________________________________
5 What are the names of the DNS Servers for this domain? Write down any two of the DNS servers listed

________________________________________________________
6 Leave the browser open at this site for the next activity

You have discovered information about a domain.

Activity No. 1

In this activity you will use http://whois.domaintools.com/ to see how organizations protect against cybersquatting.

1 Return to
2 In the Whois Lookup box at the top of the page enter the domain name googel.com
and click
3 What is the name of the Registrant Org for this domain?

________________________________________________________
4 Enter the domain name gogle.com and click
5 What is the name of the Registrant Org for this domain?

________________________________________________________
In this activity you have seen that organizations can protect themselves against cybersquatting by registering similar domain names
themselves.

Activity No. 2
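The two lookups above show one brand owner holding a transposed and an omitted-letter variant of its own name. The script below is an added example for this course (it is not Sophos code and not part of the activity): it enumerates the common single-keystroke variants of a domain, the list a brand-protection team would feed to whois or to its registrar, and reports which of them are not yet held. The "already registered" set is constructed here to mirror what the two whois lookups in this activity return.

```python
"""Enumerate look-alike domain names that a brand owner would check or register.
Added example for the course; the registered set below is constructed."""
import string


def typosquat_candidates(domain):
    """Return single-edit variants of <label>.<tld>: omission (gogle.com),
    doubling (gooogle.com), replacement (googke.com) and adjacent
    transposition (googel.com). The original name is never included."""
    label, _, tld = domain.lower().partition(".")
    if not label or not tld:
        raise ValueError("expected <label>.<tld>, got %r" % domain)
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])            # omission
        variants.add(label[:i] + label[i] + label[i:])     # doubling
        for ch in string.ascii_lowercase:                  # replacement
            if ch != label[i]:
                variants.add(label[:i] + ch + label[i + 1:])
    for i in range(len(label) - 1):                        # transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def unregistered_candidates(domain, registered):
    """Variants of `domain` that are not in `registered` (names the owner
    already holds), sorted, so the gap list can be reviewed or monitored."""
    return sorted(typosquat_candidates(domain) - {r.lower() for r in registered})


# Constructed: suppose the whois lookups in this activity showed these two
# variants registered by the brand owner itself.
HELD_BY_OWNER = {"googel.com", "gogle.com"}

if __name__ == "__main__":
    gaps = unregistered_candidates("google.com", HELD_BY_OWNER)
    print("%d candidate names, %d not held by the owner" %
          (len(typosquat_candidates("google.com")), len(gaps)))
    print(", ".join(gaps[:10]), "...")
```

Replacement with every letter produces most of the volume; in practice teams rank the list by keyboard adjacency and by which variants actually resolve, but the set above is the starting point either way.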
Activity No. 3

In this activity you will use the nslookup command to view the DNS records for the sophos.com domain.

1 Click the and type Command
2 From the matching items which are displayed, click on the
program or app
3 In the Command Prompt dialog, enter the command nslookup. This will show information about your DNS server.
4 Enter sophos.com - This will return the default address record for the domain.
5 Enter set type=mx
6 Enter sophos.com - This will display a list of Mail eXchange records for sophos.com.
7 Enter set type=a
8 Enter the name shown in one of the MX records, e.g. mx1.sophos.com - This will display the IP address for the server.
9 Enter set type=ns
10 Enter sophos.com - This will display a list of Name Server records for sophos.com.
11 Close the

You have used the nslookup command to view the DNS records for the sophos.com domain.
Activity No. 4

In this activity you will use nslookup to show non-authoritative and authoritative answers.
In Activity 1 you wrote down the names of the name servers for the sophostraining.xyz domain. You will now use this information to complete Activity 4.

1 Click the and type Command
2 From the matching items which are displayed, click on the
program or app
3 In the Command Prompt dialog, enter the command nslookup. This will show information about your DNS server.
4 Enter sophos.com - This will return the default address record for the domain and the response will be shown as non-authoritative.
5 Enter server <name of a DNS server for sophos.com> - This will change the DNS server to which the following requests are made.
6 Enter sophos.com - This will return the default address record for the domain and the response will NOT be shown as non-authoritative.
Note: If you do not receive a successful response to the command above, repeat the server command but use the IPv4 address of the DNS server instead of the name.
7 Close the

You have used nslookup to show non-authoritative and authoritative answers.
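Activities 3 and 4 show nslookup printing A, MX and NS records and marking some answers "Non-authoritative". The following added example (written for this course; it is not Sophos or nslookup code) builds and then parses DNS messages in the RFC 1035 wire format so you can see where both come from: the record types are the TYPE field of each answer, and "non-authoritative" simply means the AA bit in the header flags is clear, which is what a recursive resolver answering from its cache sends and what the zone's own server sets. Every name (example.test, mx1.example.test) and address (192.0.2.x) here is constructed sample data.

```python
"""Build and parse minimal DNS response messages (RFC 1035 wire format) to show
where nslookup's record output and "Non-authoritative answer" come from.
Added example for the course; all names and addresses are constructed."""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 15: "MX"}
AA_FLAG = 0x0400  # Authoritative Answer bit in the 16-bit flags word


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, qtype, answers, authoritative):
    """Return a response for (qname, qtype). answers is a list of (rtype, rdata):
    a dotted IPv4 string for A, a host name for NS, (preference, host) for MX.
    Each answer's owner name is a compression pointer (0xC00C) back to the
    question name at offset 12, which is how real servers encode it."""
    flags = 0x8000 | (AA_FLAG if authoritative else 0)  # QR=1 marks a response
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    for rtype, rdata in answers:
        if rtype == 1:
            rd = bytes(int(octet) for octet in rdata.split("."))
        elif rtype == 2:
            rd = encode_name(rdata)
        elif rtype == 15:
            rd = struct.pack("!H", rdata[0]) + encode_name(rdata[1])
        else:
            raise ValueError("unsupported record type %d" % rtype)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return msg


def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, end)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # the caller resumes after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return the header flags of interest and a list of (name, type, ttl, data)."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "authoritative": bool(flags & AA_FLAG),
              "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            data = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 2:
            data, _ = read_name(msg, off)
        elif rtype == 15:
            data = (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])
        else:
            data = msg[off:off + rdlen]
        result["answers"].append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, data))
        off += rdlen
    return result


def demo():
    """Constructed exchange: the same A query answered from a resolver's cache
    (AA clear, what nslookup prints as non-authoritative), then by the zone's
    own server (AA set), then an MX query as in Activity 3."""
    cached = parse_response(build_response("example.test", 1, [(1, "192.0.2.10")], False))
    direct = parse_response(build_response("example.test", 1, [(1, "192.0.2.10")], True))
    mx = parse_response(build_response("example.test", 15, [(15, (10, "mx1.example.test")),
                                                            (15, (20, "mx2.example.test"))], True))
    return cached, direct, mx


if __name__ == "__main__":
    for label, r in zip(("resolver cache", "authoritative", "MX lookup"), demo()):
        print("%-15s AA=%d %s" % (label, r["authoritative"], r["answers"]))
```

The hop counter in read_name is the one defensive detail worth copying: a pointer that loops back on itself is a classic way to hang a naive parser, and real resolvers bound pointer chasing for the same reason.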
Activity No. 5

In this activity you will use the ipconfig /displaydns command to view the local DNS cache.

1 Click the and type Command
2 From the matching items which are displayed, click on the
program or app
3 In the Command Prompt dialog, enter the following commands:

cd\
md dns
cd dns
ipconfig /displaydns
There is likely to be a large number of entries in the cache and much scrolling is required to find a specific entry.
ipconfig /displaydns > dnscache1.txt
Adding > dnscache1.txt redirects the output of the command to a text file of that name.

Leave the command prompt open.
4 Use to open
5 View the entries and search for
It is unlikely that this will be in the file unless you use the French version of our website.
6 Open a and navigate to .
7 Return to the command prompt and enter the command
ipconfig /displaydns > dnscache2.txt
8 Use to open
9 Use to open
10 View the entries and search for
This should now be included in the resolver cache.

You have used the ipconfig /displaydns command to view the local DNS cache.
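Searching two large text dumps by eye, as steps 5 and 10 ask, does not scale once the cache has hundreds of entries. The script below is an added example for this course (not Sophos or Microsoft code): it parses the layout that ipconfig /displaydns prints into records and reports the names that appeared between two snapshots, which is also how an incident responder turns a resolver-cache dump into a list of recently contacted hosts. The two snapshots in the script are constructed sample text in that layout; the names and addresses in them (example.test, 192.0.2.x) are invented, and the file names dnscache1.txt and dnscache2.txt are the ones used in the activity.

```python
"""Parse `ipconfig /displaydns` output and report records added between two
snapshots. Added example for the course; the sample text below is constructed."""
import re
import sys

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}

# "Record Name . . . . . : sophos.com" -> key "Record Name", value "sophos.com".
# The key is matched lazily so the first ':' after the dot leaders ends it,
# which keeps IPv6 values such as 2001:db8::1 intact.
FIELD_RE = re.compile(r"^([A-Za-z() ]+?)[ .]*:\s*(.*)$")

CACHE_BEFORE = """\
Windows IP Configuration

    sophos.com
    ----------------------------------------
    Record Name . . . . . : sophos.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 2841
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10


    wpad
    ----------------------------------------
    No records of type AAAA

"""

# Second snapshot: same content plus a site visited in between (a CNAME chain,
# which ipconfig lists as two records under one heading).
CACHE_AFTER = CACHE_BEFORE + """\
    www.example.test
    ----------------------------------------
    Record Name . . . . . : www.example.test
    Record Type . . . . . : 5
    Time To Live  . . . . : 299
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : web.example.test


    Record Name . . . . . : web.example.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 299
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.20

"""


def _normalize(fields):
    rtype = int(fields.get("Record Type", "0"))
    # the data line is named after the type: "A (Host) Record", "CNAME Record", ...
    data = next((v for k, v in fields.items() if k.endswith("Record")), None)
    return {"name": fields.get("Record Name", "").lower(),
            "type": RECORD_TYPES.get(rtype, str(rtype)),
            "ttl": int(fields.get("Time To Live", "0")),
            "section": fields.get("Section", ""),
            "data": data}


def parse_displaydns(text):
    """Return one dict per record. Headings, dash rules and 'No records of
    type ...' negative entries carry no fields and are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(_normalize(current))
            current = None
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Record Name":  # every record starts with its name
            if current:
                records.append(_normalize(current))
            current = {}
        if current is not None:
            current[key] = value
    if current:
        records.append(_normalize(current))
    return records


def _key(record):
    return (record["name"], record["type"], record["data"])


def new_records(before_text, after_text):
    """Sorted (name, type, data) tuples present in the second dump only."""
    seen = {_key(r) for r in parse_displaydns(before_text)}
    return sorted({_key(r) for r in parse_displaydns(after_text)} - seen)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python cachediff.py dnscache1.txt dnscache2.txt
        before, after = (open(p, encoding="utf-8", errors="replace").read()
                         for p in sys.argv[1:3])
    else:
        before, after = CACHE_BEFORE, CACHE_AFTER
    for name, rtype, data in new_records(before, after):
        print("new: %-30s %-6s %s" % (name, rtype, data))
```

TTL is deliberately left out of the comparison key: it counts down between the two snapshots, so including it would report every cached name as changed.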
