Welcome. Networking 203: Name Resolution is the fourth in a series of courses that explain how
networks operate and some of the cybersecurity issues they exhibit.
February 2020
Version: 1.0
© 2019 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
This course is designed for technical professionals who want to understand how names are used
and resolved on private TCP/IP networks and on the Internet.
This course assumes knowledge of the content included in other parts of the series. There is no
requirement to complete all courses, but if you are unfamiliar with any of the terms and concepts
used during this training, we recommend one or more of the courses shown.
Activities are suggested throughout the course that allow you to try the techniques described. You
can complete these during the course or at a later time.
Each activity slide will include a button that opens a PDF containing instructions for that activity.
Instructions for all activities can be opened by selecting the file from the RESOURCES menu.
Instructions are also included at the back of the Student Handout.
Activities later in the course may rely on the completion of earlier activities.
The instructions are written for Windows computers but the notes will indicate where alternatives
are available for Mac or Linux.
We use names to access resources on the Internet and local networks but these names must be
resolved to their IP address for communication to take place.
In this course you will learn about the structure of names and the Domain Name System that
allows them to be resolved. You will also learn about some of the security risks that name
resolution can present.
This is the course hub page, which provides access to the topics in this course.
Topics can be repeated if you want to review a section and the student handout includes the slides
and notes for all topics covered.
DNS SERVERS
IP devices are configured with the IP addresses of one or more DNS servers. The devices send
requests to a DNS server when they need to know the IP address of a destination server.
IP Addresses are not easy for humans to remember so networks use easy-to-remember names
such as www.sophos.com, which are known as Fully Qualified Domain Names (FQDNs). Although
names are used to make requests, a valid destination IP address is required for the request to be
routed successfully. IP networks therefore include the Domain Name System (DNS) which is
responsible for resolving names to IP addresses.
Each IP device is typically configured with the IP address of one or more DNS servers. When the
device receives a request containing a name, it sends this to the DNS server and the server
responds with the associated IP address. The device can then add the IP address to the request
and forward it appropriately.
[Figure: a laptop's web browser sends a DNS request for www.sophos.com to the DNS server, then sends the web request via the router and ISP to the Internet]
In the example, the user on the laptop opens a browser and enters a web URL of
https://www.sophos.com. The laptop sends a lookup request to the DNS server configured in its IP
configuration. The DNS server responds with the IP address associated with www.sophos.com
which is 23.64.22.240.
If your DNS server does not have the required IP address, it is able to contact other DNS servers to
obtain it.
Once the laptop has the IP address it makes the web request. Because the address is not local it
forwards the request to its default gateway.
In the early days of TCP/IP networking the Internet names were resolved to their IP address using a
text file named hosts. The introduction of Domain Name System (DNS) provided a centralized
means of resolving names to IP addresses, making the Internet far more accessible for everyday
use.
[Figure: the FQDN DC.AD.sophostraining.xyz. labelled as Host (DC), Subdomain (AD), Domain (sophostraining), Top-Level Domain (xyz) and Root (.)]
Alongside the introduction of DNS came the concept of fully qualified domain names (FQDN). The
concept originated for the Internet but is also now used within private networks.
An FQDN, sometimes also referred to as an absolute domain name, is a domain name that specifies
the exact location of the resource in the tree hierarchy of the Domain Name System (DNS).
[Figure: the DNS tree from the Root (.) down through xyz, sophostraining and AD to the hosts DC and SRV, giving DC.AD.sophostraining.xyz]
At the top is the root, followed by the top level domain and organization domain. Below the
organization domain, it is possible to have both sub-domains and hosts. A host is a server that
provides resources such as web or email. In the example the sophostraining.xyz domain holds
external resources, such as the host www.sophostraining.xyz.
A sub-domain named AD is used for the internal network and this contains the hosts DC and SRV.
Top level domains (TLDs) are generally used to identify the type of organization. The original list
included com for commercial, edu for education and gov for government.
As the Internet grew, it became increasingly difficult to find unique domain names so TLDs were
introduced for countries. More recently generic TLDs have been added and there are now about
1,500 TLDs.
The Internet Assigned Numbers Authority (IANA) is a nonprofit private American corporation that
manages the root zone in the Domain Name System (DNS). IANA has responsibility for agreeing
new TLDs and delegating their management. You can use the link to view the full list of top level
domains and the organizations to which the management of each has been delegated.
Domain names used on the Internet must be registered, in other words purchased. Anyone can
buy a domain name by visiting a domain name registrar, selecting an available domain name and
paying a fee.
The most popular names using the .com TLD may already be taken. As the example shows,
sophostraining.com is not available but other options are suggested.
Often, cybercriminals will purchase and “squat” on website names that are similar to an official
website in the hope that users go to the wrong site, such as www.googel.com with the ‘e’ and ‘l’
reversed.
Another trick is to use fully qualified domain names that include the organization’s name but are
actually in another domain. Remember, it’s the name next to the top level domain that’s
important.
If the URL is not visible, hover over the link, or right-click and copy it, to view it. If you are
worried you can paste it into websites such as https://www.urlvoid.com, which will check for known
malicious URLs.
Only one of these PayPal buttons would take you to a genuine PayPal login page. Click on the
button that is genuine. Remember, you can view the URL by hovering over the button.
The Domain Name System (DNS) is a huge hierarchical and decentralized database of names and IP
addresses, hosted by many thousands of name servers. All name servers use the same protocols
and standards, so we will start by looking at how a single server operates.
The DNS server we will consider is on a private network and holds the records for the
ad.sophostraining.xyz domain. The computer that is hosting the DNS server is named DC. It has a
record in its own database that shows an IP address of 172.16.1.10.
Any device connected to a network needs a DNS server to resolve names to IP addresses.
It is more common to obtain both an IP address and DNS server address automatically using DHCP.
DNS servers are typically responsible for one or more forward lookup zones. A forward lookup is
when a client has a name and needs the corresponding IP address.
Our DNS server holds information for the ad.sophostraining.xyz zone, and this includes the host
records for clients and servers within it. It is part of a Microsoft Active Directory network so it also
holds information for the _msdcs sub-domain which holds DNS records for Microsoft-specific
services.
Host records are the foundation of the DNS system. More correctly they are named Address (A)
records for IPv4 or AAAA records for IPv6.
In our example the user wants to access files located on a local server. Their laptop does not have a
record of the server’s IP address so a request is sent to their DNS for the information. The DNS has
this information as an A record in its local zone and responds with the server’s IP address.
Communication can now proceed.
Suppose the client now wants to communicate with an external resource. Zone information for the
domain sophos.com is not held by the local DNS server, so it must discover the IP address from
other DNS servers. As you will see in a later section, the local DNS server could make a request
directly to the Internet DNS servers. However a common and more secure solution is to configure
the DNS to forward requests to another DNS server, which can then discover the information on
their behalf. This allows the server to be protected by network firewalls that only permit outbound
requests from the DNS and their responses.
DNS servers that are configured as forwarders can be part of the corporate network, for example
located in the DMZ, or Internet-based DNS servers.
In the example, our DNS has been configured to forward to two other DNS servers if it does not
have the information locally. The first is the DNS that holds the record for the organization’s
external domain, sophostraining.xyz. The other is an example of a free, public DNS server of which
there are about 12,500 worldwide.
When a DNS server receives information from other servers it typically caches the result to speed
up future resolution.
A caching-only DNS server does not contain zone information or a zone database file; it only holds
the results of queries that it has already performed by asking other servers.
So far we have focused on how a DNS server is used to resolve a name to its IP address using
address records. As shown this is just one of the record types held by DNS servers. Click on the
buttons to find out more about each of these.
As we have seen A and AAAA records are used to translate human friendly domain names into IP
addresses. A-records are not required for all computers but are needed for any computer that
provides shared resources on a network.
The example also shows an A-record for the domain name. This means that anyone entering just
sophostraining.xyz into a browser can be directed to specified server, typically hosting the website.
[Figure: www and mail CNAME records pointing to the same server]
CNAME-records are used to provide aliases. Computers often perform multiple roles such as mail
server and web server. To simplify access, CNAME-records can be used to give a single computer
multiple names. For example, server1.sophostraining.xyz has two CNAME-records defined:
www.sophostraining.xyz and mail.sophostraining.xyz
CNAME-records are also used when a server hosts many different domain names, for example an
ISP’s server.
[Figure: MX records with different priorities pointing to two servers]
MX-records are used to specify the e-mail server(s) responsible for a domain name. Whenever an
email is sent, the SMTP (Simple Mail Transfer Protocol) service requests the MX record for the
recipient’s domain. This holds the name of an e-mail server and also a preference number (priority)
for that server. If a domain has multiple e-mail servers, a separate MX-record is used for each
server and those with the lowest preference numbers are selected first.
Once the name of the destination mail server is known, its IP address must be found using an
address lookup.
An SOA (Start of Authority) record contains administrative information about the zone. An
important part of this relates to zone transfers, which we will describe later in the course. The SOA
record also contains details of the responsible person for this zone, as well as the name of the
primary name server. Zones typically have more than one name server and the NS (Name Server)
records identify each of the DNS servers that are responsible (referred to as authoritative) for
a zone.
SRV (Service) records are used to specify the location of a service. In the example this is Skype for
Business, which uses the SIP service for voice and video. The SRV record for the sophostraining.xyz
domain shows that this service is hosted at online.lync.com.
TXT (text) records can hold many different types of information. They are often used to provide
additional information about a domain, such as contact person and phone numbers.
In the example shown the record with the value starting MS= has been added as a way to verify
domain ownership when setting up Office 365. The other record, beginning v=spf1 is for Sender
Policy Framework (SPF), which provides protection against email spoofing and spamming.
In this activity you will use the nslookup command to view the DNS records for the sophos.com
domain.
Normally emails are sent using a client application. This compiles information about the sender
and the recipients, which is put into an SMTP (Simple Mail Transfer Protocol) message.
SMTP messages start with an ‘envelope’ which provides two pieces of address information:
• MAIL FROM: this is the return path for the message and is not normally visible to the end user.
By default no checks are made that the sending system is authorized to send on behalf of that
address
• RCPT TO: this specifies which email address the message is delivered to
If the receiving mail server accepts the incoming message, the sending system then follows with
the message data, which includes additional headers:
• FROM: provides the address that’s visible to the recipient. In a malicious email this may be
different from the MAIL FROM address. By default no checks are performed on this address
• Reply-to: is used by the email client when replying to the message. Similarly, this is not checked.
Messages can be created and sent using applications such as telnet or scripts, and the lack of
checks means that attackers can create messages with spoofed addresses. Spam and phishing
emails often use forged from addresses.
One solution to spoofing is the Sender Policy Framework (SPF) DNS record. SPF allows a receiving
email server to detect a forged sender address during the delivery of the email.
Administrators must use the public DNS system to publish an SPF resource record for their
organization’s domain. The SPF record can include an instruction to check all A and MX records and
also a list or range of IP addresses which are authorized to transmit email for that domain.
In the example, if the IP address of the sending email host for the domain does not match an A or
MX record for that domain and is not in the IP address range 216.40.42.0/24 then the email should
be rejected, which is indicated by -all.
When an email is received, the server queries DNS to learn the SPF policy. SPF records are typically
cached to enhance performance.
DomainKeys Identified Mail (DKIM) can also be used to verify the source of an email using its
digital signature.
The sender’s mail server attaches a digital signature to the email. The signature is encrypted using
the sender’s private key. The corresponding public key is published in a DNS text record and this
will allow the signature to be decrypted. When the receiving server sees that an email has a DKIM
signature, it does a DNS lookup to find the DKIM record associated with the sending domain.
Digital signatures are an asymmetric cryptographic technique. To learn more about how
cryptography is used to provide information security we recommend the Sophos Cybersecurity
Essentials: Cryptography courses.
DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”,
builds on the widely deployed SPF and DKIM protocols. A DMARC policy allows a sender to indicate
that their messages are protected by SPF and/or DKIM, and tells the recipient what to do if neither
of those authentication methods passes. Examples include moving the message to junk or
rejecting the message.
DMARC also provides a way for the recipient to report back to the sender about messages that
pass and/or fail DMARC evaluation.
So far all the DNS records we have considered have been used for forward lookups, that is lookups
related to the host or domain name. The PTR (pointer) record type can be used to find information
about a known IP address. This record type requires the use of a Reverse Lookup Zone.
Reverse DNS lookups for IPv4 addresses use the special domain in-addr.arpa. The rest of the zone
name is based on the network ID. In the example, the network is 172.16.0.0/16 and reversing the
two numbers of the network ID gives a zone name of 16.172.in-addr.arpa.
The example, using nslookup, shows the record type being set to ptr.
When the IP address 172.16.1.40 is entered, this is recognised as 40.1.16.172.in-addr.arpa and can
be resolved to the name CLIENTTWO.ad.sophostraining.xyz.
Answer:
sophostraining.xyz
Reverse DNS is one of the ways email servers use to verify that the sending server is genuine.
In the example when someone sends email from address sender@sophostraining.xyz, the
receiving server checks whether the IP address of that server has a reverse DNS record that is tied
to sophostraining.xyz.
If the sending email server does not have a reverse DNS record, that’s usually a sign of spam and
the message will be rejected by most email servers.
If the email server has a reverse DNS but it does not match the domain name, other methods such
as DKIM and SPF records can provide the necessary verification.
In an earlier section we showed how fully qualified domain names are organized in a hierarchy that
starts with the root domain. We’ll now see how the many millions of records required for the
Domain Name System (DNS) are hosted on DNS servers using the same hierarchy.
The name servers that serve the DNS root zone are a network of hundreds of servers in many
countries around the world. They are configured in the DNS root zone as the 13 named authorities
shown in the slide.
The database that the root servers maintain contains the names of all the top-level domains (TLDs)
and the servers that hold their records.
The Internet Assigned Numbers Authority (IANA) manages the root zone database and delegates
responsibility for the management of each of the TLDs.
Using the information in this database we can see that .COM is delegated to Verisign Global
Registry Services which provides 13 groups of servers distributed around the world, holding
records for all domains ending in .com
Each organization domain requires one or more name servers that hold records for their zone. The
example shows that records for the sophos.com domain are held on seven name servers.
The nslookup command also displays their IP addresses, showing that two of them support both
IPv4 and IPv6.
You may have noticed when using the nslookup command that it shows a non-authoritative
answer. This means that the server does not hold the records itself but has found the answer from
another server. A name server that holds records for the zone will provide an authoritative answer.
The slide shows the expected output from Activity 4. It also shows the two ways to specify the DNS
server in the nslookup command: using its name or its IP address.
[Figure: the DNS admin changes records on the primary DNS server, which transfers the zone to secondary DNS servers]
As you have seen it is usual for multiple name servers to be configured for a domain. One of these
servers will be the primary name server and changes to DNS records, such as changing an IP
address, can only be done on a primary server. The primary name server then updates secondary
DNS servers, using a process known as zone transfer. This provides them with a read-only copy of
the zone file. The SOA record for a zone contains data to control the zone transfer.
An authoritative name server can either be a primary or secondary server. It is possible for DNS
servers to be primary for one DNS zone and secondary for another.
In the early days of the Internet, IP addresses rarely changed but most ISPs now assign IPs to their
users dynamically using DHCP (Dynamic Host Configuration Protocol). Large organizations typically
have static IP addresses but for smaller services this may be too costly, and they may have IP
addresses that are frequently changed by their ISPs. This requires a dynamic DNS solution to keep
DNS records up to date.
Dynamic DNS (DDNS) is a service that keeps the DNS updated with a resource’s correct IP address,
even if that IP address is constantly being updated.
How does dynamic DNS work? One common method is for users to purchase software which runs
on their computer or router and communicates with the dynamic DNS service provider. When an IP
address provided by the ISP is updated the software alerts the dynamic DNS provider who updates
the DNS with the changes.
We’ll now look in more detail at what happens when a client requests information from their name
server, in particular how this information is retrieved from the Domain Name System and then
cached to improve performance.
1. Recursive queries are used by clients when they contact their DNS server and ask it to respond
with the information requested. They are also used when a DNS server requests information
from another name server that has been configured as a forwarder.
2. Iterative queries are used when DNS servers ask another DNS server to return the information
but if they don’t have it, they can return the address of another DNS server that may know the
answer.
[Figure: DNS lookup for www.sophostraining.xyz through the hierarchy: (1) Client 1 asks the Local DNS, (2) Local DNS asks the Root Name DNS, (3) then the xyz Name DNS, (4) then the sophostraining.xyz DNS, (5) the answer is returned to Client 1]
Let’s consider an example where neither the client nor the local DNS server has previously
encountered the name or domain.
1. The client queries their local DNS for the host www.sophostraining.xyz. The local DNS server
does not have the answer and has not been configured with a forwarder. The server looks in its
‘root hints’ file to find the IP address of a Root DNS server.
2. It sends the request to the root server, which replies with information about a server for the
xyz top level domain.
3. The local DNS server now contacts the DNS server for the xyz TLD. This server replies with
information about a server for sophostraining.xyz.
4. The local DNS server now contacts the DNS server for sophostraining.xyz and is provided with
the IP address for www.sophostraining.xyz.
5. It can now provide this information to the client.
DNS clients and servers use caching to speed up the lookup process and to minimize traffic to the
root servers.
The example shows the client resolver cache for Windows. When a client receives a response to a
DNS lookup, the result is placed in the cache.
The cache is checked before issuing a query to a DNS server. The entry remains in cache for the
number of seconds defined in the ‘Time To Live’.
[Figure: Client 2 asks the Local DNS for www.sophostraining.xyz and is answered from the server's cache without contacting the Root, xyz or sophostraining.xyz name servers]
Going back to our example, the DNS server that has resolved the client’s request for
www.sophostraining.xyz will store the result in its own cache.
This means that if another client needs to resolve the same domain name, the server can respond
using the cached result.
[Figure: Client 2 asks the Local DNS for mail.sophostraining.xyz; the Local DNS goes straight to the sophostraining.xyz DNS, skipping the Root and xyz name servers]
Servers don’t just cache the final result; they also cache the information they learned in getting
there.
If the client now wants to resolve mail.sophostraining.xyz, the request can go straight to the server
responsible for the sophostraining.xyz domain as the local server already knows who it is.
Over time DNS servers can build up a large amount of information in their cache, which greatly
reduces the need to make requests to other servers.
[Figure: the attacker injects a fake DNS entry; Client 1's lookup for the IP address of the web site resolves to the fake website, which can forward the request on to the real website]
DNS spoofing (also known as DNS cache poisoning) is when an attacker compromises a DNS
database. This could be on anything from a large-scale Internet DNS server that serves millions of
people to just the local DNS cache on a single computer.
When the client asks for the IP address of a web location, it thinks it’s going to the correct site, but
it’s actually connecting to a site the attacker owns.
The attacker is then able to intercept content – including, for example, passwords. To hide the
attack the client can then be forwarded on to the genuine website.
If other DNS servers are getting information from the compromised server, the poisoned DNS entry
can soon spread.
[Figure: DNSSEC chain of trust: the .xyz DNSKEY, the xyz DNS holding the digital signatures for sophostraining.xyz, the DNSKEY of sophostraining.xyz held on the sophostraining.xyz DNS, and Client 1 verifying the answers]
In its standard form, clients making a request to a DNS do not check for credentials before
accepting the response. Under these circumstances a false entry will be used and will then be
propagated.
DNSSEC provides a solution by adding cryptographic signatures to existing DNS records. These
digital signatures are stored in DNS name servers alongside common record types like A, AAAA,
MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record
comes from its authoritative name server and has not been altered en route.
Digital signatures are an asymmetric cryptographic technique. To learn more about how
cryptography is used to provide information security we recommend the Sophos Cybersecurity
Essentials: Cryptography courses.
DNS is an effective and highly resilient service but can be susceptible to manipulation by
attackers. This section will show some of the methods you can use to troubleshoot.
Let’s look at how all of this works with a simulation. This simulation will show how to use Windows
commands to view and test DNS configuration.
As the simulation showed, DNS suffixes can simplify access to resources, allowing just the host
name to be used.
The example shows advanced DNS configuration for a Windows client, with two suffixes
configured. If a client is a member of an Active Directory domain, the full domain name, in this
case ad.sophostraining.xyz, will be their primary suffix. A connection-specific DNS suffix is one that
is related to a particular network interface. This can be useful when clients are connected to
multiple networks, for example using a VPN. The option to append parent suffixes of the primary
DNS suffix would achieve the same as the manual entries below, by adding sophostraining.xyz.
As with most network configuration, it is usual for clients to receive DNS settings through DHCP.
Before the introduction of DNS, name resolution was performed using a file named hosts. This file
still exists and any entries in it will override resolution provided by DNS. This means that if an
attacker or malware modifies the hosts file, it could prevent communication with anti-malware
sites or redirect traffic to rogue servers.
Let’s look at how all of this works with a simulation. This simulation will show the effect of
modifying the hosts file.
By default modification of the hosts file requires administrator privileges. For non-administrative
user accounts the file is read only. Further protection can be provided by good endpoint protection
software and anti-phishing protection.
As the simulation shows the ipconfig command is very useful for investigating and troubleshooting
DNS problems. The slide shows a summary of the switches which can be used for DNS client
management.
In earlier simulations you have used the nslookup command to perform DNS queries. We’ll now
look at another tool that provides more detailed information. DIG (domain information groper) is
a command-line tool for querying the Domain Name System. It is a component of the domain
name server software suite BIND, so, unlike nslookup, it must be downloaded and installed before
use.
BIND is the most widely used Domain Name System (DNS) software on the Internet and is the de
facto standard for Unix-like operating systems. It was originally designed at the University of
California, Berkeley and the name is an acronym of Berkeley Internet Name Domain.
ftp://ftp.isc.org/isc/bind/cur
The site https://www.isc.org/bind/ provides options for downloading from their website or FTP.
The example shows the FTP option with the current versions folder selected. Zip files are available
for download for x64 and x86 versions of Windows. Once downloaded, the Zip file should be
extracted.
The BINDInstall application is included in the Zip file and this includes a Tools Only option for when
the BIND server component is not required.
Depending on the version of Windows, it may be necessary to install Visual C++ Redistributable.
DIG should be run from an Administrator command prompt. The path to the executable will
depend on the version of Windows. The bin folder containing the program can be added to the
Path environment variable, allowing access to the DIG command without entering the full path.
Here are some examples of dig commands. You will use these in the following simulation.
This simulation will show how to use the DIG command to investigate DNS resolution.
So far this course has focused on the use of the Domain Name System for name resolution. DNS
has now become the standard but in Windows environments it is likely that an earlier naming
system may still be running in parallel. This is known as NetBIOS and it was Microsoft’s standard
before Windows Server 2003.
NetBIOS is an abbreviation for Network Basic Input/Output System. It allows software applications
to locate and identify each other and supports file and printer sharing. In current Windows
networks the NetBIOS name still exists but is derived from the computer name. It is still supported
to provide interoperability with older computers and services.
Like DNS, NetBIOS has both group and unique names. The example shows the NetBIOS names for a
server named DC that is part of a Windows domain named AD. If this sounds familiar this is
because this is the NetBIOS version of dc.ad.sophostraining.xyz that we have seen earlier in the
course. Unlike Fully Qualified Domain Names, NetBIOS only has two levels.
The codes next to the name identify a role. For example, 1C identifies DC as a domain controller for
the AD domain.
If network discovery is enabled, it is possible to see the NetBIOS names of computers in Explorer’s
Network view.
Selecting one of the computers will show the shared resources that are available. Depending on
permissions, users can then open the resource (in this case a shared folder) and view the files it
contains.
Clicking in the address bar shows the NetBIOS name syntax for this resource, in the example
\\DC\Shared Documents.
net view \\DC lists the shared resources on the computer named DC.
Another example of a command that uses NetBIOS names is net use. The example shows how net
use can ‘map’ drive f: to \\dc\software.
[Figure: NetBIOS Name Resolution with WINS, showing Client 1, Client 2 and Client 3, a WINS Server and a WINS Proxy]
To connect to resources you must be able to resolve the name to its IP address. The NetBIOS
equivalent of DNS was WINS (Windows Internet Name Service). WINS servers held a database of
names and their IP addresses. WINS clients could query a server on their own network but
requests could not traverse routers. WINS Proxies could be used to forward requests from clients
to WINS servers on another network. WINS Proxies could also forward any broadcast requests for
NetBIOS name resolution.
The process for resolving NetBIOS names could include multiple steps.
As with DNS names, the first place checked is the local cache. If the name is not in the cache the
client looks in a file named LMHOSTS, which is similar in function to the hosts file and is located in
the same folder. If the client has one or more WINS servers configured, it will then request
resolution from them.
The final resolution method is to broadcast for the NetBIOS name. The computer sends a packet
that is received and processed by all machines on the network. The packet requests that the
matching computer identify itself. This method is only effective in a local network as routers do not
forward broadcast packets.
Broadcasts generate unnecessary network traffic so name resolution methods that use directed
requests are preferred.
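The resolution order just described (cache, LMHOSTS, WINS, broadcast) as an added Python example, not code from the Sophos course: the LMHOSTS text is constructed, and the WINS servers and the local subnet are stand-in dictionaries rather than real network requests.

```python
# Constructed LMHOSTS sample in the real file's format: "#PRE" preloads the
# entry into the name cache, "#DOM:" tags a domain controller, "#" starts a comment.
LMHOSTS_SAMPLE = """\
# constructed sample, not a real network
192.0.2.10   DC        #PRE   #DOM:AD
192.0.2.20   FILESRV
# 192.0.2.99 OLDSRV   (commented out, must be ignored)
"""

def parse_lmhosts(text):
    """Return ({NAME: ip}, {names marked #PRE}) from LMHOSTS text."""
    entries, preloaded = {}, set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                      # blank line, comment or malformed line
        ip, name = parts[0], parts[1].upper()   # NetBIOS names are not case-sensitive
        entries[name] = ip
        if "#PRE" in parts[2:]:
            preloaded.add(name)
    return entries, preloaded

class NetbiosResolver:
    """Follows the order in the text: cache, LMHOSTS, WINS server(s), broadcast."""

    def __init__(self, lmhosts_text, wins_servers=(), local_segment=None):
        self.lmhosts, pre = parse_lmhosts(lmhosts_text)
        self.cache = {n: self.lmhosts[n] for n in pre}   # #PRE entries start cached
        # stand-ins for the network: each WINS server and the local subnet are dicts
        self.wins_servers = list(wins_servers)
        self.local_segment = local_segment or {}

    def resolve(self, name):
        """Return (ip, method) or (None, 'unresolved')."""
        name = name.upper()
        if name in self.cache:
            return self.cache[name], "cache"
        if name in self.lmhosts:
            return self._remember(name, self.lmhosts[name]), "lmhosts"
        for wins in self.wins_servers:      # directed requests; these can cross routers
            if name in wins:
                return self._remember(name, wins[name]), "wins"
        if name in self.local_segment:      # broadcast: only hosts on this subnet hear it
            return self._remember(name, self.local_segment[name]), "broadcast"
        return None, "unresolved"

    def _remember(self, name, ip):
        self.cache[name] = ip               # every successful answer is cached
        return ip
```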
[Figure: NetBIOS Name Resolution spoofing, showing a Victim and an Attacker]
Although WINS is largely deprecated in the latest versions of Windows Server it is still widely
available on Windows networks.
WINS requests are unauthenticated so are subject to spoofing attacks. This is when an attacker on
the network impersonates, or ‘spoofs,’ another resource’s identity and misdirects the victim’s
traffic.
If an attacker can trick a computer into connecting to them, they can grab the NTLM hash of the
user’s credentials. This hash can be run through a hash cracking mechanism to obtain the plaintext
password.
NetBIOS was created in the early 1980s but is still enabled on many networks today. The most
common use for NetBIOS over TCP/IP (NBT) is for name resolution, if DNS is not supported or is not
working on the local network. It is now very rare to find applications or devices that do not support
DNS.
There are many security concerns with NetBIOS and typically it should be disabled. This will help to
mitigate an attacker’s ability to poison and spoof responses and obtain a user’s hashed credentials.
Here are the skills you should be able to take away from this course.
Understand the role of DNS servers and the records that they hold
Recognize the process used to resolve names and how caching improves performance
If you feel confident that you have met these objectives, click Continue to complete the quiz.
If you have found this course useful you may also be interested in our other courses available in
this Cybersecurity Essentials Series.
To view our available courses please view the On-Demand training section in the training portal.
The courses in this series are designed for individuals with no prior knowledge of the topics.
Additionally, we have a number of courses that are being developed and will be made available
soon.
We also have a list of planned courses we would like to add to this series.
If you would like to suggest a topic for a course or to provide any feedback on this series then
please email us at globaltraining@sophos.com.
In this activity you will use http://whois.domaintools.com/ to discover information about a domain.
Note: you will use the information collected in this activity for later tasks.
________________________________________________________
4 What is the IP address for this domain?
________________________________________________________
5 What are the names of the DNS Servers for this domain? Write down any two of the DNS servers listed
________________________________________________________
6 Leave the browser open at this site for the next activity
Activity No. 1
Sophos Cybersecurity Essentials Networking 203
In this activity you will use http://whois.domaintools.com/ to see how organizations protect against cybersquatting.
1 Return to
2 In the Whois Lookup box at the top of the page enter the domain name googel.com
and click
3 What is the name of the Registrant Org for this domain?
________________________________________________________
4 Enter the domain name gogle.com and click
5 What is the name of the Registrant Org for this domain?
________________________________________________________
In this activity you have seen that organizations can protect themselves against cybersquatting by registering similar domain names
themselves.
Activity No. 2
In this activity you will use the nslookup command to view the DNS records for the sophos.com domain.
You have used the nslookup command to view the DNS records for the sophos.com domain.
Activity No. 3
In this activity you will use nslookup to show non-authoritative and authoritative answers.
In Activity 1 you wrote down the names of the name servers for the sophostraining.xyz domain. You will now use this information to complete
Activity 4.
4 Enter sophos.com. This will return the default address record for the domain and the response will be shown as non-authoritative.
5 Enter server <name of a DNS server for sophos.com>. This will change the DNS server to which the following requests are made.
6 Enter sophos.com. This will return the default address record for the domain and the response will NOT be shown as non-authoritative.
Note: If you do not receive a successful response to the command above, repeat the server command but use the IPv4 address of the DNS server instead of the name.
7 Close the
Activity No. 4
In this activity you will use the ipconfig /displaydns command to view the local DNS cache.
cd\
md dns
cd dns
ipconfig /displaydns   There is likely to be a large number of entries in the cache and much scrolling is required to find a specific entry.
ipconfig /displaydns > dnscache1.txt   Adding > dnscache1.txt redirects the output of the command to a text file of that name.
4 Use to open
5 View the entries and search for   It is unlikely that this will be in the file unless you use the French version of our website.
6 Open a and navigate to .
7 Return to the command prompt and enter the command ipconfig /displaydns > dnscache2.txt
8 Use to open
9 Use to open
10 View the entries and search for   This should now be included in the resolver cache.
You have used the ipconfig /displaydns command to view the local DNS cache.
Activity No. 5
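An added example, not part of the Sophos activity: a Python parser for the text that ipconfig /displaydns writes, so the search done by hand in the activity can be made against the redirected file instead of by scrolling. The sample output is constructed in the same layout; the addresses are documentation ranges rather than real records.

```python
# Constructed sample in the layout ipconfig /displaydns writes (the file
# dnscache1.txt above); addresses are documentation ranges, not real records.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    sophos.com
    ----------------------------------------
    Record Name . . . . . : sophos.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 1799
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.25

    www.sophos.com
    ----------------------------------------
    Record Name . . . . . : www.sophos.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 300
    Data Length . . . . . : 8
    Section . . . . . . . : Answer
    CNAME Record  . . . . : cdn.example.net
"""

# Numeric type codes shown by displaydns, mapped to the record names used in the course
RECORD_TYPES = {"1": "A", "5": "CNAME", "12": "PTR", "28": "AAAA"}

def parse_displaydns(text):
    """Return one dict per cached entry, keyed by the field names in the output."""
    records, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        # a line of dashes follows the cached query name and opens one entry
        if line.strip() and set(line.strip()) == {"-"}:
            entry = {"name": lines[i - 1].strip()}
            for field in lines[i + 1:]:
                if not field.strip():
                    break                         # blank line closes the entry
                key, _, value = field.partition(":")
                key = key.replace(".", "").strip()  # drop the dot leaders
                value = value.strip()
                if key == "Record Type":
                    value = RECORD_TYPES.get(value, value)
                entry[key] = value
            records.append(entry)
    return records

def find_cached(text, name):
    """Case-insensitive lookup of one name, the search the activity does by hand."""
    name = name.lower().rstrip(".")
    return [r for r in parse_displaydns(text) if r["name"].lower() == name]
```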