Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

DNS Investigation

Quick

  • does public DNS match private (internal / split-horizon) DNS?
  • does the name resolve to the correct IP?
  • DNS propagation: do all resolvers and all of the zone's authoritative servers agree?
  • DNS cache: a resolver keeps serving an old answer for up to the record's TTL, so when in doubt ask an authoritative server directly
dig +short yoursite.com @resolver1.opendns.com -t A
nslookup
https://www.digwebinterface.com/
ping -a -c 1 x.x.x.x    (on Windows -a resolves the IP to a hostname; on Linux and macOS -a only makes the ping audible, so do a PTR lookup for the reverse name instead)
ping -c 1 somename.com
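The four quick questions above come down to one check: do all the sources you can ask return the same answer as the zone's authoritative server? This is an added example, not from the original notes, in Python because it post-processes dig output rather than replacing dig. The SAMPLE answers are constructed (the 10.x and 203.0.113.x addresses stand in for a split-horizon internal resolver and a stale cache); 3.130.72.10 is the real A record shown further down this page. dig_short() is the live hook and assumes dig is on the PATH.

```python
"""Cross-resolver consistency check for the four quick questions above.

Added example, not from the original notes. The authoritative answer is
the reference; every source that differs from it is reported, whether it
is a split-horizon internal resolver or a public resolver still serving a
stale cache. SAMPLE is constructed except for 3.130.72.10, which is the
A record shown later on this page."""
import subprocess
from collections import Counter

# Constructed sample: what dig_short() might return from each source.
SAMPLE = {
    "authoritative": ("3.130.72.10",),
    "google 8.8.8.8": ("3.130.72.10",),
    "opendns 208.67.222.222": ("3.130.72.10",),
    "corp-internal": ("10.20.30.40",),      # split-horizon view (constructed)
    "isp-resolver": ("203.0.113.7",),       # old address still cached (constructed)
}


def dig_short(name, rtype="A", server=None, timeout=5):
    """Run `dig +short` and return the rdata lines as a sorted tuple, so
    answer sets compare equal regardless of round-robin order. An empty
    tuple means NXDOMAIN, NODATA or no reply. Not used by the offline demo."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1", "-t", rtype, name]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2)
    return tuple(sorted(l.strip() for l in out.stdout.splitlines() if l.strip()))


def compare_answers(answers, reference=None):
    """answers: {source_label: tuple_of_rdata}.

    With `reference` (a key of answers) that answer is the truth; without
    it the most common answer set is used. Returns (expected, outliers)
    where outliers maps each disagreeing source to what it returned. An
    empty tuple is a distinct answer, so a resolver that has nothing yet
    is reported rather than hidden."""
    if reference is not None:
        expected = answers[reference]
    else:
        expected = Counter(answers.values()).most_common(1)[0][0]
    outliers = {src: ans for src, ans in answers.items() if ans != expected}
    return expected, outliers


def report(answers, reference=None):
    """Human-readable version of compare_answers for the terminal."""
    expected, outliers = compare_answers(answers, reference)
    lines = ["expected: %s" % (", ".join(expected) or "<no answer>")]
    for src, ans in outliers.items():
        lines.append("MISMATCH %-24s %s" % (src, ", ".join(ans) or "<no answer>"))
    return "\n".join(lines) if outliers else lines[0] + "  (all sources agree)"


if __name__ == "__main__":
    print(report(SAMPLE, reference="authoritative"))
    # Live use, for example:
    # live = {s: dig_short("jamesfraze.com", "A", ip) for s, ip in
    #         {"google": "8.8.8.8", "opendns": "208.67.222.222"}.items()}
    # live["authoritative"] = dig_short("jamesfraze.com", "A", "<one of the NS>")
    # print(report(live, reference="authoritative"))
```

For a live run, query each NS from the zone's NS record set as the reference rather than trusting any public resolver; an internal resolver that legitimately differs (split horizon) will still show up as a mismatch, which is exactly the first question on the list.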

Example Investigation

Google Tools

https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.jamesfraze.com.

Debian Tools

sudo apt install dnsutils      (the package is dnsutils, no hyphen; on newer Debian it is a transitional package for bind9-dnsutils)

Dig Basic format

dig <@nameserver> -t <TYPE> domain.ext <optional +short>

Without @nameserver dig asks the resolver from /etc/resolv.conf, which answers from its cache. Point it at one of the zone's own name servers (the NS record set) to see what is actually published right now.

TXT Records

TXT records hold free-form text; in practice most are key=value strings used for domain verification (google-site-verification=...), SPF (v=spf1 ...), DKIM and DMARC. The ones at the apex (@) are easy to find:

~$ dig @8.8.8.8 -t TXT jamesfraze.com +short
"v=spf1 include:emailsrvr.com ~all"
"google-site-verification=_yNO75ldL621q6wCY2rD-C9-ftZHWUpogxny2AJnIM"

Note: a TXT record published under its own label, such as the ACME challenge under _acme-challenge, only shows up when you query that exact name; asking the apex will not list it. The first query below returned nothing for the apex from that resolver, while the subdomain answered on every resolver tried:

~$ dig @216.146.35.35 -t TXT jamesfraze.com +short

~$ dig @216.146.35.35 -t TXT _acme-challenge.jamesfraze.com +short
"erT_KkyUWydd4D86PcKm7_CmOzQ7jDAZ0YFjYF7Kjeg"

~$ dig @8.8.8.8 -t TXT _acme-challenge.jamesfraze.com +short
"erT_KkyUWydd4D86PcKm7_CmOzQ7jDAZ0YFjYF7Kjeg"

~$ dig @208.67.222.220 -t TXT _acme-challenge.jamesfraze.com +short
"erT_KkyUWydd4D86PcKm7_CmOzQ7jDAZ0YFjYF7Kjeg"

~$ dig @204.117.214.10 -t TXT _acme-challenge.jamesfraze.com +short
"erT_KkyUWydd4D86PcKm7_CmOzQ7jDAZ0YFjYF7Kjeg"
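The strings dig prints above are only useful once you take them apart: the verification record is a plain key=value pair, but the SPF record is a policy that receiving mail servers evaluate term by term, and its catch-all qualifier decides whether forged mail is rejected. The following is an added example, not from the original notes; the first two TXT strings are the ones shown in the dig output above, the third is constructed to show the permissive "+all" case. It evaluates syntax only and makes no DNS lookups.

```python
"""Take the TXT strings apart and read the SPF record the way a receiving
mail server does.

Added example, not from the original notes. The first two strings are the
TXT records shown in the dig output above; the third is constructed to
show the permissive case. Only the syntax is evaluated here; no DNS
lookups are made."""
import re

SAMPLE_TXT = [
    '"v=spf1 include:emailsrvr.com ~all"',
    '"google-site-verification=_yNO75ldL621q6wCY2rD-C9-ftZHWUpogxny2AJnIM"',
    '"v=spf1 include:emailsrvr.com +all"',   # constructed: authorises everyone
]

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def unquote_txt(line):
    """dig +short prints a TXT RR as one or more quoted character-strings
    (a record over 255 bytes is split into several). Join them back into
    the logical record; backslash escapes are left as printed."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line))


def parse_kv(record):
    """(key, value) for a key=value record such as google-site-verification,
    otherwise (None, record)."""
    key, sep, value = record.partition("=")
    if sep and key and " " not in key:
        return key, value
    return None, record


def parse_spf(record):
    """Split an SPF record into (qualifier, term, argument) triples.
    Qualifiers: '+' pass (the default), '-' fail, '~' softfail, '?' neutral.
    Modifiers (redirect=, exp=) get an empty qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        name, eq, arg = term.partition("=")
        if eq and ":" not in name:                  # modifier
            parsed.append(("", name.lower(), arg))
            continue
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]                   # strip a CIDR such as mx/24
        parsed.append((qual, mech.lower(), arg))
    return parsed


def spf_findings(record):
    """What an investigator wants from an SPF record: who it delegates to,
    how strict the catch-all is, and whether it will even evaluate."""
    terms = parse_spf(record)
    includes = [arg for _, m, arg in terms if m == "include"]
    alls = [q for q, m, _ in terms if m == "all"]
    lookups = sum(1 for _, m, _ in terms if m in LOOKUP_TERMS)
    has_redirect = any(m == "redirect" for _, m, _ in terms)
    warnings = []
    if not alls and not has_redirect:
        warnings.append("no 'all' term: the default result is neutral, so nothing is restricted")
    elif alls and alls[0] == "+":
        warnings.append("+all: every host on the Internet passes SPF for this domain")
    elif alls and alls[0] == "?":
        warnings.append("?all: neutral catch-all, forgeries are not rejected")
    if lookups > 10:
        warnings.append("%d lookup terms (limit 10): receivers return permerror" % lookups)
    return {"includes": includes, "all": alls[0] if alls else None,
            "dns_lookups": lookups, "warnings": warnings}


if __name__ == "__main__":
    for line in SAMPLE_TXT:
        rec = unquote_txt(line)
        if rec.lower().startswith("v=spf1"):
            print("SPF:", spf_findings(rec))
        else:
            print("key/value:", parse_kv(rec))
```

The include: targets are where to look next (each one is another TXT lookup, and each counts toward the 10-lookup limit), and the "~all" on the real record means receivers soft-fail rather than reject mail from unlisted hosts.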

A Records

A records map the name to an IPv4 address, i.e. the server's IP (AAAA does the same for IPv6):

~$ dig @8.8.8.8 -t A jamesfraze.com +short
3.130.72.10

CNAME

For a CNAME you must query the alias name itself. The apex cannot be a CNAME, because a name with a CNAME may hold no other records and the apex already holds SOA and NS, so the first query below is expected to come back empty. A CNAME whose target name no longer resolves is a finding in itself: the alias is dangling.

I like to use the CNAME for www, but some use A record for this too

~$ dig @8.8.8.8 -t CNAME jamesfraze.com +short
~$ dig @8.8.8.8 -t CNAME www.jamesfraze.com +short
jamesfraze.com.

MX Records

MX records name the hosts that accept mail for the domain; the number is the preference and the lowest is tried first:

~$ dig @8.8.8.8 -t mx jamesfraze.com +short
10 mx1.emailsrvr.com.
20 mx2.emailsrvr.com.

dnstracer

dnstracer walks the delegation from the root servers down (-s . starts at the root, -4 sticks to IPv4) and reports which servers gave an authoritative answer and which answered from cache. The "Strange querytype" line means it did not accept the upper-case A and fell back to its default, which is also an A query (the man page lists the types in lower case: a, ns, mx, ...). The check that matters is whether every gTLD server hands out the same NS set for the domain, and whether that delegated set matches the NS records inside the zone itself.

$ dnstracer "-s" . "-q" A -4 somehost.com | grep -v 0000
Strange querytype, setting to default
Tracing to somehost.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
A.ROOT-SERVERS.NET [.] (198.41.0.4)
 |\___ m.gtld-servers.net [com] (192.55.83.30)
 |     |\___ ns3.shopco.com [somehost.com] (1.2.3.4) Got authoritative answer
 |     |\___ ns2.shopco.com [somehost.com] (2.3.4.5) Got authoritative answer
 |      \___ ns1.shopco.com [somehost.com] (3.4.5.6) Got authoritative answer
<snip>
   \___ a.gtld-servers.net [com] (192.5.6.30)
       |\___ ns3.shopco.com [somehost.com] (1.2.3.4) (cached)
       |\___ ns2.shopco.com [somehost.com] (2.3.4.5) (cached)
        \___ ns1.shopco.com [somehost.com] (3.4.5.6) (cached)

$ dnstracer "-s" . "-q" A -4 jamesgrokit.com | grep -v 0000
Strange querytype, setting to default
Tracing to jamesgrokit.com[a] via A.ROOT-SERVERS.NET, maximum of 3 retries
A.ROOT-SERVERS.NET [.] (198.41.0.4)
 |\___ m.gtld-servers.net [com] (192.55.83.30)
 |     |\___ ns-1850.awsdns-39.co.uk [jamesgrokit.com] (205.251.199.58)
 |     |\___ ns-1076.awsdns-06.org [jamesgrokit.com] (205.251.196.52)
 |     |\___ ns-298.awsdns-37.com [jamesgrokit.com] (205.251.193.42)
 |      \___ ns-521.awsdns-01.net [jamesgrokit.com] (205.251.194.9)
 |\___ l.gtld-servers.net [com] (192.41.162.30)
 |     |\___ ns-1850.awsdns-39.co.uk [jamesgrokit.com] (205.251.199.58)
 |     |\___ ns-1076.awsdns-06.org [jamesgrokit.com] (205.251.196.52)
 |     |\___ ns-298.awsdns-37.com [jamesgrokit.com] (205.251.193.42)
 |      \___ ns-521.awsdns-01.net [jamesgrokit.com] (205.251.194.9)
<snip>
  \___ a.gtld-servers.net [com] (192.5.6.30)
       |\___ ns-1850.awsdns-39.co.uk [jamesgrokit.com] (205.251.199.58)
       |\___ ns-1076.awsdns-06.org [jamesgrokit.com] (205.251.196.52)
       |\___ ns-298.awsdns-37.com [jamesgrokit.com] (205.251.193.42)
        \___ ns-521.awsdns-01.net [jamesgrokit.com] (205.251.194.9)

DNS History

https://securitytrails.com/domain/jamesfraze.com/dns
https://whoisrequest.com/history/
https://dnschecker.org/#A/jamesfraze.com

Example 2

Reminder: Record Types

Type    Description
SOA     start of authority: names the primary name server and the hostmaster contact, and carries the serial and the refresh/retry/expire timers the secondaries follow
NS      the name servers that hold the zone and answer for it; the set listed at the parent (the delegation) should match the NS set inside the zone
A       an IPv4 address, i.e. where your server is (AAAA is the IPv6 equivalent)
CNAME   an alias, usually www or some other alternate name, that resolves to another name and so to that name's A record; a name with a CNAME may hold no other records, which is why the apex cannot be one
MX      where your mail is delivered (the hosts that accept inbound mail); the SPF/DKIM/DMARC policy that goes with it lives in TXT records, so check both
PTR     a reverse lookup: an nslookup on your IP resolves back to your domain.com; used mostly by mail servers

Who is Your Registrar?

In order to change DNS records or add SPF, TXT, DKIM etc. you must be able to log in to the DNS control panel for the zone, which is normally at the registrar or at whoever hosts the name servers. You could have purchased the domain through GoDaddy, wsmdomains, Tucows, IONOS, Google, AWS, etc., so how do you know which one you purchased from? (I don't know!)

I first checked if jamesfraze.com was listed in https://portal-wsmdomains-com.shopco.com/manage/index, but couldn't find it. So I logged into all of them until I found it. A better way is to use the technology the way it is meant to be used: look up the NS and SOA records, then look up the registrar from those.

Investigation Tools for DNS:

DNS Checker

https://dnschecker.org/#TXT/jamesfraze.com

This tool is awesome, I use it all the time!

nslookup

C:\>nslookup
Default Server:  dns.opendns.com
Address:  208.67.222.222

> server 8.8.8.8
Default Server:  dns.google
Address:  8.8.8.8

> set type=NS
> jamesfraze.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
jamesfraze.com    nameserver = ns1039.ui-dns.org
jamesfraze.com    nameserver = ns1069.ui-dns.de
jamesfraze.com    nameserver = ns1069.ui-dns.biz
jamesfraze.com    nameserver = ns1114.ui-dns.com

Knowing that my name servers are controlled by ui-dns.com led me to a whois search on ui-dns.com but it looks like my registrar resells ui-dns.com service…. ok, dead end.

So I looked up SOA and the clue was “1und1.com”. Now I know this domain is at 1and1.com! I log in and sure enough my DNS records are there.

> set type=SOA
> jamesfraze.com
Server:  dns.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
jamesfraze.com
        primary name server = ns1114.ui-dns.com
        responsible mail addr = hostmaster.1und1.com
        serial  = 2017060117
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 600 (10 mins)

Repeat for MX, A, CNAME, TXT or any other record type you need.

dig

dig SOA +short jamesfraze.com
ns1114.ui-dns.com. hostmaster.1und1.com. 2017060116 28800 7200 604800 600

Note the serial here is 2017060116 while the nslookup answer above showed 2017060117: the two resolvers were not looking at the same copy of the zone.

or, against a specific resolver (the @ is required; without it dig treats 8.8.8.8 as just another name to look up):

dig @8.8.8.8 jamesfraze.com SOA +short
ns1114.ui-dns.com. hostmaster.1und1.com. 2017060116 28800 7200 604800 600
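The SOA line that dig +short prints packs seven fields together, and two of them did the work in the registrar hunt above: the RNAME (hostmaster.1und1.com, a mailbox written as a domain name) and the serial, which this page already shows disagreeing by one between the dig and nslookup answers. The following is an added example, not from the original notes, that parses that line, converts the RNAME back to an e-mail address, and compares serials across sources. The first SAMPLE line is the one dig printed above, the second carries the serial the nslookup query via 208.67.222.222 returned, and the third is constructed to show a secondary that has fallen well behind. live_soas() is the live hook and assumes dig is on the PATH.

```python
"""Parse the SOA rdata that `dig SOA +short` prints, turn the RNAME into
the contact address that pointed at 1und1 above, and compare the serial
each source hands out.

Added example, not from the original notes. The first SOA line is the one
printed by dig above; the second carries the serial the nslookup query via
OpenDNS returned, so the two real answers on this page already disagree by
one. The third is constructed to show a secondary that has fallen behind."""
import subprocess
from dataclasses import dataclass

SAMPLE = {
    "dig, default resolver":
        "ns1114.ui-dns.com. hostmaster.1und1.com. 2017060116 28800 7200 604800 600",
    "nslookup via 208.67.222.222":
        "ns1114.ui-dns.com. hostmaster.1und1.com. 2017060117 28800 7200 604800 600",
    "constructed lagging secondary":
        "ns1114.ui-dns.com. hostmaster.1und1.com. 2017052801 28800 7200 604800 600",
}


@dataclass
class SOA:
    mname: str      # primary master name server
    rname: str      # responsible person, a mailbox in domain-name form
    serial: int     # zone version; secondaries transfer when the master's is newer
    refresh: int    # how often a secondary asks the master for the serial
    retry: int      # retry interval after a failed refresh
    expire: int     # a secondary stops answering if the master is unreachable this long
    minimum: int    # negative-caching TTL (RFC 2308)

    @property
    def contact(self):
        """RNAME to e-mail: the first unescaped dot becomes '@'; a dot
        escaped as '\\.' stays in the local part (john\\.doe.example.com)."""
        s = self.rname.rstrip(".")
        local, i = [], 0
        while i < len(s):
            if s[i] == "\\" and i + 1 < len(s):
                local.append(s[i + 1]); i += 2
            elif s[i] == ".":
                return "".join(local) + "@" + s[i + 1:]
            else:
                local.append(s[i]); i += 1
        return "".join(local)


def parse_soa(short_line):
    """One `dig SOA +short` line -> SOA. Raises on anything else."""
    f = short_line.split()
    if len(f) != 7:
        raise ValueError("expected 7 SOA fields, got %d: %r" % (len(f), short_line))
    return SOA(f[0], f[1], *(int(x) for x in f[2:]))


def serial_date(serial):
    """Many operators use YYYYMMDDnn serials (this zone does). Returns
    ('YYYY-MM-DD', nn) when the serial looks like one, else None."""
    s = str(serial)
    if (len(s) == 10 and 1990 <= int(s[:4]) <= 2099
            and 1 <= int(s[4:6]) <= 12 and 1 <= int(s[6:8]) <= 31):
        return "%s-%s-%s" % (s[:4], s[4:6], s[6:8]), int(s[8:])
    return None


def check_serials(soas):
    """soas: {source: SOA}. Returns (newest_serial, {source: serial}) for
    every source that is behind. Plain integer comparison; it ignores the
    RFC 1982 wraparound that only matters near 2**32."""
    newest = max(s.serial for s in soas.values())
    behind = {src: s.serial for src, s in soas.items() if s.serial != newest}
    return newest, behind


def live_soas(domain):
    """Ask each authoritative NS directly (+norecurse) so caches are
    bypassed. Not used by the offline demo."""
    ns = subprocess.run(["dig", "+short", "NS", domain],
                        capture_output=True, text=True).stdout.split()
    out = {}
    for server in ns:
        ans = subprocess.run(["dig", "+short", "+norecurse", "SOA", domain, "@" + server],
                             capture_output=True, text=True).stdout.strip()
        if ans:
            out[server] = parse_soa(ans)
    return out


if __name__ == "__main__":
    soas = {src: parse_soa(line) for src, line in SAMPLE.items()}
    print("contact:", soas["dig, default resolver"].contact)
    newest, behind = check_serials(soas)
    print("newest serial %d -> %s" % (newest, serial_date(newest)))
    for src, serial in behind.items():
        print("BEHIND %-32s %d -> %s" % (src, serial, serial_date(serial)))
```

When the authoritative servers themselves disagree on the serial, a zone transfer is failing or lagging and clients will get different answers depending on which NS they hit; the same check run against recursive resolvers only tells you how stale their caches are.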

ICANN Lookup

I already saw in the SOA lookup a good enough clue, but when the SOA does not give one, the method is to query DNS (NS and SOA) and then query the registration database: ICANN's lookup returns the RDAP/whois record for the domain, which names the sponsoring registrar, its abuse contact and the name servers on file at the registry.

https://lookup.icann.org/en