Lab - Researching DNS and IP Reputation


Scenario

In this lab, you will perform research about a registered domain name and some suspicious IP addresses. You will also perform lookups through DNS using nslookup and dig.

As a cybersecurity analyst, you are working to discover weaknesses and vulnerabilities that your organization, Structureality Inc., needs to mitigate. You are tasked with finding issues related to domain names and IP addresses discovered in various user activity logs.

Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet.

In this lab, you will first perform domain name reconnaissance using whois. Next, you will conduct IP address research through ARIN, one of the Regional Internet Registries (RIRs). Next, you will perform IP address reputation checking at AbuseIPDB. Next, you will perform DNS reconnaissance with nslookup. And finally, you will perform DNS reconnaissance with dig.

Understand your environment

You will be working from a virtual machine named KALI hosting Kali Linux connected to the vLAN_SERVERS subnet.

Steps

1. Whois reconnaissance

When analyzing the contents of logs of user activity, you will often discover domain names that need to be investigated. For this exercise, you will use the domain name comptia.org with a whois service to determine the ownership of a registered domain name. This procedure can also provide the registrar, the registration and expiration dates, the name servers and, where not redacted, the company name, address, phone number, email addresses, and personnel set as points of contact. Since 2018, many registries and registrars redact registrant contact data for privacy reasons, so expect some of these fields to show a privacy proxy or "REDACTED FOR PRIVACY" rather than the real owner.

  1. On your local computer, use a whois service to query comptia.org.

    • whois comptia.org
  2. Read over the output of the whois query for comptia.org.

    • Who is the registrar?
    • In what year was the domain originally registered?
    • Which name servers are listed? (Compare these with the NS records you query later with nslookup and dig.)

2. IP address research

When analyzing the contents of logs of user activity, you will often discover IP addresses that need to be investigated. For this exercise, you will use the IP address 217.138.207.226 found in a suspicious email's header. You will use ARIN (American Registry for Internet Numbers) to research the address and determine to whom the number block is registered. Note that 217.138.207.226 lies in address space administered by RIPE NCC (the European RIR) rather than ARIN, so ARIN's lookup answers by referral to the RIPE database; the registration details you see come from RIPE.

  1. On your local computer, perform a number registration lookup at arin.net of 217.138.207.226 to determine the details related to this IPv4 address discovered in the suspicious email header.

    1. Enter arin.net in your local browser’s address bar.
    2. The ARIN (American Registry for Internet Numbers) website is displayed.
    3. Enter 217.138.207.226 in the Search Site or Whois field at the top of the page, then select Search.
    4. Look over the results of this search.
    5. Notice that this IPv4 address is part of a Net Range of 217.138.207.0 - 217.138.207.255 that is registered to M247-LTD-Paris. (Registration data changes over time; the values here are those seen when the lab was written.)
    6. Further down the page is an entry of Roles as "Abuse" with an email address. If the concerning email messages continue, you could contact M247 at that address to inquire about the cause or source of the suspicious email messages. Keep in mind that this contact is the network operator responsible for the block, not necessarily the party who sent the email; the address may be in use by one of the operator's customers.
  2. Perform a location lookup of the IP address 217.138.207.226 at ip2location.com.

    1. Scroll down the page to locate the Learn more about your Internet traffics, then locate the Try IP2Location Demo field.
    2. Enter 217.138.207.226 in the Try IP2Location Demo field, then select LOOK UP.
    3. Look over the results of this search.
    4. Notice this service identified the location as Paris, France. IP geolocation is inferred from registration and routing data, so it is approximate and, for hosting providers, usually points at the data center rather than at whoever is using the address.
  3. Close the tabs in your local browser focused on ip2location.com and arin.net.
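The same lookup can be done from the Kali terminal with the whois client, which picks the correct RIR for an address by itself, but each RIR labels its fields differently. The script below is an added example and not part of the original lab: it extracts the network range, network name and abuse contact from whois output whether the record is in the RIPE style (inetnum, netname, abuse-mailbox) or the ARIN style (NetRange, NetName, OrgAbuseEmail). The two sample records are constructed for the example, with placeholder abuse addresses in reserved example domains; the function names (whois_field, net_range, net_name, abuse_contact, summarise, live_lookup) are the example's own, and live_lookup is the only part that needs network access.

```bash
#!/usr/bin/env bash
# Added example (not part of the original lab): parse RIR whois output for the
# network range, network name and abuse contact, handling both the RIPE and
# ARIN field names. The two records below are constructed for this example;
# the abuse addresses are placeholders in reserved example domains.

# RIPE-style record, the format returned for 217.138.207.226 (RIPE NCC space).
SAMPLE_RIPE='inetnum:        217.138.207.0 - 217.138.207.255
netname:        M247-LTD-Paris
country:        FR
abuse-mailbox:  abuse@example.net
source:         RIPE'

# ARIN-style record for comparison, using the reserved TEST-NET-1 range.
SAMPLE_ARIN='NetRange:       192.0.2.0 - 192.0.2.255
NetName:        TEST-NET-1
OrgAbuseEmail:  abuse@example.org'

# whois_field TEXT NAME... : print the value of the first listed field name that
# appears in TEXT (case-insensitive), or return 1 if none is present.
whois_field() {
  local text="$1" name val
  shift
  for name in "$@"; do
    val=$(printf '%s\n' "$text" | awk -v key="$name" '
      BEGIN { k = tolower(key) ":" }
      tolower($1) == k { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -n "$val" ]; then
      printf '%s\n' "$val"
      return 0
    fi
  done
  return 1
}

# RIPE-style (RPSL) records use inetnum/netname; ARIN uses NetRange/NetName.
net_range()     { whois_field "$1" inetnum NetRange; }
net_name()      { whois_field "$1" netname NetName; }
# Abuse contact: RIPE abuse-mailbox, ARIN OrgAbuseEmail.
abuse_contact() { whois_field "$1" abuse-mailbox OrgAbuseEmail; }

# Summarise one record as "range | name | abuse contact" ("?" when a field is absent).
summarise() {
  printf '%s | %s | %s\n' \
    "$(net_range "$1" || echo '?')" \
    "$(net_name "$1" || echo '?')" \
    "$(abuse_contact "$1" || echo '?')"
}

# live_lookup IP: the same summary from the real whois client (needs network
# access; the whois client selects the right RIR for the address by itself).
live_lookup() {
  local record
  record=$(whois "$1") || return 1
  summarise "$record"
}

summarise "$SAMPLE_RIPE"
summarise "$SAMPLE_ARIN"
```

For a real address, call live_lookup 217.138.207.226 from the Kali terminal; for the browser lookup in the steps above, the same field names are what you are reading off the page.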

3. IP address reputation checking

When analyzing the contents of logs of user activity, you will often discover IP addresses that need to be investigated. For this exercise, you will use the IP address of 217.138.207.226 found in a suspicious email’s header. You will use the AbuseIPDB service to research IP addresses to determine its abuse reputation.

  1. On your local computer, perform a reputation lookup of the IP address 217.138.207.226 at abuseipdb.com.

It is important to note that users and system owners report the abuses listed on AbuseIPDB. These reports are not confirmed or verified by AbuseIPDB; they are simply collected and kept for others to view. Some of the reported issues may be incorrect, invalid, or misleading, so treat the abuse confidence score as one signal to corroborate against your own log evidence, not as proof.

  2. Return to the front page of AbuseIPDB by clicking on their logo at the top of any page. Then, scroll to the bottom of the page to locate the Recently Reported IPs section. Explore a few of the IP addresses listed there; the results may surprise you.

  3. Close the tab in your local browser focused on abuseipdb.com.

4. DNS reconnaissance with nslookup

When analyzing the contents of logs of user activity, you will often discover domain names that need to be investigated. For this exercise, you will use the nslookup tool to analyze the domain name of comptia.org. This procedure can often be used to discover other related FQDNs, name servers, email servers, and more.

  1. Open a terminal window on your local system.

  2. Use nslookup to determine the default DNS lookup server IP address and enter it into the Default DNS lookup server box below:

    1. Working from your local system's terminal window, open nslookup in interactive mode by entering: nslookup
    2. Check the lookup server used by nslookup by entering: server
    3. The results should indicate the IP address used as the default DNS lookup server.
  3. If the following nslookup commands are not providing results, you may need to change your DNS lookup address. Your current default DNS lookup server (192.168.1.1 in the lab environment) may be limiting or restricting your queries. You can attempt to bypass this restriction by using a different, external DNS server, such as the ones hosted by Google at 8.8.8.8, Cloudflare at 1.1.1.1, or Level 3 Communications at 4.2.2.1. Use the following command to change the lookup server for the current nslookup session: server 8.8.8.8 (this affects only nslookup, not your system's resolver configuration).

  4. View the address resource records of the FQDN www.comptia.org.

    1. View the address resource records of the FQDN by entering: www.comptia.org
    2. The results should show one or more addresses assigned to the FQDN www.comptia.org in an Address (A) record.
  5. Notice the caveat statement above the results, "Non-authoritative answer:". This indicates the results are returned from a caching (recursive) DNS server instead of directly from an authoritative server; a cached answer may also be stale, since the resolver keeps serving it until its TTL expires. It is good practice to work directly against an authoritative server.

  6. Determine the IP address of an authoritative server for comptia.org, then enter it into the DNS IP address box below.

    1. Enter: set type=SOA
      • This command sets the lookup to the SOA (Start of Authority) resource record type. The SOA record names the primary authoritative DNS server for the zone (its host name, not its IP address; you resolve that name with a separate A lookup below).
      • It is also possible to view NS records to see all authoritative DNS servers for a domain name. The NS list will include the primary and secondary authoritative DNS servers, but they will not be labeled as such. Any server from the NS list would be effective for obtaining authoritative results.
    2. Enter: comptia.org
    3. The results should be similar to the following:
origin = armando.ns.cloudflare.com
mail addr = dns.cloudflare.com
serial = 2299472123
refresh = 1000
retry = 2400
expire = 604800
minimum = 3600

Info

The refresh, retry, expire, and minimum values are shown as numbers of seconds. Divide those numbers by 60 to determine the intervals in minutes, then divide again by 60 to determine the intervals in hours, then divide by 24 to determine the intervals in days. For example, 604800 seconds / 60 = 10,080 minutes; 10,080 minutes / 60 = 168 hours; and 168 hours / 24 = 7 days.

Tip

The value named "origin" identifies the primary authoritative DNS server for the queried domain name (i.e., comptia.org). In a traditional setup the primary server holds the only writable copy of the zone file, which contains the domain's various resource records, and the secondary servers pull copies of it by zone transfer. The "mail addr" value is the zone administrator's mailbox written with a dot in place of the @ sign, so dns.cloudflare.com stands for dns@cloudflare.com.

    4. Enter: set type=a
    5. Enter: armando.ns.cloudflare.com
    6. The result is the A record of the primary authoritative server; note its IP address for the next step.
  7. Change the lookup server for nslookup to the IP address of the authoritative DNS server for comptia.org, then confirm that lookups are now authoritative.

    1. Change the lookup server for nslookup to the IP address of the authoritative DNS server for comptia.org (hosted by Cloudflare) by entering: server 162.159.44.225 (substitute the address returned by your own A lookup if it differs; 162.159.44.225 was the address when the lab was written)
    2. Perform the original FQDN address query again by entering: www.comptia.org
    3. Notice the results no longer have the caveat line, so the answer is coming directly from an authoritative DNS server. Such answers are generally more trustworthy and current, since they come from the zone's own data rather than from a cache.
  8. Determine all of the authoritative DNS servers for comptia.org.

    1. Change the resource record type to view the authoritative DNS servers for the registered domain name by entering: set type=ns followed by comptia.org
    2. The results should show the name servers for comptia.org, armando.ns.cloudflare.com and jade.ns.cloudflare.com (the server named as origin in the SOA record, plus one more).
  9. Determine the email servers for comptia.org using nslookup.

    1. Change the resource record type to view the SMTP email servers for the registered domain name by entering: set type=mx followed by comptia.org
    2. The results should show the mail exchanger (i.e., SMTP server) FQDNs for comptia.org together with their preference values; the lowest preference value is tried first.
  10. View the alias DNS name associated with email.comptia.org.

    1. Change the resource record type to view the CNAME (Canonical Name) (i.e., alias) record for an FQDN by entering: set type=cname followed by email.comptia.org
    2. The results should show a canonical name for email.comptia.org. The result looks computer-generated rather than assigned by a person, since it is a 32-character hexadecimal host name within pacloudflare.com. For example, the result seen at the time of this lab's creation was ba239281d46848cab40cd11b871f9d36.pacloudflare.com.
  11. Exit interactive-mode nslookup by entering: exit

The nslookup tool is a powerful DNS utility, but it does not lend itself easily to recording its operations and results (at least not in interactive mode). You can use nslookup in non-interactive mode instead (for example, nslookup -type=mx comptia.org 8.8.8.8), but in the next exercise, you will use dig to perform the same queries and capture the output into a file to retain this information for your security analyst report.

5. DNS reconnaissance with dig

When analyzing the contents of logs of user activity, you will often discover domain names that need to be investigated. For this exercise, you will use the dig tool to analyze the domain name of comptia.org. This procedure can often be used to discover other related FQDNs, name servers, email servers, and more.

  1. Use the dig utility to determine the IP address of the primary authoritative DNS server related to the registered domain name comptia.org.

    1. Use the dig utility to determine the primary authoritative DNS server for the registered domain name comptia.org by entering: dig -t SOA comptia.org
    2. View the output of the dig operation.
    3. Notice that this operation displayed the SOA record for comptia.org. The SOA values of origin, mail addr, serial, refresh, retry, expire, and minimum are all present, but on one line and without labels, in that order (dig uses the RFC 1035 names MNAME and RNAME for the first two).
    4. To display the A record for the primary authoritative DNS server, enter: dig -t A armando.ns.cloudflare.com
    5. View the results to locate an IP address for armando.ns.cloudflare.com, which was 162.159.44.225 when this lab was written. Use whatever address dig returns in the following steps.
  2. Use dig to view the authoritative output of the A records for www.comptia.org.

    1. Use dig to display the authoritative output of the A records for www.comptia.org by entering: dig @162.159.44.225 -t A www.comptia.org
    2. Confirm the answer is authoritative: the header line beginning ;; flags: should include aa (authoritative answer), which is dig's equivalent of nslookup omitting its "Non-authoritative answer:" caveat.
  3. Use dig to view the authoritative output of the MX records for comptia.org.

    1. Use dig to display the authoritative output of the MX records for comptia.org by entering: dig @162.159.44.225 -t MX comptia.org
  4. Use dig to view the authoritative output of the NS records for comptia.org.

    1. Use dig to display the authoritative output of the NS records for comptia.org by entering: dig @162.159.44.225 -t NS comptia.org
  5. Use dig to view the authoritative output of the CNAME records for email.comptia.org.

    1. Use dig to display the authoritative output of the CNAME records for email.comptia.org by entering: dig @162.159.44.225 -t CNAME email.comptia.org
  6. Before closing, save the output for your report by redirecting it, for example: dig @162.159.44.225 -t NS comptia.org >> comptia-dns.txt (the >> appends, so repeating it for each query builds one file). Then close your local terminal window.
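The script below is an added example and not part of the original lab. It serves both the SOA discussion in the nslookup section (the origin, mail addr and timer values, which dig prints on one unlabeled line) and the goal of keeping dig output for your report. It labels the SOA fields from a dig answer line, turns the mail addr field back into a mailbox (the first dot stands for @, so dns.cloudflare.com means dns@cloudflare.com), converts the timers from seconds to days, hours and minutes, and collects the authoritative queries from this section into one file while checking each reply for dig's aa flag. The SOA line is constructed to match the values shown in the lab; the function names (soa_field, soa_rname_to_email, secs_to_human, dns_report) are the example's own, and only dns_report needs dig and network access.

```bash
#!/usr/bin/env bash
# Added example (not part of the original lab): label the SOA fields that
# "dig -t SOA" prints on one line, convert the timers, and collect the
# authoritative dig queries into a report file. SAMPLE_SOA is constructed to
# match the SOA values shown in the lab.

SAMPLE_SOA='comptia.org.  3600  IN  SOA  armando.ns.cloudflare.com. dns.cloudflare.com. 2299472123 1000 2400 604800 3600'

# soa_field LINE NAME: print one RDATA field of a dig SOA answer line. Fields 5-11
# are the RDATA in RFC 1035 order: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM.
soa_field() {
  local name="$2"
  set -- $1
  case "$name" in
    mname)   printf '%s\n' "${5%.}" ;;   # primary name server (trailing dot removed)
    rname)   printf '%s\n' "${6%.}" ;;   # responsible mailbox in dots-only form
    serial)  printf '%s\n' "$7" ;;
    refresh) printf '%s\n' "$8" ;;
    retry)   printf '%s\n' "$9" ;;
    expire)  printf '%s\n' "${10}" ;;
    minimum) printf '%s\n' "${11}" ;;
    *)       return 1 ;;
  esac
}

# The RNAME encodes the mailbox with "@" replaced by a dot, so only the first dot
# is converted back. (Backslash-escaped dots in the local part are not handled.)
soa_rname_to_email() {
  printf '%s\n' "$1" | sed 's/\./@/'
}

# secs_to_human SECONDS: e.g. 604800 -> "7d 0h 0m 0s".
secs_to_human() {
  local s="$1" d h m
  d=$((s / 86400)); s=$((s % 86400))
  h=$((s / 3600));  s=$((s % 3600))
  m=$((s / 60));    s=$((s % 60))
  printf '%dd %dh %dm %ds\n' "$d" "$h" "$m" "$s"
}

# dns_report SERVER DOMAIN OUTFILE: run this section's queries against an
# authoritative server, append every reply to OUTFILE, and warn when a reply lacks
# the "aa" flag (the server answered from cache or is not authoritative for the
# name). Needs dig and network access; not exercised by the demo below.
dns_report() {
  local server="$1" domain="$2" out="$3" rtype name reply
  : > "$out"
  for rtype in SOA NS MX A CNAME; do
    case "$rtype" in
      A)     name="www.$domain" ;;
      CNAME) name="email.$domain" ;;
      *)     name="$domain" ;;
    esac
    printf '### dig @%s -t %s %s\n' "$server" "$rtype" "$name" >> "$out"
    reply=$(dig "@$server" -t "$rtype" "$name")
    printf '%s\n' "$reply" >> "$out"
    printf '%s\n' "$reply" | grep -q '^;; flags:[^;]* aa[ ;]' ||
      printf 'warning: %s %s from %s was not an authoritative answer\n' \
        "$rtype" "$name" "$server" >&2
  done
}

# Demo on the constructed SOA line.
for f in mname rname serial refresh retry expire minimum; do
  printf '%-8s %s\n' "$f" "$(soa_field "$SAMPLE_SOA" "$f")"
done
printf 'contact: %s\nexpire:  %s\n' \
  "$(soa_rname_to_email "$(soa_field "$SAMPLE_SOA" rname)")" \
  "$(secs_to_human "$(soa_field "$SAMPLE_SOA" expire)")"
```

To build the report file from the Kali terminal, call dns_report 162.159.44.225 comptia.org comptia-dns.txt (substituting the address your own A lookup returned); to label a live SOA answer, pass the output of dig +noall +answer -t SOA comptia.org to soa_field instead of SAMPLE_SOA.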

Done.