DNS Tools: WhoIs and nslookup Analysis

The dig command was used to trace the delegation chain of DNS servers for various domain names like www.cs.stevens.edu, google.com, yahoo.com and amazon.com. Each query was started at a root DNS server, then followed the referrals provided in the authority section to subsequent lower-level DNS servers until the IP address was resolved. This showed how DNS hierarchies work to resolve domain names to IP addresses through a chain of delegated name servers.

Uploaded by

cristhian lojan

Assignment III

Yanqiao Zhan Stevens Institute of Technology


P18. a. What is a whois database?
b. Use various whois databases on the Internet to obtain the names of two DNS servers. Indicate
which whois databases you used.
c. Use nslookup on your local host to send DNS queries to three DNS servers: your local DNS
server and the two DNS servers you found in part (b). Try querying for Type A, NS, and MX
reports. Summarize your findings.
d. Use nslookup to find a Web server that has multiple IP addresses. Does the Web server of your
institution (school or company) have multiple IP addresses?
e. Use the ARIN whois database to determine the IP address range used by your university.
f. Describe how an attacker can use whois databases and the nslookup tool to perform
reconnaissance on an institution before launching an attack.
g. Discuss why whois databases should be publicly available.

My Answer:
a. A whois database is an online repository of the registration information associated with domain names and other Internet resources. It stores the registered users or assignees of each resource.

b. One whois database is [Link]; one DNS server for [Link] is [Link].
Another whois database is [Link]; one DNS server for [Link] is youtube-[Link].

c. My local DNS server is recorded in the /etc/[Link] file. My local DNS server is
[Link] ([Link]); the [Link] DNS server address is [Link] and the
[Link] DNS server address is [Link].
Type A, NS and MX queries ask for different record types:
A: maps a fully qualified domain name (its location in the DNS tree) to an IPv4 address.
NS: lists the primary and secondary name servers that are authoritative for the domain.
MX: lists the mail exchange servers for the domain, each with a preference value.
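The A, NS and MX queries above differ only in the QTYPE field of the same wire format, and the answers come back in the same three sections dig prints. The following is an added example of mine, not code from the assignment: it builds the query packet that nslookup sends and parses a hand-built response, including the RFC 1035 name compression pointers that a hostile server could abuse to make a parser loop. The names example.test, mail.example.test, ns1.example.test and the address 192.0.2.25 are constructed documentation values, not the servers queried in the assignment.

```python
import struct

# Record types the assignment queries for (plus CNAME, which appears in P19).
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending in 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """The packet nslookup/dig send: 12-byte header (RD=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def read_name(msg, offset):
    """Decode a name that may use compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                  # 11xxxxxx: pointer to an earlier name
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                     # only the first pointer advances the caller
            offset = target
            hops += 1
            if hops > 32:                            # a hostile packet could point in a loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_rr(msg, offset):
    """Parse one resource record; returns ((name, type, ttl, rdata), next offset)."""
    name, offset = read_name(msg, offset)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    if rtype == 1:                                   # A: four octets
        rdata = ".".join(str(b) for b in msg[offset:offset + 4])
    elif rtype in (2, 5):                            # NS / CNAME: a (compressible) name
        rdata, _ = read_name(msg, offset)
    elif rtype == 15:                                # MX: 16-bit preference + exchange name
        pref = struct.unpack("!H", msg[offset:offset + 2])[0]
        rdata = f"{pref} {read_name(msg, offset + 2)[0]}"
    else:
        rdata = msg[offset:offset + rdlen].hex()
    return (name, TYPE_NAME.get(rtype, str(rtype)), ttl, rdata), offset + rdlen


def parse_response(msg):
    """Split a response into the sections dig prints: answer, authority, additional."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    out = {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400)}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            out[section].append(rr)
    return out


def constructed_mx_response():
    """Hand-built reply to build_query("example.test.", "MX"): sample bytes, not a capture."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)             # QR=1 RD=1 RA=1
    question = encode_name("example.test.") + struct.pack("!HH", 15, 1)  # starts at offset 12
    ptr_q = b"\xc0\x0c"                                                  # pointer to offset 12
    mx_rdata = struct.pack("!H", 10) + b"\x04mail" + ptr_q               # "mail" label lands at offset 44
    answer = ptr_q + struct.pack("!HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    ns_rdata = b"\x03ns1" + ptr_q
    authority = ptr_q + struct.pack("!HHIH", 2, 1, 86400, len(ns_rdata)) + ns_rdata
    glue = b"\xc0\x2c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 25])
    return hdr + question + answer + authority + glue


if __name__ == "__main__":
    for section, rrs in parse_response(constructed_mx_response()).items():
        print(section, rrs)
```

The hop limit in read_name is the check a practitioner wants: a response whose pointer refers to itself would otherwise spin a naive parser forever.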

d. When I use nslookup on [Link], the result looks like figure 1.1: it returns multiple
IP addresses, which all point to [Link]. My school's website is [Link]; the
nslookup result is like figure 1.2, so my school doesn't have multiple IP addresses.

Page 1 of 8
figure 1.1 (nslookup output for [Link], image not reproduced)

figure 1.2 (nslookup output for [Link], image not reproduced)

e. Using the ARIN whois database, I get Stevens's IP address range, as in figure 1.3: the net
range is [Link] - [Link]

figure 1.3

f. An attacker can obtain the DNS server addresses, IP addresses, IP address range and other
essential information from whois databases and the nslookup tool. The NS and MX records
obtained in part (c) additionally tell the attacker which name and mail servers to target first.
Once the attacker knows this information, he may launch a DDoS against hosts in that IP address
range, or spoof the website's DNS server, causing the name server to return an incorrect IP
address.

g. If the whois database is publicly available, users and system administrators can verify the
validity of a website. Also, as the Internet is unstable, if one IP address is unavailable we can
find from the whois database the other IP addresses the site has.

P19. In this problem, we use the useful dig tool available on Unix and Linux hosts to explore the
hierarchy of DNS servers. Recall that in Figure 2.21, a DNS server higher in the DNS hierarchy
delegates a DNS query to a DNS server lower in the hierarchy, by sending back to the DNS
client the name of that lower-level DNS server. First read the man page for dig, and then answer
the following questions.
a. Starting with a root DNS server (from one of the root servers [a-m].[Link]), initiate a
sequence of queries for the IP address for your department’s Web server by using dig. Show the
list of the names of DNS servers in the delegation chain in answering your query.
b. Repeat part a) for several popular Web sites, such as [Link], [Link], or [Link].

My Answer:
a. My department web server is [Link].
The commands I typed in are below:
dig @[Link] [Link]
;; AUTHORITY SECTION:
edu. 172800 IN NS [Link].
edu. 172800 IN NS [Link].
edu. 172800 IN NS [Link].
edu. 172800 IN NS [Link].
edu. 172800 IN NS [Link].
edu. 172800 IN NS [Link].

dig @[Link] [Link]


;; AUTHORITY SECTION:
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].

dig @[Link] [Link]


;; ANSWER SECTION:
[Link]. 3600 IN CNAME [Link].
[Link]. 604800 IN A [Link]

;; AUTHORITY SECTION:
[Link]. 3600 IN NS [Link].
[Link]. 3600 IN NS [Link].
[Link]. 3600 IN NS [Link].

The authority section lists the lower-level DNS servers that can continue the search for the
destination IP address.
The answer section means the queried domain name has been matched.
The output of the third dig command has a new field, ANSWER SECTION, in which we can see our
destination [Link]: it is a CNAME for [Link], whose IP address is [Link].

b. To [Link]:
dig @[Link] [Link]
;; AUTHORITY SECTION:
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].

dig @[Link] [Link]


;; AUTHORITY SECTION:
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].

dig @[Link] [Link]


;; ANSWER SECTION:
[Link]. 300 IN A [Link]

To [Link]:
dig @[Link] [Link]
;; AUTHORITY SECTION:
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].

dig @[Link] [Link]


;; AUTHORITY SECTION:
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].

dig @[Link] [Link]


;; ANSWER SECTION:
[Link]. 1800 IN A [Link]
[Link]. 1800 IN A [Link]
[Link]. 1800 IN A [Link]

Finally, we get an answer section containing three [Link] IP addresses.

To [Link]:
dig @[Link] [Link]
;; AUTHORITY SECTION:
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].
com. 172800 IN NS [Link].

dig @[Link] [Link]


;; AUTHORITY SECTION:
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].
[Link]. 172800 IN NS [Link].

dig @[Link] [Link]


;; ANSWER SECTION:
[Link]. 60 IN A [Link]
[Link]. 60 IN A [Link]
[Link]. 60 IN A [Link]

Finally, we get an answer section containing three [Link] IP addresses.
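The walk performed by hand above (query a root server, take an NS name from the AUTHORITY section, query that server, repeat until an ANSWER section arrives) can be automated. The following is an added example of mine, not code from the assignment: it simulates that iterative resolution over a small constructed set of servers. All zone names (test., example.test., other.test.) and addresses (198.51.100.x, 203.0.113.x) are hypothetical documentation values, not the servers the dig commands above contacted. It also covers a case the output above does not show: a CNAME whose target lies in another zone, where the walk must restart at the root, and a referral that arrives without glue, which would need a separate lookup of the NS name.

```python
# Simulated iterative walk down the DNS delegation chain.
ROOT = "198.51.100.1"

# Constructed authoritative data (hypothetical zones and addresses).
# server ip -> delegations it hands out (child zone -> (ns name, glue ip))
#              and records it is authoritative for (owner -> [(type, rdata)])
SERVERS = {
    "198.51.100.1": {                       # stands in for a root server
        "delegations": {"test.": ("a.nic.test.", "198.51.100.2")},
        "records": {},
    },
    "198.51.100.2": {                       # stands in for the TLD server
        "delegations": {"example.test.": ("ns1.example.test.", "203.0.113.10"),
                        "other.test.":   ("ns1.other.test.",   "203.0.113.20")},
        "records": {},
    },
    "203.0.113.10": {                       # authoritative for example.test.
        "delegations": {},
        "records": {
            "www.cs.example.test.": [("CNAME", "web.example.test.")],
            "web.example.test.":    [("A", "203.0.113.80"), ("A", "203.0.113.81")],
            "shop.example.test.":   [("CNAME", "cdn.other.test.")],   # target in another zone
        },
    },
    "203.0.113.20": {                       # authoritative for other.test.
        "delegations": {},
        "records": {"cdn.other.test.": [("A", "203.0.113.200")]},
    },
}


def query(server_ip, qname):
    """Non-recursive query to one server. Returns dig-style sections:
    an ANSWER if the server holds the name, otherwise a referral whose
    AUTHORITY names the child zone's server and ADDITIONAL carries its glue."""
    srv = SERVERS[server_ip]
    records = srv["records"]
    if qname in records:
        answer = [(qname, t, rd) for t, rd in records[qname]]
        # Like a real authoritative server, also return the CNAME target's
        # records when the target lives in the same zone.
        for _, t, rd in list(answer):
            if t == "CNAME" and rd in records:
                answer += [(rd, t2, rd2) for t2, rd2 in records[rd]]
        return {"answer": answer, "authority": [], "additional": []}
    # Closest enclosing delegation wins (longest matching child zone).
    for zone, (ns, ip) in sorted(srv["delegations"].items(), key=lambda kv: -len(kv[0])):
        if qname == zone or qname.endswith("." + zone):
            return {"answer": [], "authority": [(zone, "NS", ns)], "additional": [(ns, "A", ip)]}
    return {"answer": [], "authority": [], "additional": []}


def trace(qname, start=ROOT, max_steps=16):
    """Start at a root server and follow referrals until A records arrive.
    Returns (chain, addresses); chain lists each server asked and what it said."""
    chain, server = [], start
    for _ in range(max_steps):
        resp = query(server, qname)
        if resp["answer"]:
            chain.append((server, f"answer for {qname}"))
            addresses = [rd for _, t, rd in resp["answer"] if t == "A"]
            if addresses:
                return chain, addresses
            cname = [rd for _, t, rd in resp["answer"] if t == "CNAME"]
            if cname:                         # out-of-zone target: restart at the root
                qname, server = cname[0], start
                continue
            raise LookupError(f"{server} answered without A or CNAME for {qname}")
        if not resp["authority"]:
            raise LookupError(f"{server} has no delegation covering {qname}")
        zone, _, ns = resp["authority"][0]
        glue = {n: ip for n, _, ip in resp["additional"]}
        if ns not in glue:                    # would need a separate lookup of the NS name
            raise LookupError(f"referral to {ns} came without glue")
        chain.append((server, f"{zone} NS {ns}"))
        server = glue[ns]
    raise LookupError("too many referrals (delegation loop?)")


if __name__ == "__main__":
    for name in ("www.cs.example.test.", "shop.example.test."):
        chain, addrs = trace(name)
        print(name, "->", addrs)
        for srv, note in chain:
            print("   ", srv, note)
```

Real dig performs the same walk with `dig +trace`; doing it by hand, as the assignment does, makes the referral mechanism explicit, including that each hop trusts the glue address handed back by the previous server.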

P20. Suppose you can access the caches in the local DNS servers of your department. Can you
propose a way to roughly determine the Web servers (outside your department) that are most
popular among the users in your department? Explain.

My Answer:
In the local DNS servers we can keep a collection of the cached IP addresses, ordered by how
recently and how frequently they were requested (least recently used at the end). The web servers
visited most often by the department will then always stay in the collection, at its beginning.

P21. Suppose that your department has a local DNS server for all computers in the department.
You are an ordinary user (i.e., not a network/system administrator). Can you determine if an
external Web site was likely accessed from a computer in your department a couple of seconds
ago? Explain.

My Answer:
We can use the dig command to determine whether the name is cached in the local DNS server. For
example, if someone on a computer in the department visited [Link] a couple of seconds
ago, and you now type dig @localdnsaddress [Link], an answer section with [Link]'s
IP address should appear. Because the local DNS server is serving the answer from its cache, the
TTL it reports will be a few seconds lower than the TTL returned by the authoritative server, and
it keeps decreasing on repeated queries.
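This check can be scripted, and it is the same "cache snooping" reconnaissance that part (f) of P18 warns about. The following is an added example of mine, not part of the assignment. It assumes dig was run with +norecurse against the local resolver (so the resolver answers only from its cache) and once against the authoritative server to learn the full TTL; all outputs below are constructed samples using documentation addresses, not real captures. It also handles the other outcome, no answer section at all, which means nobody nearby resolved the name recently.

```python
import re

# Constructed dig outputs (not real captures). Assumed: a local resolver at
# 198.51.100.53 queried with +norecurse, and the authoritative server's own answer.
LOCAL_CACHED = """\
; <<>> DiG 9.18 <<>> @198.51.100.53 +norecurse www.example.test
;; QUESTION SECTION:
;www.example.test.              IN      A

;; ANSWER SECTION:
www.example.test.       287     IN      A       203.0.113.80

;; Query time: 0 msec
;; SERVER: 198.51.100.53#53(198.51.100.53)
"""

LOCAL_NOT_CACHED = """\
; <<>> DiG 9.18 <<>> @198.51.100.53 +norecurse www.other.test
;; QUESTION SECTION:
;www.other.test.                IN      A

;; AUTHORITY SECTION:
test.                   172800  IN      NS      a.nic.test.

;; Query time: 0 msec
"""

AUTHORITATIVE = """\
; <<>> DiG 9.18 <<>> @203.0.113.10 www.example.test
;; ANSWER SECTION:
www.example.test.       300     IN      A       203.0.113.80

;; Query time: 41 msec
"""


def parse_dig(text):
    """Pull the ANSWER records and the query time out of dig's text output."""
    answers, section, qtime = [], None, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:$", line)
        if m:
            section = m.group(1).lower()
            continue
        m = re.match(r";; Query time: (\d+) msec", line)
        if m:
            qtime = int(m.group(1))
            continue
        if not line.strip():
            section = None                          # a blank line ends a section
            continue
        if line.startswith(";"):                    # comments and the QUESTION entry
            continue
        if section == "answer":
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((name, int(ttl), rtype, rdata))
    return {"answers": answers, "query_time_ms": qtime}


def cache_evidence(local_out, authoritative_out):
    """Decide whether the local resolver served the name from its cache.
    With +norecurse a resolver answers only from cache, and a cached record's
    TTL counts down from the authoritative value, which dates the original fetch."""
    local, auth = parse_dig(local_out), parse_dig(authoritative_out)
    if not local["answers"]:
        return {"cached": False, "age_seconds": None,
                "reasons": ["no answer without recursion: nobody here looked it up recently"]}
    full_ttl = {(n, t): ttl for n, ttl, t, _ in auth["answers"]}
    reasons, age = [], None
    for name, ttl, rtype, _ in local["answers"]:
        full = full_ttl.get((name, rtype))
        if full is not None and ttl < full:
            age = full - ttl
            reasons.append(f"{name} {rtype}: TTL {ttl} is {age}s below the authoritative {full}")
    if local["query_time_ms"] is not None and local["query_time_ms"] <= 1:
        reasons.append("answered in about 0 ms, i.e. without a recursive lookup")
    return {"cached": True, "age_seconds": age, "reasons": reasons}


if __name__ == "__main__":
    print(cache_evidence(LOCAL_CACHED, AUTHORITATIVE))
    print(cache_evidence(LOCAL_NOT_CACHED, AUTHORITATIVE))
```

Caveat: a resolver that is itself authoritative for the name also answers without recursion, but then the TTL equals the authoritative value, so age_seconds stays None and only the query time is reported; that is why the TTL comparison, not just the presence of an answer, is the evidence worth keeping.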

P22. Consider distributing a file of F = 15 Gbits to N peers. The server has an upload rate of
u_s = 30 Mbps, and each peer has a download rate of d_i = 2 Mbps and an upload rate of u. For N =
10, 100, and 1,000 and u = 300 Kbps, 700 Kbps, and 2 Mbps, prepare a chart giving the
minimum distribution time for each of the combinations of N and u for both client-server
distribution and P2P distribution.

My Answer:
Client-server distribution model: D_cs >= max{ N*F/u_s, F/d_min }
P2P distribution model: D_P2P >= max{ F/u_s, F/d_min, N*F/(u_s + sum of u_i) }
For N = 10, 100, 1,000 and u = 300 Kbps, 700 Kbps and 2 Mbps, D_cs and D_P2P are shown in
table 1 and table 2 respectively.
In the calculation I simply use 15 Gbits = 15,000 Mbits, 300 Kbps = 0.3 Mbps, etc.
Table 1: D_cs (client-server), in seconds

u          N = 10    N = 100    N = 1000
300 Kbps   7,500     50,000     500,000
700 Kbps   7,500     50,000     500,000
2 Mbps     7,500     50,000     500,000

Table 2: D_P2P (peer-to-peer), in seconds

u          N = 10    N = 100    N = 1000
300 Kbps   7,500     25,000     45,454
700 Kbps   7,500     15,000     20,548
2 Mbps     7,500     7,500      7,500

The chart of the distribution times is figure 1.4 (bar charts, not reproduced): D_cs and D_P2P on
the y axis (0 up to 5d 18h 53m 20s for D_cs and 0 up to 12h 37m 50s for D_P2P) against u = 300 Kbps,
700 Kbps and 2 Mbps on the x axis, with one bar for each of N = 10, 100 and 1000.

P25. Consider an overlay network with N active peers, with each pair of peers having an active
TCP connection. Additionally, suppose that the TCP connections pass through a total of M
routers. How many nodes and edges are there in the corresponding overlay network?

My Answer:
There are N nodes and N*(N-1)/2 edges: the overlay consists of the peers and the TCP connection between each pair of them, so the M routers the connections pass through are not part of it.
