
Tshark

TShark is the command-line version of Wireshark.

It performs the same packet capture and analysis functions but without a graphical user interface. It is widely used for network monitoring, troubleshooting, and security analysis, especially in environments where a GUI is not available.

Examples:

Capture packets on an interface: 

tshark -i eth0

Capture and display only traffic on TCP port 80 (HTTP):

tshark -i eth0 -f "tcp port 80"

Capture packets and save to a file:

tshark -i eth0 -w capture.pcap

Display DNS queries:

tshark -i eth0 -Y "dns"

Output the captured packets in JSON format:

tshark -i eth0 -T json


Key Options:

-i -> interface selection: Specifies the network interface to capture packets on.

 Example: tshark -i eth0


-D -> list interfaces: Prints all interfaces that tshark can capture on, with their numbers.

 Example: tshark -D


-f -> capture filter: Specifies a filter applied at the interface level, so only matching packets are captured at all.

 Example: tshark -i eth0 -f "tcp port 80"


-Y -> display filter: Filters the packets after capture (similar to Wireshark's display filters).

 Example: tshark -i eth0 -Y "http"

-w -> write output to a file: Writes the captured packets to a file in PCAP format, which can be opened later in Wireshark.

 Example: tshark -i eth0 -w capture.pcap


For More Info: https://www.securitymanadhey.com/p/tshark-tshark-is-command-line-version.html

Querying DNS Records

In the Windows operating system, the nslookup command is used to query DNS records.

For example, to query the DNS A record for a domain, use the following command:

nslookup -type=A domainname

nslookup -type=A securitymanadhey.com


This command produces the following output (the notes in parentheses are explanations, not part of the output):


Server: reliance.reliance (the ISP's DNS resolver)

Address: 2405:201:c00b:3a31::c0a8:1d01 (the IP address of the Reliance DNS resolver)


Non-authoritative answer:

Name: securitymanadhey.com (the queried domain)

Addresses:

15.197.225.128 (IPv4 address of the domain)

3.33.251.168 (IPv4 address of the domain)




Details:


Server: Displays the name and IP address of the DNS resolver used for the query (this resolver is provided by your Internet Service Provider (ISP)).


Non-authoritative answer: Indicates that the response came from a DNS server that is not the authoritative server for the domain.


Name: Shows the queried domain name.


Addresses: Lists the IP addresses associated with the domain (IPv4 in this example).


By default, your device uses the DNS resolver provided by your Internet Service Provider (ISP) unless you configure it to use a custom DNS server.

If you configure your device to use custom DNS servers (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1), the output would display those instead in the Server and Address fields.
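As an added example (not code from this blog post), here is a small Python parser for the nslookup output layout shown above. The sample text is the page's output with the explanatory notes removed, laid out the way Windows nslookup prints it; the parser assumes that layout (Server, Address, an optional "Non-authoritative answer" line, Name, then Address or Addresses with indented continuation lines) and sorts the answers by IP family so you can tell A from AAAA answers.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the page's nslookup output without the annotations,
# laid out the way Windows nslookup prints it.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  reliance.reliance
Address:  2405:201:c00b:3a31::c0a8:1d01

Non-authoritative answer:
Name:    securitymanadhey.com
Addresses:  15.197.225.128
          3.33.251.168
"""

_FIELD = re.compile(r"^(Server|Address|Addresses|Name):\s*(.*)$")


def parse_nslookup(text: str) -> Dict[str, object]:
    """Extract the resolver, the queried name, the answer addresses and
    whether the answer was authoritative from nslookup's text output."""
    result: Dict[str, object] = {"server": None, "server_address": None,
                                 "name": None, "addresses": [],
                                 "authoritative": True}
    in_addresses = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_addresses = False
            continue
        if line.startswith("Non-authoritative answer"):
            result["authoritative"] = False
            in_addresses = False
            continue
        m = _FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_addresses = False
            if key == "Server":
                result["server"] = value
            elif key == "Name":
                result["name"] = value
            elif key == "Address" and result["name"] is None:
                # The Address line before any Name is the resolver's own IP.
                result["server_address"] = value
            else:
                # "Addresses:" (several answers) or "Address:" after Name (one answer)
                if value:
                    result["addresses"].append(value)
                in_addresses = True
        elif in_addresses and raw[:1].isspace():
            # Continuation lines of a multi-address answer are indented.
            result["addresses"].append(line.strip())
    return result


def split_by_family(addresses: List[str]) -> Tuple[List[str], List[str]]:
    """Separate IPv4 (A) answers from IPv6 (AAAA) answers; strings that are
    not valid IP addresses are dropped."""
    v4, v6 = [], []
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        (v4 if ip.version == 4 else v6).append(a)
    return v4, v6


if __name__ == "__main__":
    parsed = parse_nslookup(SAMPLE_NSLOOKUP_OUTPUT)
    print(parsed)
    print(split_by_family(parsed["addresses"]))
```

The resolver's own address is recognised purely by position (the Address line that comes before any Name line), which is how nslookup lays out its output; a resolver that returns a single answer prints "Address:" instead of "Addresses:" and the parser handles both.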




DNS Zones

Zone files are plain text files that store information about a specific domain's DNS configuration. They are part of the Domain Name System (DNS) and are maintained by authoritative DNS servers. Each zone file contains DNS records that define the mappings and properties for a domain and its subdomains.

The key components of a zone file are A, AAAA, NS, CNAME, MX, TXT, SOA and other records.

DNS Server basics, types, record types, query types

 

The Basics of DNS: The Internet's Address Book

Imagine if every time you wanted to call a friend, you had to remember their exact 10-digit phone number. The internet would be similarly frustrating if we had to remember IP addresses for every website we wanted to visit! This is where the Domain Name System (DNS) comes in, acting as the "phone book" of the internet. DNS lets us use friendly domain names (like “www.miusecurity.blogspot.com”) instead of remembering a long string of numbers.

When you type a website address in your browser, DNS resolves the IP address for that domain. Think of DNS as the bridge between people and computers, translating easy-to-remember names into IP addresses that computers need to communicate.

Here's how DNS works:

  • User Query: Imagine you entered “www.miusecurity.blogspot.com” into your web browser.
  • Recursive DNS Resolver: First, your computer sends the request to a DNS resolver, which is responsible for turning the domain name into an IP address. This resolver is usually provided by your internet service provider (ISP); alternatively, a public resolver such as Google's can be used.
  • Root Server Query: If the resolver doesn't know the IP address (because it's not cached), it reaches out to one of the 13 root DNS servers to get the information. These servers don't hold specific addresses but know where to find the servers that manage top-level domains (like .com, .org, etc.).
  • TLD Server Query: The root server then directs the resolver to the TLD server for .com (since we're looking for miusecurity.blogspot.com).
  • Authoritative DNS Server Query: The TLD server tells the resolver which authoritative DNS server handles “www.miusecurity.blogspot.com”.
  • Final Resolution: The authoritative DNS server for “www.miusecurity.blogspot.com” finally returns the IP address for “www.miusecurity.blogspot.com” to the resolver.
  • Connection Established: The resolver sends the IP address back to your browser, and the browser uses that address to connect to the website.
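To make the exchange above concrete at the packet level, here is an added Python example (not code from this blog post) that builds the query message a client sends to its resolver and parses the reply that comes back, including the label compression DNS uses to avoid repeating names. The reply is constructed in the example itself, with the documentation address 203.0.113.10 as the answer and a TTL of 300 seconds; the queried name is the page's own example. Only A and CNAME answers are decoded, other record data is returned as hex.

```python
import struct
from typing import Dict, List, Tuple

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, qname: str, qtype: str = "A") -> bytes:
    """12-byte header plus one question. RD=1 asks the resolver to recurse."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at the call site)."""
    labels: List[str] = []
    end = None
    jumps = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_message(msg: bytes) -> Dict[str, object]:
    """Parse header, question section and answer section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A: four raw octets
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                        # CNAME: a (possibly compressed) name
            value, _ = decode_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply for the example: copies the query's ID and question,
    sets QR=1, RD=1, RA=1, and appends one A record (TTL 300) for 203.0.113.10.
    The answer's owner name is a pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "www.miusecurity.blogspot.com")
    print(parse_message(q))
    print(parse_message(build_sample_response(q)))
```

The transaction ID and the question section are echoed back unchanged in a real reply exactly as in the constructed one; that is what lets a client match replies to the query it sent.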

  

Types of DNS Servers

  1. Root Name Servers: These are the first step in the DNS lookup process. When a query is made, they direct the request to the appropriate Top-Level Domain (TLD) servers.
  2. TLD Name Servers: These servers manage domains within specific top-level domains like .com, .org, or .net. They help identify which authoritative DNS server should handle the request for a particular domain.
  3. Authoritative DNS Servers: These servers are responsible for storing the actual DNS records (A, MX, TXT, etc.) for your domain. These servers provide the definitive answers to DNS queries about your domain.
  4. Recursive DNS Servers (such as Google DNS, Cloudflare DNS, etc.): These servers are responsible for helping users (clients) resolve DNS queries by contacting authoritative servers to get the correct information.

DNS Record Types

DNS records are the data that DNS servers return when a query is made. Here are some common record types:

  • A (Address) Record: This record maps a domain name to an IPv4 address.
  • AAAA (IPv6 Address) Record: It is like an A record, but it maps a domain to an IPv6 address.
  • CNAME (Canonical Name) Record: This record allows one domain name to refer to another domain. It's commonly used for domain aliases.
  • MX (Mail Exchange) Record: This record directs email to the correct mail server of the domain.
  • TXT (Text) Record: Stores arbitrary text, often used for verification, such as SPF records for email security.
  • NS (Name Server) Record: Identifies the authoritative DNS servers for a domain.
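The "DNS Zones" section above says zone files are plain text holding the A, AAAA, NS, CNAME, MX, TXT and SOA records just listed. As an added example (not code from this blog post), here is a Python parser for the common subset of that zone-file syntax: $ORIGIN and $TTL directives, "@" for the zone apex, relative and fully qualified names, an optional per-record TTL, the parenthesised multi-line SOA record and ";" comments. The zone it parses is constructed for the reserved documentation domain example.com; every value in it is made up.

```python
from typing import Dict, List

# Constructed zone file for example.com (a reserved documentation domain);
# all record values are made up for this example.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2024010101 ; serial
                  7200       ; refresh
                  3600       ; retry
                  1209600    ; expire
                  300 )      ; minimum
@       IN  NS    ns1.example.com.
@       IN  NS    ns2.example.com.
@       IN  A     203.0.113.10
@       IN  AAAA  2001:db8::10
www     IN  CNAME example.com.
@       IN  MX    10 mail.example.com.
@   600 IN  TXT   "v=spf1 mx -all"
"""


def _strip_comment(line: str) -> str:
    """Drop a ';' comment unless the ';' sits inside a quoted TXT string."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def _fqdn(name: str, origin: str) -> str:
    """'@' means the origin; names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> List[Dict[str, object]]:
    """Parse the common subset of RFC 1035 master-file syntax and return one
    dict per record with keys name, ttl, type and data."""
    # Pass 1: join parenthesised records (like SOA) into single logical lines.
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    # Pass 2: tokenise each logical line.
    origin, default_ttl, last_owner = "", 3600, None
    records: List[Dict[str, object]] = []
    for line in logical:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        tokens = line.split()
        # A line starting with blank space inherits the previous owner name.
        owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype in ("NS", "CNAME"):
            rdata = _fqdn(rdata, origin)
        elif rtype == "MX":
            pref, host = rdata.split(None, 1)
            rdata = f"{pref} {_fqdn(host, origin)}"
        elif rtype == "TXT":
            rdata = rdata.strip('"')
        records.append({"name": owner, "ttl": ttl, "type": rtype, "data": rdata})
    return records


def records_of_type(records: List[Dict[str, object]], rtype: str) -> List[Dict[str, object]]:
    """Select the records of one type, e.g. all NS records of the zone."""
    return [r for r in records if r["type"] == rtype.upper()]


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE):
        print(rec)
```

Relative names are expanded against $ORIGIN so the output always carries fully qualified owner names, which is what you want before comparing a zone file against what the authoritative servers actually serve.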

DNS Query Types

  • Recursive Query: In this type of query, the DNS resolver fully resolves the domain name by interacting with multiple servers until it gets the final IP address, and then it sends that back to the user.
  • Iterative Query: When a resolver (client) asks a DNS server for an IP address, and the server doesn't have the exact answer, it will point the resolver in the direction of another DNS server that might know more. This process continues, with the resolver querying multiple DNS servers, each one getting closer to the final answer until the correct IP address is found.

DNS Caching

  • DNS responses are cached to speed up lookups and reduce the load on DNS servers. Responses are cached on the user's device, by the internet service provider's (ISP's) recursive resolver, and by browsers.


DNS Security Concerns:


DNS is vulnerable to various attacks:

  • DNS Spoofing (Cache Poisoning): This is when attackers inject false information into a DNS cache, redirecting users to malicious websites.
  • DNS Tunneling: Malicious data can be hidden in DNS queries, which can bypass security measures and be used for exfiltrating sensitive information.
  • DDoS Attacks on DNS Infrastructure: Distributed Denial-of-Service (DDoS) attacks can overwhelm DNS servers, making websites unreachable.
  • DNS Hijacking: Malicious actors can take control of DNS queries, redirecting users to fraudulent servers, which is often done for phishing.
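The caching bullet above and the cache-poisoning bullet are two sides of one design question: what must a resolver check before it puts a reply into its cache? As an added example (not code from this blog post), here is a Python sketch of the acceptance checks a stub resolver applies in the spirit of RFC 5452 (the reply must carry the query's transaction ID, be flagged as a response, echo the same question, and only answers for the name and type actually asked about are kept) together with a TTL-honouring cache. The replies are constructed dicts in the shape the message parser earlier on this page returns, using numeric record types (1 = A), and the clock is faked so expiry can be shown without sleeping.

```python
import time
from typing import Dict, List, Optional, Tuple


class FakeClock:
    """Deterministic clock so TTL expiry can be demonstrated without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class DnsCache:
    """Positive cache keyed by (name, type) that honours record TTLs. TTLs are
    clamped to [min_ttl, max_ttl] so a reply can neither pin an entry for days
    nor force a lookup on every request."""
    def __init__(self, min_ttl: int = 5, max_ttl: int = 86400, clock=time.monotonic):
        self.min_ttl, self.max_ttl, self.clock = min_ttl, max_ttl, clock
        self._store: Dict[Tuple[str, int], Tuple[float, List[str]]] = {}

    def put(self, name: str, rtype: int, ttl: int, values: List[str]) -> None:
        ttl = max(self.min_ttl, min(self.max_ttl, ttl))
        self._store[(name.lower(), rtype)] = (self.clock() + ttl, list(values))

    def get(self, name: str, rtype: int) -> Optional[List[str]]:
        key = (name.lower(), rtype)
        entry = self._store.get(key)
        if entry is None:
            return None
        expires, values = entry
        if self.clock() >= expires:
            del self._store[key]
            return None
        return values


def accept_reply(query: dict, reply: dict) -> Tuple[bool, str]:
    """Checks applied before a reply is trusted at all. Returns (accepted, reason)."""
    if reply["id"] != query["id"]:
        return False, "transaction id mismatch"
    if not reply["is_response"]:
        return False, "QR bit not set"
    if len(reply["questions"]) != 1:
        return False, "unexpected question count"
    rname, rtype = reply["questions"][0]
    if rname.lower() != query["qname"].lower() or rtype != query["qtype"]:
        return False, "question section does not match"
    if reply["rcode"] != 0:
        return False, f"rcode {reply['rcode']}"
    return True, "ok"


def resolve(query: dict, reply: dict, cache: DnsCache) -> Tuple[List[str], str]:
    """Serve from cache; otherwise validate the reply and cache only the answer
    records that belong to the queried name and type. The second element says
    where the result came from or why the reply was rejected."""
    cached = cache.get(query["qname"], query["qtype"])
    if cached is not None:
        return cached, "cache"
    ok, reason = accept_reply(query, reply)
    if not ok:
        return [], reason
    relevant = [a for a in reply["answers"]
                if a["name"].lower() == query["qname"].lower() and a["type"] == query["qtype"]]
    if not relevant:
        return [], "no matching answers"
    ttl = min(a["ttl"] for a in relevant)
    values = [a["data"] for a in relevant]
    cache.put(query["qname"], query["qtype"], ttl, values)
    return values, "network"


# Constructed sample traffic: a query for www.example.com and a reply that, in
# addition to the record asked for, carries a record for a name that was never
# queried. A resolver must not let that extra record into its cache.
SAMPLE_QUERY = {"id": 0x1234, "qname": "www.example.com", "qtype": 1}
SAMPLE_REPLY = {"id": 0x1234, "is_response": True, "rcode": 0,
                "questions": [("www.example.com", 1)],
                "answers": [{"name": "www.example.com", "type": 1, "ttl": 300, "data": "203.0.113.10"},
                            {"name": "other.example.com", "type": 1, "ttl": 300, "data": "198.51.100.7"}]}
FORGED_REPLY = dict(SAMPLE_REPLY, id=0x9999)  # wrong transaction ID


if __name__ == "__main__":
    clk = FakeClock()
    cache = DnsCache(clock=clk)
    print(resolve(SAMPLE_QUERY, SAMPLE_REPLY, cache))
    print(cache.get("other.example.com", 1))
    clk.advance(301)
    print(resolve(SAMPLE_QUERY, FORGED_REPLY, cache))
```

Real resolvers add more than this (source-port randomisation, DNSSEC validation, negative caching), but the checks shown are the minimum that separates "a UDP packet arrived" from "an answer we can cache".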

How to play with DNS records

Ramya is an intelligent and ambitious young woman with a deep passion for creating websites and a talent for crafting beautiful wool products. Determined to turn her creativity into a profitable business before landing a job, she decided to sell her products online.

So, she opted for a user-friendly platform like WordPress, Wix, or Blogger to simplify the process of building and managing a website rather than wasting time building an entire website from scratch.


Creating Her Website


Ramya began by selecting a platform and a theme that matched her brand's aesthetic. She then customized the site to display her wool products beautifully. During this phase, the platform provided her with a temporary domain to preview her work.


Once the website design and content were complete, Ramya purchased a custom domain, wool-clothes.com, through GoDaddy.



Configuring DNS for Her Domain


Ramya edited the DNS records to link her domain to the website platform. The platform automatically provided the following essential records:


A Record: (Maps the domain to the IPv4 address of the server)

The A record maps her domain name (wool-clothes.com) to the IPv4 address of the hosting server provided by the website platform she chose (e.g., WordPress, Wix, or Blogger). This is generally your site's IP address; GoDaddy sets this default record, and you can't delete or edit it.


AAAA Record: Maps the domain to the IPv6 address of the server.


NS Record: Specifies the authoritative name servers for the domain.

NS (Name Server) Records specify which name servers are authoritative for the domain. These records ensure that DNS queries for wool-clothes.com are directed to the correct DNS servers.


CNAME Record: Maps subdomains to the main domain or another server.

The CNAME (Canonical Name) Record is used to map a subdomain (e.g., www.wool-clothes.com) to the root domain (wool-clothes.com) or another server provided by the platform.


Ramya followed the platform's guidelines to edit and map these DNS records appropriately. For instance, platforms like Google Blogger or Wix provided custom CNAME values, which she added. 

Setting Up Redirection:


After successfully linking the domain, Ramya noticed a minor issue: entering wool-clothes.com did not redirect to www.wool-clothes.com. To ensure a seamless user experience, she configured a domain forwarding rule to redirect visitors automatically from the non-www version to the www version of her site.
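The records Ramya configured have to obey a few rules that a registrar's DNS editor enforces and that explain the www problem above. As an added example (not code from this blog post or from GoDaddy or the platforms mentioned), here is a Python check over a record set for wool-clothes.com: the apex must have NS records, the apex cannot be a CNAME, a CNAME cannot share its owner name with any other record (RFC 1034 §3.6.2), and the www name needs some record before it can resolve at all. The record values are placeholders, since the platform's real values are not on the page.

```python
from typing import Dict, List, Tuple

# Constructed record set for Ramya's domain. The platform's real values are not
# on the page, so the addresses and host names below are placeholders.
APEX = "wool-clothes.com."
RECORDS: List[Tuple[str, str, str]] = [
    (APEX, "A", "203.0.113.20"),
    (APEX, "AAAA", "2001:db8::20"),
    (APEX, "NS", "ns1.placeholder-dns.example."),
    (APEX, "NS", "ns2.placeholder-dns.example."),
    ("www.wool-clothes.com.", "CNAME", "ghs.placeholder-platform.example."),
]


def lint_records(records: List[Tuple[str, str, str]], apex: str) -> List[str]:
    """Return the problems found in a (name, type, data) record set; an empty
    list means the set is consistent."""
    problems: List[str] = []
    by_name: Dict[str, List[Tuple[str, str]]] = {}
    for name, rtype, data in records:
        by_name.setdefault(name.lower(), []).append((rtype.upper(), data))

    apex_types = [t for t, _ in by_name.get(apex.lower(), [])]
    if "NS" not in apex_types:
        problems.append(f"{apex}: no NS records; nothing delegates the zone")
    if "CNAME" in apex_types:
        problems.append(f"{apex}: CNAME at the zone apex is not allowed")

    # RFC 1034 §3.6.2: a CNAME owner name may carry no other records.
    for name, rrs in by_name.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            problems.append(f"{name}: CNAME cannot coexist with other records")

    # Without any record for www, visitors typing www.<domain> get no answer.
    if "www." + apex.lower() not in by_name:
        problems.append(f"www.{apex}: no A/AAAA/CNAME record; www will not resolve")
    return problems


if __name__ == "__main__":
    print(lint_records(RECORDS, APEX) or "record set is consistent")
    broken = RECORDS + [("www.wool-clothes.com.", "A", "203.0.113.21")]
    print(lint_records(broken, APEX))
```

Note what the check does not cover: the redirect from wool-clothes.com to www.wool-clothes.com that Ramya set up is an HTTP-level forwarding rule, not a DNS record, so DNS only has to guarantee that both names resolve; the redirect itself lives at the web or registrar forwarding layer.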



After her website was live and accessible, Ramya's business flourished as customers flocked to her site.


Ramya sums it up with a quote: "Dream an idea, learn its depth, craft its form, and earn from its execution."
