Wednesday, August 26, 2015

Useful commands for name resolution

In this article I describe the main commands that can be used to analyse the DNS client, that is, the name-resolution process on a Linux workstation.


Nslookup

nslookup is used to query records on DNS servers. The simplest form is:

$ nslookup ricardoolonca.blogspot.com.br
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
ricardoolonca.blogspot.com.br canonical name = blogspot.l.googleusercontent.com.
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.107
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.106
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.108

You may want to run the query against a different DNS server. In the example below I run a DNS query not through my own DNS server but through Terra's (200.176.2.12):

$ nslookup ricardoolonca.blogspot.com.br 200.176.2.12
Server: 200.176.2.12
Address: 200.176.2.12#53

Non-authoritative answer:
ricardoolonca.blogspot.com.br canonical name = blogspot.l.googleusercontent.com.
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.11
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.12
Name: blogspot.l.googleusercontent.com
Address: 74.125.234.10

To find out which DNS server is authoritative for the site in question, use the parameter type=ns (since this name is a CNAME, nslookup follows it and reports the SOA of the target zone, l.googleusercontent.com, under "Authoritative answers can be found from"):

$ nslookup -type=ns ricardoolonca.blogspot.com.br
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
ricardoolonca.blogspot.com.br canonical name = blogspot.l.googleusercontent.com.
Authoritative answers can be found from:
l.googleusercontent.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 1529890
refresh = 900
retry = 900
expire = 1800
minimum = 60

To find out which server handles the site's e-mail, use type=mx:

$ nslookup -type=mx ricardoolonca.blogspot.com.br
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
ricardoolonca.blogspot.com.br canonical name = blogspot.l.googleusercontent.com.
Authoritative answers can be found from:
l.googleusercontent.com
origin = ns1.google.com
mail addr = dns-admin.google.com
serial = 1529890
refresh = 900
retry = 900
expire = 1800
minimum = 60

We can see that this domain has no e-mail service. Let's try another domain:

$ nslookup -type=mx google.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
google.com mail exchanger = 40 alt3.aspmx.l.google.com.
google.com mail exchanger = 10 aspmx.l.google.com.
google.com mail exchanger = 20 alt1.aspmx.l.google.com.
google.com mail exchanger = 30 alt2.aspmx.l.google.com.
google.com mail exchanger = 50 alt4.aspmx.l.google.com.
Authoritative answers can be found from:
alt1.aspmx.l.google.com internet address = 173.194.75.27
alt2.aspmx.l.google.com internet address = 173.194.67.27

We can see that there are five servers handling Google's e-mail, with aspmx.l.google.com (preference 10, the lowest value) taking priority.


Dig

dig is another utility for querying names. Its syntax is simple:

$ dig ricardoolonca.blogspot.com.br
; <<>> DiG 9.9.5-6-Debian <<>> ricardoolonca.blogspot.com.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20754
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;ricardoolonca.blogspot.com.br. IN A

;; ANSWER SECTION:
ricardoolonca.blogspot.com.br. 600 IN CNAME blogspot.l.googleusercontent.com.
blogspot.l.googleusercontent.com. 300 IN A 64.233.186.132

;; Query time: 117 msec
;; SERVER: 172.20.1.6#53(172.20.1.6)
;; WHEN: Wed Aug 26 15:32:48 BRT 2015
;; MSG SIZE  rcvd: 120



To query the MX records (note that the command below used the wrong option syntax: dig's -q option takes a query name, so it looked up "-type=mx" as a name, got SERVFAIL, and then looked up the A records of google.com as a second query; the correct forms are "dig google.com MX" or "dig -t MX google.com"):

$ dig -q-type=mx google.com
; <<>> DiG 9.9.5-6-Debian <<>> -q-type=mx google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16201
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;-type=mx. IN A

;; Query time: 0 msec
;; SERVER: 172.20.1.6#53(172.20.1.6)
;; WHEN: Wed Aug 26 15:33:54 BRT 2015
;; MSG SIZE  rcvd: 37

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46779
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 298 IN A 173.194.118.34
google.com. 298 IN A 173.194.118.37
google.com. 298 IN A 173.194.118.35
google.com. 298 IN A 173.194.118.40
google.com. 298 IN A 173.194.118.46
google.com. 298 IN A 173.194.118.39
google.com. 298 IN A 173.194.118.41
google.com. 298 IN A 173.194.118.32
google.com. 298 IN A 173.194.118.38
google.com. 298 IN A 173.194.118.33
google.com. 298 IN A 173.194.118.36

;; Query time: 0 msec
;; SERVER: 172.20.1.6#53(172.20.1.6)
;; WHEN: Wed Aug 26 15:33:54 BRT 2015
;; MSG SIZE  rcvd: 215


Host

Another command used to resolve names is host. host produces leaner output.

$ host ricardoolonca.blogspot.com.br
ricardoolonca.blogspot.com.br is an alias for blogspot.l.googleusercontent.com.
blogspot.l.googleusercontent.com has address 74.125.234.138
blogspot.l.googleusercontent.com has address 74.125.234.139
blogspot.l.googleusercontent.com has address 74.125.234.140
blogspot.l.googleusercontent.com has IPv6 address 2800:3f0:4001:802::100b

You can do reverse lookups:

$ host 74.125.234.138
138.234.125.74.in-addr.arpa domain name pointer gru03s13-in-f10.1e100.net.


Whois

The whois command shows information about the domain, such as the names and contacts of the people responsible, the DNS servers, the date of the last update, and so on.

$ whois ricardoolonca.blogspot.com.br 
% Copyright (c) Nic.br
% The use of the data below is only permitted as described in
% full by the terms of use (http://registro.br/termo/en.html),
% being prohibited its distribution, comercialization or
% reproduction, in particular, to use it for advertising or
% any similar purpose.
% 2013-08-19 16:36:04 (BRT -03:00)


domain: blogspot.com.br
owner: Google Brasil Internet Ltda
ownerid: 006.990.590/0001-23
responsible: Domain Administrator
country: BR
owner-c: DOADM17
admin-c: DOADM17
tech-c: DOADM17
billing-c: NAB51
nserver: ns1.google.com
nsstat: 20130818 AA
nslastaa: 20130818
nserver: ns2.google.com
nsstat: 20130818 AA
nslastaa: 20130818
nserver: ns3.google.com
nsstat: 20130818 AA
nslastaa: 20130818
nserver: ns4.google.com
nsstat: 20130818 AA
nslastaa: 20130818
created: 20041205 #1920190
expires: 20131205
changed: 20121113
status: published


nic-hdl-br: DOADM17
person: Domain Admin
e-mail: ccops@markmonitor.com
created: 20100520
changed: 20130423


nic-hdl-br: NAB51
person: NameAction do Brasil
e-mail: cctld@nameaction.com
created: 20020619
changed: 20130430


% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/, respectivelly to cert@cert.br
% and mail-abuse@cert.br
%
% whois.registro.br accepts only direct match queries. Types
% of queries are: domain (.br), ticket, provider, ID, CIDR
% block, IP and ASN.


You can use whois to find out who is responsible for a specific IP address:

$ whois 74.125.234.138

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.125.234.234?showDetails=true&showARIN=false&ext=netref2
#


NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
OriginAS:
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
RegDate: 2007-03-13
Updated: 2012-02-24
Ref: http://whois.arin.net/rest/net/NET-74-125-0-0-1


OrgName: Google Inc.
OrgId: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
RegDate: 2000-03-30
Updated: 2013-08-07
Ref: http://whois.arin.net/rest/org/GOGL


OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc
OrgTechPhone: +1-650-253-0000
OrgTechEmail: arin-contact@google.com
OrgTechRef: http://whois.arin.net/rest/poc/ZG39-ARIN


OrgAbuseHandle: ZG39-ARIN
OrgAbuseName: Google Inc
OrgAbusePhone: +1-650-253-0000
OrgAbuseEmail: arin-contact@google.com
OrgAbuseRef: http://whois.arin.net/rest/poc/ZG39-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

These are the main name-resolution tools used for network analysis. If a site is unreachable, before poking around in Squid, check that the site exists, using nslookup, ping, dig, and so on.
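The checks described in this post, as an added shell example that is not part of the original article: helper functions that build the reverse name `host <ip>` queries (the reverse-lookup section), pick the primary mail exchanger out of `dig +short NAME MX` output (the MX section), and compare the NS answers of the system resolver with those of an alternative resolver (the closing advice to verify that a site resolves before blaming Squid). The function names, the DNS_LIVE switch and the sample MX lines are my own; the sample values are copied from the post's outputs, and only check_resolution() uses the network.

```shell
#!/bin/sh
# Added example, not part of the original post: small shell helpers for the
# name-resolution checks discussed above. Sample data is constructed from the
# record formats shown in the post; only check_resolution() touches the
# network, and it runs only when DNS_LIVE=1 is set.

# Reverse-lookup name for an IPv4 address: the name that `host 74.125.234.138`
# queries (138.234.125.74.in-addr.arpa) before printing the PTR record.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Read MX records in `dig +short NAME MX` form ("<preference> <host>." per line)
# from stdin and print the host with the lowest preference value, i.e. the
# primary mail exchanger (aspmx.l.google.com with preference 10 in the post).
primary_mx() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $2); print $2 }'
}

# Compare two answer sets (one record per line) ignoring order.
# Returns 0 when both resolvers returned the same set of records.
same_answers() {
    a=$(printf '%s\n' "$1" | sort -u)
    b=$(printf '%s\n' "$2" | sort -u)
    [ "$a" = "$b" ]
}

# Live check (needs network): ask the system resolver and an alternative
# resolver for the NS records of a domain and compare them. Pass the zone name
# itself (google.com), not a CNAME such as the blog address, because NS records
# live at the zone apex. A records are deliberately not compared: a CDN hands
# out different addresses per resolver, as the two nslookup runs above show.
# Exit codes: 0 answers agree, 1 answers differ, 2 lookup failed or empty.
check_resolution() {
    name=$1
    alt=${2:-200.176.2.12}   # alternative resolver; the post uses Terra's server
    local_ns=$(dig +short "$name" NS) || return 2
    alt_ns=$(dig +short "@$alt" "$name" NS) || return 2
    if [ -z "$local_ns" ] || [ -z "$alt_ns" ]; then
        echo "no NS answer for $name (does the domain exist?)" >&2
        return 2
    fi
    if same_answers "$local_ns" "$alt_ns"; then
        echo "NS records for $name agree between the system resolver and $alt"
    else
        echo "NS records for $name differ: system resolver [$local_ns] vs $alt [$alt_ns]" >&2
        return 1
    fi
}

# Constructed sample in `dig +short google.com MX` format; the values are taken
# from the post's "nslookup -type=mx google.com" output.
SAMPLE_MX='40 alt3.aspmx.l.google.com.
10 aspmx.l.google.com.
20 alt1.aspmx.l.google.com.
30 alt2.aspmx.l.google.com.
50 alt4.aspmx.l.google.com.'

printf 'PTR name for 74.125.234.138: %s\n' "$(ptr_name 74.125.234.138)"
printf 'Primary MX in sample: %s\n' "$(printf '%s\n' "$SAMPLE_MX" | primary_mx)"

# Run the live resolver comparison only when explicitly requested:
#   DNS_LIVE=1 sh resolve_check.sh google.com [alternative-resolver-ip]
if [ "${DNS_LIVE:-0}" = 1 ]; then
    check_resolution "${1:-google.com}" "$2"
fi
```

A disagreement between resolvers is a reason to look closer (a stale cache, a misconfigured forwarder, or a tampered local resolver), not a conclusion by itself; query the authoritative server from the whois nserver lines directly with `dig @ns1.google.com google.com NS` to see which side is right.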