A Win32 version of dig: http://members.shaw.ca/nicholas.fong/dig/
On Mon, Feb 23, 2009 at 09:23, Jason Gurtz <jasongu...@npumail.com> wrote:

> Note: the dig tool is easier and better than nslookup, but unfortunately
> doesn't come with Windows. You can download the Windows port of the BIND
> name server and find dig there, but that's extra steps to find out just
> what DLLs you also need, etc. If you're going to do this a lot I do
> recommend that you take the time to learn dig instead of nslookup.
>
>> In the reverse DNS section of this tool, do I need to check the box? I
>> don't host my external DNS records, so I don't know what PTR records, if
>> any, are out there.
>
> Open a cmd prompt. Type nslookup and press enter. At the new "> " prompt
> type set type=ptr and press enter.
>
> Wacky thing #1: the IP addy that you query is backwards from what it is.
> Wacky thing #2: you are querying for the backwards address in this weird
> domain called in-addr.arpa. You can think of .in-addr.arpa as being to
> IP addresses the same as .com. or .org. are to domain names. It is the
> story of the whale; it's just how it is.
>
> So, for example, let's look up some aol.com PTR records... 3 MX records I
> see are:
>
> mailin-01.mx.aol.com internet address = 205.188.156.248
> mailin-02.mx.aol.com internet address = 205.188.249.91
> mailin-03.mx.aol.com internet address = 205.188.252.17
>
> Hey, let's see if their ducks are in a row! To query the PTR record for
> the first one just type this:
>
> > 248.156.188.205.in-addr.arpa
>
> After pressing enter you should see something like this:
>
> Non-authoritative answer:
> 248.156.188.205.in-addr.arpa name = dd.mx.aol.com
>
> What!? dd.mx.aol.com != mailin-01.mx.aol.com. Well, that's OK, aol is
> probably not sending any mail out from this box here ;) Likely, that
> "box" is a load balancer of some type... OK, trawling through some logs
> here I do see them sending mail from host imo-d05.mx.aol.com, which has an
> address of 205.188.157.37. Let's check it out!
>
> > set type=a
> > imo-d05.mx.aol.com
> Server: dns-01.ns.aol.com
> Address: 64.12.51.132
>
> Name: imo-d05.mx.aol.com
> Address: 205.188.157.37
>
> [Yup, still sitting on the same addy]
>
> > set type=ptr
> > 37.157.188.205.in-addr.arpa
> Server: dns-01.ns.aol.com
> Address: 64.12.51.132
>
> 37.157.188.205.in-addr.arpa name = imo-d05.mx.aol.com
>
> [This time we have a match! AOL admins know what they're doing.]
>
> 157.188.205.in-addr.arpa nameserver = dns-02.ns.aol.com
> 157.188.205.in-addr.arpa nameserver = dns-01.ns.aol.com
> dns-01.ns.aol.com internet address = 64.12.51.132
> dns-02.ns.aol.com internet address = 205.188.157.232
>
> So yeppers, all aol.com ducks in a row for that outbound server. As you
> can see, nslookup also tells you what name servers have authority for the
> address space containing 205.188.157.37. Using a whois tool you can
> look up who has registered ownership of the IP block. Now we're getting
> off on a spam-fighting tangent....
>
> If you want to script nslookup to do auditing you can use the tool like
> this to query one address at a time. Now you can loop over a whole block
> of IPs that you might own in a batch file or PowerShell or whatever:
>
> C:\>nslookup -type=ptr 37.157.188.205.in-addr.arpa dns-01.ns.aol.com
>
> The last argument (DNS server to query) is optional. By default, nslookup
> should be querying the first DNS server listed in your ipconfig /all
> output. If you're at the nslookup prompt the command "server
> <serverName|IP>" will do the same thing. Check the ? command to see other
> commands. Note: -type=a would be redundant since it's the default query
> type assumed, and obviously -type=mx could be useful in the email world as
> well.
>
> ~JasonG
>
> --
>
> ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> ~ http://www.sunbeltsoftware.com/Ninja ~
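The forward-then-reverse check Jason walks through by hand (A record, then the PTR of the octet-reversed address under in-addr.arpa, then compare the two names) as an added Python example, not code from this thread. The lookup tables are constructed from the addresses quoted above rather than fetched from live DNS, and the IPv6 ip6.arpa branch goes beyond what the post covers.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """Build the name that is queried for a PTR record.

    IPv4: the octets are written in reverse order under in-addr.arpa, so
    205.188.157.37 becomes 37.157.188.205.in-addr.arpa. IPv6 (not in the
    post, added here for completeness): every hex nibble of the fully
    expanded address is reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def check_host(hostname, lookup_a, lookup_ptr):
    """Forward-then-reverse consistency check, as done by hand in the post.

    lookup_a / lookup_ptr are injected callables so the logic runs against a
    constructed table offline or can be wired to a real resolver later.
    Returns (status, address, ptr_name).
    """
    addr = lookup_a(hostname)
    if addr is None:
        return ("no-a-record", None, None)
    ptr = lookup_ptr(reverse_name(addr))
    if ptr is None:
        return ("no-ptr", addr, None)
    same = ptr.lower().rstrip(".") == hostname.lower().rstrip(".")
    return ("match" if same else "mismatch", addr, ptr)

# Constructed stand-in for live DNS: the names and addresses are the ones
# quoted in the post, but the tables themselves are not real zone data.
SAMPLE_A = {
    "mailin-01.mx.aol.com": "205.188.156.248",
    "imo-d05.mx.aol.com": "205.188.157.37",
}
SAMPLE_PTR = {
    "248.156.188.205.in-addr.arpa": "dd.mx.aol.com",
    "37.157.188.205.in-addr.arpa": "imo-d05.mx.aol.com",
}

def audit(hostnames):
    """Run check_host over a list of names against the sample tables."""
    return {h: check_host(h, SAMPLE_A.get, SAMPLE_PTR.get) for h in hostnames}

if __name__ == "__main__":
    for host, (status, addr, ptr) in audit(list(SAMPLE_A) + ["nosuch.example"]).items():
        print(f"{host}: {status} (A={addr}, PTR={ptr})")
```

Swapping `SAMPLE_A.get` / `SAMPLE_PTR.get` for functions that call a real resolver turns this into the batch audit over your own address block that the post suggests.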