One small niggle is this dig is a very old version from the looks of it. For those interested in getting it via Bind9: in addition to dig.exe, also extract libisc.dll, libdns.dll, libbind9.dll, and liblwres.dll into the same place and you're set.
Jason

> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Monday, February 23, 2009 15:38
> To: MS-Exchange Admin Issues
> Subject: Re: HOWTO: do reverse lookups (PTR records) with the nslookup tool
>
> Google is your friend...
>
> On Mon, Feb 23, 2009 at 11:45, Jason Gurtz <jasongu...@npumail.com> wrote:
> > Very nice!
> >
> > > -----Original Message-----
> > > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > > Sent: Monday, February 23, 2009 13:52
> > > To: MS-Exchange Admin Issues
> > > Subject: Re: HOWTO: do reverse lookups (PTR records) with the nslookup tool
> > >
> > > A Win32 version of dig: http://members.shaw.ca/nicholas.fong/dig/
> > >
> > > On Mon, Feb 23, 2009 at 09:23, Jason Gurtz <jasongu...@npumail.com> wrote:
> > > > Note: the dig tool is easier and better than nslookup, but unfortunately
> > > > doesn't come with Windows. You can download the Windows port of the BIND
> > > > name server and find dig there, but that's extra steps to find out just
> > > > what DLLs you also need, etc... If you're going to do this a lot I do
> > > > recommend that you take the time to learn dig instead of nslookup.
> > > >
> > > > > In the reverse DNS section of this tool, do I need to check the box? I
> > > > > don't host my external DNS records, so I don't know what PTR records, if
> > > > > any, are out there.
> > > >
> > > > Open cmd prompt. Type nslookup and press enter. At the new "> " prompt
> > > > type set type=ptr and press enter.
> > > >
> > > > wacky thing #1: IP addy that you query is backwards from what it is
> > > > wacky thing #2: you are querying for the backwards address in this weird
> > > > domain called in-addr.arpa. You can think of .in-addr.arpa as being to
> > > > IP addresses the same as .com. or .org. are to domain names. It is the
> > > > story of the whale; it's just how it is.
> > > >
> > > > So, for example let's look up some aol.com PTR records... 3 MX records I
> > > > see are:
> > > >
> > > > mailin-01.mx.aol.com internet address = 205.188.156.248
> > > > mailin-02.mx.aol.com internet address = 205.188.249.91
> > > > mailin-03.mx.aol.com internet address = 205.188.252.17
> > > >
> > > > Hey, let's see if their ducks are in a row! To query the PTR record for
> > > > the first one just type this:
> > > >
> > > > > 248.156.188.205.in-addr.arpa
> > > >
> > > > After pressing enter you should see something like this:
> > > >
> > > > Non-authoritative answer:
> > > > 248.156.188.205.in-addr.arpa name = dd.mx.aol.com
> > > >
> > > > What!? dd.mx.aol.com != mailin-01.mx.aol.com. Well that's OK, aol is
> > > > probably not sending any mail out from this box here ;) Likely, that
> > > > "box" is a load balancer of some type... OK, trawling through some logs
> > > > here I do see them sending mail from host imo-d05.mx.aol.com which has an
> > > > address of 205.188.157.37. Let's check it out!
> > > >
> > > > > set type=a
> > > > > imo-d05.mx.aol.com
> > > > Server: dns-01.ns.aol.com
> > > > Address: 64.12.51.132
> > > >
> > > > Name: imo-d05.mx.aol.com
> > > > Address: 205.188.157.37
> > > >
> > > > [Yup, still sitting on the same addy]
> > > >
> > > > > set type=ptr
> > > > > 37.157.188.205.in-addr.arpa
> > > > Server: dns-01.ns.aol.com
> > > > Address: 64.12.51.132
> > > >
> > > > 37.157.188.205.in-addr.arpa name = imo-d05.mx.aol.com
> > > >
> > > > [This time we have a match! AOL admins know what they're doing.]
> > > >
> > > > 157.188.205.in-addr.arpa nameserver = dns-02.ns.aol.com
> > > > 157.188.205.in-addr.arpa nameserver = dns-01.ns.aol.com
> > > > dns-01.ns.aol.com internet address = 64.12.51.132
> > > > dns-02.ns.aol.com internet address = 205.188.157.232
> > > >
> > > > So yeppers, all aol.com ducks in a row for that outbound server. As you
> > > > can see nslookup also tells you what name servers have authority for the
> > > > address space containing 205.188.157.37. Using a whois tool you can
> > > > look up who has registered ownership of the IP block. Now we're getting
> > > > off on a spam fighting tangent....
> > > >
> > > > If you want to script nslookup to do auditing you can use the tool like
> > > > this to query one address at a time. Now you can loop over a whole block
> > > > of IPs that you might own in a batch file or powershell or whatever:
> > > >
> > > > C:\>nslookup -type=ptr 37.157.188.205.in-addr.arpa dns-01.ns.aol.com
> > > >
> > > > The last argument (dns server to query) is optional. By default,
> > > > nslookup should be querying the first dns server listed in your
> > > > ipconfig /all output. If you're at the nslookup prompt the command
> > > > "server <serverName|IP>" will do the same thing. Check the ? command to
> > > > see other commands. Note: -type=a would be redundant since it's the
> > > > default query type assumed and obviously -type=mx could be useful in the
> > > > email world as well.
> > > >
> > > > ~JasonG
> > > >
> > > > --
> > > >
> > > > ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~
> > > > ~ http://www.sunbeltsoftware.com/Ninja ~
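The two "wacky things" and the "loop over a whole block of IPs" idea from the quoted HOWTO, worked up as a small audit script. This is an added example, not code from the thread or from anyone on the list: it builds the reversed in-addr.arpa query name (and, going beyond the post, the nibble-reversed ip6.arpa name for IPv6), parses the `name = host` lines that nslookup prints, and then does the check the post performs by hand for imo-d05.mx.aol.com, i.e. forward-confirmed reverse DNS: the PTR target's A/AAAA must contain the address you started from. The function names (`reverse_name`, `fcrdns_check`, `nslookup_ptr`, `live_addr`, `audit`) are my own; the stub zone is constructed so it runs offline, reusing only the one matching pair the 2009 post shows plus documentation addresses invented for the failure cases.

```python
"""Reverse-DNS audit helpers (added example, not from the thread): build the
in-addr.arpa / ip6.arpa query name, parse nslookup's PTR output, and run a
forward-confirmed reverse DNS (FCrDNS) check over a block of addresses."""
import ipaddress
import re
import socket
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

Lookup = Callable[[str], List[str]]  # name -> RRset data, [] when none


def reverse_name(ip: str) -> str:
    """Owner name whose PTR describes `ip` (what you type at the nslookup prompt).

    IPv4: octets reversed under in-addr.arpa (the post's two "wacky things").
    IPv6: the 32 hex nibbles of the expanded address reversed under ip6.arpa.
    Raises ValueError for non-addresses, so a stray hostname in an input list
    fails loudly instead of yielding a junk query name.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa"


_PTR_LINE = re.compile(r"\bname\s*=\s*(\S+)", re.IGNORECASE)


def parse_nslookup_ptr(output: str) -> List[str]:
    """Extract PTR targets from nslookup's '<rev>.in-addr.arpa name = host' lines."""
    return [m.group(1).rstrip(".") for m in _PTR_LINE.finditer(output)]


def nslookup_ptr(reverse: str, server: Optional[str] = None) -> List[str]:
    """Live: run `nslookup -type=ptr <reverse> [server]` as the post does.

    Argument list, not a shell string, so input can't inject shell syntax.
    Needs the nslookup binary and a network; the offline demo never calls it.
    """
    cmd = ["nslookup", "-type=ptr", reverse] + ([server] if server else [])
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    return parse_nslookup_ptr(proc.stdout)


def live_addr(name: str) -> List[str]:
    """Live A/AAAA lookup through the OS resolver (needs a network)."""
    try:
        return sorted({i[4][0].split("%")[0] for i in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns_check(ip: str, ptr_lookup: Lookup, addr_lookup: Lookup) -> str:
    """FCrDNS for one address: PTR -> hostname -> A/AAAA must include `ip`.

    Returns "no-ptr", "ptr-unresolvable", "mismatch" or "confirmed"; only the
    last is the post's "ducks in a row".  Every PTR target is tried.
    """
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(reverse_name(ip))
    if not names:
        return "no-ptr"
    resolved_any = False
    for name in names:
        forward = addr_lookup(name.rstrip(".").lower())
        if not forward:
            continue
        resolved_any = True
        if any(ipaddress.ip_address(f) == addr for f in forward):
            return "confirmed"
    return "mismatch" if resolved_any else "ptr-unresolvable"


# Constructed stub zone so the audit runs offline.  The 205.188.157.37 /
# imo-d05.mx.aol.com pair is the matching pair the 2009 post shows (not
# re-checked here); the 203.0.113.0/24 and 2001:db8::/32 entries are
# documentation addresses invented to exercise each failure mode.
STUB_PTR: Dict[str, List[str]] = {
    "37.157.188.205.in-addr.arpa": ["imo-d05.mx.aol.com"],
    "9.113.0.203.in-addr.arpa": ["mail.example.net"],    # forward disagrees
    "11.113.0.203.in-addr.arpa": ["ghost.example.net"],  # name has no A
    reverse_name("2001:db8::25"): ["mx.example.org"],    # IPv6, confirmed
}
STUB_ADDR: Dict[str, List[str]] = {
    "imo-d05.mx.aol.com": ["205.188.157.37"],
    "mail.example.net": ["203.0.113.10"],  # PTR said .9
    "mx.example.org": ["2001:db8::25"],
}


def audit(ips: Iterable[str], ptr_lookup: Optional[Lookup] = None,
          addr_lookup: Optional[Lookup] = None) -> Dict[str, str]:
    """Loop over a block of addresses (the batch-file idea) and report each
    one's FCrDNS status.  Defaults to the stub; pass nslookup_ptr and
    live_addr to audit address space you actually own."""
    ptr_lookup = ptr_lookup or (lambda n: STUB_PTR.get(n.lower(), []))
    addr_lookup = addr_lookup or (lambda n: STUB_ADDR.get(n.lower(), []))
    return {ip: fcrdns_check(ip, ptr_lookup, addr_lookup) for ip in ips}


if __name__ == "__main__":
    block = ["205.188.157.37", "2001:db8::25"]
    block += [str(h) for h in ipaddress.ip_network("203.0.113.8/29").hosts()]
    for ip, status in audit(block).items():
        print(f"{ip:<16} {reverse_name(ip):<50} {status}")
```

The four statuses are deliberately distinct because they point at different owners: "no-ptr" and "ptr-unresolvable" are usually the ISP's or the reverse-zone operator's problem, while "mismatch" is the forward zone (yours) disagreeing with the reverse zone, which is the case receiving mail servers tend to score against. Against live DNS, `audit(block, nslookup_ptr, live_addr)` is the scripted form of the `nslookup -type=ptr ... dns-01.ns.aol.com` one-liner in the post.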