- DNS query tools
- Network Scanning Tools
- Process interrogation tools
- Section Summary
DNS query tools
In the upper layers of the TCP/IP model, especially at the Application layer, it's important to understand how name resolution works. DNS query tools let you check whether a domain name is correctly associated with an IP address, and also help diagnose DNS server issues such as misconfiguration, propagation delays, or unavailability. These tools are essential for any network administrator or any user wanting a deeper understanding of DNS exchanges in an IP environment.
The nslookup command
The simplest DNS query tool is nslookup. It sends a query to a DNS server and returns the IP address associated with a domain name (or vice versa). By default, it queries the system's configured DNS server, but you can also specify a server directly in the command.
Example of a direct lookup:
nslookup mydmn.org
Querying a specific DNS server:
nslookup mydmn.org 192.6.23.4
The request asks the DNS server at 192.6.23.4 to resolve the name mydmn.org. This is particularly useful to check if a given DNS server recognizes a domain name or to verify that the server is working properly.
The dig command
dig (Domain Information Groper) is a more modern, complete, and flexible tool than nslookup. It supports complex queries and provides detailed information about the resolution process, the hierarchy of servers involved, the type of record returned (A, AAAA, MX, TXT, etc.), and any errors encountered.
Basic query example:
dig mydmn.org
Querying a specific DNS server:
dig @192.6.23.4 mydmn.org
This command checks the availability of a DNS record on a given server.
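To make concrete what nslookup and dig actually put on the wire and what the "status", "flags" and ANSWER fields of a dig response mean, here is an added Python example (not part of the course material). It builds a standard recursive query for an A record and parses a response; the response bytes are constructed inline rather than captured from a real server, and the transaction id 0x1234 and the answer 192.6.23.4 are sample values. The same parser works on raw bytes received from a UDP socket on port 53.

```python
# Added example (not from the course): build a DNS query the way dig/nslookup do and
# parse a response, to see what the flags, status and ANSWER fields in dig output mean.
import random
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'mydmn.org' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=None):
    """Standard query with the RD (recursion desired) flag: 12-byte header + one question."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just after the name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return the status, header flags and answer records of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    result = {
        "id": txid,
        "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [f for f, bit in (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
                                   ("rd", 0x0100), ("ra", 0x0080)) if flags & bit],
        "answers": [],
    }
    offset = 12
    for _ in range(qd):                           # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4                               # QTYPE + QCLASS
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:                            # A: four address bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                     # NS / CNAME: a (possibly compressed) name
            value, _ = decode_name(data, offset - rdlen)
        else:
            value = rdata.hex()
        result["answers"].append((owner, ttl, QTYPE_NAMES.get(rtype, str(rtype)), value))
    return result


# Constructed response (not a real capture): id 0x1234, flags QR|RD|RA, NOERROR,
# the echoed question, and one A answer for mydmn.org -> 192.6.23.4 with TTL 300.
# The owner name of the answer is a compression pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("mydmn.org") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 6, 23, 4])
)

if __name__ == "__main__":
    print(build_query("mydmn.org", "A", 0x1234).hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The `status` and `flags` values are the same ones dig prints in its header line; a missing `aa` flag tells you the answer came from a resolver's cache rather than an authoritative server, and a `tc` flag means the answer was truncated and a TCP retry is needed.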
One of dig's key advantages is that it shows the details of the DNS response, making it very useful for diagnosing configuration errors.
Manual configuration of DNS resolvers
Sometimes it's necessary to override the DNS servers used locally, for example in test environments or to force the use of specific servers. This can be done by editing the /etc/resolv.conf file, which defines the system's DNS resolution settings.
Example configuration:
vi /etc/resolv.conf
search mydmn.org
nameserver 192.168.1.10
nameserver 192.168.1.11
- The search field specifies a domain to append automatically when resolving short names.
- The nameserver entries define the DNS servers to use, in order of priority.
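The following added Python example (not from the course) parses a resolv.conf-style text and shows the order in which the stub resolver tries names once a search list is set. The sample text is constructed to mirror the configuration above; the ndots rule it implements is the glibc one (default ndots:1), and the note that only the first three nameserver lines are used is also glibc behaviour.

```python
# Added example (not from the course): parse resolv.conf and show how the
# search list and ndots option change what the resolver actually looks up.
import ipaddress

# Constructed sample mirroring the course's /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
search mydmn.org
nameserver 192.168.1.10
nameserver 192.168.1.11
"""


def parse_resolv_conf(text):
    """Return nameservers, search list and ndots from resolv.conf text."""
    conf = {"nameservers": [], "search": [], "ndots": 1}   # glibc default: ndots:1
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # strip both comment styles
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            # ip_address() rejects typos such as a missing octet instead of silently ignoring them
            conf["nameservers"].append(str(ipaddress.ip_address(args[0])))
        elif key in ("search", "domain"):
            conf["search"] = args              # the last search/domain line wins, as in glibc
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf["ndots"] = int(opt.split(":", 1)[1])
    # glibc only uses the first three nameserver entries (MAXNS); warn rather than hide it
    if len(conf["nameservers"]) > 3:
        conf["ignored_nameservers"] = conf["nameservers"][3:]
    return conf


def candidate_names(name, conf):
    """Order in which the resolver tries a name, following the glibc search/ndots rule."""
    if name.endswith("."):
        return [name]                          # a trailing dot makes the name absolute
    absolute = name + "."
    with_suffix = [f"{name}.{domain}." for domain in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        return [absolute] + with_suffix        # enough dots: try the name as given first
    return with_suffix + [absolute]            # short name: search domains first


if __name__ == "__main__":
    conf = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print(conf)
    for query in ("www", "www.example.com", "www.example.com."):
        print(query, "->", candidate_names(query, conf))
```

The second rule is the one that matters operationally: a lookup for `www.example.com` that fails on the real domain is retried as `www.example.com.mydmn.org.`, so every typo costs an extra round trip to the internal zone, and a name that happens to exist there is answered from it.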
On many modern distributions (especially those using systemd-resolved), changes to /etc/resolv.conf are temporary and may be overwritten at reboot or network reconnection. More permanent methods include using resolvconf, systemd-resolved, or modifying NetworkManager configurations.
The host command
Another simple but effective DNS tool is host. It resolves domain names into IP addresses (or the reverse) and can help diagnose DNS failures or misconfigurations on a network interface.
Examples:
host mydmn.org
Reverse lookup:
host 192.6.23.4
host is particularly handy for quick checks, especially when used in command-line scripts.
Repeated or intensive queries to third-party DNS servers without permission may be interpreted as intrusion attempts or malicious activity. Used improperly, or against networks you don't control, these commands can resemble reconnaissance scans, which are often a first step in an attack. Always restrict their use to environments you administer or where you have explicit authorization.
Network Scanning Tools
When monitoring or securing a local or wide area network, it's crucial to identify active devices and the services they expose. This is exactly what the nmap (Network Mapper) tool does.
Introducing nmap
nmap allows targeted scanning of one or more hosts to detect open ports, available services (HTTP, SSH, DNS, etc.), and sometimes even the type of operating system in use. Thanks to its many options, nmap provides a precise overview of a network's exposure surface, which is essential during auditing or hardening phases of infrastructure management.
Just like the host command, nmap must never be used on networks or infrastructures you don't own, or without explicit authorization. Unauthorized port scans can be flagged as malicious reconnaissance attempts, are often detected by security systems (firewalls, IDS/IPS), and can even lead to legal consequences.
Basic use
To scan a specific host and view its open ports:
nmap 192.168.0.1
This command scans the 1000 most common ports on host 192.168.0.1 and displays the services detected and the protocols used. If DNS resolution is configured, you can also use the hostname instead of the IP address.
Complete network scan
One of nmap's advantages is its ability to scan an entire range of addresses with a single command. This makes it easy, for example, to quickly inventory all active machines on a network:
nmap 192.168.0.0/24
In this case, all hosts in the range 192.168.0.0 to 192.168.0.255 will be queried. For each IP address, the results list the open ports, their status (open, filtered, etc.), and, when possible, the name of the corresponding service.
An administrator can rely on nmap for several tasks:
- Detecting active hosts: identify which machines respond within a subnet;
- Service inventory: ensure only the necessary ports are accessible (principle of least privilege);
- Compliance check: compare open ports against the organization's security policy;
- Vulnerability prevention: spot insecure or outdated services running on critical machines.
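The service-inventory and compliance-check tasks above amount to "scan, then compare the open ports with the policy". The added Python example below (not from the course and not nmap's own code) does exactly that with a plain TCP connect() probe, which is what nmap performs when run without root privileges (its -sT scan; as root it defaults to a SYN scan instead). The three states it reports map onto nmap's open/closed/filtered: handshake completed, connection refused, or no answer within the timeout. To stay runnable offline, the demo starts its own listener on an ephemeral loopback port and scans only 127.0.0.1; the allowlist it checks against is a constructed policy.

```python
# Added example (not from the course or nmap): a TCP connect() probe of the kind
# "nmap -sT" performs, restricted here to 127.0.0.1, plus a comparison of the
# open ports against an allowlist, as in the service-inventory task above.
import socket
from contextlib import closing


def probe_tcp_port(host, port, timeout=0.5):
    """open = handshake completed, closed = refused (RST), filtered = no answer (dropped)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan_ports(host, ports, timeout=0.5):
    """Probe each port in turn; returns {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def compliance_report(scan, allowed_ports):
    """Open ports absent from the policy are findings; sanctioned ports that are not open are too."""
    unexpected = sorted(p for p, state in scan.items() if state == "open" and p not in allowed_ports)
    missing = sorted(p for p in allowed_ports if scan.get(p) != "open")
    return {"unexpected_open": unexpected, "expected_but_not_open": missing}


def demo_localhost():
    """Start one loopback listener, scan it plus a port nobody listens on, and report."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the kernel pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve and immediately release a second ephemeral port so that nothing listens on it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        scan = scan_ports("127.0.0.1", [open_port, closed_port])
        # Constructed policy: only closed_port is sanctioned (a service that should be up),
        # so the listener on open_port must be flagged as an unexpected exposure.
        report = compliance_report(scan, allowed_ports={closed_port})
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan, "report": report}


if __name__ == "__main__":
    result = demo_localhost()
    for port, state in result["scan"].items():
        print(f"127.0.0.1:{port} {state}")
    print(result["report"])
```

A connect() probe completes the handshake, so the target service logs a connection and an IDS sees a full session; that is also why an authorized scan of your own hosts should be scheduled and announced to the people reading those logs.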
Process interrogation tools
For in-depth analysis of active processes and open files, especially in a networking context, Linux administrators often turn to the lsof (List Open Files) command. Despite its name, lsof is not limited to traditional files: on UNIX systems, everything is considered a file, including network sockets, devices, and communication channels.
This tool therefore provides a cross-sectional view of the system by correlating active processes, open network ports, accessed files, and the users involved.
Network analysis with lsof
The -i option restricts the output to network connections (TCP, UDP, IPv4, or IPv6). This makes it easy to see which processes are communicating over the network:
lsof -i
This command lists all running processes using a network socket, showing the port in use, protocol (TCP/UDP), connection state, as well as the PID and associated user.
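The listing above is most useful when it is turned into an inventory: which ports are in LISTEN state, which of those the policy allows, and which user and PID own each socket. The added Python example below (not from the course or the lsof project) parses output in the format of `lsof -i -n -P` (the -n and -P flags keep addresses and ports numeric, which makes the text stable to parse) into records and runs those checks. The sample lines are constructed, not captured from a real host. It also models the rule lsof applies when several selection options such as -p and -u are combined: they are ORed by default and only ANDed when -a is given, which is the behaviour the later `lsof -i -a -p 1521` and `lsof -p 1521 -u 500,phil` commands depend on.

```python
# Added example (not from the course or lsof): parse "lsof -i -n -P" output into
# records and run the inventory checks an administrator makes on them.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of "lsof -i -n -P" (not a real capture).
SAMPLE_LSOF_I = """\
COMMAND   PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812    root    3u  IPv4  18342      0t0  TCP *:22 (LISTEN)
postfix  1521 postfix   13u  IPv4  20123      0t0  TCP 192.168.2.5:25->192.168.2.1:51322 (ESTABLISHED)
python3  4410    phil    3u  IPv4  33210      0t0  TCP *:8080 (LISTEN)
chronyd   700  chrony    5u  IPv4  14001      0t0  UDP 127.0.0.1:323
"""


@dataclass
class NetSocket:
    command: str
    pid: int
    user: str
    proto: str             # TCP or UDP (lsof's NODE column)
    local_host: str        # "*" means all interfaces
    local_port: Optional[int]
    remote: Optional[str]  # "host:port" for connected sockets, else None
    state: Optional[str]   # LISTEN, ESTABLISHED, ... (TCP only)


def split_endpoint(endpoint):
    """'192.168.2.5:25', '*:22' or '[::1]:53' -> (host, port or None for '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_lsof_i(text):
    """Turn the nine whitespace-separated columns of lsof -i into NetSocket records."""
    sockets = []
    for line in text.splitlines()[1:]:            # the first line is the column header
        if not line.strip():
            continue
        cmd, pid, user, _fd, _type, _dev, _size, node, name = line.split(None, 8)
        match = re.match(r"(\S+)(?:\s+\((\w+)\))?$", name)   # "addr[->addr] (STATE)"
        if not match:
            continue
        endpoints, state = match.groups()
        local, _, remote = endpoints.partition("->")
        host, port = split_endpoint(local)
        sockets.append(NetSocket(cmd, int(pid), user, node, host, port, remote or None, state))
    return sockets


def listening_ports(sockets):
    """Ports with a LISTEN socket: the host's exposed TCP services."""
    return sorted({s.local_port for s in sockets if s.state == "LISTEN"})


def unexpected_listeners(sockets, allowed_ports):
    """LISTEN sockets on ports the policy does not sanction (the least-privilege check)."""
    return [s for s in sockets if s.state == "LISTEN" and s.local_port not in allowed_ports]


def select(sockets, pid=None, user=None, intersect=False):
    """lsof ORs its selection options (-p, -u, ...) unless -a is given; intersect=True models -a."""
    tests = []
    if pid is not None:
        tests.append(lambda s: s.pid == pid)
    if user is not None:
        tests.append(lambda s: s.user == user)
    if not tests:
        return list(sockets)
    combine = all if intersect else any
    return [s for s in sockets if combine(test(s) for test in tests)]


if __name__ == "__main__":
    socks = parse_lsof_i(SAMPLE_LSOF_I)
    print("listening ports:", listening_ports(socks))
    for s in unexpected_listeners(socks, allowed_ports={22}):
        print(f"unexpected listener: {s.command} (pid {s.pid}, user {s.user}) on port {s.local_port}")
    print("pid 1521 OR user phil:", [s.command for s in select(socks, pid=1521, user="phil")])
    print("pid 1521 AND user phil:", [s.command for s in select(socks, pid=1521, user="phil", intersect=True)])
```

Run over real output, the `unexpected_listeners` check is the one to put in a scheduled job: a new LISTEN socket owned by an ordinary user is exactly the kind of change that should be explained before it is accepted.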
Filtering by IP address or port
You can refine searches by specifying an IP address and a port, isolating a particular network flow. For example, to check an SMTP session (port 25) with a specific host:
lsof -n -i @192.168.2.1:25
This will display only active network connections with host 192.168.2.1 on port 25, useful for diagnosing suspicious activity or SMTP flow issues.
Device access tracking
Another strength of lsof is tracking special files such as disk partitions. For instance, to check which processes have opened files on /dev/sda1:
lsof /dev/sda1
This is handy when an unmount attempt fails because the device is still in use, or when investigating which applications are accessing a partition.
Cross-analysis: process and network
Options can be combined for precise insights. For example, to see all network ports opened by a process with PID 1521:
lsof -i -a -p 1521
The -a option intersects criteria (-i and -p), restricting the output to only network connections of that process.
Multi-user tracking
lsof can also be used to analyze activity by specific users, listing all the files they've opened, optionally filtered by PID:
lsof -p 1521 -u 500,phil
This shows the files or network connections used by user phil or UID 500, limited to process 1521.
Section Summary
In this final section, we've explored a wide range of indispensable tools for diagnosing, analyzing, and administering computer networks. Structured around the layers of the TCP/IP model, this study not only clarifies how network communications work but also establishes a rigorous methodology for identifying, isolating, and resolving potential issues.
These tools give administrators a coherent set of technical levers to monitor network health, analyze traffic, audit connections and quickly intervene on faulty equipment or services.
Network Access Layer
Tools providing direct visibility into interfaces and frames:
- arp / ip neigh: inspect and modify the ARP/NDP cache to check or correct IP-MAC associations;
- tcpdump: command-line packet capture, filterable and exportable;
- Wireshark: graphical packet analysis with deep protocol decoding;
- ethtool: query and adjust Ethernet card physical parameters (speed, duplex, WoL, etc.).
Network layer
Tools for assessing IP connectivity, routing, and packet traffic:
- ping: test reachability and measure latency with ICMP;
- ip route: inspect and modify the routing table to control packet paths;
- traceroute: hop-by-hop identification of routers along the route to a destination;
- ss: detailed inventory of TCP/UDP sockets and associated processes (successor to netstat).
Transport and Application layers
Tools for diagnosing services and processes:
- nslookup / dig / host: DNS queries to validate name resolution and analyze records;
- nmap: explore open ports and exposed services to assess attack surface;
- lsof: list files and sockets opened by processes, correlating system and network activity.
Mastering these tools, each aligned with a specific stage of the TCP/IP model, enables a methodical approach: starting from the physical layer, moving through routing, and up to application services. This chain of expertise equips administrators to diagnose, secure and optimize their infrastructure, ensuring both network performance and availability.
Quiz
Where are DNS servers usually configured on a Linux system?
