At the Internet era, the computer's safe operation is no longer limited to a single system. In the face of attacks and illegal intruders, the "detective" work of the network manager is always in-depth in "Digital Matrix". In these "detective" work, we usually use monitoring software to collect system information, and these softwares are mostly integrated into advanced operating systems. However, some Internet protocols depend on by these software are not very "sturdy", often unable to provide powerful authentication of the information transfer (such as the Email service, using simple text-based protocols), which leads to the investigation work complicated. Therefore, the better the inherent protocols and related procedures, the more accurate evaluation of Internet information and address legality. This article will detaract the relevant protocols and procedures from multiple aspects to help "detective" more accurate, more comprehensive positioning goals, and effectively defend network security!
First, a must know the basic framework of the INTERNET
To become an excellent network detective, you need to have a thorough understanding of the Internet protocol. The following text may appear to talk to the old man, but I think it will have new inspiration as the most basic roots, whenever they revisit.
1, the basic concepts and origins of TCP / IP
Internet and many private networks are running TCP / IP protocol, namely the transmission control protocol and internet protocol. In fact, TCP / IP is a short-related form of related network protocols. It has been developing since the late 1960s, and it is still expanding today. A more accurate TCP / IP is an Internet protocol, which is a set of communication agreements, and a device must follow these agreements to participate in the Internet home. TCP / IP does not particularly target a single operating system, programming language or network hardware, which is a set of opportunities, MACS systems, Windows systems, UNIX systems, and routers, switches, and hosts can use it to communicate with each other. . Moreover, TCP / IP can also be able to use it for certain network topology, Ethernet, token and wireless networks. But remember: It is this characteristic of this "Wanjin" to become the innate advantage of computer crime. The seven-layer network reference model of open system interconnection (OSI) is very familiar with network administrators. The following figure shows the relationship between OSI and TCP / IP:
OSI model diagram
The original seven-layer model is an abstract concept and is not applied to any technique at the time, especially if there is a Internet protocol applied to the germination state, for example, the exact name of the Internet service and protocol has many controversies, especially the session layer. (Session) and representation. However, technology is constantly developing, and the Internet protocol has also been constantly improving. It seems that the services supported in these layers are like the buildings that are grouped with a housing, a stack in the other. To become a good respondent, you must understand the levels where the relevant data is in the accumulated service.
2, MAC address and IP address
Each NIC has a unique MAC address, which was imprisoned in front of the network card. The MAC address enables all devices on a network segment to reference each other. In the network layer, the communication data belongs to which device belongs to the MAC address, because the MAC address is merged in a large block of packets. Since the device on the Internet is completely impossible to reference devices other than its network segment through the MAC address, you must establish a new reference method, which is the IP address. An IP address is a sequence consisting of four 0-255 ranges, and the intermediate is divided, such as 192.188.18.18. Some IP addresses or some IP addresses are reserved for special purposes. E.g:
* Represents a network address at 0, such as 192.168.0.0 * represents a broadcast address in the IP address ending at 255, such as 192.168.0.255 from 192.168.0.0 to 192.168.255.255 IP addresses belonging to private address, special For enterprise internal networks, it cannot be used to connect directly to other businesses or Internet. When tracking intruders, if you find an address within this range, you don't look at it all, please take the quarter to the inside, because the enemy is likely to come from private networks. One thing note: Everyone generally believes that the MAC address can never be changed. But in fact, the sea will, the stone will be broken, the MAC address can also be modified, for example, in the UNIX system, you can perform a modification of the MAC address through the ifconfig command. Be careful, it seems to be a lot discount.
3, component of IP address, assignment agency and allocation type
The Internet address contains two parts: network addresses and host addresses, which make up a world unique address. Two mutually incompatible private networks can use the same "private address space". Uniqueness of the address and the difference between the network and the host part in the address make the router know where the data is sent, and the smart router always assigns the data transmission route in the most advantageous manner. At this point, it is completely different from the public switched telephone network (PSTN). When you call, the PSTN swap device will establish a circuit from one end to the other and keep this circuit throughout the call. On the Internet, it seems that you have been using a circuit, but it is actually determined by the intermediate router via the intermediate router. The network part of the Internet address is in charge of IANA (Internet Assigned Numbers Authority) and assigned to each network owner, and the host part is assigned to each host and device by the network owner. The network may be run by an organization (commercial or government), or by the Internet Service Provider (ISP) to provide an Internet access service to its users. The IP address can be static or dynamically assigned. Computers with static IP addresses typically use the same IP address until it is manually changed to a new address. Using a static IP address is not conducive to the IP address information of multiple computers in an organization, because sometimes the gateway, DNS changes. Therefore, using DHCP, the dynamic host configuration protocol is increasingly common. When the user logs in to a network, the PC is automatically assigned a dynamic IP address and with other network information. For network administrators, DHCP has cleverly solves the trouble and confusion brought by the manual assignment of the address for the constant mobile Internet device. In fact, all ISPs use DHCP to assign addresses for their dial-up users, and many permanently connected home users also have dynamically allocated addresses when their cable modem is turned off and boot. DHCP has increased its application scope due to significant advantages, but the Rabbit three caves, one machine, DHCP increased the difficulty of computer case detection.
4, IP address guess
People who send spam always want to hide their true identity, with a means of adopting: use a forged response Email address, or contain confusing URL information. This URL information is neither a well-understood text, nor an IP address information such as 135.17.243.191, usually a 10-based integer of 256, such as http: // 2280853951. Such mysterious numbers are really confusing, but there is a fairly simple way to identify its true face, which Web site is displayed from spam. This trick is to execute the following command at the command line:
IP address guess
Hey, the corresponding IP address is clearly in the world. How simple!
5, ARP protocol
When communicating between devices on the same network segment, it does not directly use the IP address, but to translate IP addresses into a MAC address to actually "intimate contact". This translation process needs to query the ARP table to complete, this table is automatically generated by ARP (Address Resolution Protocol). Briefly, the basic function of the ARP protocol is through the IP address of the target device, query the MAC address of the target device, thereby ensuring the smooth progress of the communication. ARP is a member of a large background running network service, although it is not visible to most users, but it is necessary for the operation of the network. As can be seen from ARP, the computer in the network is very loved, and they constantly compare the information in the routing table, determine the status of the network and the existence of each other. 6, excellent network tools ping and what's up
Undoubtedly, the most common command of network administrator is ping, it is small but practical, called the Swiss army should not be too much. Ping uses the ICMP protocol (Internet Control Packet Protocol) From the source machine to the target machine to the target machine, when the target machine receives this packet, return a echo_reply (return reply) packet, so you can verify The connectivity between the two machines. In addition, Ping can also be used to determine the DNS name of the machine. But we have to clear, ping is a relatively easy exposure program, which is easy to identify the source machine address of the PING command. Therefore, don't pay more attention to the connection of the PING command to test the connectivity of the host, otherwise it will explain the trouble. If you want to continue check if a machine is "activated", you can use programs such as Whatsup Gold, which can automatically check the input IP addresses and determine if the particular service on a particular host is available in a predetermined time interval. Additional features include: Automatically found and produce a local area network connection diagram, monitor network equipment issues, including hosts, servers, routers, hubs, workstations, bridges, printers, and services and applications; When the problem, the administrator is automatically reminded by a variety of ways, including alert, 呼, email and telephone; generates audit reports for various network issues; monitoring various situations in browsers; found and repair network problems in a very short time . All in all, whatSUP is definitely a very powerful network kit.
Whatsup
Second, fully understand domain name service DNS
1, what is DNS?
The computer needs to communicate with each other, but because digital information is not easy to book, not easy to read, and not easy to enter significant disadvantages, people are more desirable to use the name to identify communication, and the domain name service DNS is thereby emerged. Internet DNS is a big global database that will be mapped to a corresponding digital IP address, and any node on the Internet can use it. This mapping process is called domain name analysis.
2, DNS allocation agencies and scope
The allocation of the domain name and related IP address range is controlled by ICANN (Internet Corporation for Assigned Names and Numbers), and the owner of each domain name is responsible for putting all host names and corresponding IP addresses to a name server. Name Server) to enable the outside world to resolve these names. Most name servers also support Reverse Lookups, namely, from the IP address to the domain name. Reverse lookups can be implemented as a simple but effective security measures, because by determining a related IP address attempting to invading the connection, it can be queried to its registration domain name, and the registration domain name has a significant meaning. In fact, a domain name server that supports a particular domain can resolve any IP address, which may not be distributed to the IP address range of the organization. For example, the owner of a domain can use other people's devices as the host of its Web site, at this time, this particular machine does not have a similar IP address similar to other machines located. This treatment has great flexibility, so that the machine can move between the network, so that the IP address of the ISP is changed without changing its domain name. 3, DNS utility
One useful network tool in the domain name is NSLookup, which can be used to handle domain names or reverse lookups, can be used on UNIX, WinNT, and Win2k systems. The following is the implementation in the Win2K operating system:
Nslookup
Whether to apply for a registration domain name or change the domain name to ISP or online service providers, all of the domains need to report the names, Email, etc. of the domain administrator. To get this information, you can execute the whois command on the server maintained by the Internet Named Keitigen. However, remember that WHOIS information is decorated with people who provide registration information, and their accuracy has not been verified, so please take this information carefully. There are a lot of ways to implement WHOIS, and many sites can implement whois on the web, such as http://www.samspade.org/ and http://www.netsol.com/cgi-bin/whois/whois:
Samspade
Netsol
After executing WHOIS, you can follow the reverse domain name lookup work to see what information it provides, and compares with the result of WHOIS output. The commands that complete the reverse lookup on the UNIX or Linux machine are NSLookup or Dig -x, which can be used on Windows, such as NetScantools Pro, using the network kit: Third, the address in the application is next to discuss the problem about the application address. . Internet software such as Email, Web browser, OICQ, and IRC has its own dedicated address information. For example, when sending email, you need to know the username and domain names, such as god@heaven.com. There is also a URL address that is exposed every day, which contains two parts of the domain name and private program information, such as http://www.mynet.com/myservices, which provides three types of information: "http: //" is expressed The application used by the application, that is, hypertext transmission protocol http; "http://www.mynet.com/" represents a specific IP address; "Services" represents a particular page. 4. It is best to keep in mind when using ping and general scanning tools to perform probes: Even if it is a computer hacker just started to be aware of his machine in an investigation. Smart attackers will always try to cover their own footprints and will reverse whether someone is tracking them. Moreover, they will carefully monitor the system they control and observe if there is no pleasure. If the purpose is to track and capture the prey, do not bomb the suspect's equipment, especially if those machines that can be easily parsed. In general, monitoring technology is divided into active and passive. Ping and Tracert are active and cannot conceal the scan object. But even so, we can also take an indirect way to implement concealment purposes, such as implementing probes from systems with no obvious contact with the company. A specific example is: When investigating, set the PC network configuration as DHCP, and then log in to ISP, which is detached from the network. 5. Detailed disclosure of dial-up network current, dial-up online or main Internet access means, but few people really understand what happened from starting dial-up to connection success. Therefore, it is necessary to understand the specific details of the dial-up Internet access for management and probe. Below is a typical Internet dial-up network flow chart: dialing process diagram
When using MODEM dials to an ISP, the 3rd layer protocol is generally used, that is, point-to-point protocol PPP. And the chart of this article, it can be seen that PPP replaces IP in the case of dial-up connection. Connecting is not automatic, when a connection attempt occurs, first is a user-end MODEM with an MODEM in the ISP POP (local dialing device), then connect the latter directly to a dial-up router, dial the router prompt the user to enter the login name And password, after correct, this router allocates a PPP connection and an IP address. This IP address is almost always linked to a DNS name such as ppp188.mycity.myisp.com, allowing reverse search. An ISP may have hundreds of POP distribution in the world, requiring each dial-up router to maintain a list of all users and their encryption passwords. Therefore, there must be a centralized directory containing this list. This list is generally referred to as the RADIUS server, identifying the protocol between the dial-up router and the centralized user directory is called the RADIUS protocol. In addition to identification, RADIUS can also be used for accounting. Typically, the records held by the RADIUS server can be used to track intruders, and it is the only ISP device, so it is very important for the investigation! The recorded contents include: * Each time login attempt, whether it is successful login or failed login * Related information each time the logoff or session ends. This information helps the ISP tracking time
The IP address allocated in each session and the login ID name, the phone number. This way ISP can determine which IP address is using which IP address is used on a certain time. However, please note that the login user name information here can only be referred to, as computer crimes stealing the username and password incidents. Radius's accounting function is not strong enough to exceed your imagination! Moreover, ISP generally retains the RADIUS record information at least one month or even a year, so, unless the means is very high, no one is tried! 6. Email Insider Dialect Email is the origin of the Unix system before the Internet, which has the following basic characteristics:
* Simple Internet Application Protocol * "Storage-Forward" mechanism allows information to be composed of a series of media intercourse * The information body is completely composed of printable characters, and is 7 bits of non-8 * information heads, The path between the sender and the recipient
Now, not only normal email applications are getting wider, and spam, malicious emails are also flooded. Therefore, it is important to understand each detail of Email to track attackers.
1. Several Email's implementation agreements and workflows
Email client software such as Outlook Express, EUDORA or THE_BAT! At work, you usually have to deal with two different servers, one for sending emails called STMP servers, and the other for collecting mail called POP servers. When collecting Email, client software typically contacts one of the following three protocols:
* Post Office Protocol POP (Post Office Protocol) * Internet Mail Access Protocol IMAP (Internet Mail Access Protocol) * MAPI (Microsoft's Mail API)
For network detectors, knowing which protocol to use is not important from server collection information, it is important to understand how these protocols are stored in how to control mail information. Let's take a look at the following table:
Comparison of various email protocols
Typically, all receiving messages are originally stored on a mail server, then the mail server is classified into each mailbox according to the email address. Users using the POP protocol can choose to download the mail copy from the server, or automatically delete the original after selecting the download, so that you have read or saved to the computer where the Email client software is located. Users who use IMAP protocols and MAPI protocols can choose to keep all messages on the mail server, which also brings two advantages: administrators can back up all Email from a central location; users can A PC accesss your own mailbox. 2, SMTP and MTAS
Use the simple mail transfer protocol SMTP when sending Email. At first, the use of SMTP services does not require additional authentication, but as spamcomes, the current SMTP service is in line with the POP service that receives Email, and the authentication is required to refuse the mail forwarding of non-local address. Please see the mail customer software THE_BAT! About SMTP verification settings:
Advanced SMTP option
Receive mail and transfer it to other mail servers called Mail Transfer Agents MTAS, which also uses SMTP protocols. In general, we can learn the name of its SMTP server from the public information of ISP, this name is similar to SMTP.MYNET.com. The SMTP server is responsible for passing the mail to the destination. If the message is sent to the local user, it is placed directly into the user's mailbox, otherwise, the message is continued according to a set of rules. SMTP is a very simple protocol, like many Internet protocols such as HTTP, contains some simple text-based commands. Therefore, the primary attacker only needs to log in to the SMTP server default port 25 through the Telnet command. For fake sources and return addresses in the Email information header, you can simply produce malicious email.
Run Telnet Access MailServer
Moreover, more convenient is that there is now many ready-made tools to hide the real address to send spam. In addition, the mail sent by the SMTP protocol does not have a strong authentication function. If you do not use a digital signature without using the PGP or S / MUIME (Secure Multipurpose Internet Mail Extension) technology, a message can be Letter will be great!
3, forgery for mail
Below is an example, how simple is in an Internet mail message, and the premise provided is to install SMTP services on a UNIX machine, we use Telnet to generate emails. Note that the black body in the following steps represents the actual output result:
Telnet Access Mail Server Response Information
After performing the above command, you will get the following email:
MailResult
It can be seen that the false FROM information TESWT@test.com is nothing else! Compared with the forged delivery address (from), the identification information related to the message header is relatively difficult to make. For example, the following message header information is truly indicated by the message sent from 208.164.95.173:
Real sender email header information
When the message is forwarded by the relay host, the host's IP address is also increased to the information head. If you want to know which computers from the message, the best way is to check all the paths that appear in the mail expansion information.
Mail information header content
WEB-based Email transmission and reception is increasingly popular, which has convenient way to accommodate anytime, anywhere, it also enables computer criminals to easily hide their identity, because in general, email sent in this way does not have special personal information. But there is a good news, some free Web Mail service providers have started to include the sender's IP address in the mail message header. 4, email, where did you come from?
To investigate a case involving Email, the "secret" in the Email information head must be deciphered. The information head seems to be messy, but once the work principle of SMTP is understood, it will soon understand the meaning of SMTP. How to view the file head? Taking the client mail program I have been using THE_BAT! Take an example, open an email, then select "RFC-822 Headers" in the View menu to display the file header content:
Show mail header information
The content of the information head is very rich, it is simply "underground treasure"! From this, we can see the sender, recipient, send time, receive time, send place, receive location, and via server address, etc.
Mail header information
The most important clues in the file head are located at the beginning of the position, which is "Received: from ...", which indicates which computer is originally derived from. In addition, multiple "received: from ..." information lines indicate that this message has passed multiple relay servers because each SMTP server receives a message, and then forwards a "received" information after the message header is forwarded. Mail to the next address. Please note: In the many contents of the file header, in addition to the first "Received: from ...", other other fake, verify that they can only rely on our flames! Let's take a look at a mail file header information, which is taken from the Microsoft Outlook Express mail program:
Analyze mail header information
Please note the information header of the two arrows pointed over the figure, we see the domain name "Monmouth.com" in the last "ReceiveD" "Test.org" in "wind" is inconsistent, thereby speculating Either the user is incorrectly configured from information, or you want to hide its true identity. At this time, we can perform a nslookup operation on each domain, especially the initial domain on behalf of the name, which is the field in the last "ReceiveD". The purpose is to see if they really exist. Then perform WHOIS work on these domains to see who its administrator is in further relationship. But please leave your eyes, if the administrator is the initiator of the counterfeit or illegal mail, then he will not work together.
5, retain the case
About the inside of the message, there is a thing that must be mentioned. If you need you to help email victims, you can't visit the victim to get the original information from personally, you can send you the original information copy of the victim email to you in the form of an email. Remember, must be an attachment form, and if it is just a simple forwarding, it will be doped into many unnecessary content. Moreover, to tell the victim, when you encounter Moming Mail to invade, don't panic, don't rashly delete, keep the scene is the most important!
6, SMTP server log
The ISP email server has logging, which is more reliable than mail information headers from the client mail program, plus the RADIUS log and phone record, which can be said: With the help of ISP, detection Email's criminal case is very simple! Seven, the sword is not old NetBIOS
1, NetBIOS concept and role
For historical reasons, computers running a Windows operating system often communicate with NetBIOS protocols. The NetBIOS protocol is only available for LAN LAN, but it has now been extended to run on TCP / IP, allowing an organization to provide Windows files and print shared services on WAN WANs. It can be said that Netbios is a treasure knife, and it has glow in the "new society". TCP / IP attribute NetBIOS
2, NetBIOS utility nbtstat
For administrators, a frequent job is to determine if there is a user who uses the NetBIOS protocol on the network, further detecting its machine name, IP address, etc. At this time, the NBTSTAT command is the most suitable. This command is primarily used to use NBT (ie TCP / IP's NetBIOS) display protocol and current TCP / IP connection, and only after the TCP / IP protocol is installed. Now, NBTSTAT has become a standard built-in component of the Windows platform. After the system is installed, you can run directly on the command line status. In addition, NBTSTAT also expands to the Linux world, the following is the NBTSTAT package under the Linux system: http://razor.bindview.com/tools/files/nbtstattattattat.tar.gz. Because NBTSTAT is so important, network detectors should be familiar with all of its functions. Below we use the Windows system as an example, list the main features of the nbtstat command:
* Nbtstat -a ipaddress: Using the IP address to know the name table of the PC (Name Table) * nbtstat -a pcName: Based on the computer name * nbtstat -c: Enume the NetBIOS name buffer content, contain IP address information
NBTSTAT-C
* NBTSTAT-N: Enumeral NetBIOS Name * nbtstat -r: Enumeral NetBIOS Name Resolution and Registration Status
NBTSTAT-R
* NBTSTAT -R: Clear and reload NetBIOS name cache * nbtstat -s ipaddress: Replace the session information of this unit and target IP address
NBTSTAT-S
* Nbtstat -s: Enumerally listing the session information connected to this machine and attempts to convert the IP address of the remote computer to the host name. * NBTSTAT -A PCNAME INTERVAL: Follow the interval time interval (in seconds) refresh display statistics, press CTRL C to stop displaying the exit program.
If this parameter is omitted, NBTSTAT prints only the relevant statistics.
NBTSTAT_INTERVAL
3, NBTSTAT application example
If you have a user log in to a Windows system field, you can get the output information similar to the following picture when we perform the nbtstat command to his PC:
NBTSTAT output results analysis
As you can see, NBTSTAT's output information is very rich, including machine name, computer login domain name, log in to the username or even machine MAC addresses. Since the MAC address is generally unique, it is a very good evidence after doubting a computer, its MAC address is a very good evidence. In addition, because the NBTSTAT command is issued as a UDP (User Data Ravel Agreement) request, most firewall products in the default state are outside the door of the UDP request, so NBTSTAT is usually applied to the internal network. When you find that the Ping an address is OK, NBTSTAT is also the same address to return "no host", you probably not feel confused! (Ping is used by ICMP protocol) Eight, more commercial software has a very good business software available for many commands that need to be manually implemented. The following classification. 1, network search and positioning tools
There are many tools, such as NEOTRACE, and Netscan mentioned earlier, both contain many tracking functions, which are completely competent. Moreover, NEOTRACE also automatically displays its geographical location on a world map based on the input IP address or domain information: Routing information from this unit to the destination:
NEOTRACE_1
NEOTRACE_2
It is recommended that the network detective is good to taste NEOTRACE, very practical, very interesting.
2, Netbios Tools Essential NetTools
On the network formed by Microsoft Windows operating system, you cannot support the NetBIOS protocol. Essential NetTools is a very good network kit that replaces the original text mode by replacing the original text mode, used to analyze and monitor network online status on your computer:
Essential_netTools
The main features of Essential NetTools include:
* NBSCAN: Execute the nbtstat -a ipaddress command in a sequence of IP address range to search on a computer that shares resources on the network.
Essential_nbscan
* Natshell: It is a NAT (NetBIOS Audit Tool) with a good user interface.
Essential_natshell
* NetStat: Displays all the network connections connected to the computer and monitors external connections to using the computer shared resource.
Essential_NetStat
3, WHOIS tool SmartWhois
More famous in the WHOIS tool is SmartWhois10, which automatically queries multiple WHOIS databases to retrieve information from more than 20 servers throughout the world. SmartWhois is mainly to help unreportable researchers find what information is registered on the Internet, and experienced users can define their own configuration.
SmartWhois10_1
SmartWhois10_2
Nine, more practical Web resources
Finally, let's take a look at what web detectors must also know which Web "friends", as the saying goes, many friends!
1, international registration body
There are three international organizations responsible for IP address management within the region, and they are usually considered authoritative organizations. These organizations have a Web site that provides a WHOIS service and a function of finding its owner according to IP addresses. They are:
* Arin (American Registry for Internet Numbers) - located in the western hemisphere, the URL address is: http://www.arin.net/whois/arinwhois.html* APNIC (Asia Pacific Network Information Center) - is located in the Asia Pacific, URL address To http://www.apnic.net* Ripe (Reseaux IP Europeens) - in Europe, URL address is http://www.ripe.net2, network diagnostics and research sites
* Adhoc IP Tools Set: This site is the real Swiss army in the Internet tool, many practical network tools such as WHOIS, NSLOOKUP, PING, DNS DIG, etc. can be selected from http://tatumweb.com/iptools.htm. carried out.
iptools
* SAM SPADE: Another good site that also provides a variety of research tools, which has already mentioned the WHOIS function of the web mode, and the address is http://www.samspade.org/.
Samspade
* Internet Service Provider Site: This type of site allows the name to search for ISP, view the business characteristics of ISP, such as http://www.webisplist.com/.
Webisplist
3, Email Secure Site
* Advisers to malicious Email: This type of site is to track Email, how to read information heads in many different mail clients, how to contact the resignificance department has detailed guidance information. But they generally have no fashionable appearances, which contain rich wisdom in simple text. It is hoped that the network detectors can get a kitmith. Site Example: http://ddi.digital.net/~gandalf/spamfaq.html or http://www.stopspam.org/email/headers/headers.html. * Garbage spam: This type of site is now very practical, such as http://eddie.cis.uoguelph.ca/tburgess/local/spam.html or http://spam.abuse.net/.
Ten, conclusion
To become an excellent network security case "Detective", in addition to understanding and proficienting the principles and software applications of these protocols, more importantly, it is constantly being applied to practice. Ok, I still hesitate, boldly start your network "detect" journey, do Holmes on the Internet!
Netscantools
The use examples of the DIG command under the UNIX system are as follows:
DIG -X @ 123.456.789.000 or dig-x% domainname.com
DIG is an alternative to Nslookup, which is usually running again to compare with the results of all the queries in front. Another utility is Tracert, that is, tracking routing information, which can view the packet via which route finally reaches the destination. Like ping, Tracert sent the packet to the target machine, so if you don't want to be monitored, it is best not to use it easily.
Tracert
