Hello Mskrissy,
I will divide the answer into two parts
- the DNS question
- tracing email messages
as well as provide some additional information that you may find
helpful.
1. Does the DNS query pass its queries through the router and the
firewall out to the internet?
In many corporations, yes. In some corporations, no. It depends upon
the way the network is connected. I'll refer to a few simple diagrams
to help explain.
A router/firewall with ISP connection (shown as dial-up, could be
high speed)
http://www.freebsd.org/doc/en_US.ISO8859-1/books/ppp-primer/c30.html
A similar configuration, with an explanation of "Network Address
Translation" which hides your local machines from the Internet.
http://www.linux-mag.com/1999-08/guru_01.html
Part of a document describing corporate security, a diagram showing
routers and firewalls for a distributed company (at least four sites).
http://www.tavve.com/ePROBE_Security_White_Paper.pdf
In a small company, the firewall, DNS server, and router may all be
the same machine (first two examples). In the larger company, the DNS
server may be in parallel with or outside the firewall (especially
when used with a proxy server).
2. How do I trace an email message from start to finish through a
network with email server, router, firewall, and WAN internet
connection?
There are a few ways to answer this question.
The easiest method is to simply look at the email headers for a
message. I have pasted an example for a spam message I received on a
personal account (names have been changed...)
Return-Path: <m1chthng@nowhere.ch>
Received: from school.k12.co.us (mail.school.k12.co.us
[266.318.399.347]) by myisp.net (Rockliffe SMTPRA 4.5.6) with ESMTP id
<B0007582656@myisp.net>; Tue, 20 Aug 2002 14:29:02 -0500
Received: from nowhere.zzz.ee [311.301.342.444] by school.k12.co.us
(SMTPD32-7.12) id XYZC110OF7; Tue, 20 Aug 2002 13:22:52 -0600
The "return path" is where the message supposedly came from. However,
the "received" lines indicate that the message was sent along the
following path...
nowhere.zzz.ee -> school.k12.co.us -> myisp.net
along with the date, time, and message identification information.
Needless to say, there is likely a public school in Colorado that has
been forwarding spam to my account.
This kind of information is generally displayed in an email program by
selecting "Show all headers" or a similar command. This method does
require that you have a cooperative person to send you a message (or
you send a message to them and they return it to you).
The method above only tells you about the mail servers that were used.
To find out which computers have handled the message between your
company and the destination, you can get an approximate answer with a
program such as traceroute.
For more information on traceroute, including an example, I suggest...
http://www.freesoft.org/CIE/Topics/54.htm
Or for a Windows application (free), you can try...
http://www.pingplotter.com/features.html
to get your own answers.
The example shows a number of computers between the two systems. The
next time you run traceroute, you can get a different list of systems.
That is why I said the answer is approximate. However, as far as the
mail server is concerned, those other machines do not exist - it
simply sends the message to the next destination and the other
machines will do the rest.
When you have a firewall or proxy server in the way, you may have to
do the traceroute in pieces. For example, run traceroute from your
mail server to the firewall, from the firewall to the firewall of the
destination, and from that firewall to the end mail server.
To search for more information on this topic, I suggest search phrases
such as...
- DNS router +"corporate firewall" network topology
- email SMTP headers "received by"
- traceroute how works
to get more web sites that describe these methods.
Please let me know if you need the answer clarified. I can provide
more detail or some different methods to describe the methods if
needed.
--Maniac
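As an added illustration that is not part of Maniac's answer, the following Python script performs the header walk described in the answer mechanically: it collects the "Received" lines, reverses them into sending order (the topmost line is the newest), prints the hop path, checks that each server's "by" host matches the next hop's "from" host (a break in that chain is the usual sign of a forged or stripped header), and computes the delay between hops after normalizing the differing timezone offsets. The sample headers are the ones quoted above, re-folded the way a real message stores them; the hostnames and addresses are the altered ones from the answer, and the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers quoted in the answer, folded onto
# continuation lines (leading whitespace) as a mail server would write them.
SAMPLE_HEADERS = """\
Return-Path: <m1chthng@nowhere.ch>
Received: from school.k12.co.us (mail.school.k12.co.us
 [266.318.399.347]) by myisp.net (Rockliffe SMTPRA 4.5.6) with ESMTP id
 <B0007582656@myisp.net>; Tue, 20 Aug 2002 14:29:02 -0500
Received: from nowhere.zzz.ee [311.301.342.444] by school.k12.co.us
 (SMTPD32-7.12) id XYZC110OF7; Tue, 20 Aug 2002 13:22:52 -0600
Subject: constructed example

(body omitted)
"""

# Matches "from <host> [(comment)] [[ip]] by <host>"; the comment form
# "(rdns-name [ip])" and the bare "[ip]" form both appear in the sample.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"
    r"(?:\s+\((?P<from_comment>[^)]*)\))?"
    r"(?:\s+\[(?P<from_ip>[^\]]+)\])?"
    r"\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Parse one Received header value into from/ip/by/when (or None)."""
    text = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    ip = m.group("from_ip")
    if ip is None and m.group("from_comment"):
        ipm = re.search(r"\[([^\]]+)\]", m.group("from_comment"))
        ip = ipm.group(1) if ipm else None
    when = None
    if ";" in text:  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {"from": m.group("from_host"), "ip": ip,
            "by": m.group("by_host"), "when": when}


def trace_path(raw_headers):
    """Return the hops in sending order (earliest first)."""
    msg = message_from_string(raw_headers)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", []))
            if h is not None]
    hops.reverse()  # newest Received line is on top, so reverse for chronology
    return hops


def path_string(hops):
    """Render the path the way the answer writes it: a -> b -> c."""
    if not hops:
        return ""
    return " -> ".join([hops[0]["from"]] + [h["by"] for h in hops])


def chain_breaks(hops):
    """Indexes i where hop i's 'by' host is not hop i+1's 'from' host."""
    return [i for i in range(len(hops) - 1)
            if hops[i]["by"].lower() != hops[i + 1]["from"].lower()]


def hop_delays_seconds(hops):
    """Seconds between consecutive Received timestamps (None if missing)."""
    delays = []
    for a, b in zip(hops, hops[1:]):
        if a["when"] and b["when"]:
            delays.append(int((b["when"] - a["when"]).total_seconds()))
        else:
            delays.append(None)
    return delays


def return_path_domain(raw_headers):
    """Domain of the Return-Path, to compare against the first 'from' host."""
    m = re.search(r"@([^>\s]+)", message_from_string(raw_headers).get("Return-Path", ""))
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    hops = trace_path(SAMPLE_HEADERS)
    print(path_string(hops))
    print("chain breaks:", chain_breaks(hops))
    print("hop delays (s):", hop_delays_seconds(hops))
    print("return-path domain:", return_path_domain(SAMPLE_HEADERS))
```

On the sample this prints the path nowhere.zzz.ee -> school.k12.co.us -> myisp.net with no chain breaks and a 370-second gap between the two relays (13:22:52 -0600 and 14:29:02 -0500 are only about six minutes apart once converted to UTC); the Return-Path domain nowhere.ch does not match the originating host, which is exactly the "supposedly came from" point the answer makes.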