Inspecting DNS Traffic via tcpdump | NOC.org

Why Inspect DNS Traffic?

DNS traffic is one of the most fundamental and most abused protocols on the internet. Every web request, email delivery, and API call begins with a DNS lookup. Inspecting DNS traffic helps you troubleshoot resolution failures, detect malicious activity like DNS amplification attacks and DNS tunneling, verify that your DNS infrastructure is working correctly, and understand the traffic patterns on your network.

tcpdump is a command-line packet analyzer available on virtually every Unix and Linux system. It captures network traffic in real time and can filter packets by protocol, port, source, destination, and many other criteria.

Capturing DNS Packets on Port 53

DNS uses port 53 for both UDP and TCP traffic. The simplest way to capture all DNS traffic on a server is:

sudo tcpdump -i any port 53

This captures all packets (inbound and outbound) on port 53 across all network interfaces. The -i any flag tells tcpdump to listen on all interfaces. You need root or sudo privileges because packet capture requires access to raw network sockets.

Sample output:

14:23:01.234567 IP 192.168.1.100.45321 > 8.8.8.8.53: 12345+ A? example.com. (29)
14:23:01.256789 IP 8.8.8.8.53 > 192.168.1.100.45321: 12345 1/0/0 A 93.184.216.34 (45)

Breaking down the output:

  • 14:23:01.234567 — Timestamp with microsecond precision.
  • 192.168.1.100.45321 — Source IP and port (client's ephemeral port).
  • 8.8.8.8.53 — Destination IP and port (DNS server, port 53).
  • 12345+ — DNS transaction ID. The + means recursion was requested.
  • A? — Query type (A record query).
  • example.com. — The domain being queried.
  • (29) — Size of the DNS payload in bytes.

Filtering UDP vs TCP DNS

Most DNS queries use UDP, but TCP is used for zone transfers (AXFR), for responses larger than 512 bytes (or 4096 with EDNS) that cannot fit in a UDP datagram, and increasingly as a general transport (DNS over TCP):

# UDP DNS only
sudo tcpdump -i any udp port 53

# TCP DNS only (zone transfers, large responses)
sudo tcpdump -i any tcp port 53

# Both protocols with verbose output
sudo tcpdump -i any port 53 -vv

If you see a lot of TCP DNS traffic that is not zone transfers, it could indicate DNS responses exceeding the UDP limit, which sometimes happens during amplification attacks or when DNSSEC is in use.

Useful tcpdump Options for DNS

# Show more detail (verbose)
sudo tcpdump -i any port 53 -v

# Show full packet content in hex and ASCII
sudo tcpdump -i any port 53 -X

# Limit capture to N packets
sudo tcpdump -i any port 53 -c 100

# Filter by source IP
sudo tcpdump -i any port 53 and src host 192.168.1.100

# Filter by destination DNS server
sudo tcpdump -i any port 53 and dst host 8.8.8.8

# Capture only queries (destination port 53)
sudo tcpdump -i any dst port 53

# Capture only responses (source port 53)
sudo tcpdump -i any src port 53

# Don't resolve hostnames (faster output)
sudo tcpdump -i any port 53 -nn

The -nn flag is particularly important for DNS captures. Without it, tcpdump tries to reverse-resolve every IP address it sees, which generates additional DNS traffic and can confuse your capture.

Saving to PCAP Files

For later analysis, save the raw capture to a PCAP file instead of printing to the terminal:

# Save to file
sudo tcpdump -i any port 53 -w /tmp/dns-capture.pcap

# Save with size-based rotation (new file every 100MB, keep 10 files; tcpdump appends a number to the file name)
sudo tcpdump -i any port 53 -w /tmp/dns-capture.pcap -C 100 -W 10

# Save with time-based rotation (new file every 3600 seconds; the strftime escapes give each file a unique name,
# a fixed name would be overwritten on every rotation)
sudo tcpdump -i any port 53 -w /tmp/dns-%Y%m%d-%H%M%S.pcap -G 3600

Read back a saved capture:

tcpdump -r /tmp/dns-capture.pcap -nn

Analyzing Captures with Wireshark

While tcpdump is excellent for command-line capture, Wireshark provides a graphical interface with deep DNS protocol analysis. Transfer the PCAP file to your workstation and open it in Wireshark:

# On the server
scp /tmp/dns-capture.pcap user@workstation:/tmp/

In Wireshark, use the display filter dns to show only DNS packets. Wireshark decodes every field of the DNS message, including flags, question count, answer count, authority records, and additional records. You can filter by specific query types:

  • dns.qry.type == 1 — A records
  • dns.qry.type == 28 — AAAA records
  • dns.qry.type == 15 — MX records
  • dns.qry.type == 255 — ANY queries (often used in amplification attacks)
  • dns.qry.name contains "suspicious" — Filter by domain name

Common DNS Traffic Patterns

Normal Traffic

Normal DNS traffic consists of small UDP queries (typically 30-80 bytes) and responses (typically 50-500 bytes). Queries come from clients to resolvers, and the ratio of queries to responses should be close to 1:1.

Excessive NXDOMAIN Responses

A high volume of NXDOMAIN (non-existent domain) responses may indicate:

  • Malware trying to contact randomly generated command-and-control domains (DGA — Domain Generation Algorithm)
  • Misconfigured applications or DNS settings
  • DNS enumeration attempts by an attacker

# Count NXDOMAIN responses
sudo tcpdump -i any src port 53 -nn -c 10000 2>/dev/null | grep -c "NXDomain"

Large Response Sizes

DNS responses significantly larger than the query (amplification factor) are a hallmark of DNS amplification attacks. Monitor for responses that are 10x or more the size of the query.

Detecting DNS Tunneling

DNS tunneling encodes data in DNS queries and responses, using the DNS protocol as a covert communication channel. It is used by malware for data exfiltration and by tools like iodine and dnscat2 for tunneling traffic through restrictive firewalls.

Signs of DNS tunneling:

  • Unusually long domain names: Normal queries are short (e.g., example.com). Tunneled queries encode data in long subdomains (e.g., dG9ueQ==.aGVsbG8=.tunnel.example.com).
  • High query volume to a single domain: Tunneling generates many queries to the same base domain.
  • TXT record queries: TXT records can contain large amounts of data and are commonly used for tunneling.
  • Unusual record types: NULL and PRIVATE record types are sometimes used.

# Look for suspiciously long DNS query names (the name is the field after the "TYPE?" field)
sudo tcpdump -i any dst port 53 -nn -l | awk '{
    for(i=1;i<NF;i++) {
        if($i ~ /\?$/ && length($(i+1)) > 50) {
            print $0
        }
    }
}'

Detecting DNS Amplification

DNS amplification attacks exploit open DNS resolvers by sending queries with a spoofed source IP. The responses (much larger than the queries) are directed at the victim. To detect this on your DNS server:

# Look for ANY queries (commonly used in amplification)
sudo tcpdump -i any dst port 53 -nn -l | grep "ANY?"

# Monitor response sizes — large responses may indicate abuse
sudo tcpdump -i any src port 53 -nn -v | grep -E "length [0-9]{3,}"

# Check for queries from many unique source IPs to your resolver
sudo tcpdump -i any dst port 53 -nn -c 10000 2>/dev/null | \
  awk '{print $3}' | cut -d. -f1-4 | sort -u | wc -l

If your server is being used as an amplifier, restrict recursion to authorized clients only, or use iptables to block unauthorized DNS traffic.
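The "10x or more" rule from the Large Response Sizes section can be measured directly from a plain `port 53` capture by pairing each response with its query on the transaction ID and the client address, then dividing the payload sizes printed in parentheses. The following is an added example, not code from the NOC.org page; the addresses are from the RFC 5737 documentation ranges and the sizes are constructed.

```shell
# Added example (not from the NOC.org page): pair each DNS query with its
# response in tcpdump -nn output and compute the amplification factor
# (response payload bytes / query payload bytes) per client.  Addresses are
# RFC 5737 test ranges and all sizes are constructed, not captured traffic.
SAMPLE_DNS='14:23:01.100000 IP 203.0.113.7.40000 > 192.0.2.53.53: 100+ ANY? example.com. (29)
14:23:01.101000 IP 192.0.2.53.53 > 203.0.113.7.40000: 100 14/0/1 A 93.184.216.34, NS ns1.example.com., TXT "v=spf1 -all" (1290)
14:23:01.200000 IP 192.168.1.100.45321 > 192.0.2.53.53: 200+ A? example.com. (29)
14:23:01.201000 IP 192.0.2.53.53 > 192.168.1.100.45321: 200 1/0/0 A 93.184.216.34 (45)
14:23:01.300000 IP 203.0.113.7.40001 > 192.0.2.53.53: 101+ ANY? example.com. (29)
14:23:01.301000 IP 192.0.2.53.53 > 203.0.113.7.40001: 101 14/0/1 A 93.184.216.34, NS ns1.example.com., TXT "v=spf1 -all" (1290)'

# Print "factor client qtype qname" for every response at least MIN_FACTOR
# (default 10) times larger than its query.  Reads tcpdump -nn lines for both
# directions (a plain "port 53" capture) on stdin.
amplification_ratios() {
    awk -v min="${MIN_FACTOR:-10}" '{
        size = $NF; gsub(/[()]/, "", size)           # trailing "(N)" = DNS payload bytes
        txid = $6; gsub(/[^0-9]/, "", txid)          # strip the +, *, -, $ flag characters
        dst = $5; sub(/:$/, "", dst)
        q = 0
        for (i = 6; i < NF; i++) if ($i ~ /\?$/) { q = i; break }
        if (q) {                                     # query: remember it by client addr+port and ID
            k = $3 "|" txid
            qsize[k] = size; qtype[k] = $q; qname[k] = $(q + 1)
        } else {                                     # response: find the query it answers
            k = dst "|" txid
            if (!(k in qsize)) next
            client = dst; sub(/\.[0-9]+$/, "", client)
            ratio = size / qsize[k]
            if (ratio >= min) printf "%.1f %s %s %s\n", ratio, client, qtype[k], qname[k]
            delete qsize[k]
        }
    }'
}

# Sum response bytes per client address, largest first.  With spoofed
# queries the top entries are the victims the responses are aimed at.
bytes_per_client() {
    awk '{
        for (i = 6; i < NF; i++) if ($i ~ /\?$/) next   # skip query lines
        size = $NF; gsub(/[()]/, "", size)
        client = $5; sub(/:$/, "", client); sub(/\.[0-9]+$/, "", client)
        total[client] += size
    } END { for (c in total) printf "%d %s\n", total[c], c }' | sort -rn
}

# Live use: sudo tcpdump -i any port 53 -nn -l | amplification_ratios
printf '%s\n' "$SAMPLE_DNS" | amplification_ratios
```

Queries carrying an EDNS OPT record print an extra `[1au]` field before the type, which is why the type is located by its trailing `?` rather than by a fixed field number.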

Practical Examples

Monitor DNS Queries from a Specific Host

sudo tcpdump -i any port 53 and host 10.0.0.50 -nn

Capture DNS Queries for a Specific Domain

sudo tcpdump -i any port 53 -nn -l | grep "example.com"

Count Queries Per Second

sudo tcpdump -i any dst port 53 -nn -l 2>/dev/null | \
  awk '{print substr($1,1,8)}' | uniq -c

Identify Top Queried Domains

sudo tcpdump -i any dst port 53 -nn -c 1000 2>/dev/null | \
  grep -oP 'A\? \K[^ ]+' | sort | uniq -c | sort -rn | head -20

Summary

tcpdump is an essential tool for inspecting DNS traffic on Linux servers. It allows you to capture queries and responses in real time, filter by protocol and host, save captures for offline analysis with Wireshark, and detect suspicious patterns like DNS tunneling and amplification attacks. Combined with an understanding of normal DNS traffic patterns, tcpdump gives you the visibility needed to troubleshoot resolution issues and identify security threats. For comprehensive DNS protection, explore NOC.org DNS services.

For ongoing DNS monitoring with a policy dashboard, see CleanBrowsing's DNS activity monitoring guide.
