
Inspecting DNS traffic via tcpdump

If you ever wondered what is going on at the DNS level on your computer (or network), tcpdump can be a useful tool for you.


TCPdump basics

Tcpdump is a tool that lets you inspect any packet (TCP, UDP, etc.) and its content as it passes through an interface, using the libpcap library. The syntax is simple: the basic command takes the network interface name, the protocol, and the restrictions on what you are trying to inspect (more on that later):

tcpdump -nnni INTERFACE PROTOCOL (tcp, udp) [RESTRICTIONS]

So if you want to see all UDP traffic on the eth0 interface, for example, you would do:

tcpdump -nnni eth0 udp

Note that we used -nnn, which we generally recommend because it stops tcpdump from resolving IP addresses to hostnames and port numbers to service names. That makes tcpdump a lot faster.

Inspecting DNS Traffic with TCPDump

With that in mind, if we want to inspect DNS traffic, we need to restrict tcpdump to UDP and port 53 (the DNS default). For example:

tcpdump -nnni eth0 udp port 53

On my Mac, I run it as:

$ sudo tcpdump -nnnni en0 udp port 53

Which shows me the DNS traffic:

20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)

In this case, you can see my IP, 192.168.0.2, making a DNS request for the A record of google.com.
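The output format above can be summarized automatically. The following is an added example, not part of the original article: a shell function that reads tcpdump's default text output for `udp port 53`, matches each query to its response by client socket, resolver and query ID, and marks lookups that never got a reply. The names `dns_pairs` and `sample_capture` are hypothetical, and the sample lines after the first two are constructed.

```shell
#!/bin/sh
# Added example: pair DNS queries with their responses in tcpdump text output.
# Live use (interface name is an assumption):
#   sudo tcpdump -l -nnni eth0 udp port 53 | dns_pairs

# Constructed sample capture; the first two lines are the ones shown above.
sample_capture() {
  cat <<'EOF'
20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)
20:35:38 IP 192.168.0.2.51514 > 1.1.1.1.53: 4660+ A? missing.example. (33)
20:35:38 IP 1.1.1.1.53 > 192.168.0.2.51514: 4660 NXDomain 0/1/0 (108)
20:35:39 IP 192.168.0.2.50321 > 1.1.1.1.53: 22136+ AAAA? example.com. (29)
EOF
}

# Reads tcpdump lines on stdin; prints "name type resolver result" per query.
dns_pairs() {
  awk '
    $2 != "IP" || NF < 7 { next }            # IPv4 lines only in this sketch
    {
      src = $3; dst = $5; sub(/:$/, "", dst) # destination carries a trailing colon
      id = $6; gsub(/[^0-9]/, "", id)        # strip flag characters such as "+"
    }
    dst ~ /\.53$/ {                          # towards port 53: a query
      key = src " " dst " " id
      for (i = 7; i < NF; i++) if ($i ~ /\?$/) {
        if (!(key in qn)) order[++n] = key   # keep first-seen order, ignore retries
        qt[key] = substr($i, 1, length($i) - 1); qn[key] = $(i + 1); rs[key] = dst
        break
      }
      next
    }
    src ~ /\.53$/ {                          # from port 53: a response
      key = dst " " src " " id               # same key with the endpoints swapped
      ans = ""
      for (i = 7; i < NF; i++) ans = ans (ans == "" ? "" : " ") $i
      reply[key] = ans
    }
    END {
      for (k = 1; k <= n; k++) {
        key = order[k]
        print qn[key], qt[key], rs[key], ((key in reply) ? reply[key] : "UNANSWERED")
      }
    }'
}

sample_capture | dns_pairs
```

The `-l` flag in the live-use comment makes tcpdump line-buffer its output so the pipe sees each packet as it is printed; results appear when the capture ends.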

Updated on July 31, 2025