If you ever wondered what is going on at the DNS level on your computer (or network), tcpdump can be a useful tool for you.
TCPdump basics
Tcpdump is a tool that allows you to inspect any packet (TCP, UDP, etc) and its content as they pass through an interface through the libpcap module. The syntax is very simple, but the basics of the command require the network interface name, the protocol and the restrictions of what you are trying to inspect (more on that later):
tcpdump -nnni INTERFACE PROTOCOL (tcp, udp) [RESTRICTIONS]
So if you want to see all UDP traffic on the eth0 interface, for example, you would do:
tcpdump -nnni eth0 udp
Note that we used -nnn, which we generally recommend as it means that it won’t do a reverse DNS resolution of the IP addresses and ports. It makes tcpdump a lot faster.
Inspecting DNS Traffic with TCPDump
With that in mind, if we want to inspect DNS traffic, we need to restrict tcpdump to only UDP and port 53 (default by DNS). For example:
tcpdump -nnni eth0 udp port 53
On my Mac, I run it as:
$ sudo tcpdump -nnnni en0 udp port 53
Which shows me the DNS traffic
20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39) 20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)
In this case, you can see my IP – 192.168.0.2, doing a DNS request for the A record of google.com.