Inspecting DNS traffic via tcpdump

If you ever wondered what is going on at the DNS level on your computer (or network), tcpdump can be a useful tool for you.

TCPdump basics

Tcpdump is a tool that lets you inspect packets of any protocol (TCP, UDP, etc.) and their contents as they pass through a network interface, using the libpcap library to capture them. The syntax is simple; at a minimum the command needs the network interface name, the protocol, and any restrictions on what you are trying to inspect (more on that later):

tcpdump -nnni INTERFACE PROTOCOL (tcp, udp) [RESTRICTIONS]


So if you want to see all UDP traffic on the eth0 interface, for example, you would do:

tcpdump -nnni eth0 udp

Note that we used -nnn, which we generally recommend: it stops tcpdump from resolving IP addresses to hostnames and port numbers to service names. That makes tcpdump a lot faster, and when you are watching DNS it also avoids adding tcpdump's own reverse lookups to the traffic you are inspecting.

Inspecting DNS Traffic with TCPDump

With that in mind, if we want to inspect DNS traffic, we restrict tcpdump to UDP on port 53 (the default DNS port). For example:

tcpdump -nnni eth0 udp port 53


On my Mac, I run it as:

$ sudo tcpdump -nnnni en0 udp port 53


Which shows me the DNS traffic:

20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)


In this case, you can see my IP, 192.168.0.2, sending a DNS query for the A record of google.com to the resolver at 1.1.1.1, and the resolver answering with the A record 172.217.11.78. In the query line, 60078+ is the query ID (the + means recursion was requested); in the response, 1/0/1 is the count of answer, authority and additional records.
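As an added example (not part of the original post), here is a small POSIX shell script that turns tcpdump's one-line DNS output, in the format shown above, into a query summary: one line per query with client, resolver, record type and name; a count of how often each name was queried; and a check that flags queries sent to a resolver other than the one you expect, which is a quick way to notice a host using a DNS server it should not. The functions read tcpdump output on standard input, so you can pipe a live capture into them; tcpdump's -l flag makes it line-buffer its output so each packet reaches the pipe as it arrives. The sample capture inside the script is constructed for the demonstration, and the resolver address 203.0.113.9 is a documentation address standing in for an unexpected server. One caveat on the filter used in the post: "udp port 53" misses DNS carried over TCP (used when an answer is too large for UDP, and for zone transfers); "port 53" without "udp" catches both.

```shell
#!/bin/sh
# Added example, not from the original post: summarise DNS queries from
# tcpdump's one-line output. Typical live use (the -l flag makes tcpdump
# line-buffer its output so the pipe sees each packet as it arrives):
#
#   sudo tcpdump -nnni en0 -l udp port 53 | dns_queries
#
# Every function below reads tcpdump output on stdin.

# Constructed sample capture (same format as tcpdump -nnni output).
# 203.0.113.9 is a documentation address standing in for an unexpected resolver.
SAMPLE_CAPTURE='20:35:37.000001 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37.012345 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)
20:35:38.000001 IP 192.168.0.2.49183 > 1.1.1.1.53: 60079+ [1au] AAAA? google.com. (39)
20:35:39.000001 IP 192.168.0.2.49184 > 203.0.113.9.53: 60080+ A? example.org. (29)
20:35:39.000002 IP 192.168.0.2.49185 > 1.1.1.1.53: 60081+ PTR? 1.1.1.1.in-addr.arpa. (42)'

# dns_queries: print "client resolver qtype name" for each query packet.
# Query lines carry a "TYPE?" token (A?, AAAA?, PTR? ...); responses carry
# "answers/authority/additional" counts instead and are skipped.
dns_queries() {
    awk '
        $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)              # drop the trailing colon after dst
            sub(/\.[0-9]+$/, "", src)       # drop ".port" (works for IPv6 too:
            sub(/\.[0-9]+$/, "", dst)       # tcpdump separates the port with a dot)
            for (i = 6; i <= NF; i++) {
                if ($i ~ /[?]$/) {          # found the "TYPE?" token
                    qtype = $i; sub(/[?]$/, "", qtype)
                    name = $(i + 1); sub(/\.$/, "", name)   # strip the root dot
                    print src, dst, qtype, name
                    break
                }
            }
        }'
}

# dns_top_names: "count name", most-queried name first.
dns_top_names() {
    dns_queries | awk '{ print $4 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# dns_unexpected_resolvers "IP [IP ...]": queries sent to any resolver that is
# not in the space-separated allow-list, e.g. a host bypassing the configured DNS server.
dns_unexpected_resolvers() {
    dns_queries | awk -v ok="$1" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        !($2 in allowed)'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | dns_top_names
printf '%s\n' "$SAMPLE_CAPTURE" | dns_unexpected_resolvers "1.1.1.1"
```

On the sample, dns_top_names lists google.com first with a count of 2, and dns_unexpected_resolvers "1.1.1.1" reports only the example.org query that went to 203.0.113.9. The parsing keys on tcpdump's fixed layout (source, ">", destination, then the query fields), so it is independent of the timestamp format and handles IPv6 addresses, since tcpdump always separates the port with a dot.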



Posted in Networking_Tips, Troubleshooting, Linux, TCPDump by noc_team
