If you’re a Linux system administrator, then you’re probably familiar with DNS, which is a critical component of networking.
TCPdump is a powerful Linux command that can help you capture and filter network packets. With TCPdump, you can analyze DNS query traffic which gives you greater insights into how DNS works.
In this article, we’ll explore how TCPdump can be used to capture DNS packets and how it can help you in your Linux admin tasks. So, let’s dive in and learn more about this essential tool.
Table of Contents
- How DNS works?
- Capture DNS zone transfer Packets with Tcpdump
- How to use tcpdump to filter DNS Query packets?
How DNS works?
DNS is short for Domain Name System. It is simply a database that links meaningful names (known as host names), such as www.howtouselinux.com, to a specific IP address, such as 185.230.63.171.
Whenever you type a domain name into your web browser, your computer queries DNS servers to find out the IP address for that domain. The DNS servers query other DNS servers until they eventually find the IP address for the domain.
This process can take some time if there is not an exact match for the domain name in one of the DNS servers’ cache.
DNS is a hierarchical system. The top of the hierarchy is called the root zone, and under it are zones for each of the top-level domains (TLDs). There are six TLDs: .com, .net, .org, .info, .biz, and .us. Each TLD has its own zone file that contains information about all of the domains in that TLD.
DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client side. Check more info about DNS port here.
Use tcpdump to filter port 53 for DNS Query packets
The tcpdump command can be used to filter network packets from a network stream.
To filter port 53 for DNS query packets using TCPdump, you can use the following command:
sudo tcpdump -i <interface> port 53
Here’s what each part of the command does:
- sudo: Run the command with superuser privileges
- tcpdump: The command we’re running
- -i <interface>: Specify the interface to capture packets on (e.g., eth0, wlan0)
- port 53: Filter packets on port 53 (DNS)
If you are not sure about the interface name, you can type “tcpdump -D” into your terminal. This will display a list of all of the available interfaces. Or you can refer to this article to get more details.
Once you run this command, TCPdump will capture all DNS packets on port 53 and display them in the terminal. This includes both DNS query packets and DNS response packets. You can stop the capture by pressing CTRL+C.
Keep in mind that capturing all DNS traffic on a busy network interface can generate a large amount of data very quickly. To filter the packets and reduce the amount of data captured, you can use additional filters, such as filtering by source or destination IP address, protocol, or DNS query type.
DNS and DevOps
DevOps is a methodology that aims to improve communication and collaboration between development and operations teams. One of the primary goals of DevOps is to automate tasks so that they can be completed more quickly and efficiently. By automating tasks, teams can focus on more important work and avoid potential human errors.
DNS and DevOps work together to create a more efficient workflow: DNS resolution can be automated so that it is completed quickly and reliably, which frees development and operations teams for more important work and avoids potential human errors.
Query DNS record with dig and nslookup command
dig is a powerful DNS query tool that can be used to perform a variety of different queries. To use it, type “dig <name_of_domain> <type_of_query>”. For example, to query the MX records for a domain, you would type “dig example.com MX”. This will return a list of all of the MX records for the domain.
If you want to see the reverse DNS record for a domain, you can type “dig -x <ip_address>”. This will return a list of all of the domains that are hosted on the given IP address.
Here are the steps to query a DNS record with the dig command and capture these DNS packets with tcpdump:
- Open a terminal window on your computer.
- Type the following command to capture the DNS packets with tcpdump: sudo tcpdump -i <network_interface> -n -vvv port 53
- Press Enter to run the command. tcpdump should start capturing packets on the specified network interface.
- Open another terminal window on your computer.
- Type the following command to query a DNS record using dig: dig <domain_name> <record_type>. Replace <domain_name> with the domain name you want to query (e.g., google.com), and <record_type> with the type of DNS record you want to query (e.g., A, MX, NS, etc.). For example, to query the A record of google.com, you can type: dig google.com A
- Press Enter to run the command. You should see the DNS response with the IP address of the domain name you queried.
- Go back to the terminal window where you ran the tcpdump command. You should see the captured DNS packets displayed in the terminal window.
- Press Ctrl+C to stop the command.
Let’s see an example.
We can get the IP address of google.com with the following command.
dig google.com +short
We can get the following output from the tcpdump command.
20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)
20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)
By default, the dig command queries the A record for the domain name over UDP.
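The two tcpdump lines above carry everything needed to pair a query with its response: the transaction id (60712), the client and server address/port pair, the question (A? google.com.) and the answer counts (6/4/1). The following script, added here as an example and not part of the original article, parses that one-line format, matches responses to queries, reports the round-trip time, and lists queries that never got an answer and responses that match no query seen (the shape a spoofed or late reply takes). The sample input reuses the two captured lines and adds three constructed lines (an NXDomain pair and an AAAA query with no reply); the regexes assume tcpdump's default, non-verbose UDP output.

```python
import re
from datetime import datetime

# One-line tcpdump DNS summary (UDP, default verbosity), as shown in the capture above:
#   <time> IP <src>.<sport> > <dst>.<dport>: <txid>[flags] [<edns>] <qtype>? <name>. (<len>)
#   <time> IP <src>.<sport> > <dst>.<dport>: <txid>[flags] [<rcode>] <an>/<ns>/<ar> ... (<len>)
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)[+*|$-]* (?P<rest>.*?) ?\((?P<len>\d+)\)$")
QUERY = re.compile(r"^(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)")
RESPONSE = re.compile(r"^(?:(?P<rcode>[A-Za-z]+) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")

def parse_line(line):
    """Return a dict for one query or response line, or None if the line is not DNS."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, rest = datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["rest"]
    q, r = QUERY.match(rest), RESPONSE.match(rest)
    if q:  # client -> server; key = (txid, client, client port, server, server port)
        return {"kind": "query", "ts": ts, "qtype": q["qtype"], "name": q["name"],
                "key": (m["txid"], m["src"], m["sport"], m["dst"], m["dport"])}
    if r:  # server -> client; build the same key from the client's point of view
        return {"kind": "response", "ts": ts, "rcode": r["rcode"] or "NoError",
                "answers": int(r["an"]),
                "key": (m["txid"], m["dst"], m["dport"], m["src"], m["sport"])}
    return None

def correlate(lines):
    """Pair queries with responses; return (answered, unanswered, orphan_responses)."""
    pending, answered, orphans = {}, [], []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "query":
            pending[rec["key"]] = rec
            continue
        q = pending.pop(rec["key"], None)
        if q is None:           # reply with no matching txid/socket pair seen
            orphans.append(rec)
            continue
        answered.append({"name": q["name"], "qtype": q["qtype"], "rcode": rec["rcode"],
                         "answers": rec["answers"],
                         "latency_s": (rec["ts"] - q["ts"]).total_seconds()})
    return answered, list(pending.values()), orphans

# Constructed sample: the two real lines from the capture above plus three made-up lines.
SAMPLE = """\
20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)
20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)
20:11:03.000000 IP 10.79.98.233.54129 > 64.104.76.247.53: 60714+ [1au] A? typo.example. (41)
20:11:03.050000 IP 64.104.76.247.53 > 10.79.98.233.54129: 60714 NXDomain 0/1/0 (120)
20:11:05.000000 IP 10.79.98.233.54130 > 64.104.76.247.53: 60715+ [1au] AAAA? google.com. (39)
""".splitlines()

if __name__ == "__main__":
    answered, unanswered, orphans = correlate(SAMPLE)
    for a in answered:
        print(f"{a['qtype']:5}{a['name']:16}{a['rcode']:9}answers={a['answers']} rtt={a['latency_s']*1000:.1f} ms")
    for u in unanswered:
        print(f"NO RESPONSE: {u['qtype']} {u['name']} txid={u['key'][0]}")
    print(f"orphan responses: {len(orphans)}")
```

Feed it a real capture with `sudo tcpdump -i eth0 -n -l udp port 53 | python3 dnspair.py` after replacing SAMPLE with `sys.stdin`; the `-l` flag line-buffers tcpdump's output so pairs appear as they complete.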
The nslookup command can also be used to query DNS records for a domain. To use it, type “nslookup” into your terminal, followed by the name of the domain that you want to query. For example, to query the MX records for a domain, you would type “nslookup -type=mx example.com”. This will return a list of all of the MX records for the domain.
If you want to see the reverse DNS record for a domain, you can type “nslookup -type=PTR” followed by the IP address that you want to query. This will return a list of all of the domains that are hosted on the given IP address.
Check this post to learn more about other DNS records like AAAA, MX, PTR etc.
Capture DNS zone transfer Packets with Tcpdump
Zone transfer is a process that is used to copy the contents of a DNS zone file from one DNS server to another. This can be used to copy the contents of a TLD’s zone file to all of the DNS servers in the domain.
DNS zone transfer uses TCP port 53. We can filter TCP and port 53 in tcpdump command to capture all these packets. In the following example, we use eth0 as the network interface. Please change it to adapt to your environment.
# tcpdump -i eth0 tcp port 53
Check here to learn more about how to use tcpdump command to capture packets.
More options in tcpdump command
TCPdump is a powerful tool that offers many options and filters to capture and analyze network traffic. Here are some additional options you can use with TCPdump.
For example:
tcpdump -i <interface> -n -v -t -c <count>
The “-i” option specifies the interface that you want to monitor. The “-n” option displays IP addresses instead of hostnames.
The “-v” option displays the verbosity level to show more details. The “-t” option displays the timestamp for each packet. The “-c” option specifies the number of packets that you want to capture.
We can also write these packets to a file using the following command.
tcpdump -i eth0 -w /tmp/dns.pcap port 53
We’ve added the -w option to specify the file name and format for the captured packets. The file name we’ve chosen is “dns.pcap”, and the “.pcap” extension indicates that the file is in the pcap format, which is a common format for packet capture files.
Once you run this command, TCPdump will start capturing DNS query packets on port 53 and write them to the “dns.pcap” file. You can stop the capture by pressing CTRL+C.
You can use a packet analysis tool such as Wireshark to analyze the captured packets. Simply open the pcap file in Wireshark, and you’ll be able to see the captured DNS packets and analyze them in detail.
Mendy W
Saturday 27th of July 2024
I've found the tips on filtering DNS packets particularly useful for monitoring and debugging DNS-related issues in our network. One thing I've learned is to combine multiple filter expressions for more refined capture. For example, tcpdump -i eth0 'port 53 and src or dst x.x.x.x' helps me focus on DNS traffic to and from a specific host on my network.
For those interested in real-time monitoring, tcpdump can be piped into tools like grep to search for specific patterns in the output, which can be a game-changer for spotting anomalies quickly.
Kudos for shedding light on this powerful tool, and I'm looking forward to more in-depth network analysis techniques!
Daniel Lim
Thursday 20th of June 2024
DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client side.