howtouselinux

Filtering DNS with Tcpdump Port 53

Tcpdump is a powerful Linux command for capturing DNS packets, and DNS is a basic part of any Linux admin's work. This post uses tcpdump to filter DNS query traffic and DNS zone transfer packets, then reads the captured packets to see how DNS looks on the wire.

Table of Contents

  • How DNS works?
  • Use tcpdump to filter port 53 for DNS Query packets
  • DNS Packet Analysis
  • Capture DNS zone transfer Packets with Tcpdump

How DNS works?

DNS is short for Domain Name System. It is a distributed database that maps meaningful names (host names), such as howtouselinux.com, to IP addresses, such as 185.230.63.171.

DNS uses both TCP and UDP on port 53. Ordinary queries from a client are sent over UDP 53, so this is the DNS traffic you will see most often. TCP 53 is used for zone transfers and for queries whose answer is too large for a UDP reply (the server sets the TC bit and the client retries over TCP), so a capture filter that matches only UDP 53 misses that traffic. Keep in mind that tcpdump identifies DNS purely by port number: DNS over TLS (port 853) and DNS over HTTPS (port 443) do not match a port 53 filter at all. Check more info about DNS port here.

Use tcpdump to filter port 53 for DNS Query packets

We can use this tcpdump command to capture DNS query packets on interface eth0. Add -n if you want tcpdump to skip its own reverse lookups of the addresses it prints, because those lookups are themselves DNS queries and will otherwise show up in the capture as extra port 53 traffic.

# tcpdump -i eth0 udp port 53

We can write these packets to a file with this tcpdump command.

# tcpdump -i eth0 -w /tmp/dns.pcap udp port 53

We can read the packets back from /tmp/dns.pcap to get more details about each DNS query; -vvv makes tcpdump print the full DNS header fields and the resource records in every section.

# tcpdump -vvv -r /tmp/dns.pcap port 53



DNS Packet Analysis

We can get the A record for google.com with the following command.

dig google.com +short

This is the query tcpdump prints after we run the above dig command. Reading the line from left to right: the client 10.79.98.233 sends from ephemeral port 54127 to the resolver 64.104.76.247 on port 53; 60712 is the DNS transaction ID and the + means the recursion desired (RD) flag is set; [1au] means the query carries one additional record (the EDNS0 OPT record dig adds by default); A? google.com. is the question; and (39) is the UDP payload length in bytes. Check more info about how to use dig command to query DNS records here.

20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)

This is the response from the DNS server for that query. The transaction ID 60712 and the destination port 54127 match the query, which is how the client pairs the answer with its question; over plain UDP these two values are the only check a client has, so an attacker who can predict both can spoof a reply. 6/4/1 is the count of answer, authority and additional records, followed by the six A records from the answer section, and (207) is again the payload length in bytes.

20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)

By default, the dig command queries the A record for the domain name over UDP. Check this post to learn more about other DNS records like AAAA, MX, PTR etc.


Capture DNS zone transfer Packets with Tcpdump

DNS zone transfers (AXFR, and incremental IXFR) run over TCP port 53, so we can filter TCP and port 53 in the tcpdump command to capture them. Note that this filter matches all DNS traffic over TCP, not only zone transfers: a query that was retried over TCP after a truncated UDP reply lands here too, so add -vvv and look for AXFR? or IXFR? in the question section to confirm a transfer. A zone transfer served to a host that should not receive it hands that host every name and address in the zone, which is why an AXFR from an unexpected client is worth a closer look. In the following example, we use eth0 as the network interface. Please change it to adapt to your environment. Check here to learn more about how to use tcpdump command to capture packets.

# tcpdump -i eth0 tcp port 53
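To make the fields in the two tcpdump lines from the packet analysis section concrete, and to show what separates a zone-transfer request from an ordinary query once TCP port 53 traffic has been captured, here is an added example using only the Python standard library. It is not code from the original article or from tcpdump. It builds the same 39-byte query that dig sends for google.com (transaction ID 60712, RD set, one EDNS0 OPT record in the additional section), parses it back, renders the same summary tcpdump printed, and classifies a request by query type. The reply is constructed sample data holding only the six A records plus the OPT record; the authority records from the real capture are not reproduced, so its length is not 207. The AXFR request for example.com is also constructed.

```python
import struct

# Wire-format constants from RFC 1035 / RFC 6891 used below.
QTYPE_NAMES = {1: "A", 12: "PTR", 15: "MX", 28: "AAAA", 41: "OPT", 251: "IXFR", 252: "AXFR"}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name):
    """Encode a domain name as length-prefixed labels: google.com -> \\x06google\\x03com\\x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name, qtype=1, edns=True):
    """Build a query the way dig does by default: RD set and one EDNS0 OPT record
    in the additional section (tcpdump shows that OPT record as '[1au]')."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode/version/flags 0, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def build_response(query, addrs, ttl=300):
    """Constructed reply (sample data): echo the question, answer with one A record per
    address using a compression pointer (0xC00C) to the question name, keep the OPT RR."""
    q = parse_message(query)
    name, qtype = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR | FLAG_RD | FLAG_RA, 1, len(addrs), 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in a.split("."))
        for a in addrs)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + answers + opt


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump, but resume after its 2 bytes
            hops += 1
            if hops > 16:  # a pointer loop in a crafted packet must not hang the parser
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Parse the header, the question section and the three RR sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:  # render A records as dotted quads
                rdata = ".".join(str(b) for b in rdata)
            sections[section].append((name, rtype, rdata))
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "questions": questions, "length": len(msg), **sections}


def tcpdump_summary(msg):
    """Render the DNS part of a tcpdump line: ID, '+' for RD, '[Nau]' for additional
    records in a query, 'TYPE? name', or 'an/ns/ar' counts plus answers for a reply."""
    m = parse_message(msg)
    name, qtype = m["questions"][0]
    if not m["qr"]:
        au = f" [{len(m['additional'])}au]" if m["additional"] else ""
        return f"{m['id']}{'+' if m['rd'] else ''}{au} {QTYPE_NAMES.get(qtype, qtype)}? {name} ({m['length']})"
    counts = f"{len(m['answer'])}/{len(m['authority'])}/{len(m['additional'])}"
    answers = ", ".join(f"{QTYPE_NAMES.get(t, t)} {r}" for _, t, r in m["answer"])
    return f"{m['id']} {counts} {answers} ({m['length']})"


def is_zone_transfer(msg):
    """True for AXFR/IXFR requests; a 'tcp port 53' capture filter alone cannot
    tell these from ordinary queries that fell back to TCP."""
    return any(t in (251, 252) for _, t in parse_message(msg)["questions"])


if __name__ == "__main__":
    query = build_query(60712, "google.com")
    print(tcpdump_summary(query))  # 60712+ [1au] A? google.com. (39)
    reply = build_response(query, ["74.125.24.113", "74.125.24.102", "74.125.24.139",
                                   "74.125.24.138", "74.125.24.100", "74.125.24.101"])
    print(tcpdump_summary(reply))
    axfr = build_query(4242, "example.com", qtype=252, edns=False)  # constructed sample
    print(tcpdump_summary(axfr), "zone transfer:", is_zone_transfer(axfr))
```

The 39 bytes break down as a 12-byte header, a 16-byte question (12 bytes of labels plus type and class) and an 11-byte OPT record, which is exactly what tcpdump reports as the payload length. The hop limit in decode_name is there because compression pointers in a crafted packet can point at each other; a parser fed captured traffic must not loop forever on such input.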
