Filtering DNS with Tcpdump

Updated: Feb 9

Tcpdump is a very powerful Linux command to capture DNS packets. DNS is a basic part of the Linux admin task. We can use tcpdump to filter DNS query traffic and DNS zone transfer packets to learn more about how DNS works.

How DNS works?

DNS is short for Domain Name System. It is simply a database that links meaningful names (known as host names), such as, to a specific IP address, such as

DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client-side.

Capture DNS zone transfer Packets with Tcpdump

DNS zone transfer uses TCP port 53. We can filter TCP and port 53 in tcpdump command to capture all these packets. In the following example, we use eth0 as the network interface. Please change it to adapt to your environment.

# tcpdump -i eth0 tcp port 53

How to use tcpdump to filter DNS Query packets?

We can use this tcpdump command to filter DNS query packets.

# tcpdump -i eth0 udp port 53 or tcp port 53

We can write these packets to a file with this tcpdump command.

# tcpdump -i eth0  -w /tmp/dns.pcap udp port 53 or tcp port 53

We can read these packets from dns.pcap file to get more details about the DNS query.

# tcpdump -vvv -r /tmp/dns.pcap port 53 

Related Post:

20 Advanced Tcpdump Examples On Linux

Linux Command: Use Dig to query DNS


Join our mail group. Get a free Linux account on Cloud.

Never miss a post!

Want a free Linux account?  This account can be used to login to our cloud server and practice Linux commands.


✔ Linux Commands   ✔ Linux Skills    ✔ LinuxPerformance   ✔ Linux Interview

Some articles are from the public internet. If you find your article misused or undesired here and you don't want us to display it, please let us know and we'll remove it immediately.