Skip to Content

Filtering DNS with Tcpdump on Port 53

If you’re a Linux system administrator, then you’re probably familiar with DNS, which is a critical component of networking. 

TCPdump is a powerful Linux command that can help you capture and filter network packets. With TCPdump, you can analyze DNS query traffic which gives you greater insights into how DNS works.

In this article, we’ll explore how TCPdump can be used to capture DNS packets and how it can help you in your Linux admin tasks. So, let’s dive in and learn more about this essential tool.

  • How DNS works?
  • Capture DNS zone transfer Packets with Tcpdump
  • How to use tcpdump to filter DNS Query packets?

How DNS works?

DNS is short for Domain Name System. It is simply a database that links meaningful names (known as host names), such as www.howtouselinux.com, to a specific IP address, such as 185.230.63.171.

Whenever you type a domain name into your web browser, your computer queries DNS servers to find out the IP address for that domain. The DNS servers query other DNS servers until they eventually find the IP address for the domain.

This process can take some time if there is not an exact match for the domain name in one of the DNS servers’ cache.

DNS is a hierarchical system. The top of the hierarchy is called the root zone, and under it are zones for each of the top-level domains (TLDs). There are six TLDs: .com, .net, .org, .info, .biz, and .us. Each TLD has its own zone file that contains information about all of the domains in that TLD.

DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client side. Check more info about DNS port here.

Use tcpdump to filter port 53 for DNS Query packets

The tcpdump command can be used to filter network packets from a network stream.

To filter port 53 for DNS query packets using TCPdump, you can use the following command:

sudo tcpdump -i <interface> port 53 

Here’s what each part of the command does:

  • sudo: Run the command with superuser privileges
  • tcpdump: The command we’re running
  • -i <interface>: Specify the interface to capture packets on (e.g., eth0, wlan0)
  • port 53: Filter packets on port 53 (DNS)

 

If you are not sure about the interface name, you can type “tcpdump -D” into your terminal. This will display a list of all of the available interfaces. Or you can refer to this article to get more details.

Once you run this command, TCPdump will capture all DNS packets on port 53 and display them in the terminal. This includes both DNS query packets and DNS response packets. You can stop the capture by pressing CTRL+C.

Keep in mind that capturing all DNS traffic on a busy network interface can generate a large amount of data very quickly. To filter the packets and reduce the amount of data captured, you can use additional filters, such as filtering by source or destination IP address, protocol, or DNS query type.

 

2 Ways to Check DNS Speed

DNS and DevOps

DevOps is a methodology that aims to improve communication and collaboration between development and operations teams. One of the primary goals of DevOps is to automate tasks so that they can be completed more quickly and efficiently. By automating tasks, teams can focus on more important work and avoid potential human errors.

DNS and DevOps work together to create a more efficient workflow. DNS resolution can be automated so that it is completed quickly and efficiently. In addition, by automating tasks, development and operations teams can focus on more important work and avoid potential human errors.

Query DNS record with dig and nslookup command

dig is a powerful DNS query tool that can be used to perform a variety of different queries. To use it, type “dig <name_of_domain> <type_of_query>”. For example, to query the MX records for a domain, you would type “dig example.com MX”. This will return a list of all of the MX records for the domain.

If you want to see the reverse DNS record for a domain, you can type “dig -x <ip_address>”. This will return a list of all of the domains that are hosted on the given IP address.

Here are the steps to query a DNS record with the dig command and capture these DNS packets with tcpdump:

  • Open a terminal window on your computer.
  • Type the following command to capture the DNS packets with tcpdump: sudo tcpdump -i <network_interface> -n -vvv port 53
  • Press Enter to run the command. tcpdump should start capturing packets on the specified network interface.
  • Open another terminal window on your computer.
  • Type the following command to query a DNS record using dig: dig <domain_name> <record_type>. Replace <domain_name> with the domain name you want to query (e.g., google.com), and <record_type> with the type of DNS record you want to query (e.g., A, MX, NS, etc.). For example, to query the A record of google.com, you can type: dig google.com A
  • Press Enter to run the command. You should see the DNS response with the IP address of the domain name you queried.
  • Go back to the terminal window where you ran the tcpdump command. You should see the captured DNS packets displayed in the terminal window.
  • Press Ctrl+C to stop the command.

 

Let’s see an example.

We can get the IP address of google.com with the following command.

dig google.com +short

  We can get the following output from the tcpdump command.

20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)

20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)

By default, the dig command query the A record for that domain name with UDP protocol. 

The nslookup command can also be used to query DNS records for a domain. To use it, type “nslookup” into your terminal, followed by the name of the domain that you want to query. For example, to query the MX records for a domain, you would type “nslookup -type=mx example.com “. This will return a list of all of the MX records for the domain.

If you want to see the reverse DNS record for a domain, you can type “nslookup -type=PTR” followed by the IP address that you want to query. This will return a list of all of the domains that are hosted on the given IP address.

Check this post to learn more about other DNS records like AAAA, MX, PTR etc.

Capture DNS zone transfer Packets with Tcpdump

Zone transfer is a process that is used to copy the contents of a DNS zone file from one DNS server to another. This can be used to copies the contents of a TLD’s zone file to all of the DNS servers in the domain.

DNS zone transfer uses TCP port 53. We can filter TCP and port 53 in tcpdump command to capture all these packets. In the following example, we use eth0 as the network interface. Please change it to adapt to your environment.

# tcpdump -i eth0 tcp port 53

 Check here to learn more about how to use tcpdump command to capture packets

More options in tcpdump command

TCPdump is a powerful tool that offers many options and filters to capture and analyze network traffic. Here are some additional options you can use with TCPdump.

For example: 

tcpdump -i <interface> -n -v -t -c <count>

The “-i” option specifies the interface that you want to monitor. The “-n” option displays IP addresses instead of hostnames

The “-v” option displays the verbosity level to show more details. The “-t” option displays the timestamp for each packet. The “-c” option specifies the number of packets that you want to capture.

We can also write these packets to a file using the following command.

 tcpdump -i eth0 -w /tmp/dns.pcap port 53

we’ve added the -w option to specify the file name and format for the captured packets. The file name we’ve chosen is “dns.pcap”, and the “.pcap” extension indicates that the file is in the pcap format, which is a common format for packet capture files.

Once you run this command, TCPdump will start capturing DNS query packets on port 53 and write them to the “dns.pcap” file. You can stop the capture by pressing CTRL+C.

You can use a packet analysis tool such as Wireshark to analyze the captured packets. Simply open the pcap file in Wireshark, and you’ll be able to see the captured DNS packets and analyze them in detail.

Related Post:

Linux Troubleshooting Guide:

Linux Learning Guide:

Daniel Lim

Thursday 20th of June 2024

DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client side.