Tcpdump is a powerful Linux command for capturing packets, and DNS traffic is a good place to start with it, because DNS is a basic part of a Linux admin's work. We can use tcpdump to filter DNS query traffic and DNS zone transfer packets to learn more about how DNS works.
- How DNS works?
- Capture DNS zone transfer Packets with Tcpdump
- How to use tcpdump to filter DNS Query packets?
How DNS works?
DNS is short for Domain Name System. It is essentially a distributed database that maps meaningful names (known as host names), such as www.howtouselinux.com, to IP addresses, such as 184.108.40.206.
Whenever you type a domain name into your web browser, your computer asks its DNS resolver for the IP address of that name. If the resolver does not already have the answer in its cache, it queries other DNS servers, starting at the root, until it reaches the server that is authoritative for the domain.
This process takes longer when no server along the way has the answer cached.
DNS is a hierarchical system. The top of the hierarchy is called the root zone, and under it are zones for the top-level domains (TLDs). There are many TLDs: generic ones such as .com, .net, .org, .info and .biz, and country-code ones such as .us. Each TLD has its own zone, which holds the delegation records (name servers) for the domains registered under it.
DNS uses both TCP and UDP on port 53. Most client queries use UDP port 53; TCP port 53 is used for zone transfers and for answers too large to fit in a UDP packet. Check more info about DNS port here.
Use tcpdump to filter port 53 for DNS Query packets
The tcpdump command captures packets from a network interface and can filter them with a BPF expression. To see which interfaces are available, type "tcpdump -D" into your terminal.
A typical capture looks like "tcpdump -i <interface> -n -v -t -c <count> <filter>". The "-i" option specifies the interface you want to monitor. The "-n" option prevents tcpdump from resolving IP addresses to hostnames (useful when capturing DNS, so that tcpdump's own lookups do not add traffic to the capture).
The "-v" option prints more detail for each packet (-vv and -vvv add still more). The "-t" option omits the timestamp from each line (use -tttt for a human-readable date and time instead). The "-c" option specifies the number of packets to capture before exiting.
- We can use this tcpdump command to filter DNS query packets: # tcpdump -i eth0 udp port 53
- We can write these packets to a file with this tcpdump command: # tcpdump -i eth0 -w /tmp/dns.pcap udp port 53
- We can read the packets back from dns.pcap to get more details about each DNS query: # tcpdump -vvv -r /tmp/dns.pcap port 53
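The "udp port 53" and "tcp port 53" filters above match on the transport protocol and on either the source or destination port. The following Python script is an added example (not from the original page) that builds a small pcap file in memory from constructed frames, then applies the same two filters to it by decoding the Ethernet, IPv4 and UDP/TCP headers. It shows what tcpdump -w writes and what -r reads back, and why a zone transfer over TCP is not matched by the UDP filter. The addresses, ports and payload sizes are made up; the DNS payloads are left as opaque bytes.

```python
import struct

# libpcap classic file format: 24-byte global header, then 16-byte record header + frame
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def pcap_file(packets):
    """Serialise (timestamp, frame) pairs into a little-endian classic pcap byte stream."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def ipv4_frame(src, dst, proto, sport, dport, payload):
    """Constructed Ethernet/IPv4/{UDP,TCP} frame. Checksums are left zero;
    tcpdump does not verify them unless asked to."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header: seq 1, ack 0, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)  # dummy MACs
    return eth + ip + l4


def iter_records(data):
    """Walk the pcap records, yielding (timestamp_seconds, frame_bytes)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (proto, src, sport, dst, dport, payload), or None for non-IPv4/non-TCP/UDP frames."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[14 + 9]
    src = ".".join(map(str, frame[14 + 12:14 + 16]))
    dst = ".".join(map(str, frame[14 + 16:14 + 20]))
    l4 = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, l4)
    if proto == PROTO_UDP:
        payload = frame[l4 + 8:]
    elif proto == PROTO_TCP:
        payload = frame[l4 + (frame[l4 + 12] >> 4) * 4:]
    else:
        return None
    return proto, src, sport, dst, dport, payload


def filter_pcap(data, proto_name, port):
    """Equivalent of the tcpdump expression '<proto_name> port <port>':
    matches the protocol and the port in either direction."""
    want = {"udp": PROTO_UDP, "tcp": PROTO_TCP}[proto_name]
    hits = []
    for ts, frame in iter_records(data):
        d = decode(frame)
        if d and d[0] == want and port in (d[2], d[4]):
            hits.append((ts, f"{d[1]}.{d[2]} > {d[3]}.{d[4]}", len(d[5])))
    return hits


# Constructed capture: a UDP query and its reply, a TCP connection to port 53
# (how a zone transfer would travel) and unrelated HTTPS traffic.
SAMPLE = pcap_file([
    (1, ipv4_frame("10.0.0.5", "10.0.0.53", PROTO_UDP, 54127, 53, b"\x00" * 39)),
    (2, ipv4_frame("10.0.0.53", "10.0.0.5", PROTO_UDP, 53, 54127, b"\x00" * 207)),
    (3, ipv4_frame("10.0.0.5", "10.0.0.53", PROTO_TCP, 40001, 53, b"\x00" * 60)),
    (4, ipv4_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40002, 443, b"\x00" * 100)),
])

if __name__ == "__main__":
    for expr in (("udp", 53), ("tcp", 53)):
        print(f"{expr[0]} port {expr[1]}:")
        for ts, flow, n in filter_pcap(SAMPLE, *expr):
            print(f"  {ts} {flow} ({n} bytes)")
```

Writing SAMPLE to disk and running "tcpdump -n -r sample.pcap udp port 53" selects the same two records, since the pcap layout above is what tcpdump -w produces.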
DNS and DevOps
DevOps is a methodology that aims to improve communication and collaboration between development and operations teams. One of its primary goals is to automate routine tasks so that they are completed quickly and consistently, which frees teams for more important work and avoids human error.
DNS fits into this workflow: record changes, resolver configuration and DNS health checks can all be automated and tested in the same way as any other infrastructure change.
DNS Packet Analysis
dig is a powerful DNS query tool that can perform many kinds of queries. To use it, type "dig <name_of_domain> <type_of_query>". For example, to query the MX records for a domain, you would type "dig example.com MX". This returns the MX records for the domain.
If you want to see the reverse DNS record for an address, type "dig -x <ip_address>". This looks up the PTR record in the in-addr.arpa (or ip6.arpa) tree and returns the host name registered for that address; it does not list every domain hosted on the IP.
The nslookup command can also query DNS records for a domain. To use it, type "nslookup" into your terminal, followed by the name of the domain that you want to query. For example, to query the MX records for a domain, you would type "nslookup -type=mx example.com". This returns the MX records for the domain.
If you want to see the reverse DNS record for an address, type "nslookup <ip_address>"; nslookup converts the address to its in-addr.arpa name and performs the PTR lookup for you. As with dig -x, the result is the PTR record for that address, not a list of domains hosted on it.
Here we will use the dig command as an example.
We can get the A record for google.com with the following command: dig google.com +short
This is the output of tcpdump command after we run the above dig command. Check more info about how to use dig command to query DNS records here.
20:11:00.466866 IP 10.79.98.233.54127 > 220.127.116.11.53: 60712+ [1au] A? google.com. (39)
In the query line, 60712 is the transaction ID, the "+" means the recursion-desired flag is set, [1au] means there is one EDNS OPT record in the additional section, "A? google.com." is the question, and (39) is the length of the UDP payload in bytes. This is the packet we get back from the DNS server for this DNS query; it carries the same ID, and 6/4/1 means 6 answer, 4 authority and 1 additional records.
20:11:00.560294 IP 18.104.22.168.53 > 10.79.98.233.54127: 60712 6/4/1 A 22.214.171.124, A 126.96.36.199, A 188.8.131.52, A 184.108.40.206, A 220.127.116.11, A 18.104.22.168 (207)
By default, the dig command queries the A record for the domain name over UDP. Check this post to learn more about other DNS records like AAAA, MX, PTR etc.
How to Make Money with Domain name
Like real-world real estate, a domain in the virtual world can be purchased for profit and developed to increase its value. Words that describe a product or service, names of cities or countries, and community portals can be collected to build a solid domain portfolio, and these can be major investments that are later sold to web developers.
Capture DNS zone transfer Packets with Tcpdump
Zone transfer (AXFR, or the incremental form IXFR) is the process of copying the contents of a DNS zone from one authoritative DNS server to another. It is how a primary (master) server replicates a zone to its secondary (slave) servers, so that every authoritative server for the zone answers with the same records.
DNS zone transfers use TCP port 53, because a zone is usually far larger than a single UDP datagram. We can filter TCP on port 53 in the tcpdump command to capture these packets. Note that an authoritative server should only allow transfers to its own secondaries (for example with allow-transfer in BIND); a server that answers AXFR from anyone discloses every record in the zone, which is why unrestricted zone transfers are a classic finding in DNS audits. In the following example, we use eth0 as the network interface.
Please change it to adapt to your environment. Check here to learn more about how to use tcpdump command to capture packets. # tcpdump -i eth0 tcp port 53
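To see what tcpdump is summarising in the query and response lines shown in the DNS Packet Analysis section, and to recognise a zone-transfer request inside the TCP port 53 traffic captured above, here is an added Python example (not code from the original page). It builds DNS messages in wire format, decodes them back, including the name-compression pointers that responses use, renders them in tcpdump's one-line style, and flags any question of type AXFR (252). The transaction IDs and addresses used are constructed; the 39-byte query for google.com matches the length tcpdump printed in the original capture because that is simply the wire size of such a query with an EDNS OPT record.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          28: "AAAA", 41: "OPT", 252: "AXFR"}
AXFR = 252


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ended by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4). Returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte pointer into an earlier name
            if end is None:
                end = off + 2                      # the pointer ends the name on the wire
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 64:                          # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qid, name, qtype, rd=True, edns=True):
    """Header + one question; optionally an EDNS OPT record (root name, type 41, UDP size 4096)."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg


def build_a_response(query, addrs):
    """Answer an A query with the given IPv4 addresses, pointing each RR name at the question (0xC00C)."""
    qid = struct.unpack_from("!H", query, 0)[0]
    _, qend = read_name(query, 12)
    question = query[12:qend + 4]                  # name + qtype + qclass
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA set
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(map(int, a.split(".")))
                   for a in addrs)
    return header + question + rrs


def _questions(msg):
    """Parse the question section; returns (list of (qtype, name), offset after it)."""
    qd = struct.unpack_from("!H", msg, 4)[0]
    off, out = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        off += 4
        out.append((qtype, name))
    return out, off


def summarize(msg):
    """tcpdump-style line: '<id>+ [1au] A? name.' for a query, '<id> an/ns/ar A x.x.x.x, ...' for a reply."""
    qid, flags, _, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    questions, off = _questions(msg)
    if not flags & 0x8000:                          # QR clear: this is a query
        rd = "+" if flags & 0x0100 else ""
        opt = " [1au]" if ar else ""                # tcpdump marks the EDNS OPT in additional
        return f"{qid}{rd}{opt} " + " ".join(f"{QTYPES.get(t, str(t))}? {n}" for t, n in questions)
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append("A " + ".".join(map(str, rdata)) if rtype == 1 else QTYPES.get(rtype, str(rtype)))
    return f"{qid} {an}/{ns}/{ar} " + ", ".join(answers)


def is_zone_transfer(msg):
    """True when any question asks for AXFR: a zone-transfer request worth alerting on."""
    return any(qtype == AXFR for qtype, _ in _questions(msg)[0])


if __name__ == "__main__":
    q = build_query(60712, "google.com", 1)
    print(len(q), summarize(q))
    print(summarize(build_a_response(q, ["192.0.2.1", "192.0.2.2"])))
    axfr = build_query(7, "example.com", AXFR, edns=False)
    print(summarize(axfr), "zone transfer" if is_zone_transfer(axfr) else "")
```

Running is_zone_transfer over the DNS payloads of the TCP port 53 packets from a capture is the simplest way to tell replication between your own servers apart from someone pulling a copy of your zone.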