
Using Tcpdump to Filter DNS Packets

Tcpdump is a very powerful Linux command for capturing network packets, including DNS traffic. DNS is short for Domain Name System. It is a distributed database that links meaningful names to specific IP addresses. We can use tcpdump to filter DNS packets and learn more about how DNS works.

  • What is DNS?
  • Query DNS record on Linux
  • Filter DNS Packets with Tcpdump


What is DNS?

DNS, or Domain Name System, translates domain names into IP addresses and points our device in the right direction. A domain name and its matching IP address is called a DNS A record.

The DNS service uses both TCP and UDP port 53. On the client side, the most frequently used port is UDP 53. We can capture packets on this port to see the DNS query information.
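To see what a DNS message on port 53 actually carries, here is an added Python example (not code from the original post): it decodes a constructed query for www.example.com and the matching response in the DNS wire format, including the name-compression pointers that real responses use. The transaction ID, the flag values and the answer address are constructed for this example.

```python
import ipaddress
import struct

# Constructed sample messages (assumed values, not captured traffic):
# a query for www.example.com type A and the matching response.
QUERY = bytes.fromhex(
    "abcd"                          # transaction ID
    "0100"                          # flags: standard query, RD set
    "0001" "0000" "0000" "0000"     # QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    "03777777" "076578616d706c65"   # labels "www" "example"
    "03636f6d" "00"                 # label "com", root terminator
    "0001" "0001"                   # QTYPE=A, QCLASS=IN
)
RESPONSE = bytes.fromhex(
    "abcd" "8180"                   # same ID; flags: response, RD, RA, NOERROR
    "0001" "0001" "0000" "0000"     # one question, one answer
    "03777777" "076578616d706c65" "03636f6d" "00" "0001" "0001"
    "c00c"                          # name: pointer to offset 12 (the question name)
    "0001" "0001" "00000e10"        # TYPE=A, CLASS=IN, TTL=3600
    "0004" "5db8d822"               # RDLENGTH=4, RDATA=93.184.216.34
)

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def read_name(msg, offset):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer into the message
            if not jumped:
                end = offset + 2           # the pointer itself is 2 bytes long
            hops += 1
            if hops > 64:                  # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:                    # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_rdata(msg, rtype, start, length):
    """Render RDATA for the common record types; hex for anything else."""
    if rtype in (1, 28) and length in (4, 16):
        return str(ipaddress.ip_address(msg[start:start + length]))
    if rtype in (2, 5, 12):                # NS, CNAME, PTR carry a domain name
        return read_name(msg, start)[0]
    if rtype == 15:                        # MX: preference + exchange name
        pref = struct.unpack("!H", msg[start:start + 2])[0]
        return f"{pref} {read_name(msg, start + 2)[0]}"
    if rtype == 16:                        # TXT: sequence of <len><chars>
        out, off = [], start
        while off < start + length:
            n = msg[off]
            out.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        return " ".join(out)
    return msg[start:start + length].hex()


def parse_dns(msg):
    """Parse the header, question and answer sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    result = {"id": tid, "is_response": bool(flags & 0x8000),
              "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append((name, RR_TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = parse_rdata(msg, rtype, offset, rdlen)
        offset += rdlen
        result["answers"].append((name, RR_TYPES.get(rtype, str(rtype)), ttl, rdata))
    return result


if __name__ == "__main__":
    print(parse_dns(QUERY))
    print(parse_dns(RESPONSE))
```

The same layout is what tcpdump -vvv prints in a friendlier form: the transaction ID lets a query be matched to its response, and the compressed name in the answer is why the decoder has to follow pointers rather than read labels sequentially.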

Query DNS record on Linux

dig example.com

dig is a powerful DNS query tool that can be used to perform a variety of different queries. To use it, type “dig <name_of_domain> <type_of_query>”.

For example, to query the MX records for a domain, you would type “dig example.com MX”. This will return a list of all of the MX records for the domain.

If you want to see the reverse DNS record for a domain, you can type “dig -x <ip_address>”. This will return a list of all of the domains that are hosted on the given IP address.

By default, dig sends the DNS query to the name servers listed in the resolver configuration (/etc/resolv.conf) unless it is asked to query a specific name server.

The following command queries the A record for www.howtouselinux.com. See this post for more on how to use the dig command.

# dig www.howtouselinux.com

The nslookup command can also be used to query DNS records for a domain in Linux.

To use it, type “nslookup” into your terminal, followed by the name of the domain that you want to query.

For example, to query the MX records for a domain, you would type “nslookup -type=mx example.com”. This will return a list of all of the MX records for the domain.

If you want to see the reverse DNS record for a domain, you can type “nslookup -type=PTR” followed by the IP address that you want to query.

This will return a list of all of the domains that are hosted on the given IP address.

Filter DNS Packets with Tcpdump

The tcpdump command can be used to filter packets from a network stream. To list the interfaces it can capture on, type “tcpdump -D” into your terminal. This will display all of the available interfaces.

To filter network packets, use the “tcpdump -i <interface> -n -v -t -c <count>” command. The “-i” option specifies the interface that you want to monitor. The “-n” option prevents tcpdump from resolving IP addresses to hostnames.

The “-v” option increases the amount of detail printed for each packet. The “-t” option suppresses the timestamp at the start of each line. The “-c” option specifies the number of packets that you want to capture.

We can use this tcpdump command to filter DNS query packets. In the following examples, we capture packets on interface eth0. Please change it to match your environment.

# tcpdump -i eth0 udp port 53 or tcp port 53

We can write these packets to a file with the following tcpdump command and analyze them later with Wireshark. The -w option writes the raw packets to the given file.

# tcpdump -i eth0 -w /tmp/dns.pcap udp port 53 or tcp port 53

The pcap file can be read back with tcpdump to get more details about each DNS query, such as the hostname, A record information, TXT records, etc.

# tcpdump -vvv -r /tmp/dns.pcap port 53
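Once a capture has been read back, tcpdump's one-line-per-packet text can be summarised with a short script. The following Python is an added example, not part of the original post: it parses constructed lines in the format that “tcpdump -n -r /tmp/dns.pcap port 53” prints, pairs each query with its response by transaction ID and client port, and reports which names resolved, which came back NXDomain, and which never got an answer at all. The addresses, IDs and names in SAMPLE are made up for the example.

```python
import re

# Constructed sample lines in the one-packet-per-line format that
# "tcpdump -n -r /tmp/dns.pcap port 53" prints. Addresses, IDs and names
# are made up for this example, not taken from a real capture.
SAMPLE = """\
12:00:01.000101 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? www.howtouselinux.com. (39)
12:00:01.002204 IP 192.168.1.1.53 > 192.168.1.10.51234: 12345 1/0/0 A 203.0.113.7 (55)
12:00:02.000310 IP 192.168.1.10.51235 > 192.168.1.1.53: 12346+ TXT? _dmarc.example.com. (36)
12:00:02.004518 IP 192.168.1.1.53 > 192.168.1.10.51235: 12346 NXDomain 0/1/0 (100)
12:00:03.000777 IP 192.168.1.10.51236 > 192.168.1.1.53: 12347+ A? nonexistent.invalid. (37)
"""

# Common prefix: timestamp, IPv4 endpoints, transaction ID plus flag characters
# (for example "+" = recursion desired, "*" = authoritative, "|" = truncated).
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|%-]*) (?P<rest>.*) \((?P<len>\d+)\)$"
)
# Query body: "<TYPE>? <name>."
QUERY = re.compile(r"^(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)$")
# Response body: optional error code, then answer/authority/additional counts
# and the answer records that tcpdump prints after them.
RESPONSE = re.compile(
    r"^(?:(?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp) )?"
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?: (?P<rrs>.*))?$"
)


def parse_line(line):
    """Return a dict for a DNS query or response line, or None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport", "txid")}
    rest = m.group("rest")
    if rec["dport"] == "53":                   # client -> server: a query
        q = QUERY.match(rest)
        if q:
            rec.update(kind="query", qtype=q.group("qtype"),
                       qname=q.group("qname").rstrip("."))
            return rec
    elif rec["sport"] == "53":                 # server -> client: a response
        r = RESPONSE.match(rest)
        if r:
            rec.update(kind="response", rcode=r.group("rcode") or "NoError",
                       answers=int(r.group("an")), rrs=r.group("rrs") or "")
            return rec
    return None


def summarize(text):
    """Pair queries with responses keyed by (transaction ID, client IP, client port)."""
    pending = {}
    resolved = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[(rec["txid"], rec["src"], rec["sport"])] = rec
            continue
        # For a response the client is the destination side of the line.
        q = pending.pop((rec["txid"], rec["dst"], rec["dport"]), None)
        resolved.append({
            "qname": q["qname"] if q else None,
            "qtype": q["qtype"] if q else None,
            "rcode": rec["rcode"],
            "answers": rec["answers"],
            "rrs": rec["rrs"],
        })
    unanswered = [(q["qname"], q["qtype"]) for q in pending.values()]
    return {"resolved": resolved, "unanswered": unanswered}


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for item in summary["resolved"]:
        print(f'{item["qname"]} {item["qtype"]}: {item["rcode"]} {item["rrs"]}'.rstrip())
    print("unanswered:", summary["unanswered"])
```

The pairing key includes the client's source port as well as the 16-bit transaction ID because IDs repeat quickly on a busy host; the -n option matters here because without it tcpdump prints “domain” instead of 53 and the port check would not match.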

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for the tcpdump command.

Option              Description
-i                  Listen on the specified interface.
-n                  Don't resolve hostnames. Use -nn to resolve neither hostnames nor port names.
-t                  Don't print a timestamp on each dump line. -tttt prints a full human-readable date and time instead.
-X                  Show the packet's contents in both hex and ASCII.
-v, -vv, -vvv       Enable increasingly verbose output (which, among other things, gives a running total of how many packets have been captured).
-c N                Capture only N packets and then stop.
-s                  Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S                  Print absolute sequence numbers.
-q                  Show less protocol information.
-w                  Write the raw packets to a file.
-C file_size        Store up to file_size MB of packet data per file, then start a new file.
-G rotate_seconds   Create a new file every time the specified number of seconds has elapsed.