Using Tcpdump to Filter DNS Packets

Updated: Apr 14

Tcpdump is a powerful Linux command-line tool for capturing packets, including DNS packets. DNS is short for Domain Name System, a database that links meaningful names to specific IP addresses. We can use tcpdump to filter DNS packets and learn more about how DNS works.

What is DNS?

DNS, or Domain Name System, translates domain names into IP addresses and points our device in the right direction. A domain name and its matching IP address are called a “DNS record”.

The DNS service uses both TCP and UDP port 53. On the client side, the port most frequently used for DNS is UDP 53. We can capture packets on this port to get the DNS query info.

Query DNS record on Linux

The dig command on Linux can be used to query DNS records. By default, dig sends the DNS query to the name servers listed in the resolver configuration (/etc/resolv.conf) unless it is asked to query a specific name server.

The following command is used to query the A record for Check this post to know how to use dig command.

# dig

Filter DNS Packets with Tcpdump

We can use this tcpdump command to filter DNS packets. In the following examples, we capture packets on the interface eth0. Please change it to match your environment.

# tcpdump -i eth0 udp port 53 or tcp port 53

We can write these packets to a file with the following tcpdump command and analyze them with Wireshark. The -w option means write.

# tcpdump -i eth0 -w /tmp/dns.pcap udp port 53 or tcp port 53

The pcap file can be read back with the tcpdump command (-r) to get more details about the DNS query, such as the hostname and A record info.

# tcpdump -vvv -r /tmp/dns.pcap port 53 
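
The same query details can be pulled out of a capture file programmatically, which is useful when the capture is too large to read by eye. The following is an added example, not part of the original post: it assumes a little-endian classic pcap file captured on an Ethernet interface with IPv4/UDP traffic, and the function names dns_queries and sample_pcap and the sample packet are constructed for illustration.

```python
import socket
import struct

QTYPES = {1: "A", 28: "AAAA"}  # record types named by this example

def dns_queries(pcap: bytes):
    """Return (client_ip, qname, qtype) for each query sent to UDP port 53."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    if struct.unpack("<I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type (capture on eth0)")
    out, pos = [], 24                       # records follow the 24-byte header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # Ethernet II carrying IPv4 (0x0800) with protocol 17 (UDP)
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = 14 + (frame[14] & 0x0F) * 4   # IPv4 header length from IHL
        dns = frame[udp + 8:]
        if frame[udp + 2:udp + 4] != b"\x00\x35" or len(dns) < 12:
            continue                        # not addressed to port 53
        if dns[2] & 0x80:
            continue                        # QR bit set: response, not query
        labels, i = [], 12
        while i < len(dns) and 0 < dns[i] < 64:   # length-prefixed labels
            labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
            i += 1 + dns[i]
        if dns[i:i + 1] != b"\x00" or len(dns) < i + 5:
            continue                        # truncated or malformed question
        qtype = struct.unpack("!H", dns[i + 1:i + 3])[0]
        out.append((socket.inet_ntoa(frame[26:30]), ".".join(labels),
                    QTYPES.get(qtype, str(qtype))))
    return out

def sample_pcap(name="example.com", qtype=1, flags=0x0100):
    """Constructed capture: one DNS message from 192.0.2.10 to 198.51.100.53."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    dns = (struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + qname + b"\x00"
           + struct.pack("!2H", qtype, 1))
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.53")) + udp
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame)
```

To run it against a real capture, pass the bytes of /tmp/dns.pcap to dns_queries; DNS over TCP port 53 and captures from other link types are skipped or rejected by this example.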
