DNS is short for Domain Name System. It is simply a database that links meaningful names (known as hostnames), such as howtouselinux.com, to a specific IP address, such as 220.127.116.11.
Each device connected to the Internet has a unique IP address. With the system of DNS, we don't have to memorize IP addresses.
All domains are required to have at least a few essential DNS records for a user to be able to access their website using a domain name. This is the key concept of DNS.
Here are 4 commonly used DNS records.
A record - A record is used to map a domain (e.g., howtouselinux.com) or a sub-domain (e.g., blog.howtouselinux.com) to an IP address or many ips.
PTR record - Provides a domain name in reverse-lookups. eg. (18.104.22.168 -- howtouselinux.com)
CNAME record - also known as canonical name records, are used to create aliases that point to other names. They are commonly used to map WWW, FTP and MAIL sub-domains to a domain.
MX record - MX (Mail Exchange) records control how incoming email is routed for your domain.
Check this post to learn more about DNS records.
How to query DNS record
Each application like Chrome has its own mechanism to get the DNS record. We will explain how to use the Linux command to query DNS records.
We can use dig name + record type + @dns server to query the DNS info from a DNS server. By default, dig performs a lookup for an A record if no type argument is specified.
server – the IP address or hostname of the name server to query. It is optional and if we don’t provide a server argument then dig uses the name server listed in /etc/resolv.conf.
name – the name of the resource record that is to be looked up.
record type – the type of query requested by dig. For example, it can be an A record, MX record, SOA record or any other types.
Example of DNS record
We can see that google.com has 6 A records with the following example. The main purpose of this is for load balance and fault tolerance.
$ dig google.com +short
Which port does DNS use?
DNS uses both TCP and UDP port 53. The most frequently used port for DNS is UDP 53. This is used for DNS queries on the client-side. Check more info about DNS port here.
How to use tcpdump to filter DNS Query packets?
We can use this tcpdump command to filter DNS query packets.
# tcpdump -i eth0 udp port 53
We can write these packets to a file with this tcpdump command and analyze these packets with Wireshark GUI.
# tcpdump -i eth0 -w /tmp/dns.pcap udp port 53
We can read these packets from dns.pcap file to get more details about the DNS query.
# tcpdump -vvv -r /tmp/dns.pcap port 53
Example of DNS Packet Analysis
We can get the A record for google.com with the flowing command.
dig google.com +short
This is the output of tcpdump command after we run the above dig command. Check more info about how to use dig command to query DNS records here.
20:11:00.466866 IP 10.79.98.233.54127 > 22.214.171.124.53: 60712+ [1au] A? google.com. (39)
This is the packet we get from the DNS server for this DNS query.
20:11:00.560294 IP 126.96.36.199.53 > 10.79.98.233.54127: 60712 6/4/1 A 188.8.131.52, A 184.108.40.206, A 220.127.116.11, A 18.104.22.168, A 22.214.171.124, A 126.96.36.199 (207)
By default, the dig command query the A record for that domain name with UDP protocol. Check this post to learn more about other DNS records like AAAA, MX, PTR etc.