
Using tcpdump for DNS diagnostics - Debian

tcpdump is a powerful command-line packet analyzer which can be used to analyze the DNS question/answer process. tcpdump is preinstalled on many Linux distributions. On Debian it can be installed directly from the Debian repository:

apt-get install tcpdump

tcpdump can write a capture to a file or display it in real time, and it offers several ways to use it for DNS analysis. Below are a few examples; a more detailed description follows at the bottom of the page.


Example 1) Capture DNS on the fly:

tcpdump -i eth0 udp port 53

14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)
14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/2 A 158.193.152.2 (99)

where -i selects the interface, udp restricts the capture to the UDP transport protocol and port 53 is the port of the DNS service


Example 2) A shorter variant of example 1

tcpdump -nt -i eth0 udp port 53

IP 10.0.2.15.44182 > 158.193.152.2.53: 50466+ [1au] A? voip.kis.fri.uniza.sk. (50)
IP 158.193.152.2.53 > 10.0.2.15.44182: 50466* 1/1/2 A 158.193.152.2 (99)

where -n prints addresses and port numbers numerically instead of resolving them to names (the server now appears as 158.193.152.2.53 instead of castor.kis.fri.uniza.sk.domain) and -t suppresses the timestamps. -n is also the safer choice when diagnosing a broken resolver, because tcpdump's own reverse lookups would otherwise add extra DNS traffic to the capture.


Example 3) Use tcpdump to capture the data and write it to a pcap file

so that it can be analyzed afterwards, for example with the filters from both previous examples:

tcpdump -i eth0 -w example.cap udp port 53

Then the file can be read back (-v adds a fuller protocol decode):

tcpdump -v -r example.cap udp port 53


Detailed description and additional information

Here is a closer look.

To have something to observe we need a DNS lookup tool that generates DNS queries on demand. Debian, for example, has the host and nslookup tools preinstalled. I personally prefer dig, which is part of the dnsutils package.

I will use the same DNS query for all examples:

dig voip.kis.fri.uniza.sk

which asks for the Address (A) record of voip.kis.fri.uniza.sk, i.e. the translation of the server name to its IP address. The answer is 158.193.152.2:

dig voip.kis.fri.uniza.sk

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> voip.kis.fri.uniza.sk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;voip.kis.fri.uniza.sk.        IN    A

;; ANSWER SECTION:
voip.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2

;; AUTHORITY SECTION:
kis.fri.uniza.sk.    3600    IN    NS    ns.kis.fri.uniza.sk.

;; ADDITIONAL SECTION:
ns.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2

;; Query time: 7 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Nov 05 14:54:33 CET 2014
;; MSG SIZE  rcvd: 99

Where an example uses a different query, I will point out the difference.

Examples of usage

tcpdump can write a capture to a file or display it in real time; both can be used for DNS analysis.

1) Detailed description of example one: capturing DNS on the fly

tcpdump -i eth0 udp port 53

This command prints one line per UDP datagram exchanged on UDP port 53 (the DNS service) captured on the eth0 interface (-i eth0 selects it):

root@palo-Xubuntu:~# tcpdump -i eth0 udp port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)
14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 158.193.152.2 (99)

A DNS query is generally formatted as

              src > dst: id op? flags qtype qclass name (len)

where:

  • src is the querying host, here the address 10.0.2.15 and port 11008,
  • dst is the destination, i.e. the IP address or DNS name of your preconfigured DNS server, here castor.kis.fri.uniza.sk; this name resolution can be turned off with the -n switch, in which case the IP address 158.193.152.2 is shown instead,
  • id is the query ID, 17791 here,
  • op (the opcode) is omitted here because this is a standard query,
  • flags: the + after the id means recursion desired, and [1au] means the query carries 1 additional record (the EDNS OPT pseudo-record visible in the dig output above),
  • qtype is the query type; A? here means an Address resource record (the class, IN, is not printed because it is the default),
  • name is the queried name, voip.kis.fri.uniza.sk.,
  • (len) is the query length not including the IP and UDP headers, 50 bytes here.

DNS server responses are formatted as

              src > dst:  id op rcode flags a/n/au type class data (len)

where in our example we can see

castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 158.193.152.2 (99)
  • src is the DNS server name or IP address, here castor.kis.fri.uniza.sk; this name resolution can be turned off with the -n switch, in which case the IP address 158.193.152.2 is shown instead,
  • dst is the destination, i.e. the IP address or DNS name of the asking node, here 10.0.2.15 (port 11008),
  • id is the ID of the query this is the answer to, here 17791; the * after it means the answer is authoritative (the aa flag in the dig output above), and a non-zero rcode such as NXDomain or ServFail would be printed next to it,
  • a/n/au are the record counts in the answer:
    • a/ the number of answer records,
    • /n/ the number of name server (authority) records,
    • /au the number of additional records,
  • here we have 1 answer, 1 name server and 2 additional records,
  • type is the type of the returned record, here A, followed by its data, the IP address 158.193.152.2,
  • (len) is the response length not including the IP and UDP headers, 99 bytes here.
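As an added example (not part of the original page), the following shell script pairs the query and response lines in tcpdump's output by query id and lists the queries that never received an answer, which is the first thing to check when a resolver appears to hang. It works on the line format explained above, with or without -n and -t, and assumes plain (non -v) output and that different clients do not reuse the same query id during the capture.

```shell
#!/bin/sh
# Added example, not from the original page: find DNS queries in tcpdump output
# that never got a response. Query lines look like
#   src > dst: id op? flags qtype qclass name (len)
# and responses like
#   src > dst: id op rcode flags a/n/au type class data (len)
# The id is located after the field ending in ':', so -n and -t may be present or not.

# Constructed sample in the format of 'tcpdump -nt -i eth0 udp port 53' (example 2):
# the A query 50466 is answered, the AAAA query 50467 is not.
SAMPLE='IP 10.0.2.15.44182 > 158.193.152.2.53: 50466+ [1au] A? voip.kis.fri.uniza.sk. (50)
IP 158.193.152.2.53 > 10.0.2.15.44182: 50466* 1/1/2 A 158.193.152.2 (99)
IP 10.0.2.15.44183 > 158.193.152.2.53: 50467+ [1au] AAAA? voip.kis.fri.uniza.sk. (50)'

# Read tcpdump DNS lines on stdin; print "id qtype name" for every unanswered query.
dns_unanswered() {
  awk '
  {
    # the query id follows the "dst:" field; strip the trailing +/* flag characters
    id = ""
    for (i = 1; i <= NF; i++) if ($i ~ /:$/) { id = $(i + 1); break }
    sub(/[^0-9].*$/, "", id)
    if (id == "") next                      # not a DNS line (e.g. tcpdump banner)
    if ($0 ~ / [0-9]+\/[0-9]+\/[0-9]+ /) {
      # response line: recognised by the a/n/au record counts
      answered[id] = 1
    } else {
      # query line: the qtype field ends with "?" and is followed by the name
      for (i = 1; i <= NF; i++)
        if ($i ~ /\?$/) { query[id] = $i " " $(i + 1); order[++n] = id }
    }
  }
  END {
    # report queries in capture order whose id never appeared in a response
    for (i = 1; i <= n; i++) if (!(order[i] in answered)) print order[i], query[order[i]]
  }'
}

# Run on the constructed sample; with a real capture use e.g.
#   tcpdump -nt -r example.cap udp port 53 | dns_unanswered
printf '%s\n' "$SAMPLE" | dns_unanswered
```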