TCPdump is a powerful command-line packet analyzer, which may be used for analyzing of DNS question/answer process. TCPdump is preinstalled on many Linux distributions. For debian it can be installed directly from the debian repository:
apt-get install tcpdump
TCPdump allows write a sniff to file or display it realtime. It provides several ways how to use it for DNS analysis. Now I will write a few examples. Deeper description is at the bottom of the page.
Example 1) Capture DNS on the fly:
tcpdump -i eth0 udp port 53 14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50) 14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/2 A 18.104.22.168 (99)
where -i is the interface, UDP is the transport protocol and port is the communication port of DNS
Example 2) Shorter alternative of example 1
tcpdump -nt -i eth0 udp port 53 IP 10.0.2.15.44182 > 22.214.171.124.53: 50466+ [1au] A? voip.kis.fri.uniza.sk. (50) IP 126.96.36.199.53 > 10.0.2.15.44182: 50466* 1/1/2 A 188.8.131.52 (99)
where -n does not convert IP address to DNS names and -t does not print timestamps
Example XY) use tcpdump capture data and write them to a pcap file
then we are able to do post analysis, for example using both previous commands
tcpdump -i eth0 udp port 53 -w example.cap
then we may read back from the file
tcpdump -v -r example.cap udp port 53
Detailed description and additional information
Here I’m providing a closer look.
Be able to observe something we need a DNS lookup tool, which help us generate DNS queries on demand. Debian for example has preinstalled the host and nslookup tool. However, I personally prefer dig, which is part of dnsutils deb package.
I will use the same DNS query usually for all examples:
which will ask a question for translating the Address record A of voip.kis.fri.uniza.sk server to its IP address. Answer is 184.108.40.206
dig voip.kis.fri.uniza.sk ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> voip.kis.fri.uniza.sk ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46977 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;voip.kis.fri.uniza.sk. IN A ;; ANSWER SECTION: voip.kis.fri.uniza.sk. 3600 IN A 220.127.116.11 ;; AUTHORITY SECTION: kis.fri.uniza.sk. 3600 IN NS ns.kis.fri.uniza.sk. ;; ADDITIONAL SECTION: ns.kis.fri.uniza.sk. 3600 IN A 18.104.22.168 ;; Query time: 7 msec ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Wed Nov 05 14:54:33 CET 2014 ;; MSG SIZE rcvd: 99
Otherwise I will highlight difference.
Examples of usage
TCPdump allows write a sniff to a file or display it realtime. It provides several ways how to use it for DNS analysis.
1) Detailed description of the example one: capturing DNS on the fly
tcpdump -i eth0 udp port 53
this example display lines of UDP datagrams exchanged on the UDP port number 53 (dns service) captured on the eth0 interface (-i eth0 specify it)
root@palo-Xubuntu:~# tcpdump -i eth0 udp port 53 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50) 14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 22.214.171.124 (99)
A DNS query is generally formatted as
src > dst: id op? flags qtype qclass name (len)
- src is a host with IP address 10.0.2.15,
- dst is a destination, i.e. an IP address or a dns name of your preconfigured DNS server, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n swtich. Then we would see an IP addres there, here 126.96.36.199.
- id is the query ID, 17991 here
- op is ommited here
- qtype means the type of DNS query here A? means the Address Resoruce Record
- (len) is the query length not including transport headers, 50B here
DNS server responses are formatted as
src > dst: id op rcode flags a/n/au type class data (len)
where in our example we can see
castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 188.8.131.52 (99)
- src is a dns server name or an IP address, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n switch. Then we would see an IP address there, here 184.108.40.206.
- dst is a destination, i.e. asking node IP address or a dns name, here 10.0.2.15,.
- id is the answer on a query with number, here 17991
- a/ the number of answer records
- /n the number of name server records
- au the number of additional records
- here we have 1 answer 1 name server and 2 additional records
- type means the type of DNS query. HEre it was A
- (len) is the query length not including transport headers, 99B here
DNS resolution is an important service, without it functioning properly domain names will not be correctly resolved to IP addresses preventing other network services from working correctly. Therefore it is equally important to know how to troubleshoot DNS issues on a Linux client and fix any problems to reduce disruption.