Menu Close

Using tcpdump for diagnostics of DNS – debian

admin 1 Comment

TCPdump is a powerful command-line packet analyzer, which may be used for analyzing of DNS question/answer process. TCPdump is preinstalled on many Linux distributions. For debian it can be installed directly from the debian repository:

apt-get install tcpdump

TCPdump allows write a sniff to file or display it realtime. It provides several ways how to use it for DNS analysis. Now I will write a few examples. Deeper description is at the bottom of the page.

Example 1) Capture DNS on the fly:

tcpdump -i eth0 udp port 53

14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)
14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/2 A 158.193.152.2 (99)

where -i is the interface, UDP is the transport protocol and port is the communication port of DNS

Example 2) Shorter alternative of example 1

tcpdump -nt -i eth0 udp port 53

IP 10.0.2.15.44182 > 158.193.152.2.53: 50466+ [1au] A? voip.kis.fri.uniza.sk. (50)
IP 158.193.152.2.53 > 10.0.2.15.44182: 50466* 1/1/2 A 158.193.152.2 (99)

where -n does not convert IP address to DNS names and -t does not print timestamps

Example XY) use tcpdump capture data and write them to a pcap file

then we are able to do post analysis, for example using both previous commands

tcpdump -i eth0 udp port 53 -w example.cap

then we may read back from the file

tcpdump -v -r example.cap udp port 53

Detailed description and additional information

Here I’m providing a closer look.

Be able to observe something we need a DNS lookup tool, which help us generate DNS queries on demand. Debian for example has preinstalled the host and nslookup tool. However, I personally prefer dig, which is part of dnsutils deb package.

I will use the same DNS query usually for all examples:

dig voip.kis.fri.uniza.sk

which will ask a question for translating the Address record A of voip.kis.fri.uniza.sk server to its IP address. Answer is 158.193.152.2

dig voip.kis.fri.uniza.sk

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> voip.kis.fri.uniza.sk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46977
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;voip.kis.fri.uniza.sk.        IN    A

;; ANSWER SECTION:
voip.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2

;; AUTHORITY SECTION:
kis.fri.uniza.sk.    3600    IN    NS    ns.kis.fri.uniza.sk.

;; ADDITIONAL SECTION:
ns.kis.fri.uniza.sk.    3600    IN    A    158.193.152.2

;; Query time: 7 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Nov 05 14:54:33 CET 2014
;; MSG SIZE  rcvd: 99

Otherwise I will highlight difference.

Examples of usage

TCPdump allows write a sniff to a file or display it realtime. It provides several ways how to use it for DNS analysis.

1) Detailed description of the example one: capturing DNS on the fly

tcpdump -i eth0 udp port 53

this example display lines of UDP datagrams exchanged on the UDP port number 53 (dns service) captured on the eth0 interface (-i eth0 specify it)

root@palo-Xubuntu:~# tcpdump -i eth0 udp port 53

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:12.989067 IP 10.0.2.15.11008 > castor.kis.fri.uniza.sk.domain: 17791+ [1au] A? voip.kis.fri.uniza.sk. (50)
14:42:12.989655 IP castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 158.193.152.2 (99)

A DNS query is generally formatted as

              src > dst: id op? flags qtype qclass name (len)

where:

  • src is a host with IP address 10.0.2.15,
  • dst is a destination, i.e. an IP address or a dns name of your preconfigured DNS server, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n swtich. Then we would see an IP addres there, here  158.193.152.2.
  • id is the query ID, 17991 here
  • op is ommited here
  • qtype means the type of DNS query here A? means the Address Resoruce Record
  • (len) is the query length not including transport headers, 50B here

DNS server responses are formatted as

src > dst:  id op rcode flags a/n/au type class data (len)

where in our example we can see

castor.kis.fri.uniza.sk.domain > 10.0.2.15.11008: 17791* 1/1/1 A 158.193.152.2 (99)
  • src is a dns server name or an IP address, here castor.kis.fri.uniza.sk, this resolving can be turned of using the -n switch. Then we would see an IP address there, here  158.193.152.2.
  • dst is a destination, i.e. asking node  IP address or a dns name, here 10.0.2.15,.
  • id is the answer on a query with number, here 17991
    • a/ the number of answer records
    • /n the number of name server records
    • au the number of additional records
  • here we have 1 answer 1 name server and 2 additional records
  • type means the type of DNS query. HEre it was A
  • (len) is the query length not including transport headers, 99B here
5/5 - (1 vote)
Tweet
Pin
Share
0 Shares

1 Comment

  1. tcp ip protocol
    Reply

    DNS resolution is an important service, without it functioning properly domain names will not be correctly resolved to IP addresses preventing other network services from working correctly. Therefore it is equally important to know how to troubleshoot DNS issues on a Linux client and fix any problems to reduce disruption.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.