tcpdump: filter DNS queries

2 min read | by Jordi Prats

When a DNS change is involved in an ongoing issue, we need to be sure whether a tool such as curl is hitting the new or the old resource. Is that DNS record still cached locally? One of the best ways of checking this is by sniffing the DNS traffic with tcpdump.

To let tcpdump correctly interpret the information carried in a DNS query and its response, we have to add the -s option, which specifies the amount of data to capture for each packet. Setting it to 0 captures the entire packet. This value is actually 262144, which is far more data than a packet is usually going to carry (1500 would be closer, but it also depends on the underlying network).

Adding -n will also prevent tcpdump from resolving IP addresses, which is a good thing when troubleshooting. The final command would be:

# tcpdump -n -s 0 port 53

The output we get from this command will look as follows:

19:31:23.062314 IP 10.12.1.40.51435 > 10.58.61.250.53: 18585+ A? pet2cattle.com. (32)
19:31:23.062384 IP 10.12.1.40.51435 > 10.58.61.250.53: 21145+ AAAA? pet2cattle.com. (32)
19:31:23.174448 IP 10.58.61.250.53 > 10.12.1.40.51435: 21145 0/1/0 (86)
19:31:23.180454 IP 10.58.61.250.53 > 10.12.1.40.51435: 18585 1/0/0 A 5.135.162.66 (48)

In this example the client is querying pet2cattle.com at its resolver (10.58.61.250), which replies that it is 5.135.162.66. The three numbers in a reply (1/0/0) are the counts of answer, authority and additional records, so the AAAA reply (21145 0/1/0) carries no answer at all, only an authority record.
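To turn this into a repeatable check rather than eyeballing the capture, the following added example (not part of the original post) parses the summary lines that tcpdump -n prints on port 53, pairs each query with its reply by client IP, client port and transaction id, and reports which addresses the resolver actually returned. The sample lines are the four shown above; the regexes assume the IPv4/UDP summary format of tcpdump -n and the record names shown here.

```python
import re

# Constructed sample: the four summary lines the page shows for `tcpdump -n -s 0 port 53`.
SAMPLE = """\
19:31:23.062314 IP 10.12.1.40.51435 > 10.58.61.250.53: 18585+ A? pet2cattle.com. (32)
19:31:23.062384 IP 10.12.1.40.51435 > 10.58.61.250.53: 21145+ AAAA? pet2cattle.com. (32)
19:31:23.174448 IP 10.58.61.250.53 > 10.12.1.40.51435: 21145 0/1/0 (86)
19:31:23.180454 IP 10.58.61.250.53 > 10.12.1.40.51435: 18585 1/0/0 A 5.135.162.66 (48)
"""

# Query line: "<ts> IP <client>.<port> > <server>.53: <id>[+] <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<client>[\d.]+)\.(?P<port>\d+) > (?P<server>[\d.]+)\.53: "
    r"(?P<id>\d+)[+%]* (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$"
)
# Reply line: "<ts> IP <server>.53 > <client>.<port>: <id>[flags] an/ns/ar [TYPE val, ...] (<len>)"
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<server>[\d.]+)\.53 > (?P<client>[\d.]+)\.(?P<port>\d+): "
    r"(?P<id>\d+)[-*$|]* (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)(?P<rrs>.*?) \(\d+\)$"
)

def parse_dns_summary(text):
    """Pair every query with its reply by (client IP, client port, transaction id)."""
    pending, paired = {}, []
    for line in text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            pending[(q["client"], q["port"], q["id"])] = {
                "name": q["name"].rstrip("."), "qtype": q["qtype"], "query_ts": q["ts"],
                "response_ts": None, "counts": None, "answers": []}
            continue
        r = RESPONSE_RE.match(line)
        if not r:
            continue  # not a DNS summary line we understand (e.g. TCP or truncated output)
        entry = pending.pop((r["client"], r["port"], r["id"]), None)
        if entry is None:
            continue  # reply for a query that was never captured; ignore it
        entry["response_ts"] = r["ts"]
        entry["counts"] = (int(r["an"]), int(r["ns"]), int(r["ar"]))  # answer/authority/additional
        # The answer section is printed as "TYPE value, TYPE value"; keep (type, value) pairs.
        for rr in filter(None, r["rrs"].strip().split(", ")):
            rtype, _, value = rr.partition(" ")
            entry["answers"].append((rtype, value.rstrip(".")))
        paired.append(entry)
    return paired + list(pending.values())  # unanswered queries keep response_ts None

def addresses_for(entries, name):
    """Addresses the resolver returned for `name` on the wire; empty means no answer was seen."""
    return sorted(v for e in entries if e["name"] == name for t, v in e["answers"] if t in ("A", "AAAA"))
```

If curl produces no query line at all while the capture runs, the name was served from a local cache, which is exactly the situation the post is trying to detect.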


Posted on 30/03/2021