Inspecting DNS traffic via tcpdump

If you ever wondered what is going on at the DNS level on your computer (or network), tcpdump can be a useful tool for you.

TCPdump basics

Tcpdump is a tool that lets you inspect packets of any protocol (TCP, UDP, etc.) and their contents as they pass through a network interface, using the libpcap capture library. The syntax is simple; at a minimum the command takes the network interface name, the protocol, and a filter restricting what you want to inspect (more on that later):

tcpdump -nnni INTERFACE PROTOCOL (tcp, udp) [RESTRICTIONS]

So if you want to see all UDP traffic on the eth0 interface, for example, you would do:

tcpdump -nnni eth0 udp

Note that we used -nnn, which we generally recommend: it tells tcpdump not to resolve IP addresses and ports to names. That makes tcpdump a lot faster, and when you are watching DNS it also keeps tcpdump's own reverse lookups out of the capture.

Inspecting DNS traffic with tcpdump

With that in mind, if we want to inspect DNS traffic, we need to restrict tcpdump to UDP on port 53 (the default DNS port). For example:

tcpdump -nnni eth0 udp port 53

On my Mac, I run it as:

$ sudo tcpdump -nnnni en0 udp port 53

Which shows me the DNS traffic:

20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)

In this case, you can see my IP address, 192.168.0.2, sending a DNS query (ID 60078; the + means recursion desired) for the A record of google.com to 1.1.1.1, followed by the resolver's reply carrying one answer (the 1/0/1 counts are answer/authority/additional records): 172.217.11.78.
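Reading one query/response pair by eye is easy; a capture of a busy host is not. The script below is an added example, not part of the original post: a small POSIX sh/awk parser for the line format tcpdump prints with -nn and its default timestamp, as shown above. It pairs each query with its response by transaction ID and client socket, and reports the answer count, the response code tcpdump prints by name (NXDomain, ServFail, and so on), or "unanswered" when no reply ever arrived. The sample lines embedded in SAMPLE_DNS_LOG are constructed for illustration (the addresses, IDs and timestamps are made up); in practice you would pipe tcpdump's output into dns_summary, or run it over a saved capture with tcpdump -nn -r file.pcap.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the DNS lines printed by
# `tcpdump -nn udp port 53`. Needs only POSIX sh and awk; no live capture required.

# Constructed sample in the same layout as the post's capture (made-up values).
SAMPLE_DNS_LOG='20:35:37 IP 192.168.0.2.49182 > 1.1.1.1.53: 60078+ [1au] A? google.com. (39)
20:35:37 IP 1.1.1.1.53 > 192.168.0.2.49182: 60078 1/0/1 A 172.217.11.78 (55)
20:35:38 IP 192.168.0.2.51020 > 1.1.1.1.53: 12345+ AAAA? example.com. (40)
20:35:39 IP 192.168.0.2.51021 > 1.1.1.1.53: 777+ A? nxdomain.example. (42)
20:35:39 IP 1.1.1.1.53 > 192.168.0.2.51021: 777 NXDomain 0/1/0 (117)'

# dns_summary: read tcpdump -nn lines on stdin and print, per query:
#   <client ip> <qtype> <name> <status>
# status is "<n> answer(s)" from the answer/authority/additional counts, the
# rcode name tcpdump prints (NXDomain, ServFail, Refused, ...), or "unanswered".
# Assumes the default timestamp (one field) and UDP lines, i.e. the fields are:
#   $1 time  $2 IP  $3 src.port  $4 >  $5 dst.port:  $6 id[flags]  $7.. DNS summary
dns_summary() {
    awk '
    # host/port split on the last ".<digits>" so IPv4 and IPv6 both work
    function host(f,  i) { i = match(f, /\.[0-9]+$/); return substr(f, 1, i - 1) }
    function port(f,  i) { i = match(f, /\.[0-9]+$/); return substr(f, i + 1) }
    {
        src = $3; dst = $5; sub(/:$/, "", dst)
        id = $6; sub(/[^0-9]+$/, "", id)      # drop flag suffixes (+ for RD, etc.)
        if (port(dst) == "53") {              # client -> resolver: a query
            key = id ":" src                  # transaction id + client socket
            n++; order[n] = key
            client[key] = host(src)
            for (i = 7; i <= NF; i++)         # skip EDNS markers such as [1au]
                if ($i ~ /\?$/) { qtype[key] = substr($i, 1, length($i) - 1); name[key] = $(i + 1); break }
            status[key] = "unanswered"
        } else if (port(src) == "53") {       # resolver -> client: a response
            key = id ":" dst
            if ($7 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) { split($7, c, "/"); status[key] = c[1] " answer(s)" }
            else status[key] = $7             # rcode printed by name, e.g. NXDomain
        }
    }
    END { for (i = 1; i <= n; i++) { k = order[i]; print client[k], qtype[k], name[k], status[k] } }
    '
}

# Stand-alone run over the constructed sample (or: sudo tcpdump -nn -l udp port 53 | dns_summary)
printf '%s\n' "$SAMPLE_DNS_LOG" | dns_summary
```

Over the sample this prints one line per query: google.com. with 1 answer(s), example.com. as unanswered (a query with no reply is worth a second look; it may be a dropped packet or a resolver that silently refuses) and nxdomain.example. as NXDomain. When piping a live capture, tcpdump's -l flag line-buffers its output so the summary keeps up. The parser assumes UDP lines; DNS also runs over TCP port 53 (for answers too large for UDP and for zone transfers), and tcpdump prints those with the TCP header fields before the DNS summary, so they would need separate handling.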

And that’s it. Try it out and let us know if it works.
