How to see all DNS requests on the system?

On Linux, tools such as tcpdump, firejail, dnstop, and dnscap show which DNS requests the system sends and which answers come back. They see the queries on the wire; none of them tells you which process issued a particular query.

Almost any Linux system uses DNS to translate between hostnames and IP addresses. To find out which DNS requests (queries) are being made, there are multiple tools available. Knowing about these requests helps to understand which incoming and outgoing connections happen, or are required for the system to function properly. That can help in securing the system, or simply in troubleshooting an issue.

Tools and examples

Linux has many tools that can capture network traffic, and a few of them focus on DNS specifically. Let's cover some common options, including examples of their usage and the related output.

tcpdump

A common utility to look at network traffic is tcpdump. It has many options available, which makes it a useful tool for both troubleshooting and monitoring.

To use tcpdump, specify the network interface with the -i option. Not sure which interface to use? Run ip link to list them and use that name instead of enp1s0 in the example below. As we are interested in DNS requests, we filter on port 53, which captures both UDP and TCP. The -n option matters here: without it, tcpdump itself resolves the addresses it prints, and those reverse lookups would show up in your own capture.

Two caveats. If the system runs a local stub resolver (for example systemd-resolved, or a local dnsmasq or unbound instance), applications send their queries to that resolver over the loopback interface and only cache misses travel out over enp1s0; use -i any, or capture on lo as well, to see all of them. Encrypted DNS (DNS over TLS on port 853, DNS over HTTPS on port 443) does not match a port 53 filter at all.

# tcpdump -nnni enp1s0 port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:16:22.372195 IP 192.168.123.100.48758 > 192.168.123.1.53: 48112+ SRV? _http._tcp.security.debian.org. (48)
12:16:22.372657 IP 192.168.123.100.33065 > 192.168.123.1.53: 17391+ SRV? _http._tcp.deb.debian.org. (43)
12:16:22.372773 IP 192.168.123.1.53 > 192.168.123.100.33065: 17391 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (87)
12:16:22.372878 IP 192.168.123.100.50772 > 192.168.123.1.53: 38773+ A? debian.map.fastlydns.net. (42)
12:16:22.372882 IP 192.168.123.100.50772 > 192.168.123.1.53: 34164+ AAAA? debian.map.fastlydns.net. (42)
12:16:22.372908 IP 192.168.123.1.53 > 192.168.123.100.50772: 38773 1/0/0 A 151.101.38.132 (58)
12:16:22.372916 IP 192.168.123.1.53 > 192.168.123.100.50772: 34164 1/0/0 AAAA 2a04:4e42:9::644 (70)
12:16:22.374429 IP 192.168.123.1.53 > 192.168.123.100.48758: 48112 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (92)
12:16:22.374518 IP 192.168.123.100.57846 > 192.168.123.1.53: 56403+ A? debian.map.fastlydns.net. (42)
12:16:22.374523 IP 192.168.123.100.57846 > 192.168.123.1.53: 42324+ AAAA? debian.map.fastlydns.net. (42)
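The tcpdump output above is easy to post-process. The following shell script is an added example and not part of the original article: it reads tcpdump lines in the format shown above and produces a dnstop-style count per query type and name, plus a list of the DNS servers that actually received queries, so a query that bypasses the configured resolver stands out. The sample lines are constructed for the example (the query to 203.0.113.7 is added to show the resolver check), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise DNS requests from tcpdump "port 53" output (tcpdump run with -n).
# Only request lines are counted; they carry destination port 53 followed by "<id>+".

# Constructed sample in tcpdump's format. The second to last line sends a query to
# 203.0.113.7 instead of the configured resolver 192.168.123.1.
SAMPLE='12:16:22.372195 IP 192.168.123.100.48758 > 192.168.123.1.53: 48112+ SRV? _http._tcp.security.debian.org. (48)
12:16:22.372657 IP 192.168.123.100.33065 > 192.168.123.1.53: 17391+ SRV? _http._tcp.deb.debian.org. (43)
12:16:22.372773 IP 192.168.123.1.53 > 192.168.123.100.33065: 17391 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (87)
12:16:22.372878 IP 192.168.123.100.50772 > 192.168.123.1.53: 38773+ A? debian.map.fastlydns.net. (42)
12:16:22.372882 IP 192.168.123.100.50772 > 192.168.123.1.53: 34164+ AAAA? debian.map.fastlydns.net. (42)
12:16:22.372908 IP 192.168.123.1.53 > 192.168.123.100.50772: 38773 1/0/0 A 151.101.38.132 (58)
12:16:25.110021 IP 192.168.123.100.41222 > 203.0.113.7.53: 51001+ A? example.net. (29)
12:16:25.110044 IP 192.168.123.100.41223 > 192.168.123.1.53: 51002+ A? example.net. (29)'

# Count requests per query type and name, most frequent first.
dns_summary() {
  awk '
    /\.53: [0-9]+\+/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /\?$/) {                  # token like "A?" or "SRV?"
          qtype = substr($i, 1, length($i) - 1)
          qname = $(i + 1)
          sub(/\.$/, "", qname)            # drop the trailing dot of the FQDN
          count[qtype " " qname]++
          break
        }
      }
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Count requests per DNS server: the host after ">" on each request line.
# Locating ">" instead of using a fixed field keeps this working when tcpdump
# prints extra interface/direction columns (as it does with -i any).
dns_servers_used() {
  awk '
    /\.53: [0-9]+\+/ {
      for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
      sub(/\.53:$/, "", dst)               # "192.168.123.1.53:" -> "192.168.123.1"
      n[dst]++
    }
    END { for (s in n) print n[s], s }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Print servers other than the expected resolver ($1) that received queries.
dns_unexpected_servers() {
  dns_servers_used | awk -v ok="$1" '$2 != ok'
}

# Usage with the sample. For a live capture, record to a file first and replay it:
#   tcpdump -nni any -w dns.pcap port 53
#   tcpdump -nnr dns.pcap | dns_summary
printf '%s\n' "$SAMPLE" | dns_summary
printf '%s\n' "$SAMPLE" | dns_unexpected_servers 192.168.123.1
```

The sort runs with LC_ALL=C so that ties are ordered by plain byte value; in a UTF-8 locale the collation rules would otherwise ignore the space between the type and the name and reorder A and AAAA entries.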

Firejail

The firejail command is primarily intended for sandboxing, but it can also be used for some monitoring and inspecting. The output of its --dnstrace option is friendlier than that of tcpdump: one line per query, with the DNS server the query was sent to and the numeric query type. The types in the output below are 1 (A), 28 (AAAA), 12 (PTR, a reverse lookup), and 33 (SRV).

# firejail --dnstrace

DNS trace for Sun Dec 15 12:06:07 2024
12:06:13  192.168.123.1    google.com (type 1)
12:06:13  192.168.123.1    google.com (type 28)
12:06:13  192.168.123.1    110.39.251.142.in-addr.arpa (type 12)
12:06:14  192.168.123.1    110.39.251.142.in-addr.arpa (type 12)
12:06:16  192.168.123.1    _http._tcp.security.debian.org (type 33)
12:06:16  192.168.123.1    _http._tcp.deb.debian.org (type 33)
12:06:16  192.168.123.1    debian.map.fastlydns.net (type 28)
12:06:16  192.168.123.1    debian.map.fastlydns.net (type 1)

dnstop

One of the troubleshooting and monitoring tools focused on DNS is dnstop. It shows live counters of the DNS traffic on an interface, such as:

  • Requests by source or destination IP
  • Requests by TLD
  • Requests by domain name
  • Query types
  • Response codes

The -l option sets how many levels of the domain name are counted. With -l 3, the queries for debian.map.fastlydns.net are counted under map.fastlydns.net, as in the output below.

# dnstop enp1s0 -l 3
Queries: 0 new, 6 total

Query Name              Count      %   cum%
------------------- --------- ------ ------
map.fastlydns.net           4   66.7   66.7
deb.debian.org              1   16.7   83.3
security.debian.org         1   16.7  100.0

dnscap

An alternative tool to capture DNS requests is the dnscap utility. It also has a wide range of options; the -g option prints the decoded packets to the screen (use -w to write a pcap file instead). In the output, queries carry only the rd flag, while responses carry qr|rd|ra and are followed by the answer records.

# dnscap -g
[76] 2024-12-15 13:58:45.235064 [#0 enp1s0 4095] \
	[192.168.123.100].49956 [192.168.123.1].53  \
	dns QUERY,NOERROR,10127,rd \
	1 _http._tcp.security.debian.org.,IN,SRV 0 0 0
[71] 2024-12-15 13:58:45.235501 [#1 enp1s0 4095] \
	[192.168.123.100].46064 [192.168.123.1].53  \
	dns QUERY,NOERROR,27576,rd \
	1 _http._tcp.deb.debian.org.,IN,SRV 0 0 0
[115] 2024-12-15 13:58:45.235632 [#2 enp1s0 4095] \
	[192.168.123.1].53 [192.168.123.100].46064  \
	dns QUERY,NOERROR,27576,qr|rd|ra \
	1 _http._tcp.deb.debian.org.,IN,SRV \
	1 _http._tcp.deb.debian.org.,IN,SRV,112,[32] 0 0
[70] 2024-12-15 13:58:45.235726 [#3 enp1s0 4095] \
	[192.168.123.100].56351 [192.168.123.1].53  \
	dns QUERY,NOERROR,27217,rd \
	1 debian.map.fastlydns.net.,IN,A 0 0 0
[70] 2024-12-15 13:58:45.235730 [#4 enp1s0 4095] \
	[192.168.123.100].56351 [192.168.123.1].53  \
	dns QUERY,NOERROR,27986,rd \
	1 debian.map.fastlydns.net.,IN,AAAA 0 0 0
[86] 2024-12-15 13:58:45.235746 [#5 enp1s0 4095] \
	[192.168.123.1].53 [192.168.123.100].56351  \
	dns QUERY,NOERROR,27217,qr|rd|ra \
	1 debian.map.fastlydns.net.,IN,A \
	1 debian.map.fastlydns.net.,IN,A,112,151.101.38.132 0 0
[98] 2024-12-15 13:58:45.235761 [#6 enp1s0 4095] \
	[192.168.123.1].53 [192.168.123.100].56351  \
	dns QUERY,NOERROR,27986,qr|rd|ra \
	1 debian.map.fastlydns.net.,IN,AAAA \
	1 debian.map.fastlydns.net.,IN,AAAA,112,2a04:4e42:9::644 0 0

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.