How to see all DNS requests on the system?
On Linux you can use tools like dnstop, firejail, and tcpdump, to see which DNS requests are made by the system and their processes.
Almost any Linux system uses DNS to translate between hostnames and IP addresses. To find out which DNS requests or queries are being made, multiple tools are available. Learning about these requests is useful to better understand which incoming and outgoing connections happen, or are required for the system to function properly. It may help in securing your system, or simply in troubleshooting issues.
Tools and examples
Linux has many tools available that can help capture network traffic, with a few even focused on DNS itself. Let’s cover a few common options, including examples of their usage and the related output.
tcpdump
A common utility to see network traffic is tcpdump. It has many options available, making it a useful tool for troubleshooting and monitoring purposes.
To use tcpdump, specify the network interface using the -i option. Not sure which interface? Run ip link to list them, and use that name instead of enp1s0 in the example below. As we are interested in DNS requests, we filter on port 53, so that we capture both UDP and TCP. The -nnn options disable the resolution of addresses, ports and protocols, so tcpdump does not generate DNS lookups of its own while you are watching.
# tcpdump -nnni enp1s0 port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:16:22.372195 IP 192.168.123.100.48758 > 192.168.123.1.53: 48112+ SRV? _http._tcp.security.debian.org. (48)
12:16:22.372657 IP 192.168.123.100.33065 > 192.168.123.1.53: 17391+ SRV? _http._tcp.deb.debian.org. (43)
12:16:22.372773 IP 192.168.123.1.53 > 192.168.123.100.33065: 17391 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (87)
12:16:22.372878 IP 192.168.123.100.50772 > 192.168.123.1.53: 38773+ A? debian.map.fastlydns.net. (42)
12:16:22.372882 IP 192.168.123.100.50772 > 192.168.123.1.53: 34164+ AAAA? debian.map.fastlydns.net. (42)
12:16:22.372908 IP 192.168.123.1.53 > 192.168.123.100.50772: 38773 1/0/0 A 151.101.38.132 (58)
12:16:22.372916 IP 192.168.123.1.53 > 192.168.123.100.50772: 34164 1/0/0 AAAA 2a04:4e42:9::644 (70)
12:16:22.374429 IP 192.168.123.1.53 > 192.168.123.100.48758: 48112 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (92)
12:16:22.374518 IP 192.168.123.100.57846 > 192.168.123.1.53: 56403+ A? debian.map.fastlydns.net. (42)
12:16:22.374523 IP 192.168.123.100.57846 > 192.168.123.1.53: 42324+ AAAA? debian.map.fastlydns.net. (42)
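The same kind of summary that dnstop produces can be derived from tcpdump's text output. The script below is an added example and not part of the original article: it parses query lines in the format shown above (tcpdump -nnn ... port 53), skips responses, and counts queries by name, record type and querying client. The sample lines are constructed from the article's output; the regular expression assumes tcpdump's default one-line DNS format.

```python
import re
from collections import Counter

# tcpdump's one-line text form of a DNS query (from: tcpdump -nnn -i <if> port 53).
# Flags after the ID: "+" recursion desired, "%" EDNS0 present, "$" checking disabled.
QUERY_RE = re.compile(
    r"^(?P<time>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)[+%$]* (?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)

def parse_query(line):
    """Return the fields of a query line, or None for responses and non-DNS lines."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["qname"] = fields["qname"].rstrip(".").lower()  # drop the trailing root dot
    return fields

def trim_labels(name, levels):
    """Keep only the last `levels` labels, like dnstop -l (3 -> map.fastlydns.net)."""
    return ".".join(name.split(".")[-levels:]) if levels else name

def summarize(lines, levels=0):
    """Count queries by (trimmed) name, by record type and by querying client."""
    by_name, by_type, by_src = Counter(), Counter(), Counter()
    for line in lines:
        q = parse_query(line)
        if q is None:          # responses and other traffic are skipped
            continue
        by_name[trim_labels(q["qname"], levels)] += 1
        by_type[q["qtype"].upper()] += 1
        by_src[q["src"]] += 1
    return by_name, by_type, by_src

# Constructed sample modelled on the tcpdump output in this article (not captured traffic).
SAMPLE = """\
12:16:22.372195 IP 192.168.123.100.48758 > 192.168.123.1.53: 48112+ SRV? _http._tcp.security.debian.org. (48)
12:16:22.372657 IP 192.168.123.100.33065 > 192.168.123.1.53: 17391+ SRV? _http._tcp.deb.debian.org. (43)
12:16:22.372773 IP 192.168.123.1.53 > 192.168.123.100.33065: 17391 1/0/0 SRV debian.map.fastlydns.net.:80 10 1 (87)
12:16:22.372878 IP 192.168.123.100.50772 > 192.168.123.1.53: 38773+ A? debian.map.fastlydns.net. (42)
12:16:22.372882 IP 192.168.123.100.50772 > 192.168.123.1.53: 34164+ AAAA? debian.map.fastlydns.net. (42)
12:16:23.101200 IP 192.168.123.7.41000 > 192.168.123.1.53: 5120+% TXT? example.test. (30)
""".splitlines()

if __name__ == "__main__":
    # Replace SAMPLE with sys.stdin to read a live "tcpdump -nnnl -i <if> port 53" stream.
    for title, table in zip(("name", "type", "client"), summarize(SAMPLE, levels=3)):
        print(title, dict(table.most_common()))
```

With tcpdump's -l option (line-buffered output) the script can be fed from a pipe and run continuously.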
Firejail
The firejail command is primarily intended for sandboxing, but it can also be used for some monitoring and inspection. The output of its --dnstrace option is friendlier than that of tcpdump.
# firejail --dnstrace
DNS trace for Sun Dec 15 12:06:07 2024
12:06:13 192.168.123.1 google.com (type 1)
12:06:13 192.168.123.1 google.com (type 28)
12:06:13 192.168.123.1 110.39.251.142.in-addr.arpa (type 12)
12:06:14 192.168.123.1 110.39.251.142.in-addr.arpa (type 12)
12:06:16 192.168.123.1 _http._tcp.security.debian.org (type 33)
12:06:16 192.168.123.1 _http._tcp.deb.debian.org (type 33)
12:06:16 192.168.123.1 debian.map.fastlydns.net (type 28)
12:06:16 192.168.123.1 debian.map.fastlydns.net (type 1)
dnstop
One of the troubleshooting and monitoring tools focused on DNS is dnstop. It can provide various counters related to DNS requests, such as:
- Requests by source or destination IP
- Requests by TLD
- Requests by domain name
- Query types
- Response codes
# dnstop enp1s0 -l 3
Queries: 0 new, 6 total
Query Name              Count      %   cum%
------------------- --------- ------ ------
map.fastlydns.net           4   66.7   66.7
deb.debian.org              1   16.7   83.3
security.debian.org         1   16.7  100.0
dnscap
An alternative tool to capture DNS requests is the dnscap utility. It also has a wide range of options available and requires at least the -g option, which prints the captured packets to standard output.
# dnscap -g
[76] 2024-12-15 13:58:45.235064 [#0 enp1s0 4095] \
[192.168.123.100].49956 [192.168.123.1].53 \
dns QUERY,NOERROR,10127,rd \
1 _http._tcp.security.debian.org.,IN,SRV 0 0 0
[71] 2024-12-15 13:58:45.235501 [#1 enp1s0 4095] \
[192.168.123.100].46064 [192.168.123.1].53 \
dns QUERY,NOERROR,27576,rd \
1 _http._tcp.deb.debian.org.,IN,SRV 0 0 0
[115] 2024-12-15 13:58:45.235632 [#2 enp1s0 4095] \
[192.168.123.1].53 [192.168.123.100].46064 \
dns QUERY,NOERROR,27576,qr|rd|ra \
1 _http._tcp.deb.debian.org.,IN,SRV \
1 _http._tcp.deb.debian.org.,IN,SRV,112,[32] 0 0
[70] 2024-12-15 13:58:45.235726 [#3 enp1s0 4095] \
[192.168.123.100].56351 [192.168.123.1].53 \
dns QUERY,NOERROR,27217,rd \
1 debian.map.fastlydns.net.,IN,A 0 0 0
[70] 2024-12-15 13:58:45.235730 [#4 enp1s0 4095] \
[192.168.123.100].56351 [192.168.123.1].53 \
dns QUERY,NOERROR,27986,rd \
1 debian.map.fastlydns.net.,IN,AAAA 0 0 0
[86] 2024-12-15 13:58:45.235746 [#5 enp1s0 4095] \
[192.168.123.1].53 [192.168.123.100].56351 \
dns QUERY,NOERROR,27217,qr|rd|ra \
1 debian.map.fastlydns.net.,IN,A \
1 debian.map.fastlydns.net.,IN,A,112,151.101.38.132 0 0
[98] 2024-12-15 13:58:45.235761 [#6 enp1s0 4095] \
[192.168.123.1].53 [192.168.123.100].56351 \
dns QUERY,NOERROR,27986,qr|rd|ra \
1 debian.map.fastlydns.net.,IN,AAAA \
1 debian.map.fastlydns.net.,IN,AAAA,112,2a04:4e42:9::644 0 0