How can I see the response of the DNS requests that tcpdump is showing me?

domain-name-system tcpdump

I'm using tcpdump (for the first time) to try to debug a DNS issue:

tcpdump -n udp port 53

It gives me this output:

10:38:30.431467 IP a.b.c.d.56973 > 8.8.8.8.domain: 49179+ A? ocsp.sectigo.com. (34)
10:38:30.431476 IP a.b.c.d.56973 > 8.8.8.8.domain: 38519+ AAAA? ocsp.sectigo.com. (34)
10:40:52.556219 IP a.b.c.d.54185 > 8.8.4.4.domain: 12873+ A? ocsp.sectigo.com. (34)
10:40:52.556233 IP a.b.c.d.54185 > 8.8.4.4.domain: 60917+ AAAA? ocsp.sectigo.com. (34)

How can I view the responses, or the time that they took?


AFAIK Normally you should see incoming packets FROM port 53 of the name server in response to your DNS query. That fact that you don't, is telling and may be the root of your problem. Either the outgoing queries are blocked/discarded and never even make it to your DNS servers, or the responses don't make it back to you.

For me dig serverfault.com @8.8.8.8 generates a trace looking like this below:

12:06:42.664808 IP 10.9.8.107.46372 > 8.8.8.8.domain: 35406+ [1au] A? serverfault.com. (44)
12:06:42.666144 IP 8.8.8.8.domain > 10.9.8.107.46372: 35406 4/0/1 A 151.101.65.69, A 151.101.129.69, A 151.101.193.69, A 151.101.1.69 (108)

Related

Test virtual host configuration [closed]
RANCID, but for arbitrary server configuration files
Simple IP load balancer for web service that runs on Windows XP or Windows 7 Professional?
File base permissions are 666, why and is this a configurable value? [closed]
Forward localhost memcached server on port 12111 to domain.com memcached server
Is a web server required to run a mail server?
ubuntu distribution upgrade got corrupted [closed]
Traceroute: different results [closed]
Iptables rules sometimes are reset automatically
Associate elastic ip automatically to a amazon ec2 instance when the instance start
How can I setup a network connection with Puppet?
ESXi 5.1 ghettoVCB stuck at Clone: 10% done