Using Tcpdump to monitor DNS requests

Written by Peter Davies on .

If tcpdump is not already installed, install it with:

apt-get install tcpdump

Then run the tool, capturing only traffic sent to port 53 (DNS):

tcpdump -l -vvvv dst port 53

This prints a running list of queries like the one below. Because the filter is "dst port 53", only the outgoing queries are captured; the replies (which come back from port 53) are not shown:

12:11:04.141754 IP (tos 0x0, ttl 64, id 34042, offset 0, flags [DF], proto UDP (17), length 72) server.com.58167 > cachens1.lon.rackspace.com.domain: [bad udp cksum 7ba4!] 39673+ PTR? 32.207.254.54.in-addr.arpa. (44)
12:11:09.144608 IP (tos 0x0, ttl 64, id 34543, offset 0, flags [DF], proto UDP (17), length 72) server.com.41240 > cachens1.lon.rackspace.com.domain: [bad udp cksum ef82!] 414+ PTR? 80.151.138.83.in-addr.arpa. (44)
12:11:14.104750 IP (tos 0x0, ttl 64, id 35039, offset 0, flags [DF], proto UDP (17), length 71) server.com.58152 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2585!] 46234+ PTR? 52.56.46.202.in-addr.arpa. (43)
12:12:10.842800 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.54472 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2dae!] 59944+ A? . (17)
12:12:10.843088 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.51985 > cachens1.lon.rackspace.com.domain: [bad udp cksum cb0b!] 38466+ A? . (17)

Having monitored this on multiple machines, PTR queries like the ones above are quite common. One way to generate DNS queries for testing is to run apt-get update, which contacts the various repositories and uses DNS to look up their names.

Looking into the [bad udp cksum xx] warnings shows that they are a common occurrence on virtual/cloud servers.
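As an added example (not part of the original post), here is a small Python parser for the query lines shown above. It summarises query types, queried names and how many lines carry the checksum warning; the sample input is the five lines from the capture above, and the regex assumes that exact tcpdump verbose layout.

```python
import re
from collections import Counter

# Matches one query line as printed by "tcpdump -l -vvvv dst port 53" in the
# layout shown above (assumption: other tcpdump builds may print the IP header
# fields slightly differently and would need the first group adjusted).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?\) "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<resolver>\S+)\.domain: "
    r"(?:\[(?P<cksum>bad udp cksum \w+)!\] )?"
    r"(?P<qid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# The five query lines from the capture above, used here as sample input.
SAMPLE = """\
12:11:04.141754 IP (tos 0x0, ttl 64, id 34042, offset 0, flags [DF], proto UDP (17), length 72) server.com.58167 > cachens1.lon.rackspace.com.domain: [bad udp cksum 7ba4!] 39673+ PTR? 32.207.254.54.in-addr.arpa. (44)
12:11:09.144608 IP (tos 0x0, ttl 64, id 34543, offset 0, flags [DF], proto UDP (17), length 72) server.com.41240 > cachens1.lon.rackspace.com.domain: [bad udp cksum ef82!] 414+ PTR? 80.151.138.83.in-addr.arpa. (44)
12:11:14.104750 IP (tos 0x0, ttl 64, id 35039, offset 0, flags [DF], proto UDP (17), length 71) server.com.58152 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2585!] 46234+ PTR? 52.56.46.202.in-addr.arpa. (43)
12:12:10.842800 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.54472 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2dae!] 59944+ A? . (17)
12:12:10.843088 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.51985 > cachens1.lon.rackspace.com.domain: [bad udp cksum cb0b!] 38466+ A? . (17)
"""

def parse_query(line):
    """Return the fields of one DNS query line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # The checksum warning appears on nearly every line on many cloud VMs;
    # record it as a flag instead of treating the packet as corrupt.
    fields["bad_cksum"] = fields.pop("cksum") is not None
    return fields

def summarize(capture_text):
    """Count query types, names and checksum warnings over a whole capture."""
    queries = [q for q in map(parse_query, capture_text.splitlines()) if q]
    return {
        "total": len(queries),
        "by_type": Counter(q["qtype"] for q in queries),
        "bad_cksum": sum(q["bad_cksum"] for q in queries),
        # Queries for the bare root name ".", as in the last two lines above:
        # they name no host at all, so they are worth a second look.
        "root_queries": sum(q["qname"] == "." for q in queries),
        "top_names": Counter(q["qname"] for q in queries).most_common(3),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it on a live capture, pipe the tcpdump output into a file and pass its contents to summarize().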
