Using Tcpdump to monitor DNS requests
If tcpdump is not already installed, simply run this:
apt-get install tcpdump
Then run the tool, listening only on port 53 (DNS):
tcpdump -l -vvvv dst port 53
This will display a running list of queries like this:
12:11:04.141754 IP (tos 0x0, ttl 64, id 34042, offset 0, flags [DF], proto UDP (17), length 72) server.com.58167 > cachens1.lon.rackspace.com.domain: [bad udp cksum 7ba4!] 39673+ PTR? 32.207.254.54.in-addr.arpa. (44)
12:11:09.144608 IP (tos 0x0, ttl 64, id 34543, offset 0, flags [DF], proto UDP (17), length 72) server.com.41240 > cachens1.lon.rackspace.com.domain: [bad udp cksum ef82!] 414+ PTR? 80.151.138.83.in-addr.arpa. (44)
12:11:14.104750 IP (tos 0x0, ttl 64, id 35039, offset 0, flags [DF], proto UDP (17), length 71) server.com.58152 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2585!] 46234+ PTR? 52.56.46.202.in-addr.arpa. (43)
12:12:10.842800 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.54472 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2dae!] 59944+ A? . (17)
12:12:10.843088 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.51985 > cachens1.lon.rackspace.com.domain: [bad udp cksum cb0b!] 38466+ A? . (17)
Monitoring this on multiple machines shows that the above PTR queries are quite common. One way of testing DNS queries is to run the apt-get update command, which will contact various repos and use DNS to look up their names.
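An added example, not part of the original page: a small Python parser for the query lines shown above that extracts the query ID, type and name and turns each PTR name back into the IP address being looked up. The function names are this example's own; the sample records are copied from the capture above, with the first one re-wrapped onto two lines to show that continuation lines are handled.

```python
import ipaddress
import re
from collections import Counter

# Records copied from the capture above; the first is wrapped over two lines
# (layout constructed for this example) to exercise continuation handling.
SAMPLE = """\
12:11:04.141754 IP (tos 0x0, ttl 64, id 34042, offset 0, flags [DF], proto UDP (17), length 72)
    server.com.58167 > cachens1.lon.rackspace.com.domain: [bad udp cksum 7ba4!] 39673+ PTR? 32.207.254.54.in-addr.arpa. (44)
12:11:14.104750 IP (tos 0x0, ttl 64, id 35039, offset 0, flags [DF], proto UDP (17), length 71) server.com.58152 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2585!] 46234+ PTR? 52.56.46.202.in-addr.arpa. (43)
12:12:10.842800 IP (tos 0x0, ttl 64, id 40712, offset 0, flags [DF], proto UDP (17), length 45) server.com.54472 > cachens1.lon.rackspace.com.domain: [bad udp cksum 2dae!] 59944+ A? . (17)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?\)\s+(?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<resolver>\S+)\.(?:domain|53): .*?(?P<qid>\d+)[+%]* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

def join_records(lines):
    """Glue indented continuation lines onto the record they belong to."""
    records = []
    for line in lines:
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.strip())
    return records

def ptr_target(qname):
    """Return the IPv4 address an in-addr.arpa name asks about, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    except ipaddress.AddressValueError:
        return None

def parse_queries(text):
    """Parse tcpdump DNS query records into dicts; other lines are skipped."""
    queries = [m.groupdict() for m in map(QUERY_RE.match, join_records(text.splitlines())) if m]
    for q in queries:
        q["ptr_ip"] = ptr_target(q["qname"]) if q["qtype"] == "PTR" else None
    return queries

def summarize(queries):
    """Count queries per (type, looked-up IP or name)."""
    return Counter((q["qtype"], q["ptr_ip"] or q["qname"]) for q in queries)
```

Calling summarize(parse_queries(text)) on saved tcpdump output gives a per-target count, which makes repeated reverse lookups or the bare root (".") A queries easy to spot.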
Analysis of the [bad udp cksum xx] warning reveals that this is a common issue with virtual/cloud servers.