how to monitor traffic at port 53 (DNS)
Solution 1
You can use this command:

tcpdump -n -s 1500 -i eth0 udp port 53

(Replace 'eth0' with the name of your ethernet interface, e.g. 'fxp0'.) This shows all packets going in and out of your machine for UDP port 53 (DNS).

Source: DNS exercise 1
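The command above still prints one line per packet, which is the volume problem the asker mentions in the comments. The script below is an added example, not part of the answer: it reads tcpdump's `-n` one-line DNS summaries (the constructed sample uses RFC 5737 documentation addresses, with 192.0.2.1 standing in for the resolver) and aggregates them into who asked what, which record types were requested, and how many answers came back as errors, so the interesting clients stand out without grepping. The line format it assumes is the standard tcpdump DNS decode shown in the sample; any other output (ARP, TCP handshakes, truncated lines) is counted as unparsed rather than dropped silently.

```python
import re
from collections import Counter

# Constructed sample of the lines `tcpdump -n -s 1500 -i eth0 udp port 53` prints for a
# handful of queries and answers. Addresses are RFC 5737 documentation ranges, not real
# hosts; 192.0.2.1 plays the resolver.
TCPDUMP_OUTPUT = """\
13:02:11.104512 IP 192.0.2.10.40512 > 192.0.2.1.53: 51234+ A? www.example.com. (33)
13:02:11.105001 IP 192.0.2.1.53 > 192.0.2.10.40512: 51234 1/0/0 A 93.184.216.34 (49)
13:02:11.210033 IP 192.0.2.11.55102 > 192.0.2.1.53: 7+ AAAA? www.example.com. (33)
13:02:11.210700 IP 192.0.2.1.53 > 192.0.2.11.55102: 7 0/1/0 (88)
13:02:12.000120 IP 198.51.100.7.33000 > 192.0.2.1.53: 2001+ TXT? example.net. (29)
13:02:12.000900 IP 192.0.2.1.53 > 198.51.100.7.33000: 2001 NXDomain 0/1/0 (105)
13:02:12.500001 IP 192.0.2.10.40513 > 192.0.2.1.53: 51235+ [1au] MX? example.com. (40)
"""

# Common prefix: timestamp, src.port > dst.port, DNS transaction id and tcpdump's flag
# characters (+ for recursion desired, * for authoritative answer, and so on).
ENDPOINTS = (
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+*$%|-]*) "
)
# A query line carries "<TYPE>? <name>" (optionally after an EDNS marker like "[1au]");
# an answer carries "<answers>/<authority>/<additional>" counts, optionally preceded by an
# error code such as NXDomain or ServFail.
QUERY_RE = re.compile(ENDPOINTS + r"(?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$")
ANSWER_RE = re.compile(ENDPOINTS + r"(?:(?P<rcode>NXDomain|ServFail|Refused) )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


def parse_line(line):
    """Return ("query", fields), ("answer", fields) or None for a line that is not a DNS decode."""
    m = QUERY_RE.match(line)
    if m:
        return "query", m.groupdict()
    m = ANSWER_RE.match(line)
    if m:
        return "answer", m.groupdict()
    return None


def summarize(text, server_port="53"):
    """Aggregate who is asking what; direction relative to server_port separates queries from answers."""
    report = {
        "queries_by_client": Counter(),
        "qtypes": Counter(),
        "names": Counter(),
        "answers": 0,
        "errors": Counter(),   # rcode -> count; a burst of NXDomain usually means a typo, a stale config or probing
        "unparsed": 0,
    }
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            report["unparsed"] += 1
            continue
        kind, f = parsed
        if kind == "query" and f["dport"] == server_port:
            report["queries_by_client"][f["src"]] += 1
            report["qtypes"][f["qtype"]] += 1
            report["names"][f["qname"].rstrip(".")] += 1
        elif kind == "answer" and f["sport"] == server_port:
            report["answers"] += 1
            if f["rcode"]:
                report["errors"][f["rcode"]] += 1
    return report


def queries_from(text, client):
    """The narrowed view the comments ask for: only the query lines one host sent."""
    return [line for line in text.splitlines()
            if (p := parse_line(line)) and p[0] == "query" and p[1]["src"] == client]


if __name__ == "__main__":
    r = summarize(TCPDUMP_OUTPUT)
    for client, n in r["queries_by_client"].most_common():
        print(f"{client:16} {n} queries")
    print("qtypes:", dict(r["qtypes"]), "errors:", dict(r["errors"]), "unparsed:", r["unparsed"])
```

To use it on a live box, pipe tcpdump into the script's stdin (for example `tcpdump -l -n -i xen-br0 port 53 | python3 this_script.py` with `text = sys.stdin.read()` in place of the constant); `-l` makes tcpdump line-buffer so the pipe does not stall. Querying `port 53` rather than `udp port 53` also catches TCP queries, which matters for large answers and zone transfers.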
Solution 2
If you only want to see who is talking with whom on port udp/tcp 53, without needing the detailed payload of those conversations, your best bet is to use netflow.
I would dare to guess that you are using Linux. If so, you could use ulogd to generate the netflow information from the traffic you are receiving and then process it using nfdump (if you are command-line oriented) and/or nfsen (if you are more of the visual type) (nfdump/nfsen are part of the same open-source project).
As an example, ulogd is enabled with only one iptables rule:
-A INPUT -j ULOG --ulog-cprange 48 --ulog-qthreshold 50
and having fprobe-ulog running so each and every flow generated by ulogd goes to the netflow collector (in this case nfdump) listening on the port you have configured nfdump to listen for (in this case port 9995):
29040 ? Ssl 65:55 /usr/sbin/fprobe-ulog -Xeth0:100 localhost:9995
So if you want to know who has been trying to talk to your server on port udp/tcp 53, you could query your flows using nfdump:
root@my_machine:/usr/local/nfdump/bin/nfdump -R 2011 'dst port 53 && dst ip XXX.XXX.212.184' | more
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2011-01-07 06:23:28.031 0.000 UDP 200.80.42.244:54 -> XXX.XXX.212.184:53 1 63 1
2011-01-07 20:34:07.287 0.000 UDP 38.229.1.72:42196 -> XXX.XXX.212.184:53 1 119 1
2011-01-08 04:29:53.287 0.000 UDP 194.199.24.101:45274 -> XXX.XXX.212.184:53 1 57 1
2011-01-28 08:47:45.171 0.000 UDP 38.229.1.72:42914 -> XXX.XXX.212.184:53 1 119 1
2011-02-18 04:56:48.359 22.335 UDP 200.186.243.203:60808 -> XXX.XXX.212.184:53 3 211 1
2011-02-18 04:57:07.363 9.026 TCP 200.186.243.203:60970 -> XXX.XXX.212.184:53 3 144 1
2011-02-18 04:58:48.845 2.389 UDP 200.186.243.203:60808 -> XXX.XXX.212.184:53 2 116 1
2011-02-18 04:58:48.844 8.385 TCP 200.186.243.203:61051 -> XXX.XXX.212.184:53 3 144 1
2011-02-18 04:59:00.829 32.490 UDP 200.146.126.135:39171 -> XXX.XXX.212.184:53 5 339 1
2011-02-18 04:59:22.738 9.132 TCP 200.146.126.135:57213 -> XXX.XXX.212.184:53 3 152 1
...
...
...
Summary: total flows: 310, total bytes: 47456, total packets: 839, avg bps: 0, avg pps: 0, avg bpp: 56
Time window: 2011-01-07 06:23:28 - 2011-03-03 05:57:55
Total flows processed: 3087449, Blocks skipped: 0, Bytes read: 161058180
Sys: 0.966s flows/second: 3193300.5 Wall: 0.854s flows/second: 3611887.9
For the specific issue you are describing, installing ulogd and nfdump/nfsen may sound like overkill, but experience tells me that having your infrastructure netflow-enabled will greatly help you in any kind of traffic/security troubleshooting you may need to do in the future, so it may very well be worth the effort.
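nfdump already answers the question with its own aggregation options, but the flow rows above are also easy to post-process when you want a custom view. The script below is an added example, not code from the answer or from the nfdump project: it parses nfdump's default line output (the sample input is the rows shown above, copied as-is, with the answer's own XXX.XXX masking left in place, plus the header and Summary lines the parser must skip) and reports per-source flow and byte counts, the UDP/TCP split, and which sources used TCP to reach port 53. The assumption is that column order matches the header line above.

```python
import re
from collections import Counter

# Sample input: the flow rows from the nfdump run above, copied verbatim (XXX.XXX is the
# answer's own masking of the server address), plus the header and summary lines that a
# real run prints and the parser has to skip.
NFDUMP_OUTPUT = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2011-01-07 06:23:28.031 0.000 UDP 200.80.42.244:54 -> XXX.XXX.212.184:53 1 63 1
2011-01-07 20:34:07.287 0.000 UDP 38.229.1.72:42196 -> XXX.XXX.212.184:53 1 119 1
2011-01-08 04:29:53.287 0.000 UDP 194.199.24.101:45274 -> XXX.XXX.212.184:53 1 57 1
2011-01-28 08:47:45.171 0.000 UDP 38.229.1.72:42914 -> XXX.XXX.212.184:53 1 119 1
2011-02-18 04:56:48.359 22.335 UDP 200.186.243.203:60808 -> XXX.XXX.212.184:53 3 211 1
2011-02-18 04:57:07.363 9.026 TCP 200.186.243.203:60970 -> XXX.XXX.212.184:53 3 144 1
2011-02-18 04:58:48.845 2.389 UDP 200.186.243.203:60808 -> XXX.XXX.212.184:53 2 116 1
2011-02-18 04:58:48.844 8.385 TCP 200.186.243.203:61051 -> XXX.XXX.212.184:53 3 144 1
2011-02-18 04:59:00.829 32.490 UDP 200.146.126.135:39171 -> XXX.XXX.212.184:53 5 339 1
2011-02-18 04:59:22.738 9.132 TCP 200.146.126.135:57213 -> XXX.XXX.212.184:53 3 152 1
Summary: total flows: 310, total bytes: 47456, total packets: 839, avg bps: 0, avg pps: 0, avg bpp: 56
"""

# One flow row in nfdump's default line format; the header, "..." and Summary lines do not match.
FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<duration>[\d.]+)\s+"
    r"(?P<proto>[A-Z]+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_flows(text):
    """Turn nfdump line output into a list of flow records with numeric counters."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        for key in ("packets", "bytes", "flows"):
            r[key] = int(r[key])
        r["duration"] = float(r["duration"])
        records.append(r)
    return records


def summarize(records, port="53"):
    """Who talked to the given destination port, how much, and over which transport."""
    to_port = [r for r in records if r["dport"] == port]
    by_source, by_proto, bytes_by_source = Counter(), Counter(), Counter()
    tcp_sources = set()
    for r in to_port:
        by_source[r["src"]] += r["flows"]
        by_proto[r["proto"]] += r["flows"]
        bytes_by_source[r["src"]] += r["bytes"]
        if r["proto"] == "TCP":
            tcp_sources.add(r["src"])
    packets = sum(r["packets"] for r in to_port)
    total_bytes = sum(r["bytes"] for r in to_port)
    return {
        "total_flows": sum(r["flows"] for r in to_port),
        "total_packets": packets,
        "total_bytes": total_bytes,
        "avg_bpp": total_bytes // packets if packets else 0,   # same quantity as nfdump's "avg bpp"
        "by_source": by_source,
        "by_proto": by_proto,
        "bytes_by_source": bytes_by_source,
        # Ordinary resolvers use UDP; TCP to port 53 is mostly zone transfers or retries after
        # truncated answers, so these sources deserve a second look on an authoritative server.
        "tcp_sources": tcp_sources,
    }


if __name__ == "__main__":
    s = summarize(parse_flows(NFDUMP_OUTPUT))
    print(f"{s['total_flows']} flows, {s['total_packets']} packets, {s['total_bytes']} bytes, avg bpp {s['avg_bpp']}")
    for src, n in s["by_source"].most_common(5):
        print(f"{src:18} {n:3} flows {s['bytes_by_source'][src]:6} bytes")
    print("UDP/TCP split:", dict(s["by_proto"]))
    print("TCP to port 53 from:", sorted(s["tcp_sources"]))
```

On the ten rows shown above, this yields 10 flows, 23 packets and 1464 bytes, with 200.186.243.203 the busiest source (4 flows) and two sources using TCP. For the full dataset you would feed it `nfdump -R 2011 -o line 'dst port 53 && dst ip <server>'` output instead of the constant.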
jarzyn
Updated on September 17, 2022
Comments
-
jarzyn, almost 2 years ago:
I am a bit confused with the abundant tcpdump tutorials on the internet. I have a few virtual machines running on a virtualization server, where I am debugging a problem. Port 53 is the one with the problem. I have a bridged setup where, out of 4 LAN cards on the machine in question, one is active, and it is xen-br0. I want to check if there is any request coming in on port 53 on the server from other machines on the LAN in question. I also want to see if the guest operating systems on the LAN or any other machine are sending traffic to port 53. Due to the abundant messages being generated via tcpdump, I am finding it difficult to grep the output for the desired port.
So how can I use it? If someone can give an example, that would be helpful. Thanks in advance.
-
jarzyn, over 13 years ago:
Your suggestion is good, I will try it out. But the machine where I want to use it is a non-GUI server which is accessed over SSH. I am trying to debug an issue with our Apache reverse proxy where the vhosts are querying the DNS, which is itself proxied. So I want to know the use of tcpdump. I have been very confused with the tcpdump tutorials on the net.
-
jarzyn, over 13 years ago:
Thanks for your tip. It solved my problem. I just have one more doubt: you used 1500, what is that used for? I read the man page for the -s option but I could not understand this option.
-
Guido van Brakel, over 13 years ago:
That's for reading the whole packet (otherwise tcpdump only reads the headers).