how to monitor traffic at port 53 (DNS)


Solution 1

You can use this command:

tcpdump -n -s 1500 -i eth0 udp port 53

(Replace 'eth0' with the name of your ethernet interface, e.g. 'fxp0'.) This shows all packets going in and out of your machine for UDP port 53 (DNS).

Source: DNS exercise 1
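Once the snaplen covers the whole packet, the interesting part of each capture is the DNS message carried after the IP and UDP headers. The decoder below is an added example, not code from the answer above: it parses the header, question and answer sections of a DNS message from its wire format, follows name compression pointers safely (bounded, loop-detecting), and shows both sides of the exchange by also building the query the client would have sent. The sample response bytes and the `example.com` / `93.184.216.34` values are constructed for the example. Two caveats on the filter in the answer: `udp port 53` matches only UDP, so DNS over TCP (zone transfers, responses too large for UDP) needs `port 53` instead, and a DNS message read from a TCP stream carries a two-byte length prefix before the bytes this parser expects.

```python
import struct

# Constructed sample: the UDP payload of a DNS response for "example.com" (A 93.184.216.34),
# i.e. what remains after tcpdump's IP/UDP headers when the snaplen covers the whole packet.
# The answer's owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"              # id, flags (QR|RD|RA), qd=1, an=1, ns=0, ar=0
    "07 6578616d706c65 03 636f6d 00 0001 0001"   # question: example.com, type A, class IN
    "c00c 0001 0001 0000012c 0004 5db8d822"      # answer: ptr->name, A, IN, ttl 300, 4-byte rdata
)


def _unpack(fmt, msg, offset):
    """struct.unpack with an explicit bounds check; returns (fields, new_offset)."""
    size = struct.calcsize(fmt)
    if offset + size > len(msg):
        raise ValueError("truncated message")
    return struct.unpack(fmt, msg[offset:offset + size]), offset + size


def _read_name(msg, offset):
    """Decode a possibly compressed domain name starting at `offset`.
    Returns (name, offset just past the name in the enclosing record)."""
    labels, seen, end = [], set(), None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            (raw,), _ = _unpack("!H", msg, offset)
            pointer = raw & 0x3FFF
            if pointer in seen:                        # reject pointer loops
                raise ValueError("compression loop")
            seen.add(pointer)
            if end is None:                            # the name ends after the first pointer
                end = offset + 2
            offset = pointer
            continue
        if length > 63:                                # 0x40/0x80 prefixes are reserved
            raise ValueError("bad label length")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return (".".join(labels) if labels else "."), (end if end is not None else offset)


def parse_dns(payload):
    """Parse the header, question and answer sections of a DNS message."""
    (txid, flags, qd, an, _ns, _ar), off = _unpack("!6H", payload, 0)
    msg = {"id": txid, "is_response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
           "questions": [], "answers": []}
    for _ in range(qd):
        name, off = _read_name(payload, off)
        (qtype, qclass), off = _unpack("!HH", payload, off)
        msg["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(payload, off)
        (rtype, _rclass, ttl, rdlen), off = _unpack("!HHIH", payload, off)
        if off + rdlen > len(payload):
            raise ValueError("truncated rdata")
        rdata = payload[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                  # A record: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                      # NS, CNAME, PTR: rdata is a name
            value, _ = _read_name(payload, off)
        else:
            value = rdata.hex()
        off += rdlen
        msg["answers"].append((name, rtype, ttl, value))
    return msg


def build_query(name, qtype=1, txid=0x1234):
    """Encode the standard recursive query a stub resolver would send (constructed helper)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)     # flags: RD only
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    print(parse_dns(build_query("example.com")))
    print(parse_dns(SAMPLE_RESPONSE))
```

Feed it the UDP payload from a capture saved with `tcpdump -w` (or any other pcap reader) and the question list tells you which names each host on the LAN is resolving, which is what the original question was after.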

Solution 2

If you only want to see who is talking with whom on port udp/tcp 53, without needing the detailed payload of such conversations, your best bet is to use netflow.

I would dare to guess that you are using Linux. If so, you could use ulogd to generate the netflow information from the traffic you are receiving and then process it using nfdump (if you are command-line oriented) and/or nfsen (if you are more of the visual type); nfdump/nfsen are part of the same open-source project.

As an example, ulogd is enabled with only one iptables rule:

-A INPUT -j ULOG --ulog-cprange 48 --ulog-qthreshold 50

and having fprobe-ulog running so that each and every flow generated by ulogd goes to the netflow collector (in this case nfdump) listening on the port you have configured nfdump to listen on (in this case port 9995):

29040 ?        Ssl   65:55 /usr/sbin/fprobe-ulog -Xeth0:100 localhost:9995

So if you want to know who has been trying to talk to your server on port udp/tcp 53, you could query your flows using nfdump:

root@my_machine:/usr/local/nfdump/bin/nfdump -R 2011 'dst port 53 && dst ip  XXX.XXX.212.184' | more
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-01-07 06:23:28.031     0.000 UDP      200.80.42.244:54    ->  XXX.XXX.212.184:53           1       63     1
2011-01-07 20:34:07.287     0.000 UDP        38.229.1.72:42196 ->  XXX.XXX.212.184:53           1      119     1
2011-01-08 04:29:53.287     0.000 UDP     194.199.24.101:45274 ->  XXX.XXX.212.184:53           1       57     1
2011-01-28 08:47:45.171     0.000 UDP        38.229.1.72:42914 ->  XXX.XXX.212.184:53           1      119     1
2011-02-18 04:56:48.359    22.335 UDP    200.186.243.203:60808 ->  XXX.XXX.212.184:53           3      211     1
2011-02-18 04:57:07.363     9.026 TCP    200.186.243.203:60970 ->  XXX.XXX.212.184:53           3      144     1
2011-02-18 04:58:48.845     2.389 UDP    200.186.243.203:60808 ->  XXX.XXX.212.184:53           2      116     1
2011-02-18 04:58:48.844     8.385 TCP    200.186.243.203:61051 ->  XXX.XXX.212.184:53           3      144     1
2011-02-18 04:59:00.829    32.490 UDP    200.146.126.135:39171 ->  XXX.XXX.212.184:53           5      339     1
2011-02-18 04:59:22.738     9.132 TCP    200.146.126.135:57213 ->  XXX.XXX.212.184:53           3      152     1
...
...
...
Summary: total flows: 310, total bytes: 47456, total packets: 839, avg bps: 0, avg pps: 0, avg bpp: 56
Time window: 2011-01-07 06:23:28 - 2011-03-03 05:57:55
Total flows processed: 3087449, Blocks skipped: 0, Bytes read: 161058180
Sys: 0.966s flows/second: 3193300.5  Wall: 0.854s flows/second: 3611887.9

For this specific issue you are describing, installing ulogd and nfdump/nfsen may sound like overkill, but experience tells me that having your infrastructure netflow-enabled will greatly help you in any kind of traffic/security troubleshooting you may need to do in the future, so it may very well be worth the effort.
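The nfdump query in the answer above prints one line per flow; the next step a practitioner usually wants is to turn that listing into "who talked to my resolver, how much, and over which transport". The script below is an added example, not part of the answer or of the nfdump project: it parses nfdump's default line format as shown above, skips the header and summary lines, aggregates per source address, and flags sources that reached port 53 over TCP (zone-transfer attempts and retries after truncated UDP answers look like this). The sample lines are taken from the answer's own output, including its masked `XXX.XXX.212.184` destination; nfdump prints large counters with K/M/G suffixes, and the decimal scaling used for those is an assumption. Two caveats on the setup itself: the iptables rule above sits only in the INPUT chain, so only inbound flows are exported, and on current kernels the ULOG target has been superseded by NFLOG, so a new deployment would use that instead.

```python
import re

# Sample taken from the nfdump output shown in the answer (header, flows, summary line).
SAMPLE = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2011-01-07 06:23:28.031     0.000 UDP      200.80.42.244:54    ->  XXX.XXX.212.184:53           1       63     1
2011-01-07 20:34:07.287     0.000 UDP        38.229.1.72:42196 ->  XXX.XXX.212.184:53           1      119     1
2011-01-28 08:47:45.171     0.000 UDP        38.229.1.72:42914 ->  XXX.XXX.212.184:53           1      119     1
2011-02-18 04:56:48.359    22.335 UDP    200.186.243.203:60808 ->  XXX.XXX.212.184:53           3      211     1
2011-02-18 04:57:07.363     9.026 TCP    200.186.243.203:60970 ->  XXX.XXX.212.184:53           3      144     1
Summary: total flows: 310, total bytes: 47456, total packets: 839, avg bps: 0, avg pps: 0, avg bpp: 56
"""

# One nfdump default-format flow line. Counters may carry a scale suffix ("1.2 M").
LINE_RE = re.compile(
    r"^(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<duration>\d+\.\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<packets>[\d.]+(?: [KMG])?)\s+(?P<bytes>[\d.]+(?: [KMG])?)\s+(?P<flows>\d+)\s*$"
)

# Assumption: nfdump's K/M/G suffixes scale by powers of 1000.
_SCALE = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _scaled(field):
    """Turn '63' or '1.2 M' into an integer counter."""
    parts = field.split()
    value = float(parts[0])
    if len(parts) == 2:
        value *= _SCALE[parts[1]]
    return int(round(value))


def parse_nfdump(text):
    """Parse nfdump line output into flow records; non-flow lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # header, summary, blank and "..." lines
            continue
        records.append({
            "start": m["start"], "duration": float(m["duration"]),
            "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "packets": _scaled(m["packets"]), "bytes": _scaled(m["bytes"]),
            "flows": int(m["flows"]),
        })
    return records


def summarize_sources(records, dport=53):
    """Aggregate flows to `dport` per source address, busiest (by packets) first."""
    per_src = {}
    for r in records:
        if r["dport"] != dport:
            continue
        s = per_src.setdefault(r["src"], {"flows": 0, "packets": 0, "bytes": 0,
                                          "protos": set(), "first": r["start"],
                                          "last": r["start"]})
        s["flows"] += r["flows"]
        s["packets"] += r["packets"]
        s["bytes"] += r["bytes"]
        s["protos"].add(r["proto"])
        s["first"] = min(s["first"], r["start"])   # ISO timestamps sort lexically
        s["last"] = max(s["last"], r["start"])
    return sorted(per_src.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))


def tcp_sources(records, dport=53):
    """Sources that used TCP to reach `dport`: worth a second look on a resolver."""
    return {r["src"] for r in records if r["dport"] == dport and r["proto"] == "TCP"}


if __name__ == "__main__":
    flows = parse_nfdump(SAMPLE)
    for src, s in summarize_sources(flows):
        print(f"{src:18} flows={s['flows']} pkts={s['packets']} bytes={s['bytes']} "
              f"protos={sorted(s['protos'])} first={s['first']} last={s['last']}")
    print("TCP to port 53 from:", sorted(tcp_sources(flows)))
```

Pipe the real listing in (`nfdump -R ... 'dst port 53' | python3 this_script.py` with `SAMPLE` replaced by `sys.stdin.read()`) and the per-source table is the "who is sending traffic to port 53" view the question asked for, without capturing any payload.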


Author: jarzyn

Updated on September 17, 2022

Comments

  • jarzyn (almost 2 years ago)

    I am a bit confused by the abundant tcpdump tutorials on the internet. I have a few virtual machines running on a virtualization server, where I am debugging a problem. Port 53 is the one with the problem. I have a bridged setup where, out of 4 LAN cards on the machine in question, one is active and it is xen-br0. I want to check if there is any request coming in on port 53 on the server from other machines on the LAN in question. I also want to see if the guest operating systems on the LAN or any other machine are sending traffic to port 53. Due to the abundant messages being generated via tcpdump I am finding it difficult to grep the output for the desired port.

    So how can I use it? If someone can give an example, that would be helpful. Thanks in advance.

  • jarzyn (over 13 years ago)
    Your suggestion is good; I will try it out. But the machine where I want to use it is a non-GUI server which is on SSH access. I am trying to debug an issue with our Apache Reverse Proxy where the vhosts are querying the DNS, which is itself proxied. So I want to know the use of tcpdump. I have been very confused by the tcpdump tutorials on the net.
  • jarzyn (over 13 years ago)
    Thanks for your tip. It solved my problem. I just have one more doubt: you used 1500, what is that used for? I read the man page for the -s option but I could not understand this option.
  • Guido van Brakel (over 13 years ago)
    That's for reading the whole packet (otherwise tcpdump only reads the headers)