 |
STAY ON TOP OF YOUR DNS TRAFFIC
dnsdump is a Perl script that captures and displays DNS messages on your network. Think of it as an alternative to running tcpdump port domain. You can control dnsdump's output using a printf-like format string.
Get The Code
You can download the latest version of dnsdump here.
dnsdump requires the following usually-not-installed-by-default Perl modules:
- Net::Pcap
- Net::Packet
- Net::DNS
Usage
dnsdump -i ifname [-q] [-a] "%field %field ..."
dnsdump -r savefile [-q] [-a] "%field %field ..."
Either the -i ifname or -r savefile command line argument is required. If you don't know the name of your network interface, use netstat -i or ifconfig -a to see a list.
The -q option instructs dnsdump to print only queries. Similarly, the -a option prints only answers (replies).
dnsdump prints the fields that you specify in the format string. The fields and their meanings are:
| Field | Description |
|---|---|
| time | Time that the packet was received |
| src | Source IP address |
| dst | Destination IP address |
| sport | Source port |
| dport | Destination port |
| id | Query ID |
| qr | Query or Response (Query = 0, Response = 1) |
| opcode | Opcode (QUERY, NOTIFY, UPDATE, etc) |
| rcode | Response code (NOERROR, NXDOMAIN, REFUSED, etc) |
| aa | Authoritative Answer bit |
| tc | Truncation bit |
| rd | Recursion Desired bit |
| ra | Recrusion Available bit |
| ad | Authenticated Data bit |
| qcount | Count of records in the Question section |
| ancount | Count of records in the Answer section |
| nscount | Count of records in the Authority section |
| adcount | Count of records in the Additional section |
| qname | Query Name (first Question only) |
| qtype | Query Type (first Question only) |
| ans | List of Answers (short form) |
| auth | List of Authority records (short form) |
| addl | List of Additional records (short form) |
| question | List of Questions (long form) |
| answer | List of Answers (long form) |
| authority | List of Authority records (long form) |
| additional | List of Additional records (long form) |
Note that the format string may include literal text as well.
You may control the width of fields (in the style of printf) by inserting numbers between the "%" and field name. For example:
%5id %16src %-5dport
The question/answer/authority/additional fields often contain multiple resource records. To assist with parsing (both by humans and machines) you may tell dnsdump to print delimiters around individual RRs. To do so, add parentheses, brackets, braces, or angle brackets around the field name. For example:
%{question}
%[answer]
%<addl>
Examples
Here are some typical ways to run dnsdump:
# dnsdump -i fxp0 "%time %src %dst %qtype? %qname %ans"
# dnsdump -i eth0 "%src:%sport > %dst:%dport %question %answer"
If you want the IP address and port fields to always line up, you might use:
# dnsdump -i eth0 \ "%16src:%-5sport %16dst:%-5dport %question %answer"
You can label fields with literal text in the format string: you might use:
# dnsdump -i em0 \ "%05id aa=%aa tc=%tc rd=%rd ra=%ra " \ QUERY: %qtype %qname ANSWERS: %[answer]"
Bugs
dnsdump does not support DNS over TCP at this time.
License
dnsdump is licensed under the BSD license.
Author
dnsdump is written and maintained by Duane Wessels of The Measurement Factory. Please send bug reports and other feedback to wessels at measurement dash factory dot com.
© 2020 The Measurement Factory.