🚜Testing Local DNS with dig, dnstop, & tcpdump on a SD-WAN edge | A Comprehensive Guide👷🏽

Learn How to Test DNS Servers with Dig, Dnstop, & Tcpdump on SD-WAN

DNS (Domain Name System) is a crucial component in any network, translating human-readable domain names into IP addresses so that devices can communicate. Ensuring your DNS server is functioning correctly is essential for a reliable network experience, and various tools can help test and troubleshoot DNS configurations. In this article, we’ll explore how to use dig to test a local DNS server, how to use dnstop to verify that network devices are using DNS properly, and how to employ tcpdump to validate DNS requests.

Using Dig to Test a Local DNS Server

The dig (Domain Information Groper) command is a powerful tool to query DNS servers and verify DNS resolution. You can use dig to send DNS queries directly to your local DNS server, ensuring it responds correctly and resolves domain names as expected. It is installed from the dnsutils package on Debian.

Steps to Test Local DNS with Dig:

  1. Query a Domain: To check if your local DNS server is resolving a domain correctly, run the following command:

     dig @localhost fusionsdwan.co.za

    In this command:

    • @localhost specifies that you are querying your local DNS server.

    • fusionsdwan.co.za is the domain name you are querying. You can replace this with any domain you wish to test.

    The output will show the query results, including the resolved IP address of the domain, query time, and any error messages if the DNS server is not responding.

  2. Query for Specific Record Types: You can also use dig to query specific DNS record types, such as A, MX, CNAME, or NS records. For example:

     dig @localhost fusionsdwan.co.za A

    This command queries only the A record (IPv4 address) for the domain.

  3. Check Reverse DNS Lookup: To verify reverse DNS (IP to hostname), use the following command:

     dig @localhost -x 192.168.1.1

    Replace 192.168.1.1 with the IP address you want to perform a reverse DNS lookup on.
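To make the fields dig prints (id, flags, status, ANSWER section) concrete, here is an added example that is not from the original article and not dig's own code: a minimal parser for the DNS wire format (RFC 1035), fed a response that the script itself constructs. The address 203.0.113.10 and the NXDOMAIN name missing.example are placeholders, not real records for the domains in the article.

```python
import struct
import ipaddress

# Added example, not part of the original article: a minimal parser for the DNS
# wire format (RFC 1035), so the fields dig prints (id, flags, status, ANSWER
# section) can be seen coming straight out of the bytes.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if hops > 64:                              # malformed packet guard
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # reading resumes after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    """Parse header, question and answer sections (authority/additional are left out)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": txid,
        "flags": [f for f, bit in (("qr", 0x8000), ("aa", 0x0400), ("rd", 0x0100), ("ra", 0x0080)) if flags & bit],
        "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": [], "answers": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5, 12):                      # NS/CNAME/PTR carry a name, may be compressed
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        out["answers"].append((name, TYPES.get(rtype, rtype), ttl, value))
    return out


def build_response(txid, qname, ip, rcode=0):
    """Constructed test response (not captured traffic): one A answer, or an empty NXDOMAIN reply."""
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)  # flags: qr rd ra
    msg += qname_wire + struct.pack("!HH", 1, 1)       # question: A IN
    if not rcode:                                      # answer name is a pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return msg


if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range placeholder, not the domain's real address.
    for reply in (build_response(0x1234, "fusionsdwan.co.za", "203.0.113.10"),
                  build_response(0x1235, "missing.example", "0.0.0.0", rcode=3)):
        parsed = parse_message(reply)
        print(f"id: {parsed['id']}, status: {parsed['status']}, flags: {' '.join(parsed['flags'])}")
        for name, rtype, ttl, value in parsed["answers"]:
            print(f"  {name}. {ttl} IN {rtype} {value}")
```

The status line the script prints corresponds to dig's ";; ->>HEADER<<-" line: a NOERROR reply with an empty answer list and an NXDOMAIN reply look different on the wire, and the rcode is what to read first when a query appears to "fail".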

Using Dnstop to Test if Network Devices are Using DNS Correctly

dnstop is a real-time DNS traffic monitoring tool that captures DNS queries and responses, giving insight into how network devices are interacting with DNS. It is especially useful for detecting misconfigurations, spotting malicious DNS traffic, or verifying that devices are properly using the correct DNS server.

Steps to Use Dnstop:

  1. Install dnstop: If you don’t already have dnstop installed, use the package manager for your system:

     sudo apt-get install dnstop    # For Debian/Ubuntu

  2. Monitor DNS Traffic: Once installed, run dnstop on the network interface that carries DNS traffic (commonly eth0 or ens33):

     sudo dnstop eth0

    This command captures all DNS traffic on the eth0 interface. You’ll get a real-time view of the domains being queried, as well as response codes (like NXDOMAIN or SERVFAIL), and information about the network devices querying the DNS server.

  3. Filter Traffic by Query Type: You can filter DNS traffic to show specific query types by pressing t while dnstop is running. This will give you insights into the type of queries devices are sending (A, AAAA, MX, etc.), helping identify issues with DNS resolution.

  4. Sort by Requesting IP: To see which devices are sending the most queries, press s to sort by source IP address. This can help determine if certain devices are making excessive or abnormal DNS requests.

Using Tcpdump to Validate DNS Requests

tcpdump is a versatile packet capture tool that can capture and display network packets in real-time. For DNS troubleshooting, you can use tcpdump to capture DNS queries and responses on the network and validate that the DNS requests are being sent and received correctly.

Steps to Use Tcpdump for DNS Validation:

  1. Capture DNS Traffic: To capture DNS traffic, run the following command:

     sudo tcpdump -i eth0 port 53

    In this command:

    • -i eth0 specifies the network interface (replace eth0 with the appropriate interface).

    • port 53 filters for DNS traffic, as DNS uses port 53.

    This will display all DNS packets (both queries and responses) passing through the network interface in real-time.

  2. Filter Specific DNS Requests: To capture DNS traffic for a specific domain, you can add a filter to the tcpdump command:

     sudo tcpdump -i eth0 port 53 and host example.com

    This command filters DNS queries or responses related to example.com. Note that host is a packet-header filter: tcpdump resolves example.com once when it starts and then matches on that IP address, not on the query name inside the DNS payload, so it keeps packets exchanged with that address rather than every query that mentions the name.

  3. Inspect DNS Responses: By examining the output of tcpdump, you can verify that DNS queries are reaching the server and that responses are being sent back. If you notice no response packets, it could indicate a network issue or a problem with the DNS server itself.

  4. Capture DNS Traffic to a File: If you want to analyse DNS traffic later, you can save the captured traffic to a file:

     sudo tcpdump -i eth0 port 53 -w dns_traffic.pcap

    You can then open this file with Wireshark or other packet analysis tools to investigate the DNS traffic more thoroughly.
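The checks the dnstop section (which devices query which server, and how often) and the "Inspect DNS Responses" step above ask you to make by eye can be scripted over tcpdump's text output. The following is an added example, not code from the original article or from tcpdump or dnstop: it reads lines in the summary format that tcpdump -n prints for port 53 traffic (IPv4, default verbosity), pairs responses with their queries, and reports unanswered queries, NXDOMAIN counts per client, and clients that sent DNS to something other than the expected resolver. The sample lines are constructed for the example; 192.168.1.1 is assumed to be the local resolver, 198.51.100.53 stands in for an outside resolver, and the answer addresses are documentation-range placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Added example, not part of the original article: reads the text output of
# "tcpdump -n -i eth0 port 53" and checks what the article says to look for by
# eye: queries with no response, NXDOMAIN counts per client, and clients that
# send DNS to a resolver other than the one they are supposed to use.

# Constructed sample lines in tcpdump's DNS summary format (not a real capture).
# 192.168.1.1 is the expected local resolver; 198.51.100.53 stands in for an
# outside resolver; answer addresses are documentation-range placeholders.
SAMPLE_LINES = """\
12:00:01.100000 IP 192.168.1.50.51234 > 192.168.1.1.53: 12345+ A? fusionsdwan.co.za. (35)
12:00:01.101000 IP 192.168.1.1.53 > 192.168.1.50.51234: 12345 1/0/0 A 203.0.113.10 (51)
12:00:02.000000 IP 192.168.1.51.40001 > 192.168.1.1.53: 4242+ A? doesnotexist.example. (38)
12:00:02.001000 IP 192.168.1.1.53 > 192.168.1.51.40001: 4242 NXDomain 0/1/0 (100)
12:00:03.000000 IP 192.168.1.52.33333 > 198.51.100.53.53: 777+ A? example.com. (29)
12:00:03.050000 IP 198.51.100.53.53 > 192.168.1.52.33333: 777 1/0/0 A 203.0.113.20 (45)
12:00:04.000000 IP 192.168.1.53.44444 > 192.168.1.1.53: 999+ AAAA? example.org. (29)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<body>.*)$"
)


@dataclass
class DnsEvent:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_query: bool
    qtype: str = ""
    qname: str = ""
    rcode: str = ""


def parse_line(line):
    """Turn one tcpdump summary line into a DnsEvent, or None for lines that are not DNS."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    q = re.match(r"(\S+)\? (\S+)", body)                # queries carry "TYPE? name."
    ev = DnsEvent(m.group("src"), int(m.group("sport")), m.group("dst"),
                  int(m.group("dport")), int(m.group("txid")), q is not None)
    if q:
        ev.qtype, ev.qname = q.group(1), q.group(2).rstrip(".")
    else:
        first = body.split()[0]                         # "1/0/0" (section counts) or a named rcode
        ev.rcode = "NoError" if re.fullmatch(r"\d+/\d+/\d+", first) else first
    return ev


def analyze(lines, expected_resolver):
    """Match responses to queries on (client, port, server, txid) and summarise the gaps."""
    pending = {}
    report = {"queries": Counter(), "nxdomain": Counter(), "bypass": [], "unanswered": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.is_query:
            report["queries"][ev.src] += 1
            if ev.dst != expected_resolver:             # device not using the configured resolver
                report["bypass"].append((ev.src, ev.dst, ev.qname))
            pending[(ev.src, ev.sport, ev.dst, ev.txid)] = ev
        else:
            query = pending.pop((ev.dst, ev.dport, ev.src, ev.txid), None)
            if query is None:
                continue                                # capture started mid-exchange; nothing to pair
            if ev.rcode == "NXDomain":
                report["nxdomain"][query.src] += 1
    report["unanswered"] = [(q.src, q.qtype, q.qname) for q in pending.values()]
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LINES, expected_resolver="192.168.1.1")
    print("queries per client:", dict(r["queries"]))
    print("NXDOMAIN per client:", dict(r["nxdomain"]))
    for src, dst, name in r["bypass"]:
        print(f"bypass: {src} asked {dst} for {name}")
    for src, qtype, name in r["unanswered"]:
        print(f"no response: {src} {qtype} {name}")
```

On a live edge the same script can be fed from a saved capture with tcpdump -n -r dns_traffic.pcap port 53, which is where the -w file from step 4 becomes useful. A query is paired with its response on client address, client port, server address and transaction id together, so a reply from a different server or with a different id is not counted as an answer.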

Wrap-Up

By using tools like dig, dnstop, and tcpdump, you can efficiently troubleshoot and monitor DNS performance on your network, ensuring devices are resolving domain names correctly and that DNS traffic is flowing as expected.

  • dig allows you to query DNS servers directly and check resolution accuracy.

  • dnstop provides real-time insight into DNS traffic, helping you monitor how devices use DNS.

  • tcpdump lets you capture and analyse DNS requests and responses at a packet level, giving you a deeper understanding of DNS behaviour on your network.

Together, these tools form a robust suite for ensuring the health of your DNS infrastructure, especially when deployed in complex environments such as SD-WANs, where proper DNS performance is critical for network functionality.