Quick, precise packet captures that show only DNS activity so you can spot resolution problems fast.

25.12.2025 | reading time: 2 min

Want to see just DNS on the wire and nothing else? This short guide shows how to capture only DNS packets with tcpdump, save them, and inspect the results when troubleshooting name resolution issues.

## Hands-on capture and inspect

Case: a server cannot resolve example.com. Reproduce the lookup while capturing on the interface the resolver uses:

```bash
sudo tcpdump -i eth0 -n port 53 -s 0 -w dns.pcap
```

Stop after a few queries with Ctrl+C and inspect the saved file:

```bash
sudo tcpdump -r dns.pcap -nn -vvv
```

Example output line:

```
15:03:12.123456 IP 192.0.2.10.56789 > 203.0.113.53.domain: 12345+ A? example.com. (28)
```

This shows a client query to port 53: the transaction ID (12345), the query flags (`+` means recursion desired), the record type (`A?`) and the name asked for. Follow the timestamps and flags to confirm that each request gets a matching response.

## Trim and tune with filters

Use concise BPF filters to be precise:

- capture UDP and TCP on port 53 with `port 53`
- restrict to queries only with `udp port 53 and udp[10] & 0x80 = 0` (byte 2 of the DNS header, which sits at offset 10 of the UDP datagram, carries the QR bit in its high bit; 0 marks a query, 1 a response)
- set the snapshot length with `-s 0` to avoid truncated packets
- write with `-w` to analyze later
- capture on loopback with `-i lo` when testing a resolver running locally

Remember that encrypted DNS such as DoT and DoH will not appear as port 53 DNS payloads; those filters only see classic cleartext DNS.

## Where this fits in a workflow

After capture, open the pcap in Wireshark or use tshark for scripted analysis, correlate DNS queries with application logs and the system resolver settings, and combine with server logs from bind or dnsmasq to find mismatches between queries and answers.

## Next practical steps

Try filtering for a single client or name, practice capturing only queries vs. responses, and build small scripts that run tcpdump with rotation and limits so you get reproducible, focused traces for troubleshooting and reporting.
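To make the query-only filter and the query/answer correlation concrete, here is an added Python example (not part of the original guide and not tcpdump code). It decodes the same DNS header byte that `udp[10] & 0x80 = 0` tests, reads the question name and type, and pairs queries with responses by transaction ID so lookups that never got an answer stand out. The messages are constructed inline (the UDP payload only, without IP and UDP headers) rather than read from a pcap; the function and variable names are this example's own.

```python
"""Added example: decode the DNS header bits behind the tcpdump filter
"udp[10] & 0x80 = 0" and pair queries with responses by transaction ID.

Inputs are constructed DNS messages (the bytes that follow the 8-byte UDP
header), not captured traffic.
"""
import struct

# Byte 2 of the DNS message is flags byte 0; on the wire it is udp[10].
# Its high bit is QR: 0 = query, 1 = response.
QR_MASK = 0x80


def is_response(msg: bytes) -> bool:
    """True when the QR bit is set, i.e. the message is a response."""
    return bool(msg[2] & QR_MASK)


def transaction_id(msg: bytes) -> int:
    """16-bit ID the client picks and the server echoes back."""
    return struct.unpack("!H", msg[:2])[0]


def parse_qname(msg: bytes, offset: int = 12) -> tuple:
    """Read the label-encoded name starting at offset (12 = end of header).
    Returns (dotted name with trailing dot, offset just past the name).
    Compression pointers (0xC0) are not expected in a question name, so
    they are rejected instead of followed."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_question(msg: bytes) -> tuple:
    """Return (qname, qtype) of the first question; 1 is an A record."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = parse_qname(msg)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return name, qtype


def build_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed sample query: standard query, RD set, one question."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rcode: int = 0) -> bytes:
    """Constructed sample response: same ID and question, QR/RD/RA set, no answers."""
    flags = 0x8180 | rcode
    header = struct.pack("!HHHHHH", transaction_id(query), flags, 1, 0, 0, 0)
    return header + query[12:]


def unanswered(msgs: list) -> list:
    """Pair queries with responses by transaction ID (messages in capture order);
    return [(id, qname)] for queries that never received a response."""
    pending = {}
    for m in msgs:
        tid = transaction_id(m)
        if is_response(m):
            pending.pop(tid, None)
        else:
            pending[tid] = parse_question(m)[0]
    return sorted(pending.items())


# Constructed sample exchange: two queries, only the first one answered.
SAMPLE = [
    build_query(12345, "example.com"),
    build_response(build_query(12345, "example.com")),
    build_query(12346, "internal.example"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        kind = "response" if is_response(m) else "query"
        print(transaction_id(m), kind, parse_question(m))
    print("unanswered:", unanswered(SAMPLE))
```

The QR test in `is_response` is exactly what the BPF expression does on the wire; the rest shows why correlating on the transaction ID, not just on the name, is the reliable way to match a query to its answer in a capture.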