Troubleshoot DNS Queries in Tshark

Introduction

In this lab, you will learn to troubleshoot DNS queries using Wireshark's Tshark utility through hands-on exercises. You'll capture DNS traffic with "udp port 53" filters, analyze queries using display filters like "dns.qry.name," and examine timing statistics with "dns,tree" option.

The lab guides you through practical techniques for isolating DNS packets, visualizing query timing, and extracting detailed packet information with the "-V" flag. By completing these exercises, you'll develop essential skills for diagnosing DNS issues using professional packet analysis methods.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/display_filters("Display Filters") wireshark/WiresharkGroup -.-> wireshark/capture_filters("Capture Filters") wireshark/WiresharkGroup -.-> wireshark/packet_analysis("Packet Analysis") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/interface -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} wireshark/packet_capture -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} wireshark/display_filters -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} wireshark/capture_filters -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} wireshark/packet_analysis -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} wireshark/commandline_usage -.-> lab-548938{{"Troubleshoot DNS Queries in Tshark"}} end

Capture DNS with -f "udp port 53"

In this step, you will learn how to capture DNS traffic using Wireshark's capture filter. DNS (Domain Name System) is like the phonebook of the internet, translating human-readable domain names (like example.com) into machine-readable IP addresses. Most DNS queries use UDP port 53 because they are small and fast, while larger responses may use TCP.

First, open a terminal in your LabEx VM if you haven't already. All commands will be executed in the default working directory ~/project. This is where we'll save our capture files.
Launch Wireshark from the terminal with the following command:

wireshark &

The & symbol runs Wireshark in the background, allowing you to continue using the terminal while Wireshark remains open. This is useful when you need to run other commands during your network analysis.

In Wireshark's main interface:
- Select your active network interface (usually eth1). This tells Wireshark which network connection to monitor.
- In the capture filter field, enter: udp port 53. This filter ensures Wireshark only captures DNS traffic, reducing clutter from other network activity.
- Click the shark fin icon to start capturing packets. You'll see the interface begin to display network activity.
To generate some DNS traffic for testing, open another terminal and run:

nslookup example.com

This command asks your system to look up the IP address for "example.com", creating the DNS traffic we want to capture. Think of it like making a test call to see if our monitoring is working.

In Wireshark, you should now see captured DNS packets. These will appear as lines in the main window, typically showing the query and response. Stop the capture by clicking the red square button when you've seen enough traffic.
Save the capture file for later analysis:
- Go to File → Save As
- Save it as dns_capture.pcapng in your ~/project directory. This file format preserves all the original packet data for detailed examination.

Key points to understand:

-f "udp port 53" is a capture filter that only records DNS traffic, similar to setting up a specialized microphone that only hears DNS conversations.
DNS primarily uses UDP port 53 because it's efficient for small queries, while TCP (Transmission Control Protocol) is used for larger responses that need reliable delivery.
The capture file contains raw network packets in their original form, which we'll analyze in later steps to understand exactly what's happening during DNS resolution.

Filter Queries with -Y "dns.qry.name"

In this step, you will learn how to filter DNS queries in Wireshark using display filters. DNS (Domain Name System) is like the phonebook of the internet, translating human-readable domain names into machine-readable IP addresses. When troubleshooting network issues, examining DNS traffic can reveal important clues.

We'll focus on the dns.qry.name field, which specifically shows the domain names being requested in DNS queries. This is particularly useful when you need to examine traffic related to specific websites or services from the capture we created in the previous step.

First, let's open the capture file we saved earlier in Wireshark. The & at the end runs the command in the background so you can continue using the terminal:

wireshark ~/project/dns_capture.pcapng &

In Wireshark's display filter bar (the empty field just below the toolbar), enter this exact filter to see only DNS queries for "example.com":

dns.qry.name == "example.com"

This strict equality filter (==) will show only packets where the queried domain exactly matches "example.com".

To see all DNS queries regardless of the domain being requested, simply use the field name by itself:

dns.qry.name

This displays all packets that contain DNS query names, which helps you understand what domains are being looked up on your network.

For a more complete view showing both DNS queries (requests) and responses, use this filter that checks the DNS response flag:

dns.flags.response == 0 || dns.flags.response == 1

Here, dns.flags.response == 0 shows queries (requests), while dns.flags.response == 1 shows responses.

Sometimes you might want to find all queries related to a certain organization or service. Try filtering for partial domain matches using the "contains" operator:

dns.qry.name contains "example"

This will match any domain containing "example", like "example.com", "test.example.org", or "example.net".

Key points to understand:

-Y is Wireshark's display filter option (equivalent to typing in the filter bar)
dns.qry.name is a specific field in DNS packets that contains the domain name being queried
Display filters help you focus on specific traffic patterns by hiding unrelated packets
Filters can use different comparison operators:
- == for exact matches
- != for exclusion
- contains for partial matches
The DNS protocol includes flags to distinguish between queries (response == 0) and responses (response == 1)

Analyze Timing with -z dns,tree

DNS (Domain Name System) is like the phonebook of the internet, translating human-readable domain names into machine-readable IP addresses. When troubleshooting network issues, analyzing DNS response times can reveal performance bottlenecks. In this step, we'll use Wireshark's built-in statistics feature with the -z dns,tree option to measure how quickly DNS servers respond to queries.

Before starting, make sure Wireshark isn't running. We'll analyze a pre-captured DNS traffic file from the terminal. The & at the end keeps your terminal usable while Wireshark runs:

wireshark -z dns,tree ~/project/dns_capture.pcapng &

A new window labeled "DNS Statistics" will open, displaying three main pieces of information in a tree structure:
- All DNS queries and their corresponding responses
- The time each query took to get a response
- How frequently each domain was requested
Let's examine the statistics columns carefully:
- "Count" indicates the number of times your system queried each domain
- "Average" shows the typical response time for each domain
- "Min" and "Max" reveal the best and worst case response times
To see more interesting data in our analysis, let's generate fresh DNS queries. Open a new terminal window and run these common lookup commands:

nslookup google.com
nslookup labex.io

After running these commands, return to the DNS Statistics window and click "Reload" to update the statistics with the new queries you just generated.

Key concepts to remember:

The -z dns,tree command activates Wireshark's specialized DNS analysis mode
Response time measurements help pinpoint slow DNS servers or network delays
The tree view groups related queries together for easier analysis
Always reload the capture file to see the latest statistics after new DNS activity

Show Results with -V

In this step, we'll explore how to examine DNS packets in detail using Wireshark's verbose mode with the -V option. When troubleshooting DNS issues, seeing all the protocol details is crucial for understanding exactly what's happening in your network traffic.

Before starting, make sure to close any open Wireshark windows to avoid confusion. Then execute this command to open your capture file with full protocol details:

wireshark -V -r ~/project/dns_capture.pcapng &

The -V flag tells Wireshark to display verbose output, showing all available protocol information rather than just the basic packet summary.

In the Wireshark interface, focus on the middle panel called "Packet Details". Here's how to examine DNS information:
- Click the arrow next to "Domain Name System" to expand it
- You'll see the complete DNS message structure including:
  - Whether it's a query or response
  - Unique transaction IDs that pair requests with replies
  - Status flags indicating success or errors
  - All resource records being exchanged
When looking at a DNS query packet (usually sent from client to server), pay special attention to:
- Query type: This shows what kind of record is being requested (A for IPv4, AAAA for IPv6, MX for mail servers)
- Query class: Almost always "IN" for Internet class
- Transaction ID: A random number that helps match this query with its response
For DNS response packets (from server to client), check these important fields:
- Response code: "0" means no errors occurred
- Answer count: How many records were returned
- TTL values: How long these DNS answers can be cached
- Actual data: Like IP addresses when querying A records
To save this detailed analysis for later review or sharing with colleagues, run this command:

tshark -V -r ~/project/dns_capture.pcapng > ~/project/dns_analysis.txt

This creates a text file containing all the verbose output from your capture.

Key concepts to remember:

The -V option reveals the complete protocol breakdown of each packet
You can see every layer of the DNS protocol stack
This level of detail is necessary when diagnosing complex DNS problems
Combine with filters (like dns) to focus on specific packets while keeping full details

Summary

In this lab, you have learned how to troubleshoot DNS queries using Wireshark's Tshark utility. The exercise demonstrated capturing DNS traffic with UDP port 53 filters and analyzing queries through targeted display filters like dns.qry.name.

You practiced generating test traffic with nslookup and saving captures for analysis, gaining insights into DNS protocol behavior and Wireshark's powerful filtering capabilities for isolating specific domain requests. These skills are essential for network troubleshooting and DNS-related investigations.