How to troubleshoot DNS Issues with Wireshark
June 17, 2020 at 2:23 pm
Hi Folks
Until recently I was a big fan of Microsoft Message Analyzer. Unfortunately, Microsoft deprecated the product, so I decided to switch to Wireshark. I will not be going through the basic operations of Wireshark, as there are plenty of good video tutorials on the Internet.
In this article, I will focus on how to capture DNS packets on a BIND server and filter the packets by the queried name, the query type and the response code.
Step 1: Start the capture on the BIND server

Step 2: After running some sample queries, press Ctrl+C to end the capture and transfer the .pcap file to the machine running Wireshark.
Once you open the .pcap file in Wireshark, you can use the display filters below to show only the packets you need.
** To filter based on the queried domain name **
dns.qry.name == "hotmail.com"
** To filter MX queries **
dns.qry.type == 15
** To filter SERVFAIL responses (rcode 2) **
dns.flags.rcode == 2
You can prefix a filter with ! to negate it. For example, to exclude MX queries (dns.qry.type == 15):
!dns.qry.type == 15
This is the same as writing !(dns.qry.type == 15); the parentheses just make the intent explicit.
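To see what these three filters are actually testing inside the packet, here is an added Python example (not part of the original post) that decodes a hand-built SERVFAIL response to an MX query and checks the same fields Wireshark exposes as dns.qry.name, dns.qry.type and dns.flags.rcode. The sample bytes and the function names are constructed for this example.

```python
import struct

# Constructed sample (built by hand for this example, not a real capture):
# a SERVFAIL response to an MX query for hotmail.com.
SAMPLE_SERVFAIL_MX = (
    b"\x12\x34"                  # transaction ID
    b"\x81\x82"                  # flags: QR=1 RD=1 RA=1 RCODE=2 (SERVFAIL)
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07hotmail\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x0f"                  # QTYPE = 15 (MX)
    b"\x00\x01"                  # QCLASS = 1 (IN)
)

def read_qname(data, offset):
    """Decode the uncompressed label sequence of a question name."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def parse_dns(data):
    """Return the header fields and first question of a DNS message (RFC 1035)."""
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", data[:12])
    if qdcount < 1:
        raise ValueError("message has no question section")
    qname, offset = read_qname(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {
        "id": tid,
        "is_response": bool(flags & 0x8000),  # QR bit (dns.flags.response)
        "rcode": flags & 0x000F,             # low 4 bits (dns.flags.rcode)
        "qry_name": qname,                   # dns.qry.name
        "qry_type": qtype,                   # dns.qry.type
        "qry_class": qclass,
    }

def matches(fields, qry_name=None, qry_type=None, rcode=None):
    """Apply the same conditions as the display filters; every given one must hold."""
    return ((qry_name is None or fields["qry_name"] == qry_name)
            and (qry_type is None or fields["qry_type"] == qry_type)
            and (rcode is None or fields["rcode"] == rcode))
```

Running parse_dns over every UDP payload on port 53 in a capture and counting packets where matches(fields, rcode=2) is true gives the same SERVFAIL tally the dns.flags.rcode == 2 filter shows in Wireshark.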
For a detailed list of DNS response codes and other DNS parameters, refer to the IANA registry below.
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
Good Luck.