11

I am working in a bank where 'netcat' is not there. I am having a problem wherein one of the two DNS servers going down is causing an impact. In order to troubleshoot, I need to catch the requests (incoming and outgoing) from the DNS clients (AIX). How can I do it? Netstat does not do it with the options I used.

Biman Roy
  • 157
  • 1
  • 6
  • You can also strace/truss the clients. But typically you have to use tcpdump-like tools. Netstat is not used for request contents and may not even show UDP sockets, as they are too short-lived. – eckes Jan 19 '20 at 13:34
  • 2
    netstat only shows whether a port is open. You need to use a tool such as tcpdump to inspect traffic. If you're in a high secure environment, you may need to find out how to get permission to use it. – scuba_mike Jan 19 '20 at 13:50
  • 2
    Perhaps you can turn on good enough logging at the DNS server? – Hagen von Eitzen Jan 19 '20 at 16:48
  • 1
    If you have two DNS servers configured and one goes down, it's quite normal that it will have an impact on clients configured to use both (at the very least random slowdowns, as the DNS client waits for a timeout before moving on to the other server). If you want high availability, you need to make sure the IPs the clients use are moved to another active server whenever one goes down. – jcaron Jan 20 '20 at 13:45
  • Other tools that may be useful in diagnosing things are of course `nslookup` and `dig`. – jcaron Jan 20 '20 at 13:46
  • Make sure you know if you're looking for TCP or UDP requests... Most DNS runs on UDP. – djsmiley2kStaysInside Jan 20 '20 at 18:11
  • Jcaron, you wrote "If you have two DNS servers configured and one goes down, it's quite normal that it will have an impact on clients configured to use both". I do not understand why. Please note that both DNS servers have the same data. Also note that there is no reported impact from Solaris or Windows desktops. – Biman Roy Jan 20 '20 at 22:55

3 Answers

20

Netstat almost certainly won't be able to help you.

Netstat displays open sockets and active connections at the moment you execute the program. A DNS request will happen entirely too quickly for you to catch it because it'll be gone and done in less time than it takes to type out the command parameters. Moreover, UDP is stateless, so there isn't an active connection to see to begin with.

What you want instead is tcpdump. This program allows you to record network traffic depending on the parameters you give it.

`tcpdump -w dnsrequests.pcap -i any udp and port 53` will capture all UDP traffic on port 53 on all interfaces and save it to the file `dnsrequests.pcap`. You can then open that file in Wireshark and study it at your leisure.

Shadur
  • 1,297
  • 1
  • 10
  • 20
  • 4
    For the sake of completeness, `netstat` also shows recently completed TCP connections (in `TIME_WAIT` state, usually), and DNS can in some cases use TCP. It is most likely using UDP and would indeed not be visible using `netstat`, though. – jcaron Jan 20 '20 at 13:40
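Once the capture exists, the troubleshooting question is which of the two servers is leaving queries unanswered. The Python below is an added example, not code from the thread: it pairs DNS queries with their responses per server by transaction ID and question name and reports the ones that never got a reply. The datagrams are constructed and stand in for the UDP payloads you would extract from `dnsrequests.pcap` with a pcap library; the IPs and names are made up.

```python
import struct
from collections import defaultdict

def build_dns(txid, name, response=False, rcode=0):
    """Build a minimal DNS message (header + one A question) for the constructed sample."""
    flags = (0x8180 if response else 0x0100) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_dns(payload):
    """Return (txid, is_response, rcode, qname) from a DNS message on the wire."""
    txid, flags = struct.unpack_from("!HH", payload, 0)
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return txid, bool(flags & 0x8000), flags & 0x000F, ".".join(labels)

def match_queries(datagrams):
    """Pair each query with its response by (server, txid, qname); datagrams are
    (timestamp, src_ip, dst_ip, dns_payload) in capture order. Returns per-server
    counters/RTTs and the sorted list of queries that never got a reply."""
    pending = {}
    stats = defaultdict(lambda: {"queries": 0, "answered": 0, "rtt": []})
    for ts, src, dst, payload in datagrams:
        txid, is_resp, rcode, qname = parse_dns(payload)
        if not is_resp:
            stats[dst]["queries"] += 1
            pending[(dst, txid, qname)] = ts
        elif (src, txid, qname) in pending:
            stats[src]["answered"] += 1
            stats[src]["rtt"].append(ts - pending.pop((src, txid, qname)))
    return dict(stats), sorted(pending)

# Constructed sample: client 10.0.0.5 asks 10.0.0.54 first, gets nothing, retries 10.0.0.53.
SAMPLE = [
    (0.000, "10.0.0.5", "10.0.0.54", build_dns(0x1A2B, "core.example.test")),
    (5.000, "10.0.0.5", "10.0.0.53", build_dns(0x1A2B, "core.example.test")),
    (5.002, "10.0.0.53", "10.0.0.5", build_dns(0x1A2B, "core.example.test", response=True)),
    (5.100, "10.0.0.5", "10.0.0.53", build_dns(0x3C4D, "db.example.test")),
    (5.101, "10.0.0.53", "10.0.0.5", build_dns(0x3C4D, "db.example.test", response=True)),
]

if __name__ == "__main__":
    stats, unanswered = match_queries(SAMPLE)
    for server, s in sorted(stats.items()):
        print(f"{server}: {s['answered']}/{s['queries']} answered, rtt {s['rtt']}")
    print("never answered:", unanswered)
```

A server that shows up with queries but no answers, paired with a client-side gap of several seconds before the retry to the other server, is the pattern that explains the slowdowns jcaron describes in the comments.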
19

I don't think netstat will let you inspect the actual traffic, but tcpdump will if you don't have access to netcat. `tcpdump udp port 53` should show you the traffic.

sidprak
  • 400
  • 4
  • 9
3

I saw tcpdump mentioned elsewhere here, and while it is very suitable for the task, some people might prefer to use a graphical application such as Wireshark!

  • Wireshark is not available in secured environments like a bank. I am surprised that 'netstat' does not catch it even with the -u option. – Biman Roy Jan 19 '20 at 11:54
  • 3
    @BimanRoy: netstat never was a packet capture tool (on AIX or any other Unix I've come across). – Mat Jan 19 '20 at 12:53
  • @bimanroy netstat doesn't do packet capture. Also, if `tcpdump` is available, you can output the dump to a file and read the file with wireshark on another system. – Shadur Jan 20 '20 at 13:41
  • 1
    @BimanRoy: well, if Wireshark ought to be blocked, then tcpdump ought to be blocked as well, right? – Richard Jansson Jan 20 '20 at 19:28