I need to record all outgoing A records on a RedHat PC. I tried using tcpdump:

tcpdumpdns=OUTPUT-FILENAME-HERE
nohup tcpdump -K dst port 53 -w $tcpdumpdns > /dev/null 2>&1 &

It makes an output file like:

19:26:12.185392 IP 172.16.0.6.57977 > google-public-dns-a.google.com.domain: 51198+ A? yahoo.com. (27)

So I need to process that to get the yahoo.com:

tcpdump -r "$tcpdumpdns" | awk '/ A\? / {u = NF - 1; print $u}' | sed 's/^www\.//; s/\.$//' | sort -u

Is there any better solution to gather all the outgoing A record requests?

P.S.: collecting DNS A records is only needed to have an up-to-date list of websites that are reachable via HTTPS, so I can generate XML files for the HTTPS Everywhere Firefox add-on. So this is just part of a script.

LanceBaynes

2 Answers

If you don't have wireshark installed then

tcpdumpdns=/tmp/tcpdumps
tcpdump -lvi any "udp port 53" | tee $tcpdumpdns

should work for you. As you wanted to limit the output to the second-to-last value, I would parse your log file with:

grep -E ' A\? ' "$tcpdumpdns" | sed -e 's/^.*A? //' -e 's/ .*//' | sort -u

If you want it live then:

tcpdump -lvi any "udp port 53" 2>/dev/null | grep --line-buffered -E ' A\? ' | awk '{print $(NF-1)}'

should do it (here sed and awk are interchangeable, and I would pick awk).

Anthon

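A streaming version of the same parsing, added here as an example that is not from the question or either answer: it assumes standard tcpdump text output, a POSIX shell with awk, and constructed sample lines, and it matches the exact "A?" field so that AAAA queries and answer lines are not swept in.

```shell
# Constructed tcpdump text lines (not a real capture): two A queries for the same
# name, an AAAA query, an A answer, an MX query, and a www.-prefixed A query.
SAMPLE='19:26:12.185392 IP 172.16.0.6.57977 > 8.8.8.8.53: 51198+ A? yahoo.com. (27)
19:26:12.201000 IP 172.16.0.6.57978 > 8.8.8.8.53: 51199+ AAAA? yahoo.com. (27)
19:26:13.000000 IP 8.8.8.8.53 > 172.16.0.6.57977: 51198 1/0/0 A 98.137.11.163 (43)
19:26:14.000000 IP 172.16.0.6.57980 > 8.8.8.8.53: 51201+ MX? example.org. (29)
19:26:15.000000 IP 172.16.0.6.57981 > 8.8.8.8.53: 51202+ A? www.example.org. (33)
19:26:16.000000 IP 172.16.0.6.57982 > 8.8.8.8.53: 51203+ A? yahoo.com. (27)'

# Read tcpdump text output on stdin and print each queried A-record name once,
# in first-seen order, so it works both on a saved log and on a live pipe.
# A query line ends with "<TYPE>? <name>. (<length>)"; comparing the whole
# field against "A?" skips the AAAA? lines that a bare 'A\?' regex would also
# catch, and answer lines carry "A" without the "?" so they are skipped too.
extract_a_queries() {
    awk '
        $NF ~ /^\([0-9]+\)$/ && $(NF-2) == "A?" {
            name = $(NF-1)
            sub(/\.$/, "", name)       # drop the trailing root dot
            sub(/^www\./, "", name)    # fold www.example.org into example.org
            if (!seen[name]++) {       # de-duplicate without waiting for EOF
                print name
                fflush()               # push each name through the pipe at once
            }
        }'
}

# Live variant of the capture from the answer above: -n stops tcpdump from
# reverse-resolving addresses (each lookup would otherwise appear as a new
# query in the very traffic being captured), -l line-buffers its output, and
# "dst port 53" keeps only outgoing queries. Needs root; not run here.
capture_a_queries() {
    tcpdump -nl -i any 'udp dst port 53' 2>/dev/null | extract_a_queries
}

# Run the parser over the constructed sample: prints yahoo.com, then example.org.
printf '%s\n' "$SAMPLE" | extract_a_queries
```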
Use Wireshark:

tshark -f "udp port 53" -Y "dns.qry.type == A and dns.flags.response == 0"
Comments:

I get tshark: "A" cannot be found among the possible values for dns.qry.type. – Jack O'Connor Feb 07 '17 at 18:49

To address @JackO'Connor's issue, the decimal value for a type A DNS record is 1. Therefore, this should work: tshark -f "udp port 53" -Y "dns.qry.type == 1 and dns.flags.response == 0" – Rolinh Mar 14 '17 at 08:54