Calculate DNS Response Times Using Wireshark

In this post, we'll use Wireshark to identify DNS server response times. We'll start by opening a network capture of a simple DNS request in Wireshark. Using the DNS analysis tools built into Wireshark, we'll calculate the time it took for the response to come back from the server. Once we've done that, we'll walk through creating a filter to display DNS response times that take longer than expected.

How Does DNS Work?

First, it's important to have a high-level understanding of how DNS works. DNS is a name resolution protocol that lets systems translate a human-friendly hostname into an IP address that the TCP/IP stack can use. DNS primarily uses UDP, on port 53, for hostname resolution. There are occasions when DNS will use TCP for name resolution. Typically, TCP is only used when the response size is greater than 512 bytes or when the request is actually a zone transfer. For the purposes of this post, we'll only focus on UDP.

Calculate DNS Response Time

Wireshark natively calculates the response time of DNS servers for us. To view DNS traffic in your capture, use this filter:

dns

This will display all DNS traffic (both TCP and UDP) in your capture. Once you've displayed the DNS queries, you can show the DNS server response time in its own column. This GIF shows how to add the DNS response time column to Wireshark:

[GIF: Add DNS Response Time Column to Wireshark]

Once the column for DNS response time is added, you are able to sort by that column. This will allow you to view the longest and shortest response times.

Wireshark Filter to Display High DNS Response Times

Since Wireshark calculates the DNS response time, we're able to build filters based on these times. This would…
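To make the "response time" Wireshark shows concrete, here is an added example (not code from the original post or from the Wireshark project) that reproduces the calculation behind Wireshark's per-response latency on a constructed capture. It pairs each UDP DNS response with its query by transaction ID, question name and the client/server addresses, reports the delay between them, and applies the same kind of threshold a display filter on that value would. The packets, names, transaction IDs and timestamps are all constructed sample data; `Packet`, `build_dns_message`, `parse_dns`, `dns_response_times` and `slow_responses` are hypothetical helper names chosen for this example.

```python
import struct
from dataclasses import dataclass

# Added example with constructed sample data; not the original post's code.

@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    src: str         # "ip:port" of the sender
    dst: str         # "ip:port" of the receiver
    payload: bytes   # raw DNS message (the UDP payload)

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. 7example3com0."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_dns_message(txid: int, qname: str, response: bool = False) -> bytes:
    """Build a minimal A query, or an A response with one answer (constructed test data)."""
    flags = 0x8180 if response else 0x0100   # QR/RD/RA on responses, RD on queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b""
    if response:
        # Name is a compression pointer to offset 12 (the question); TTL 300; RDATA 192.0.2.1
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def parse_dns(payload: bytes):
    """Return (transaction id, is_response, first question name) from a DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    is_response = bool(flags & 0x8000)   # QR bit: 0 = query, 1 = response
    labels, pos = [], 12                 # the question starts right after the 12-byte header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode())
        pos += length
    return txid, is_response, ".".join(labels)

def dns_response_times(packets):
    """Pair each response with its query (same transaction id, name and conversation,
    with the addresses reversed) and return the latency of every matched pair, plus
    the queries that never got an answer and the responses with no visible query."""
    pending = {}      # (txid, qname, client, server) -> query timestamp
    matched, unmatched = [], []
    for p in sorted(packets, key=lambda p: p.ts):
        txid, is_response, qname = parse_dns(p.payload)
        if not is_response:
            pending[(txid, qname, p.src, p.dst)] = p.ts
            continue
        # A response travels server -> client, so swap the addresses to find its query.
        sent = pending.pop((txid, qname, p.dst, p.src), None)
        if sent is None:
            unmatched.append((qname, txid))        # response with no query in the capture
        else:
            matched.append((qname, round(p.ts - sent, 6)))
    unanswered = [(qname, txid) for (txid, qname, _, _) in pending]
    return {"matched": matched, "unmatched": unmatched, "unanswered": unanswered}

def slow_responses(matched, threshold=0.5):
    """Equivalent of filtering on response time, here: slower than 500 ms."""
    return [(qname, t) for qname, t in matched if t > threshold]

def sample_capture():
    """Constructed packets: a fast lookup, a slow one, one with no answer, and a stray response."""
    client, server = "192.0.2.10:51000", "192.0.2.53:53"
    return [
        Packet(1.000, client, server, build_dns_message(0x1A2B, "example.com")),
        Packet(1.020, server, client, build_dns_message(0x1A2B, "example.com", response=True)),
        Packet(2.000, client, server, build_dns_message(0x3C4D, "wireshark.org")),
        Packet(2.850, server, client, build_dns_message(0x3C4D, "wireshark.org", response=True)),
        Packet(3.000, client, server, build_dns_message(0x5E6F, "lost.example")),
        Packet(3.100, server, client, build_dns_message(0x7788, "stray.example", response=True)),
    ]

if __name__ == "__main__":
    result = dns_response_times(sample_capture())
    for qname, t in result["matched"]:
        print(f"{qname:<16} {t * 1000:8.1f} ms")
    print("slow:", slow_responses(result["matched"]))
    print("unanswered:", result["unanswered"], "unmatched:", result["unmatched"])
```

Matching on the transaction ID alone is not enough in a busy capture, because IDs repeat across clients and over time; keying on the question name and the conversation as well keeps a reused ID from being paired with the wrong query. Queries left in `pending` at the end are the timeouts that no response-time column will ever show, which is why a sort by response time should be read alongside a count of unanswered queries.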