Calculate DNS Response Times Using Wireshark
In this post, we’ll use Wireshark to identify DNS server response times. We’ll start by using Wireshark to open a network capture of a simple DNS request. Using the DNS analysis tools built into Wireshark, we’ll calculate the time it took for the response to come back from the server. Once we’ve done that, we’ll walk through creating a filter to display DNS response times that take longer than expected.
How Does DNS Work?
First, it’s important to have a high-level understanding of how DNS works. DNS is an address resolution protocol that allows systems to translate a friendly hostname to an IP address that the TCP/IP stack can use. DNS primarily uses UDP port 53 as the transport protocol and port for hostname resolutions.
There are occasions when DNS will use TCP for name resolution. Typically, TCP is only used when the response size is greater than 512 bytes or if the request is actually a zone transfer. For the purposes of this post, we’ll only focus on UDP.
Calculate DNS Response Time
Wireshark natively calculates the response time of DNS servers for us. To view DNS traffic in your capture, use this filter:
This will display all DNS traffic (both TCP and UDP) in your capture. Once you’ve displayed the DNS queries, you can display the DNS server response times in a column. This GIF shows how to add the DNS response time column to Wireshark:
Add DNS Response Time Column to Wireshark:
Once the column for DNS response time is added, you are able to sort by that column. This will allow you to view the longest and shortest response times.
Wireshark Filter to Display High DNS Response Times:
Since Wireshark calculates the DNS response time, we’re able to build filters based on these times. This would allow us to quickly identify which servers or queries are taking a long time.
This filter displays all responses that take longer than 100ms to complete:
dns.time > 0.100
Graphing DNS Response Times Using Wireshark
Using the Wireshark graphing capabilities, we can visualize the response time of DNS over a period of time. This can be very helpful in presenting this type of data to non-technical users.
First, you’ll need to open the Wireshark I/O Graph: Statistics (from the menu bar) > I/O Graph
Once you’re in the I/O graph, you will need to create 3 new graph items. One will be minimum response time, one will be average response time, and one will be max response time. The max response time chart is intended to show the outliers.
Match the settings in the below chart:
In this chart, the left axis shows the response time in microseconds. That can be a little confusing… Remember, there are 1,000 microseconds in a millisecond. So in this chart, we can see that that the max response times (red line) spike up to 180 milliseconds. The average response times (blue line) are typically around 25-30 milliseconds.