Stefan netfortius at gmail.com
Wed Jul 2 13:56:17 UTC 2014

Hello, DNS gurus,

Does anybody have a good set of tcpdump/tshark capture filters, associated
with DNS, already prepped for specific fields in the payload (so beyond
just the simplistic udp 53 or tcp 53)?

Why am I asking?

- I need to set up traffic captures in various tiers of
servers-hosting-applications whose owners cannot tell where the inter-tier
reachability depends (and maybe fails) on FWD or REVERSE lookups. This
cannot be done by asking the server or apps folks to use the traditional
DNS tools (dig, nslookup, host, etc.) simply because they cannot
tell which hostnames or IPs make up the functionality of very complex apps,
and which depend on name resolution (direct or reverse) in order to work
- I would be mostly interested (of course) in DNS packets with no responses
- I would like to avoid re-inventing the wheel by trying to figure out at
which byte offset I would have to start reading a string (is it even
possible to identify that, knowing that certain strings are variable in
length??), and identify no response, if someone has already figured out
such things ;-)

Thanks in advance for directions or "no way - forget about it"
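Added example, not from this post or the list: a capture filter is stateless, so it can select queries or responses by the QR bit but cannot tell which queries went unanswered; that needs a small parser over the captured payloads. The Python below walks the variable-length question name and pairs queries with responses by transaction ID; the DNS messages it consumes are constructed inline rather than captured, and `build_message`, `SAMPLE` and the hostnames in it are assumptions.

```python
import struct

# DNS header is 12 bytes: ID, flags, then four 16-bit counts. QR is the high bit of
# the flags word (payload byte 2, udp[10] in tcpdump: "udp[10] & 0x80 = 0" = queries only).
QR = 0x8000

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(txid, name, qtype=1, response=False, rdata=None):
    """Constructed sample traffic: a query, or an A (qtype 1) response to it."""
    flags = 0x8180 if response else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if response:  # answer RR: pointer to the question name (offset 12), A/IN, TTL 60, address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in rdata.split("."))
    return msg

def parse_name(msg, off):
    """Walk the length-prefixed labels of a question name; return (name, offset after it).
    Names in the answer section may instead be 0xC0xx pointers, which this does not follow."""
    labels = []
    while msg[off]:
        length = msg[off]
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), off + 1

def parse_question(msg):
    """Transaction ID, QR flag and the first question: all that pairing needs."""
    txid, flags = struct.unpack("!HH", msg[:4])
    qname, off = parse_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return {"id": txid, "response": bool(flags & QR), "qname": qname.lower(), "qtype": qtype}

def unanswered_queries(messages):
    """Pair queries with responses on (id, qname, qtype); return the queries never answered.
    On a real capture add client IP and port to the key, since IDs repeat across clients."""
    pending = {}
    for p in map(parse_question, messages):
        key = (p["id"], p["qname"], p["qtype"])
        if p["response"]:
            pending.pop(key, None)
        else:
            pending[key] = p
    return list(pending.values())

SAMPLE = [  # constructed: an answered forward lookup, and a reverse (PTR, qtype 12) lookup never answered
    build_message(0x1A2B, "app-db.example.internal"),
    build_message(0x1A2B, "app-db.example.internal", response=True, rdata="10.0.0.5"),
    build_message(0x3C4D, "5.0.0.10.in-addr.arpa", qtype=12)]
```

Feed it the UDP payloads tshark exports (for example with `-T fields -e dns` style output decoded to bytes) and `unanswered_queries` lists the lookups the tiers are waiting on.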
