Hi,

> >> tcpdump -s0 -n -i eth0 port domain -w /tmp/domaincapture.pcap
> >>
> >> You don't need all of the extra stuff because -s0 captures the full packet.
>
> On 06.09.18 18:42, Alex wrote:
> >This is the command I ran to produce the pcap file I sent:
> >
> ># tcpdump -s0 -vv -i eth0 -nn -w domain-capture-eth0-090518.pcap udp dst port domain
>
> and that is the problem. "dst port domain" captures packets going to DNS
> servers, not responses coming back.
>
> "-vv" and "-nn" are useless when producing packet capture and "-s0" is
> default for some time. I often add "-U" so file is flushed with each packet.
>
> you can strip incoming queries by using filter
>
> "(src host 68.195.XXX.45 and dst port domain) or (src port domain and dst
> host 68.195.XXX.45)"

I've generated a new tcpdump file using these criteria and uploaded it here:
https://drive.google.com/file/d/1F0VML8yPZJbcDZTys2hXDhjzv1UaBHuV/view?usp=sharing

The SERVFAIL errors didn't really occur over the weekend. I believe it
has something to do with mail volume, link congestion/bandwidth
utilization.

Thanks,
Alex

> >I should also mention that, while eth0 is the physical device, there
> >is a bridge set up to support virtual machines (none of which were
> >active). Hopefully that's not the reason! (real IP obscured).
>
> not the reason, but using "-i br0" could be safer then.
>
> Note that the IP was seen in packet capture you have published, not needed
> to hide it now.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I wish NOT to receive any advertising mail at this address.
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
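
An added example, not part of the thread: a Python model of the two capture filters quoted above, applied to four constructed packets, showing why a `udp dst port domain` capture makes every query look unanswered. The address 192.0.2.45 stands in for the obscured resolver IP; all packets, DNS IDs and helper names are constructed for illustration.

```python
import socket
import struct

RESOLVER = "192.0.2.45"  # constructed stand-in for the obscured resolver address

def pkt(src, dst, sport, dport, dns_id, qr, rcode=0):
    """Build a constructed IPv4/UDP packet carrying only a 12-byte DNS header."""
    dns = struct.pack("!HHHHHH", dns_id, (qr << 15) | rcode, 1, 0, 0, 0)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dns), 0, 0,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp + dns

def parse(raw):
    """Extract the fields the capture filters and the DNS pairing need."""
    ihl = (raw[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    dns_id, flags = struct.unpack("!HH", raw[ihl + 8:ihl + 12])
    return dict(src=socket.inet_ntoa(raw[12:16]), dst=socket.inet_ntoa(raw[16:20]),
                sport=sport, dport=dport, id=dns_id, qr=flags >> 15,
                rcode=flags & 0xF, udp=raw[9] == 17)

def original_filter(p):
    # Models "udp dst port domain": only traffic heading TO port 53.
    return p["udp"] and p["dport"] == 53

def suggested_filter(p):
    # Models "(src host R and dst port domain) or (src port domain and dst host R)".
    return ((p["src"] == RESOLVER and p["dport"] == 53) or
            (p["sport"] == 53 and p["dst"] == RESOLVER))

def unanswered(packets, keep):
    """Return DNS IDs of captured queries that have no captured response."""
    seen = [p for p in map(parse, packets) if keep(p)]
    answered = {(p["id"], p["src"], p["dport"]) for p in seen if p["qr"] == 1}
    return sorted(p["id"] for p in seen if p["qr"] == 0
                  and (p["id"], p["dst"], p["sport"]) not in answered)

CAPTURE = [  # constructed traffic as seen on the resolver's interface
    pkt(RESOLVER, "198.51.100.1", 40001, 53, 0x1111, 0),  # resolver -> upstream
    pkt("198.51.100.1", RESOLVER, 53, 40001, 0x1111, 1),  # upstream answers
    pkt(RESOLVER, "198.51.100.2", 40002, 53, 0x2222, 0),  # query that gets no reply
    pkt("203.0.113.9", RESOLVER, 50000, 53, 0x3333, 0),   # incoming client query
]

if __name__ == "__main__":
    print("original :", [hex(i) for i in unanswered(CAPTURE, original_filter)])
    print("suggested:", [hex(i) for i in unanswered(CAPTURE, suggested_filter)])
```

With the original filter all three queries appear unanswered because no response is ever captured; with the suggested filter only the query that truly got no reply remains, and the incoming client query is excluded.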