I've tried filtering for DNS queries and can't see an IP in the response. What am I doing wrong?
sudo ngrep -W single -l -q -d any -i "" udp and port 53
interface: any
filter: ( udp and port 53 ) and (ip || ip6)
U 10.0.0.2:53278 -> 10.0.0.1:53 "k...........duckduckgo.com.....
U 10.0.0.2:53278 -> 10.0.0.1:53 .............duckduckgo.com.....
U 10.0.0.1:53 -> 10.0.0.2:53278 .............duckduckgo.com..............<.B.ns-175.awsdns-21...awsdns-hostmaster.amazon......... ......u...Q.
U 10.0.0.1:53 -> 10.0.0.2:53278 "k...........duckduckgo.com..............<..2..j.........<..6...
I'm in the same boat. It is possible to see the answers in tcpdump but not in ngrep. I would like to use ngrep to filter out all the DNS responses which resolve to a certain IP (192.167.178.4 in the example below).
tcpdump for reference
# tcpdump -nnlvi any "udp src port 53 and udp[10] & 0x80 = 128"
13:39:22.189673 eth0 Out IP (tos 0x0, ttl 64, id 35371, offset 0, flags [DF], proto UDP (17), length 71)
192.168.178.2.53 > 192.168.178.21.60634: 2 1/0/0 server.lan. A 192.168.178.4 (43)
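Added example, not part of the thread or of ngrep's code: a DNS A record carries its address as four raw octets rather than dotted-decimal text, so a printable-character dump renders it as dots, while tcpdump decodes the record. The sketch below parses a constructed response for `server.lan`, reproduces the dotted view, and builds a hex string for ngrep's `-X` (hexadecimal match expression) option. The function names, the sample packet and the choice to prefix the address with the RDLENGTH bytes `0004` (to cut down on chance matches elsewhere in the payload) are assumptions of this example.

```python
import ipaddress
import struct

# Constructed sample: response, id 2, one question and one answer (server.lan A 192.168.178.4, TTL 60)
SAMPLE = (
    bytes.fromhex("0002" "8180" "0001" "0001" "0000" "0000")
    + b"\x06server\x03lan\x00" + bytes.fromhex("0001" "0001")
    + bytes.fromhex("c00c" "0001" "0001" "0000003c" "0004" "c0a8b204")
)

def ngrep_view(payload: bytes) -> str:
    """Printable-only rendering: every non-printable byte becomes '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

def ngrep_hex_pattern(ip: str) -> str:
    """Hex string for `ngrep -X`: RDLENGTH (0004) followed by the four address octets."""
    return "0004" + ipaddress.IPv4Address(ip).packed.hex()

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:            # root label ends the name
            return off + 1
        off += 1 + length

def a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a raw DNS message."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        if not flags & 0x8000:     # QR bit clear: this is a query, no answers
            return []
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        out = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
                out.append(str(ipaddress.IPv4Address(rdata)))
            off += 10 + rdlen
        return out
    except (IndexError, struct.error):
        raise ValueError("truncated DNS message") from None
```

The string returned by `ngrep_hex_pattern("192.168.178.4")` can be passed as the match expression with `-X`, for example `ngrep -X 0004c0a8b204 udp and src port 53`.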