How can you verify if a DNS response was delivered over UDP or TCP in Wireshark?


Multiple Choice

How can you verify if a DNS response was delivered over UDP or TCP in Wireshark?

Explanation:
DNS responses are normally carried over UDP on port 53. In Wireshark you can verify the transport by looking at the transport layer of the DNS response packet: a UDP packet means the response used UDP, while a TCP stream means DNS ran over TCP. If DNS is delivered over TCP, you'll see a TCP stream in which the DNS data is preceded by the TCP 3-way handshake. A quick way to check is to filter for dns and then use Follow UDP Stream to inspect UDP-based exchanges or Follow TCP Stream for TCP-based exchanges. DNS over TCP is used for large responses or specific cases; otherwise UDP is the default.

