This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNS Traffic. Lots of queries, few responses. Is that normal?

0

Hello guys!

I'm trying to find the root cause of a slow wifi network. It's a public wifi hotspot. Before users are free to browse they have to authenticate themselves on a captive portal. The issue is that for some users this captive portal opens very fast and for others it is very slow. So slow that they have to try again and voilà! Fast!

I sniffed a lot and one thing that got my attention is the amount of DNS queries and response ratio, under "Statistics --> DNS". See the image below:


Is my understanding correct? Does that mean that in this particular capture there were 227 queries but only 101 responses? And if that's right, is this normal DNS behavior? To ignore some queries for no good reason?

Because that would explain what we experience. When users try to connect to the wifi they have to be redirected to a portal to create an account. And on some captures I saw (one where the user couldn't open the portal) there was a query for the captive portal but there was no answer.

Thanks in advance, Rafael

asked 02 Jun '16, 19:03

rafaelbn


2 Answers:

1

Lacking more detailed information I think you've answered it already.

And on some captures I saw (one where the user couldn't open the portal) there was a query for the captive portal but there was no answer.

answered 02 Jun '16, 23:37

Jaap ♦

But is my reading on that statistics panel correct?

(03 Jun '16, 04:00) rafaelbn

1

I think the DNS statistic is a bit misleading - you expect it to cover DNS, while it also seems to cover other name resolution protocols, e.g. LLMNR. I tested this with a capture where 4 DNS packets are present, and it showed 12 packets in the statistics. It turned out I had 8 LLMNR packets in the trace, which changed the statistic.

If you want to see the real DNS stats (meaning, the stuff on port 53), apply a Display Filter at the bottom saying "dns".

answered 03 Jun '16, 04:33

Jasper ♦♦

I just added an enhancement request in the bug tracker to rename the statistic to "Name Resolution" instead of "DNS": https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12492

(03 Jun '16, 04:45) Jasper ♦♦

Since I didn't know if that statistic was what I thought it was, I did exactly that and saw that the number was close. Still, I just don't know if that is the normal behavior or something sketchy is going on in my DNS infra.

(03 Jun '16, 14:34) rafaelbn
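
Added example, not part of the original thread and not Wireshark code: a Python tally that keeps port-53 DNS separate from LLMNR (port 5355) and lists the queries that never received a response, which is the distinction the second answer draws. The packet tuples, addresses and function names are constructed for illustration; in practice the tuples would come from fields exported from a capture.

```python
import struct
from collections import defaultdict

# Port 53 is DNS; 5355 is LLMNR, which reuses the DNS header layout (RFC 4795).
PORTS = {53: "dns", 5355: "llmnr"}

def header(txid, is_response):
    """Build a constructed 12-byte header: ID, flags (QR bit), QDCOUNT=1."""
    return struct.pack("!HHHHHH", txid, 0x8000 if is_response else 0, 1, 0, 0, 0)

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, udp_payload)
SAMPLE = [
    ("10.0.0.5", 40001, "10.0.0.1", 53, header(0x1111, False)),
    ("10.0.0.1", 53, "10.0.0.5", 40001, header(0x1111, True)),
    ("10.0.0.5", 40002, "10.0.0.1", 53, header(0x2222, False)),  # no answer
    ("10.0.0.5", 40002, "10.0.0.1", 53, header(0x2222, False)),  # client retry
    ("10.0.0.7", 50000, "224.0.0.252", 5355, header(0x3333, False)),  # LLMNR
    ("10.0.0.7", 50001, "224.0.0.252", 5355, header(0x4444, False)),  # LLMNR
]

def summarize(packets):
    """Per protocol: query count, response count, and unanswered transactions."""
    asked = defaultdict(set)      # (client_ip, client_port, txid) seen as query
    answered = defaultdict(set)   # same key, seen in a response
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, payload in packets:
        if len(payload) < 12:
            continue  # too short to contain a full header
        txid, flags = struct.unpack("!HH", payload[:4])
        is_response = bool(flags & 0x8000)
        # The well-known port is the source of a response, the destination of a query.
        proto = PORTS.get(sport if is_response else dport)
        if proto is None:
            continue
        if is_response:
            counts[proto][1] += 1
            answered[proto].add((dst, dport, txid))
        else:
            counts[proto][0] += 1
            asked[proto].add((src, sport, txid))
    return {p: {"queries": counts[p][0], "responses": counts[p][1],
                "unanswered": sorted(asked[p] - answered[p])} for p in counts}

if __name__ == "__main__":
    for proto, stats in summarize(SAMPLE).items():
        print(proto, stats)
```

Retransmitted queries raise the query count without adding a new unanswered transaction, so the unanswered list is a better indicator of dropped lookups than the raw query-to-response ratio.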