Exercise: Analyzing DHCP and DNS

Watching Core Services in Action

A hands-on exercise to observe the DHCP and DNS processes using live network capture and query tools.

Author: Chuck Nelson

Published: November 13, 2025

1 Purpose

This exercise pulls back the curtain on two of the most important but invisible network services: DHCP and DNS. You will learn how to see the messages your computer sends and receives to get an IP address (DHCP) and how it translates human-readable names into IP addresses (DNS). This provides a much deeper understanding of what’s happening when you connect to a network and browse the internet.

2 What You’ll Accomplish

By the end of this exercise, you will be able to:

  • Use tcpdump to capture live DHCP network traffic.
  • Use nmcli to trigger a DHCP lease renewal.
  • Identify the DORA (Discover, Offer, Request, Acknowledge) process in a live network capture.
  • Use nslookup to perform manual DNS queries.
  • Use dig for a more detailed view of DNS records.

This exercise maps to the following program and course learning outcomes:

  • Program Learning Outcomes (PLOs):
    • 3. Apply terminology and numeric or system concepts: This exercise directly exposes you to the DORA process and DNS record types, reinforcing core networking terminology.
  • Course Learning Outcomes (CLOs):
    • 3. Troubleshoot hardware and basic network components: Understanding how to verify DNS and DHCP is a critical troubleshooting skill.

This exercise develops the following skills, which align with the O*NET SOC Code 15-1232.00 for Computer User Support Specialists.

| Learning Objective | O*NET KSAs | Technologies Used |
|---|---|---|
| Observe the DHCP DORA process in a live capture. | Knowledge: Telecommunications, Computers & Electronics; Skills: Systems Analysis | tcpdump, nmcli, DHCP |
| Perform manual DNS lookups for domain names. | Knowledge: Telecommunications; Abilities: Information Ordering, Deductive Reasoning | nslookup, dig |

3 Prerequisites

This exercise requires a running Fedora 42 virtual machine with internet access and a user account with sudo privileges.

4 Step-by-Step Guide

For this exercise, you will need two terminal windows open at the same time.

4.1 Step 1: Identify Network and Install Tools

First, you need to install the necessary tools and identify your primary network interface.

  1. In your first terminal, install the tcpdump and bind-utils packages.

    sudo dnf install -y tcpdump bind-utils

  2. Next, find the name of your primary network interface (e.g., enp1s0). The easiest way is to find which interface is on the same network as your default gateway.

    ip route

    Look for the default via line to find your router’s IP. Then, use ip -br addr to find the interface with an IP in that same range.

In your student notebook, write down the name of your primary network interface. You will need it in the next step.

Warning: A Note on Wireless vs. Wired Interfaces

For this exercise, it is strongly recommended to use a wired Ethernet interface (like enp1s0) or the primary interface of a virtual machine.

Capturing broadcast traffic on a wireless (Wi-Fi) adapter is often unreliable. This is because many wireless drivers and chipsets have security features that make it difficult for tools like tcpdump to enter “promiscuous mode,” which is needed to see all packets on the network. You may not be able to see the DHCP traffic if you are on a Wi-Fi connection.

4.2 Step 2: Observe the DHCP Process with tcpdump

Now, you will capture the live DHCP DORA process. This requires two terminals: one to listen for the traffic, and one to trigger it.

  1. In your FIRST terminal, run the tcpdump command below. This tells your computer to listen for DHCP traffic (which uses ports 67 and 68) on your primary interface and display the results. The command will appear to hang as it waits for traffic—this is normal.

    # Replace 'enp1s0' with your interface name from Step 1
    sudo tcpdump -i enp1s0 -v port 67 or port 68

When you filter for port 67 or port 68, you are telling tcpdump to listen on two specific “well-known ports” used for the DHCP service. Port numbers are used to direct network traffic to the correct application on a server. Ports 0 through 1023 are reserved for common, standardized services.

  • Port 67 (BootP Server): DHCP servers listen on this port for messages from clients.
  • Port 68 (BootP Client): DHCP clients listen on this port for replies from servers.

By watching both ports, you can see the full conversation.

  2. In your SECOND terminal, you will force a full DHCP renewal by taking your network interface down and bringing it back up. This is the command-line equivalent of unplugging and replugging your network cable. Run the following two commands, one after the other.

    # Replace 'enp1s0' with your interface name
    sudo nmcli device disconnect enp1s0
    sudo nmcli device connect enp1s0

The nmcli command is the tool for controlling NetworkManager, which is the standard networking service on most desktop and laptop Linux distributions, including Fedora Workstation.

However, on many Linux servers, networking is managed by a different service called systemd-networkd. On those systems, you would use the networkctl command instead of nmcli to perform similar actions. It’s important to know which networking service your system is using.

Tip: Did You See All Four Packets? (Broadcast vs. Unicast)

Don’t worry if you only saw two packets (Discover and Request) instead of all four. This is a perfect example of how networking works in the real world!

  • DHCPDISCOVER and DHCPREQUEST packets are sent as broadcasts, meaning your computer shouts them out to every device on the local network. Your tcpdump will always see these.
  • DHCPOFFER and DHCPACK packets are often sent back as unicasts, meaning the server sends them directly to your computer’s specific MAC address. Sometimes tcpdump doesn’t show these incoming unicast packets in the same way.

Seeing only the broadcast packets is a very common and normal result. The disconnect/connect sequence gives you the best chance to see all four, but observing only two is also a correct observation.

  3. Go back to your FIRST terminal. You should see a sequence of DHCP packets appear. A full, four-part DORA negotiation will look like this:
    • DHCPDISCOVER: Your computer shouting, “Is there a DHCP server out there?”
    • DHCPOFFER: A DHCP server replying, “Yes, I’m here! You can have this IP address.”
    • DHCPREQUEST: Your computer saying, “Great, I’ll take that IP address you offered.”
    • DHCPACK: The server replying, “Excellent. That IP address is now officially yours for a set amount of time (the lease).”
  4. You can now stop the tcpdump command by pressing Ctrl+C in the first terminal.

Take a screenshot of the DORA process output in your tcpdump terminal and add it to your notebook.
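
The following is an added example, not part of the original exercise: it reads `tcpdump -v` text output, reports each DHCP message type with whether it went to the broadcast address, and lists any DORA stage missing from the capture. The function names and the sample capture (MAC and IP addresses included) are constructed for illustration, and it assumes numeric addresses and the `DHCP-Message ... : <type>` option line that `tcpdump -v` prints.

```bash
#!/usr/bin/env bash
# Added example: summarize DHCP messages seen in `tcpdump -v` text output.

# dora_summary: per DHCP message print "<type> <broadcast|unicast> <src> > <dst>".
dora_summary() {
  awk '
    # Packet header line: "<src>.<port> > <dst>.<port>: BOOTP/DHCP, ..."
    / > .*: BOOTP\/DHCP/ {
      for (i = 2; i < NF; i++) if ($i == ">") { src = $(i-1); dst = $(i+1); break }
      sub(/:$/, "", dst)
      next
    }
    # Option 53 line ends with the message type: Discover, Offer, Request, ACK
    /DHCP-Message/ {
      mode = (dst ~ /^255\.255\.255\.255\./) ? "broadcast" : "unicast"
      print $NF, mode, src, ">", dst
    }
  '
}

# dora_missing: read dora_summary output, print DORA stages not seen ("none" if complete).
dora_missing() {
  awk '
    { seen[$1] = 1 }
    END {
      n = split("Discover Offer Request ACK", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { out = out sep want[i]; sep = " " }
      print (out == "" ? "none" : out)
    }
  '
}

# Constructed sample (abbreviated tcpdump -v lines; MAC and IPs are made up).
sample_capture() {
  cat <<'EOF'
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 52:54:00:aa:bb:cc, length 300
            DHCP-Message (53), length 1: Discover
    192.168.122.1.bootps > 192.168.122.57.bootpc: BOOTP/DHCP, Reply, length 300
            DHCP-Message (53), length 1: Offer
    0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 52:54:00:aa:bb:cc, length 300
            DHCP-Message (53), length 1: Request
    192.168.122.1.bootps > 192.168.122.57.bootpc: BOOTP/DHCP, Reply, length 300
            DHCP-Message (53), length 1: ACK
EOF
}

sample_capture | dora_summary
echo "missing: $(sample_capture | dora_summary | dora_missing)"
```

To use it on a real capture, save the tcpdump output to a file and pipe that file into `dora_summary`.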

4.3 Step 3: Perform a Basic DNS Lookup

The nslookup command is the classic tool for performing a DNS query.

  1. Run nslookup on a common domain name:

    nslookup www.google.com

  2. Analyze the output. The first two lines show the DNS server that answered your query. The section below that, labeled “Non-authoritative answer,” shows the IPv4 (A record) and IPv6 (AAAA record) addresses for www.google.com.

In your notebook, write down the name of the DNS server that responded and one of the IPv4 addresses for www.google.com.

4.4 Step 4: Perform a Detailed DNS Lookup with dig

The dig (Domain Information Groper) command is a more modern and powerful tool than nslookup. It provides much more detailed information.

  1. Run dig on the same domain:

    dig www.google.com

  2. Analyze the output:

    • QUESTION SECTION: Shows the query you made (for the A record of www.google.com).
    • ANSWER SECTION: This is the key part. It shows the domain name, the “Time to Live” (TTL) for the record, and the IP address.
    • At the bottom, you can see details about the query time and the server that responded.

4.5 Step 5: Query for Different Record Types

DNS can hold more than just IP addresses. For example, an MX (Mail Exchange) record tells mail servers where to send email for a domain.

  1. Use dig to ask specifically for the MX records for google.com.

    dig google.com MX

  2. Look at the ANSWER SECTION. You will see a list of hostnames (like smtp.google.com) that are responsible for handling email for the google.com domain.

In your notebook, write down the name of one of the mail servers listed in the MX record for google.com.
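
The following is an added example, not part of the original exercise: it extracts from full `dig` output the response status, each ANSWER SECTION record with its TTL, and the server that replied, and it returns a non-zero exit status when there is no answer. The function names and the sample output (TTL, MX preference, query id and server address) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pull out the parts of full `dig` output that Steps 4 and 5 read by eye.

# dig_report: print "status <rcode>", one "answer <type> ttl=<n> <rdata>" line per
# ANSWER SECTION record, and "server <addr>". Exit status is 1 when no answer is found.
dig_report() {
  awk '
    /status:/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); print "status", s }
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^$/ || /^;/ { in_ans = 0 }        # a blank or comment line ends the section
    in_ans {
      # Columns: name, TTL (seconds), class, type, then the record data
      rdata = $5
      for (i = 6; i <= NF; i++) rdata = rdata " " $i
      print "answer", $4, "ttl=" $2, rdata
      found = 1
    }
    /^;; SERVER:/ { print "server", $3 }
    END { exit (found ? 0 : 1) }
  '
}

# Constructed sample in the layout of `dig google.com MX` output (values are made up).
sample_dig_mx() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.                    IN      MX

;; ANSWER SECTION:
google.com.             300     IN      MX      10 smtp.google.com.

;; Query time: 12 msec
;; SERVER: 192.168.122.1#53(192.168.122.1) (UDP)
EOF
}

sample_dig_mx | dig_report
```

dig's own `+noall +answer` options print only the answer records; this parser works on the full output so the status and server lines stay visible.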

5 Reflect and Review

Important: Reflection: 3-2-1

Now that you have completed this exercise, reflect on your experience in your Microsoft Teams Student Notebook:

  • 3 new commands or command variations you used in this exercise.
  • 2 types of DNS records you learned about.
  • 1 question you still have about how DNS servers are organized.

Tip: Check on Learning

Answer these questions in your notebook to solidify your understanding:

  1. What are the four steps of the DHCP process?
  2. What nmcli command sequence can you use to force a full DHCP renewal?
  3. What is the purpose of the nslookup command?
  4. You need to find out which servers handle email for a specific domain. What DNS record type would you query for?