SANS ISC
Analyst Debugs Slow DNS Response Times Using Tshark
Friday, January 2, 2026
What
An analyst investigated intermittent slow website loading by analyzing DNS traffic with tshark, uncovering high maximum DNS response times and excessive PTR queries. This highlights the importance of detailed network traffic analysis for identifying subtle performance bottlenecks.
Where
A personal homelab network and its connected devices, utilizing various public DNS resolvers.
When
Published and last updated on 2026-01-02.
Key Factors
- Tshark's DNS statistics capabilities were instrumental in identifying an average DNS response time of 33ms but a critical maximum of nearly 8 seconds.
- Excessive PTR record lookups from an NTP server significantly contributed to DNS timeouts and overall network latency before being reconfigured.
- Specific domains, including `isc.sans.edu` and `firmware.zwave-js.io`, experienced sporadic multi-second DNS delays across multiple major public resolvers.
Takeaways
- Utilize tshark's advanced DNS analysis features (`-z dns,tree`, `dns.time` field) for in-depth network troubleshooting of performance issues.
- Regularly review and optimize DNS query types and configurations on network devices to prevent unnecessary lookups and potential timeouts.
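As an added example (not code from the original SANS ISC article), the script below post-processes tshark's `dns.time` field output to surface slow outliers that an average hides and to count PTR queries per client. The sample lines, the addresses, the `capture.pcap` file name and the 1-second threshold are constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed sample of tab-separated output from (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
#          -e ip.dst -e dns.qry.name -e dns.qry.type -e dns.time
# Columns: client that asked, query name, numeric query type, response time (s).
SAMPLE = """\
192.0.2.10\tisc.sans.edu\t1\t0.021
192.0.2.10\tisc.sans.edu\t28\t7.912
192.0.2.20\t5.113.0.203.in-addr.arpa\t12\t0.030
192.0.2.20\t9.113.0.203.in-addr.arpa\t12\t2.450
192.0.2.20\t7.113.0.203.in-addr.arpa\t12\t
192.0.2.30\tfirmware.zwave-js.io\t1\t0.028
"""

PTR = "12"  # DNS query type number for PTR records


def analyze(text, slow_threshold=1.0):
    """Summarise DNS response times and PTR volume per client."""
    times, slow, ptr_by_client, unmatched = [], [], Counter(), 0
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed lines
        client, name, qtype, rtt = fields
        if qtype == PTR:
            ptr_by_client[client] += 1
        if not rtt:
            unmatched += 1  # dns.time is empty when tshark saw no matching query
            continue
        rtt = float(rtt)
        times.append(rtt)
        if rtt >= slow_threshold:
            slow.append((name, qtype, rtt))
    return {
        "count": len(times),
        "mean": statistics.mean(times) if times else 0.0,
        "max": max(times, default=0.0),
        "slow": sorted(slow, key=lambda s: s[2], reverse=True),
        "ptr_by_client": dict(ptr_by_client),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```
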