<h3 id="heading-overview">Overview</h3>
<ul>
<li>In the internet world, requests for external data start with <strong>DNS Queries</strong> for domains. In environments with firewalls installed, <strong>DNS Queries</strong> themselves may be blocked. To understand this, it is necessary to know the current <strong>DNS Queries</strong> being made. This document outlines how to monitor <strong>DNS</strong> queries using <code>tshark</code>.</li>
</ul>
<h3 id="heading-installing-tshark">Installing tshark</h3>
<pre><code class="lang-bash"><span class="hljs-comment"># Installing tshark on Ubuntu</span>
$ sudo apt-get install tshark -y

<span class="hljs-comment"># Installing tshark on macOS</span>
$ brew install --cask wireshark

<span class="hljs-comment"># Installing tshark on Windows</span>
$ choco install wireshark -y

<span class="hljs-comment"># Verifying installation</span>
$ tshark -v
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
</code></pre>
<h3 id="heading-monitoring-dns-queries">Monitoring DNS Queries</h3>
<pre><code class="lang-bash"><span class="hljs-comment"># Running DNS query monitoring with tshark, then executing nslookup www.google.com</span>
$ sudo tshark -f <span class="hljs-string">"port 53"</span>
Capturing on <span class="hljs-string">'eth0'</span>
 ** (tshark:138272) 17:38:22.224025 [Main MESSAGE] -- Capture started.
    1 0.000000000 172.30.159.111 → 8.8.8.8      DNS 74 Standard query 0x5ba5 A www.google.com
    2 0.064698077      8.8.8.8 → 172.30.159.111 DNS 90 Standard query response 0x5ba5 A www.google.com A 142.250.66.100
</code></pre>
<h3 id="heading-references">References</h3>
<ul>
<li><a target="_blank" href="https://www.oasys.net/posts/filtering-a-packet-capture-by-dns-qname/">Filtering a packet capture by DNS Query Name</a></li>
</ul>


### Overview

* In the internet world, requests for external data start with **DNS Queries** for domains. In environments with firewalls installed, **DNS Queries** themselves may be blocked. To understand this, it is necessary to know the current **DNS Queries** being made. This document outlines how to monitor **DNS** queries using `tshark`.
    

### Installing tshark

```bash
# Installing tshark on Ubuntu
$ sudo apt-get install tshark -y

# Installing tshark on macOS
$ brew install --cask wireshark

# Installing tshark on Windows
$ choco install wireshark -y

# Verifying installation
$ tshark -v
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
```

### Monitoring DNS Queries

```bash
# Running DNS query monitoring with tshark, then executing nslookup www.google.com
$ sudo tshark -f "port 53"
Capturing on 'eth0'
 ** (tshark:138272) 17:38:22.224025 [Main MESSAGE] -- Capture started.
    1 0.000000000 172.30.159.111 → 8.8.8.8      DNS 74 Standard query 0x5ba5 A www.google.com
    2 0.064698077      8.8.8.8 → 172.30.159.111 DNS 90 Standard query response 0x5ba5 A www.google.com A 142.250.66.100
```

### References

* [Filtering a packet capture by DNS Query Name](https://www.oasys.net/posts/filtering-a-packet-capture-by-dns-qname/)

Monitoring DNS Queries using tshark

I am Software Engineer with 15 years of experience, working at Gentle Monster. I specialize in developing high-load, large-scale processing APIs using Kotlin and Spring Boot. I live in Seoul, Korea.
