# Monitoring DNS Queries using tshark

### Overview

* Almost every connection to an external host begins with a **DNS query** for that host's name. Where a firewall sits in the path, the query itself may be what gets blocked, and the symptom (a connection that never starts) looks like an unrelated network fault. Knowing which **DNS queries** are actually being sent, and which of them get answers, is the first step in diagnosing that. This document shows how to watch DNS queries live with `tshark`, the command-line companion to Wireshark.

### Installing tshark

```bash
# Installing tshark on Ubuntu. The wireshark-common postinst asks whether
# non-root users may capture; answer Yes and add yourself to the group,
# otherwise every capture below needs sudo.
$ sudo apt-get install tshark -y
$ sudo dpkg-reconfigure wireshark-common
$ sudo usermod -aG wireshark "$USER"   # takes effect at next login

# Installing tshark on macOS. The formula puts tshark on PATH; the GUI cask
# (brew install --cask wireshark) ships tshark inside Wireshark.app instead.
$ brew install wireshark

# Installing tshark on Windows. The package does not install Npcap, which
# live capture requires; install it separately from npcap.com.
$ choco install wireshark -y

# Verifying installation
$ tshark -v
TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
```

### Monitoring DNS Queries

```bash
# Start capturing DNS traffic (-f is a BPF capture filter, applied before
# tshark decodes anything), then run "nslookup www.google.com" in another terminal
$ sudo tshark -f "port 53"
Capturing on 'eth0'
 ** (tshark:138272) 17:38:22.224025 [Main MESSAGE] -- Capture started.
    1 0.000000000 172.30.159.111 → 8.8.8.8      DNS 74 Standard query 0x5ba5 A www.google.com
    2 0.064698077      8.8.8.8 → 172.30.159.111 DNS 90 Standard query response 0x5ba5 A www.google.com A 142.250.66.100
```

* The query and its response share the transaction ID `0x5ba5`. A query that appears with no matching response is the signature of DNS being dropped upstream, so when diagnosing a firewall it is the pairing, not the query alone, that matters.
* Without `-i`, `tshark` captures on the first non-loopback interface. On Ubuntu with `systemd-resolved`, `nslookup` talks to the stub resolver at `127.0.0.53` over `lo`, and only the forwarded query leaves on `eth0`; use `-i any` to see both legs.
* `port 53` only catches classic DNS. Queries sent over DNS over TLS (port 853) or DNS over HTTPS (port 443) are encrypted and will not be decoded, and the filter will also pick up any non-DNS traffic that happens to use port 53.
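The decoded summary lines above are fine for a quick look, but to answer the question the overview asks (which queries are being made, and which never get a reply) it is easier to have `tshark` emit tab-separated fields and post-process them. The script below is an added example, not code from the original page. It assumes `tshark` is on `PATH`, capture privileges are available, the resolver traffic is IPv4 (`ip.src`/`ip.dst`; IPv6 would need `ipv6.src`/`ipv6.dst`), and the interface name passed in exists; the function names and the sample lines are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original page): pull DNS queries and responses
# out of tshark as tab-separated fields, then report queries that never got an
# answer, which is what an upstream firewall dropping port 53 looks like.
# Assumptions: tshark on PATH, capture privileges, IPv4 resolver traffic.

# One line per DNS packet: epoch time, src, dst, transaction id, response
# flag, queried name. Booleans print as 0/1 on some tshark versions and as
# True/False on others; the awk below accepts both. Left unquoted on purpose
# so it word-splits into separate -e arguments.
DNS_FIELDS="-e frame.time_epoch -e ip.src -e ip.dst -e dns.id -e dns.flags.response -e dns.qry.name"

# Live capture for N seconds (default 30) on an interface (default any).
dns_fields_live() {
    iface="${1:-any}"
    seconds="${2:-30}"
    tshark -i "$iface" -f "udp port 53" -a "duration:$seconds" \
        -Y dns -T fields -E separator=/t $DNS_FIELDS 2>/dev/null
}

# Same fields from a saved capture file.
dns_fields_from_pcap() {
    tshark -r "$1" -Y dns -T fields -E separator=/t $DNS_FIELDS 2>/dev/null
}

# Reads the field lines on stdin; prints every query that has no matching
# response (same transaction id and name, src/dst swapped) as
# "epoch<TAB>src<TAB>dst<TAB>id<TAB>qname", in the order first seen.
find_unanswered() {
    awk -F'\t' '
        ($5 == "0" || $5 == "False") {
            k = $2 "|" $3 "|" $4 "|" $6
            if (!(k in seen)) { seen[k] = 1; order[++n] = k; ts[k] = $1 }
        }
        ($5 == "1" || $5 == "True") {
            # a response travels resolver -> client, so swap to match the query key
            answered[$3 "|" $2 "|" $4 "|" $6] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in answered)) {
                    split(k, p, "|")
                    print ts[k] "\t" p[1] "\t" p[2] "\t" p[3] "\t" p[4]
                }
            }
        }'
}

# Reads the same field lines; prints "count<TAB>qname" for queries only,
# most-queried first.
summarize_qnames() {
    awk -F'\t' '($5 == "0" || $5 == "False") && $6 != "" { print $6 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1 "\t" $2 }'
}

# Constructed sample in the field format above (not captured traffic): two
# answered lookups of www.google.com and one query that gets no response.
sample_dns_lines() {
    printf '1.000000000\t172.30.159.111\t8.8.8.8\t0x5ba5\t0\twww.google.com\n'
    printf '1.064698077\t8.8.8.8\t172.30.159.111\t0x5ba5\t1\twww.google.com\n'
    printf '2.000000000\t172.30.159.111\t8.8.8.8\t0x1234\t0\twww.google.com\n'
    printf '2.050000000\t8.8.8.8\t172.30.159.111\t0x1234\t1\twww.google.com\n'
    printf '3.000000000\t172.30.159.111\t8.8.8.8\t0x9a1c\t0\tblocked.example\n'
}

# Live use: dns_fields_live eth0 60 > dns.tsv; find_unanswered < dns.tsv
# Offline demo on the constructed sample (prints the blocked.example query):
sample_dns_lines | find_unanswered
```

Capture into a file first and run both reports over it, rather than piping a live capture straight into `find_unanswered`: the `END` block only runs when the capture ends, and a saved `.tsv` (or the original pcap via `dns_fields_from_pcap`) can be re-examined once you know which name is being blocked. A single unanswered query can also be a transient timeout, so look for the same name failing repeatedly before blaming the firewall.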

### References

* [Filtering a packet capture by DNS Query Name](https://www.oasys.net/posts/filtering-a-packet-capture-by-dns-qname/)
