As a prerequisite, it is worth reading the following post first:
https://latebits.com/2019/12/05/useful-wireshark-filters/
DNS tricks
For finding DNS errors you can use this filter: “dns.flags.rcode > 0”
data:image/s3,"s3://crabby-images/4cbc2/4cbc2cbe7be64af97c0f31ce74ca4ed57632ec89" alt=""
We use “> 0” because any standard DNS query response with a reply code of 0 is a reply with no error: it returns an IP address, a CNAME, or some other valid DNS answer.
As an example of what a DNS error looks like, here we query a domain that does not exist and get the expected error code 0011 “No such name”:
data:image/s3,"s3://crabby-images/3777a/3777abcedff7492db1f7e5010e9f937bd4cc1ffc" alt=""
A useful step is to add the DNS “Time” field (dns.time) to Wireshark as a column so you can see the response time of each DNS query. You can do this by right-clicking the Time field in the packet details and adding it as a column. You can name the column whatever you like; it does not have to be “DNS time”.
data:image/s3,"s3://crabby-images/9a857/9a8573f15705cd747fccb4345c30a6a7fb1bb577" alt=""
Now the response times appear in a column, which makes it easier to spot which queries are slower or which DNS server is busy. In this example I am looking for responses with a response time greater than 0.5 seconds: “dns.time > 0.5”
data:image/s3,"s3://crabby-images/c1930/c1930d9b35b2a582b7b7ce63048fc953e2fce0fe" alt=""
Other filters you can use for DNS (values and names are just examples):
dns.a
dns.cname
dns.qry.name == example.com
dns.resp.name == example.com
dns.resp.name == example.com and dns.time > 0.01
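To make explicit what the filters above actually select, here is an added example (not code from the original post or from Wireshark) that parses raw DNS messages and reproduces the three checks from this post: “dns.flags.rcode > 0” (the four RCODE bits of the flags word), “dns.time > 0.5” (response timestamp minus the timestamp of the query with the same transaction ID and name, which is how Wireshark derives dns.time) and a name match combined with a latency threshold. The packets are constructed inline; the parser only decodes the header and the first question, so the name match uses the query name (dns.qry.name) rather than an answer record name (dns.resp.name). All function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Standard RCODE values (RFC 1035 / IANA); Wireshark shows 3 as "No such name".
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}


@dataclass
class DnsMessage:
    ts: float                     # capture timestamp of the frame (seconds)
    txid: int                     # 16-bit transaction ID
    is_response: bool             # QR bit of the flags word
    rcode: int                    # low four bits of the flags word (dns.flags.rcode)
    qname: str                    # first question name (dns.qry.name)
    time: Optional[float] = None  # response latency, the equivalent of dns.time


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit offset
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_dns(ts: float, payload: bytes) -> DnsMessage:
    """Parse the 12-byte DNS header and the first question of a UDP payload."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    qname = _read_name(payload, 12)[0] if qdcount else ""
    return DnsMessage(ts=ts, txid=txid, is_response=bool(flags & 0x8000),
                      rcode=flags & 0x000F, qname=qname)


def match_responses(msgs):
    """Pair each response with the earlier query of the same txid/name and fill `time`."""
    pending = {}
    for m in msgs:
        if not m.is_response:
            pending[(m.txid, m.qname)] = m.ts
        else:
            q_ts = pending.pop((m.txid, m.qname), None)
            if q_ts is not None:
                m.time = m.ts - q_ts
    return msgs


# --- constructed sample traffic (not a real capture) -------------------------
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one question (A, IN)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid: int, name: str, rcode: int) -> bytes:
    # flags 0x8180 | rcode: standard response, RD+RA set, chosen reply code
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)

SAMPLE_FRAMES = [                         # (timestamp, UDP payload), constructed
    (0.000, build_query(0x1A2B, "example.com")),
    (0.012, build_response(0x1A2B, "example.com", 0)),
    (0.100, build_query(0x3C4D, "nosuchhost.example.invalid")),
    (0.115, build_response(0x3C4D, "nosuchhost.example.invalid", 3)),
    (1.000, build_query(0x5E6F, "slow.example.com")),
    (1.700, build_response(0x5E6F, "slow.example.com", 0)),
]


def analyse(frames=SAMPLE_FRAMES):
    """Apply the post's three filters to a list of (timestamp, payload) frames."""
    msgs = match_responses([parse_dns(ts, p) for ts, p in frames])
    resp = [m for m in msgs if m.is_response]
    return {
        # dns.flags.rcode > 0
        "errors": [(m.qname, m.rcode, RCODE_NAMES.get(m.rcode, "?")) for m in resp if m.rcode > 0],
        # dns.time > 0.5
        "slow": [(m.qname, round(m.time, 3)) for m in resp if m.time is not None and m.time > 0.5],
        # dns.qry.name == example.com and dns.time > 0.01
        "example_com": [(m.qname, round(m.time, 3)) for m in resp
                        if m.qname == "example.com" and m.time is not None and m.time > 0.01],
    }


if __name__ == "__main__":
    for key, hits in analyse().items():
        print(key, hits)
```

Running the script prints one line per filter: the NXDOMAIN reply shows up under "errors" with rcode 3, the 0.7 s reply under "slow", and the example.com reply (0.012 s) under the combined name-and-latency filter. A response whose query is missing from the capture gets no `time`, exactly as Wireshark leaves dns.time unset for unmatched responses, so the latency filters skip it rather than misreport it.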