DNS analysis


To filter out the specific dns query packets, you can type dns contains "domain_name" in the display filter.

Note that there must be the double quotation around the name, the domain_name should not contain the top domain name, e.g. if you want to search query about cnn.com, you should type dns contains "cnn"

dns.flags.response==0 , respond area 0 means all the queries sent from client to DNS server.

In the Domain Name System > Flags > Response: you will see Message is a query

dns.flags.response==1 means the answer to the queries.

In the Domain Name System > Flags > Response: you will see Message is a response.

crl: certificate revocation list, some browser will automatically check mscrl.microsoft.com

Reply code: No such name

Filter the dns record by transaction ID:



To troubleshoot unsuccessful DNS query:

The last line in the Domain Name System > Flags  is the reply code, the 0 of which means no error.

RCODE  Name  Description  Reference 
0 NoError No Error [RFC1035]
1 FormErr Format Error [RFC1035]
2 ServFail Server Failure [RFC1035]
3 NXDomain Non-Existent Domain [RFC1035]
4 NotImp Not Implemented [RFC1035]
5 Refused Query Refused [RFC1035]
6 YXDomain Name Exists when it should not [RFC2136][RFC6672]
7 YXRRSet RR Set Exists when it should not [RFC2136]
8 NXRRSet RR Set that should exist does not [RFC2136]
9 NotAuth Server Not Authoritative for zone [RFC2136]
9 NotAuth Not Authorized [RFC2845]
10 NotZone Name not contained in zone [RFC2136]
11-15 Unassigned
16 BADVERS Bad OPT Version [RFC6891]
16 BADSIG TSIG Signature Failure [RFC2845]
17 BADKEY Key not recognized [RFC2845]
18 BADTIME Signature out of time window [RFC2845]
19 BADMODE Bad TKEY Mode [RFC2930]
20 BADNAME Duplicate key name [RFC2930]
21 BADALG Algorithm not supported [RFC2930]
22 BADTRUNC Bad Truncation [RFC4635]
23 BADCOOKIE Bad/missing Server Cookie [RFC7873]
24-3840 Unassigned
3841-4095 Reserved for Private Use [RFC6895]
4096-65534 Unassigned
65535 Reserved, can be allocated by Standards Action [RFC6895]

You can use the expression:


  • !(dns.flags.rcode==0) means the reply code does not match “no error”
  • dns.flags.response==1 means match all the query answer packet.