Author: MtheK
Subject: Tracking down DNS requests
Posted: 19 February 2014 at 3:49pm
I use Network Monitor w/a DNS Display filter, such as:
---
786 125 {DNS:71, UDP:70, IPv4:1} 09:23:06.8832068 DNS 0x1 192.168.1.2 8.8.8.8 DNS:QueryId = 0xCDB4, QUERY (Standard query), Query for www.indycar.com of type Host Addr on class Internet
789 227 {DNS:71, UDP:70, IPv4:1} 09:23:07.1481597 DNS 0x2 8.8.8.8 QCD3-HP DNS:QueryId = 0xCDB4, QUERY (Standard query), Response - Success, 184.72.246.252, 50.19.113.40 ...
---
and its 1st data packet (by IPaddr):
---
790 116 {TCP:73, IPv4:72} 09:23:07.1495177 iexplore.exe 0xc2c TCP 0x1 Half Connected Disregarded QCD3-HP 184.72.246.252 Flags=......S., SrcPort=50335, DstPort=HTTP(80), PayloadLen=0, Seq=1922571013, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 TCP:Flags=......S., SrcPort=50335, DstPort=HTTP(80), PayloadLen=0, Seq=1922571013, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192
---
and the Network Conversations window matching that packet to give the PID. I then use Process Explorer/Process Monitor from there.
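The correlation the post describes (DNS response gives the resolved IPs, the first TCP SYN to one of those IPs carries the process name and PID in Network Monitor's frame summary) can be scripted once the frame-summary lines have been copied out as plain text. The following is an added example, not code from the post or from Network Monitor; it assumes the summary lines keep the column order shown above, and the sample frames below are constructed from the post's own lines plus one extra SYN (to 203.0.113.7, a documentation address) to show a connection with no preceding lookup.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the post's Network Monitor frame-summary lines.
# Frame 791 is an added SYN with no DNS lookup behind it (documentation address).
SAMPLE_FRAMES = """\
786 125 {DNS:71, UDP:70, IPv4:1} 09:23:06.8832068 DNS 0x1 192.168.1.2 8.8.8.8 DNS:QueryId = 0xCDB4, QUERY (Standard query), Query for www.indycar.com of type Host Addr on class Internet
789 227 {DNS:71, UDP:70, IPv4:1} 09:23:07.1481597 DNS 0x2 8.8.8.8 QCD3-HP DNS:QueryId = 0xCDB4, QUERY (Standard query), Response - Success, 184.72.246.252, 50.19.113.40
790 116 {TCP:73, IPv4:72} 09:23:07.1495177 iexplore.exe 0xc2c TCP 0x1 Half Connected Disregarded QCD3-HP 184.72.246.252 Flags=......S., SrcPort=50335, DstPort=HTTP(80), PayloadLen=0, Seq=1922571013, Ack=0, Win=8192
791 118 {TCP:74, IPv4:72} 09:23:07.2010000 svchost.exe 0x3f8 TCP 0x1 Half Connected Disregarded QCD3-HP 203.0.113.7 Flags=......S., SrcPort=50336, DstPort=HTTPS(443), PayloadLen=0, Seq=1922571014, Ack=0, Win=8192
"""

# Frame number, offset, protocol stack in braces, timestamp, then the rest of the row.
FRAME_RE = re.compile(r"^(?P<frame>\d+)\s+\S+\s+\{[^}]*\}\s+(?P<time>\S+)\s+(?P<rest>.*)$")
# DNS query: QueryId plus the name being looked up.
DNS_QUERY_RE = re.compile(r"QueryId = (?P<qid>0x[0-9A-Fa-f]+),.*?Query for (?P<name>\S+) of type")
# DNS response: QueryId plus the comma-separated answer list that follows "Success".
DNS_RESP_RE = re.compile(r"QueryId = (?P<qid>0x[0-9A-Fa-f]+),.*?Response - Success, (?P<ips>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# TCP row with a process name and hex PID (assumed column order: process, PID, "TCP", ...,
# destination IP, then the flag/port summary).
TCP_RE = re.compile(
    r"^(?P<proc>\S+) (?P<pid>0x[0-9A-Fa-f]+) TCP .*?"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3}) Flags=(?P<flags>\S+), SrcPort=(?P<sport>\d+), DstPort=(?P<dport>\S+),"
)


@dataclass
class Attribution:
    frame: int
    process: str
    pid: int
    dst_ip: str
    src_port: int
    dst_port: str
    name: Optional[str]  # None when no DNS answer in the capture returned dst_ip


def attribute_syns(text: str) -> list:
    """Walk frame-summary lines in order; map each outgoing SYN to the DNS name
    whose answers included the destination IP (or None if there was no lookup)."""
    name_by_qid = {}   # QueryId -> queried name, filled from query frames
    name_by_ip = {}    # answer IP -> queried name, filled from response frames
    results = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frame, rest = int(m["frame"]), m["rest"]
        q = DNS_QUERY_RE.search(rest)
        if q:
            name_by_qid[q["qid"].lower()] = q["name"]
            continue
        r = DNS_RESP_RE.search(rest)
        if r:
            name = name_by_qid.get(r["qid"].lower(), "<query frame not in capture>")
            for ip in IP_RE.findall(r["ips"]):
                name_by_ip[ip] = name
            continue
        t = TCP_RE.match(rest)
        # A bare SYN has S set and A clear in Network Monitor's CEUAPRSF flag string.
        if t and "S" in t["flags"] and "A" not in t["flags"]:
            results.append(Attribution(
                frame=frame,
                process=t["proc"],
                pid=int(t["pid"], 16),
                dst_ip=t["dst"],
                src_port=int(t["sport"]),
                dst_port=t["dport"],
                name=name_by_ip.get(t["dst"]),
            ))
    return results


if __name__ == "__main__":
    for a in attribute_syns(SAMPLE_FRAMES):
        label = a.name or "(no DNS lookup seen for this address)"
        print(f"frame {a.frame}: {a.process} pid {a.pid} -> {a.dst_ip}:{a.dst_port}  {label}")
```

Connections whose destination never appeared in a DNS answer are reported with `name=None`; those are the ones worth a second look, since a process reaching an address it never resolved is either using a cached or hard-coded address, and the post's Process Explorer/Process Monitor step is where that gets settled.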