Wondering how DNS really works? Watch it in action with this free app


Use the web for more than five minutes and you’ll definitely hear about DNS, the domain name system.

Indeed, you may already know that it is a vital internet technology that translates domains like techradar.com into IP addresses like But unless you’re a networking geek, it might seem too complicated and theoretical to be really useful.

DNSQuerySniffer proves that it doesn’t have to be. It’s a free Windows tool anyone can use to watch DNS in action and see how it really works. And there are some very real practical benefits, too: you can spot apps accessing the internet without your knowledge, perhaps detect malware, and even help confirm that your VPN is working properly.


Getting started with DNSQuerySniffer (opens in a new tab) starts by downloading the version you need from the NirSoft developer site. There are 32 and 64 bit versions; 64-bit should cover all but the oldest Windows systems, so choose that option if you’re not sure.

By clicking on the link, you get a small zip file (136 KB) and you can extract the contents in the usual way (right-click on the file in Explorer, select Extract all… and accept the folder by default).

And that’s it, you’re done. There is no downloader to grab 500MB of other files, no installation required, no network drivers conflict with anything else. Just switch to the folder you just created, run DNSQuerySniffer as administrator (right click, choose Run as administrator) and you’re good to go.

Run DNSQuerySniffer for the first time and it will ask you which network adapter you want to monitor. There may be several options listed, especially if you have installed a few free VPNs on this system. But normally all you have to do is choose the adapter with the connection name Ethernet if you have a wired connection, or WiFi for wireless.

NirSoft's DNSQuerySniffer GUI

(Image credit: NirSoft)

DNS in action

To get a taste of how DNS works on the web, simply point your browser to a popular ad-filled website that you haven’t visited today (because your system may have stored the results of previous DNS queries and you won’t see them this time). Newspaper websites are often a good choice:.

DNSQuerySniffer can display a large number of queries – 20, 30, 40, more – from a single page, since large websites often contact many other domains. Some may store their own content – images, videos, comments, scripts – but they may also link to ad servers, trackers, all sorts of other third-party sites.

This works as a quick and easy demonstration of why some sites are really, really slow: they need to access content from a long list of other domains before they can finish loading.

But it can also be interesting if you look at exactly which domains they access. Do you recognize any? Do some sites query a large number of ad, tracking, or social media domains? Maybe others look really clean by comparison: they load their own HTML, images, and scripts from their own servers, but don’t try to share your information with the rest of the world. Try a few of your favorite websites, see how they compare.

(Note that DNSQuerySniffer keeps adding new queries to the end of the array, which can create a very long list in a very short time. Click File > Clear All Current if you want to empty the array and start over.)

What is using your internet connection?

DNS queries are not only used for browsers. They are created each time an application accesses a website. This means you can also use DNSQuerySniffer to show you which of your apps are doing web queries in the background and which domains they’re trying to reach.

You don’t have to do any extra work to make it happen. Simply close any other open applications, leave DNSQuerySniffer running, and examine the HostName and CNAME columns for any new queries that appear.

Most PCs always have a lot of Internet activity in the background. We saw requests from our password manager (Dashlane), backup app (Backblaze), chat tools (Slack) and Windows VPN, for example, as well as requests to Windows Update and the Office URL (Outlook and others). of this: many applications will regularly check servers, sync data, and generally continue with their usual tasks.

But you might also see more surprising traffic. Maybe an app you’ve installed is regularly uploaded, when you’d rather it wasn’t? Maybe there is a “check for updates” switch you can turn off. Other apps may be trying to access ad servers, Google Analytics, or strange domains that indicate they’re doing something you didn’t expect.

You might even spot a malware infection, if there’s a lot of unusual traffic, but run the domains through a Google or two before you panic. We spotted many encrypted domain names that turned out to be completely legitimate.

NordVPN Windows App

(Image credit: NordVPN)

A quick VPN test

Just looking at normal DNS activity can tell you a lot about your system, but stick with DNSQuerySniffer and there’s a lot more to discover.

We will only cover one tip here. If you use a VPN, you’ll probably know that it’s supposed to redirect all your internet traffic, including DNS queries, through a secure encrypted tunnel.

In some cases, you can see this in action just by watching DNSQuerySniffer in action. Run the program normally, navigate to a few sites, confirm that it shows DNS queries. Then connect to your VPN, visit more sites, and if DNSQuerySniffer shows no DNS queries, that indicates queries are being redirected as expected.

This test is not conclusive and does not absolutely prove that your VPN handles DNS requests correctly (or not). But it gives you an indication and is quick and easy to perform. We tried the test with the ExpressVPN and NordVPN apps, and in each case, DNSQuerySniffer neither detected nor displayed any DNS queries while the VPN was connected: an ideal result and exactly what we expect from two of the best VPNs in the world. .


Comments are closed.