LINUX  ยท  EBPF / RAW SOCKET  ยท  PER-PROCESS

proc-trace-dns

Watch every DNS query your processes make โ€” in real time, with per-process attribution, query types, resolved IPs, and latency. No packet capture tools. No tcpdump. No noise.

๐Ÿ“ฆ Install โญ GitHub Usage โ†’
proc-trace-dns โ€” bash 
$ sudo proc-trace-dns
12341  curl      A      api.github.com          โ†’ 140.82.121.6       1.4ms
12342  python3   A      api.openai.com          โ†’ 104.18.7.192      2.1ms
12342  python3   AAAA   api.openai.com          โ†’ 2606:4700::6812   2.1ms
12343  wget      A      releases.ubuntu.com     โ†’ 185.125.190.36    0.9ms
12344  node      A      registry.npmjs.org      โ†’ 104.16.0.35       1.7ms
12345  apt       A      deb.debian.org          โ†’ NXDOMAIN          0.5ms
CAPABILITIES
๐Ÿ”—

Per-Process Attribution

Every DNS query is tagged with the PID and process name that made it. No more guessing which binary is calling home.

๐Ÿ“‹

Query Type Breakdown

Shows A, AAAA, MX, CNAME, TXT, PTR, and SRV queries โ€” not just hostnames. See the full picture of what's being resolved.

โšก

Response Latency

Measures round-trip time for each query. Spot slow resolvers, high-latency upstreams, or retries caused by timeouts.

๐ŸŒ

System-Wide or Filtered

Watch all DNS traffic across every process at once, or filter to a specific PID, process name, or domain pattern.

โŒ

NXDOMAIN & Errors

Surfaces failed lookups โ€” NXDOMAIN, SERVFAIL, timeouts โ€” alongside successful ones. Debug misconfigured resolvers instantly.

๐Ÿ”Œ

No Packet Capture

Does not require libpcap, tcpdump, or promiscuous mode. Uses eBPF or raw socket interception at the resolver level.

WHY THIS EXISTS

Answer the question: who is resolving what?

When an install script runs, does it phone home? When your app starts up, which DNS queries fail? When something breaks after a network change, which process is hitting the wrong resolver?

Existing tools are painful: tcpdump port 53 shows packets but no process context. strace -e trace=network is verbose and affects performance. System resolver logs are per-query without process attribution.

proc-trace-dns answers these questions with one command โ€” no packet capture, no daemon configuration, no noise from unrelated queries.

How it works in one sentence: proc-trace-dns hooks DNS resolution at the system level โ€” intercepting queries before they hit the wire โ€” and annotates each one with the process that triggered it.
Filter by process name
$ sudo proc-trace-dns -n curl
19201 curl A example.com โ†’ 93.184.216.34
Filter by domain pattern
$ sudo proc-trace-dns -d amazonaws.com
19305 python3 A s3.amazonaws.com โ†’ 52.216.8.176
USE CASES
๐Ÿ”

Supply Chain Auditing

Watch what domains a package installer or build system contacts. Does npm install resolve anything unexpected?

๐Ÿ›

Resolver Debugging

Identify NXDOMAIN failures, retries, and fallback resolver behavior. Find exactly which process is hitting a broken DNS server.

๐Ÿ“Š

Latency Profiling

Measure DNS round-trip times per process. Find slow resolvers adding latency to your app's startup or request path.

๐Ÿ›ก๏ธ

Malware / Beaconing Detection

Watch for unexpected domains being resolved at startup or on a schedule. Catch beaconing behavior before it connects outbound.

๐Ÿ”ง

Service Dependency Mapping

See every hostname a microservice resolves during its lifecycle. Build an accurate picture of external dependencies.

๐ŸŽ“

Learning & Exploration

Understand what DNS lookups your system generates at idle. A great way to audit service discovery and understand your infrastructure.