Note: DNSMonitor is currently in beta. As such, don't run it on production systems!
Running DNSMonitor
After copying DNSMonitor to the /Applications directory, launch it by executing its binary (DNSMonitor.app/Contents/MacOS/DNSMonitor) via the Terminal:
% DNSMonitor.app/Contents/MacOS/DNSMonitor -h
DNSMonitor usage:
-h or -help display this usage info
-json output is formatted as JSON
-pretty JSON output is 'pretty-printed'
When run with no arguments, DNSMonitor will begin monitoring for and printing out DNS packets:
% DNSMonitor.app/Contents/MacOS/DNSMonitor
PROCESS:
{
processID = 17357;
processPath = "/usr/bin/nslookup";
processSigningID = "com.apple.nslookup";
}
PACKET:
Xid: 10948
QR: Query
Server: -nil-
Opcode: Standard
AA: Non-Authoritative
TC: Non-Truncated
RD: Recursion desired
RA: No recursion available
Rcode: No error
Question (1):
objective-see.org IN A
Answer (0):
Authority (0):
Additional records (0):
When run with the -json command-line option, DNS packets are output as JSON. The -pretty option causes the JSON to be "pretty-printed":
% DNSMonitor.app/Contents/MacOS/DNSMonitor -json -pretty
[{
"Process" : {
"processPath" : "\/usr\/bin\/nslookup",
"processSigningID" : "com.apple.nslookup",
"processID" : 17493
},
"Packet" : {
"Opcode" : "Standard",
"QR" : "Query",
"Questions" : [
{
"Question Name" : "objective-see.org",
"Question Class" : "IN",
"Question Type" : "A "
}
],
"RA" : "No recursion available",
"Rcode" : "No error",
"RD" : "Recursion desired",
"XID" : 63159,
"TC" : "Non-Truncated",
"AA" : "Non-Authoritative"
}
},
...
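As an added example (not DNSMonitor's own code), the following Python parses the -json output shown above and groups the queried names by the requesting process, which is the first thing an analyst usually wants from this feed. The first record mirrors the nslookup output on this page; the second record, the /tmp/updater process with an empty signing ID, is constructed. Note that the "Question Type" value carries a trailing space ("A ") and the paths use JSON-escaped slashes, both of which the parser handles.

```python
import json
from collections import defaultdict

# Constructed sample of DNSMonitor's `-json -pretty` output (a JSON array of
# Process/Packet records). Record 1 mirrors the page's nslookup example;
# record 2 is a constructed query from a process with no signing ID.
SAMPLE_OUTPUT = r"""[
  {
    "Process": {"processPath": "\/usr\/bin\/nslookup",
                "processSigningID": "com.apple.nslookup",
                "processID": 17493},
    "Packet": {"Opcode": "Standard", "QR": "Query", "XID": 63159,
               "Questions": [{"Question Name": "objective-see.org",
                              "Question Class": "IN",
                              "Question Type": "A "}]}
  },
  {
    "Process": {"processPath": "\/tmp\/updater",
                "processSigningID": "",
                "processID": 20001},
    "Packet": {"Opcode": "Standard", "QR": "Query", "XID": 42,
               "Questions": [{"Question Name": "example.invalid",
                              "Question Class": "IN",
                              "Question Type": "TXT"}]}
  }
]"""

def parse_records(text):
    """Load DNSMonitor JSON output into (process, packet) tuples.
    json.loads already unescapes the "\/" sequences in paths."""
    return [(r["Process"], r["Packet"]) for r in json.loads(text)]

def questions_by_process(records):
    """Map each querying process (signing ID, or path if unsigned) to the
    (name, type) pairs it asked for. Only queries (QR == "Query") count;
    the record type is stripped because the output carries "A "."""
    seen = defaultdict(list)
    for proc, pkt in records:
        if pkt.get("QR") != "Query":
            continue
        key = proc.get("processSigningID") or proc["processPath"]
        for q in pkt.get("Questions", []):
            seen[key].append((q["Question Name"], q["Question Type"].strip()))
    return dict(seen)

def unsigned_queries(records):
    """Return (path, name) for queries from processes with no signing ID,
    i.e. the lookups worth triaging first."""
    return [(p["processPath"], q["Question Name"])
            for p, pkt in records if not p.get("processSigningID")
            for q in pkt.get("Questions", [])]
```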
Note: Though DNSMonitor is distributed as an application (in order to satisfy Apple's code-signing, notarization, and System/Network extension requirements), it is a CLI utility. As such, it should be executed from the command line, by specifying the path to its application binary:
DNSMonitor.app/Contents/MacOS/DNSMonitor
Moreover, it must remain in its application bundle (which contains the required code-signing and provisioning profile information).
DNSMonitor leverages Apple's System/Network Extensions Framework to capture system-wide DNS events. Apple places several restrictions on such extensions. Specifically, such extensions must first be copied to the /Applications directory, and the user must manually approve any extension before it is allowed to begin capturing (network) events.
Thus, to run DNSMonitor.app, you must:
- Ensure the application bundle DNSMonitor.app has been copied into the /Applications directory. If not, an error will be displayed:
% ~/Downloads/DNSMonitor.app/Contents/MacOS/DNSMonitor
...
ERROR: As DNSMonitor uses a System Extension,
Apple requires it must be located in /Applications
- Approve the System Extension. First, macOS will display a prompt: click "Open Security Preferences" to open the System Preferences application (it should load the "Security & Privacy" pane). Click "Allow", then authenticate to allow the DNSMonitor extension to load.
- Once the extension has been approved it will load. However, macOS will then request approval to allow it to monitor DNS traffic. Click "Allow" to allow DNSMonitor to monitor DNS traffic.
Now, all DNS requests and responses will be displayed in the terminal.
To terminate DNSMonitor, simply hit control+c. This will trigger a prompt from the operating system to unload the extension:
...authenticate by entering your user name and password and click "OK". This will remove DNSMonitor's extension and cause it to cleanly terminate.