Wireshark

Show all DNS queries from a local IP address that are for a specific FQDN

dns and ip.src==192.168.1.10 and dns.qry.name == "example.com"

General Filters

Search for packets involving an IP address (for example, one returned in a DNS answer), a port, a subnet, or a single conversation:

ip.addr == 1.2.3.4
ip.src == 1.2.3.4
ip.dst == 1.2.3.4
tcp.port eq 25 or icmp
udp.port eq 53
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
udp.stream eq ${udp.stream}
tcp.stream eq ${tcp.stream}

The ${field} form is a field reference (Wireshark 4.0 and later): it is replaced by that field's value in the currently selected packet, so these two filters isolate the selected packet's UDP or TCP conversation.

DHCP

Filter DHCP messages by the client hardware address (the “client MAC address” field of the DHCP request); replace the example MAC below with the client's address. In Wireshark versions before 3.0 the field was named bootp.hw.mac_addr.

dhcp.hw.mac_addr == 00:11:22:33:44:55

DNS Filtering

Filter just DNS queries

dns

Filter DNS from a source IP to a destination IP

dns and (ip.src==10.42.0.174 and ip.dst==10.43.0.10)

Filter both directions of a DNS exchange between client and server. Note that "and" binds tighter than "or", so the second half must be wrapped in parentheses; without them the reverse direction would match non-DNS traffic too.

dns and ((ip.src==10.42.0.174 and ip.dst==10.43.0.10) or (ip.dst==10.42.0.174 and ip.src==10.43.0.10))

Filter responses by the IP address returned in an A record answer

dns.a == 1.2.3.4

Filter by specific query

dns.qry.name == "sinkhole.paloaltonetworks.com"

Filter by query name that contains a string

dns.qry.name contains "paloaltonetworks.com"

Filter for DNS queries only

dns.flags.response == 0

Filter for DNS responses only

dns.flags.response == 1

Filter by DNS transaction ID (where XX is the transaction ID)

dns.id eq XX

Filter for zone transfers (IXFR, query type 251, and AXFR, query type 252) and NOTIFY messages (opcode 4), which announce zone changes

dns.qry.type in {251 252} or dns.flags.opcode eq 4

Filter by DNS opcode. Standard queries:

dns.flags.opcode == 0

inverse queries:

dns.flags.opcode == 1

server status requests:

dns.flags.opcode == 2

zone change notifications:

dns.flags.opcode == 4

dynamic updates:

dns.flags.opcode == 5

Filter for queries with the Recursion Desired (RD) flag set:

dns.flags.recdesired == 1

Filter for queries with the Recursion Desired (RD) flag cleared:

dns.flags.recdesired == 0
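As an added illustration (not part of this page or of Wireshark itself), a small Python decoder showing which DNS header bits the dns.flags.* and dns.qry.* fields above read, with three of the page's filters re-expressed as functions over constructed DNS messages:

```python
import struct

def build_dns(txid, response, opcode, rd, qname, qtype):
    """Build a minimal DNS message (header + one question) in wire format.
    Constructed sample data only; a real capture carries the IP/UDP headers too."""
    flags = (response << 15) | (opcode << 11) | (rd << 8)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def parse_dns(payload):
    """Decode the header bits and first question into the field names Wireshark uses."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    fields = {
        "dns.id": txid,
        "dns.flags.response": (flags >> 15) & 1,   # QR bit: 0 = query, 1 = response
        "dns.flags.opcode": (flags >> 11) & 0xF,   # 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE
        "dns.flags.recdesired": (flags >> 8) & 1,  # RD bit
    }
    if qdcount:
        names, pos = [], 12                        # question section follows the 12-byte header
        while payload[pos] != 0:
            n = payload[pos]
            names.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        fields["dns.qry.name"] = ".".join(names)
        fields["dns.qry.type"] = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return fields

# Python equivalents of three display filters from this page, applied to decoded fields.
def queries_only(f):                # dns.flags.response == 0
    return f["dns.flags.response"] == 0

def zone_transfer(f):               # dns.qry.type in {251 252} or dns.flags.opcode eq 4
    return f.get("dns.qry.type") in (251, 252) or f["dns.flags.opcode"] == 4

def query_contains(f, text):        # dns.qry.name contains "text"
    return text in f.get("dns.qry.name", "")

# Constructed samples: an A query for example.com with RD set, its response, and an AXFR query.
SAMPLES = [
    build_dns(0x1A2B, response=0, opcode=0, rd=1, qname="example.com", qtype=1),
    build_dns(0x1A2B, response=1, opcode=0, rd=1, qname="example.com", qtype=1),
    build_dns(0x3C4D, response=0, opcode=0, rd=0, qname="example.com", qtype=252),
]

def apply_filter(match, packets=SAMPLES):
    """Return the transaction IDs of the packets a filter would keep."""
    return [f["dns.id"] for f in map(parse_dns, packets) if match(f)]
```

Running apply_filter(zone_transfer) over the samples keeps only the AXFR query, which is the same packet the zone-transfer display filter above would show.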
networking/wireshark.1737976989.txt.gz · Last modified: by bstafford