To list all unique domain names resolved in a capture, which approach is recommended?

Multiple Choice

To list all unique domain names resolved in a capture, which approach is recommended?

Explanation:
The key idea is to use the DNS query data to see exactly which domain names clients asked to resolve. In a capture, each DNS query carries the domain being looked up in the dns.qry.name field. By filtering the traffic to DNS queries and focusing on dns.qry.name, you can collect every domain name that was resolved and then deduplicate to obtain the unique set. This directly captures name resolution activity, independent of how those names are subsequently used (HTTP, TLS, or other protocols).

Why the other approaches aren’t as effective: filtering by HTTP host only shows names appearing in HTTP requests, which misses domain names requested solely for DNS resolution or for non-HTTP services. TLS SNI can reveal hostnames, but it only covers TLS connections and depends on clients sending SNI; many connections may be non-TLS, and some clients omit SNI. Looking at IP addresses and deduplicating doesn’t yield domain names at all, and reverse DNS is not consistently available or reliable for all captured hosts.
