Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hey how to get dns-lookup events in Linux osquery and match it with process table.. Anyone tried before?

I haven’t specifically tried it, but you could get some starting point by using the socket events and then looking for dns queries, UDP maybe.. practically all DNS should end up in UDP but some huge ones could fallback to TCP..

or filter out all events with the destination with IPs in the resolv.conf