Dnstop – monitoring of requests to the DNS server

Dnstop lets you list the hosts that send the most requests to the DNS server, so you can detect viruses on the network and understand who is attacking.

Install the utility on Ubuntu/Debian with the command:

sudo apt-get install dnstop

Startup examples (where eth0 is the network interface to listen on):

sudo dnstop eth0
sudo dnstop -n google.com eth0

To see the top queried domains, run the command below, then press the “c” key and then “2” (where 192.168.2.2 is the IP address of the DNS server):

sudo dnstop eth0 -i 192.168.2.2

Here is the list of possible startup keys:

-4 (number of IPv4 packets)
-6 (number of IPv6 packets)
-Q (number of requests)
-R (number of answers)
-a (anonymize IP addresses)
-i ADDRESS (ignore the specified IP address)
-n NAME (number of requests for the specified address only)
-l NUMBER (monitoring up to the specified number of requests)
-f (filter name)
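
For a saved capture, the same kind of per-source and per-domain counting can be done offline. The following is an added example, not part of the original article or of dnstop itself: it assumes text lines as printed by `tcpdump -n` for port 53, the function names are hypothetical, and the sample lines are constructed.

```python
import re
from collections import Counter

# One tcpdump -n text line for a DNS query looks like:
# 12:00:01.000001 IP 192.168.2.15.53422 > 192.168.2.2.53: 4242+ A? www.example.com. (33)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.\d+ > \d+(?:\.\d+){3}\.53: "
    r"\d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \("
)

def second_level(name):
    """Last two labels of a query name (plain label count, no public-suffix list)."""
    return ".".join(name.lower().split(".")[-2:])

def tally(lines, ignore=()):
    """Count queries per source IP and per (second-level domain, source IP)."""
    sources, sld_sources = Counter(), Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["src"] in ignore:
            continue  # a response, a non-DNS line, or an address we chose to ignore
        sources[m["src"]] += 1
        sld_sources[(second_level(m["name"]), m["src"])] += 1
    return sources, sld_sources

# Constructed sample: two clients, the DNS server's own upstream query,
# and one client sending a burst of TXT queries for random subdomains.
SAMPLE = """\
12:00:01.000001 IP 192.168.2.15.53422 > 192.168.2.2.53: 4242+ A? www.example.com. (33)
12:00:01.000950 IP 192.168.2.2.53 > 192.168.2.15.53422: 4242 1/0/0 A 203.0.113.10 (49)
12:00:01.100000 IP 192.168.2.2.40001 > 198.51.100.53.53: 911 [1au] A? www.example.com. (44)
12:00:02.000000 IP 192.168.2.77.50001 > 192.168.2.2.53: 1+ TXT? k3j2.example.net. (34)
12:00:02.010000 IP 192.168.2.77.50002 > 192.168.2.2.53: 2+ TXT? q9x1.example.net. (34)
12:00:02.020000 IP 192.168.2.77.50003 > 192.168.2.2.53: 3+ TXT? z7p4.example.net. (34)
12:00:03.000000 IP 192.168.2.15.53423 > 192.168.2.2.53: 4243+ AAAA? example.org. (29)
"""

if __name__ == "__main__":
    # Ignore the DNS server's own address, as with -i 192.168.2.2 above.
    sources, sld_sources = tally(SAMPLE.splitlines(), ignore={"192.168.2.2"})
    for ip, count in sources.most_common():
        print(f"{count:5d}  {ip}")
    for (domain, ip), count in sld_sources.most_common():
        print(f"{count:5d}  {domain:<15} {ip}")
```

A single host at the top of both lists with many distinct names under one domain is the pattern worth investigating first.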

See also my article:
Configuring Fail2Ban for Bind9
