Dnstop lists the hosts that send the most requests to a DNS server, so you can detect viruses on the network and understand who is attacking.
On Ubuntu/Debian the utility is installed with the command:
sudo apt-get install dnstop
Startup examples (eth0 is the network interface to capture on):
sudo dnstop
sudo dnstop -n google.com eth0
To see the top domains being queried, run the command below, then press the “c” key and then “2” (where 192.168.2.2 is the IP address of the DNS server, excluded with -i):
sudo dnstop eth0 -i 192.168.2.2
Here is the list of possible startup keys:
-4 (count IPv4 packets only)
-6 (count IPv6 packets only)
-Q (count queries only)
-R (count answers only)
-a (anonymize IP addresses)
-i ADDRESS (ignore the specified IP address)
-n NAME (count requests for the specified name only)
-l NUMBER (monitor up to the specified number of requests)
-f FILTER (apply the named filter)
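To make clear what dnstop is actually counting when you press “s” for sources or “2” for second-level domains, here is an added Python illustration; it is not dnstop's code. It parses DNS query packets from the wire format, counts them per source host and per second-level domain, mimics the -i (ignore address) and -n (only this name) options described above, and flags a host that queries far more than the rest, which is the “who is attacking / who is infected” question the tool answers. All packets, addresses and names are constructed sample data.

```python
# Added illustration of the statistics dnstop keeps: this is not dnstop's own
# code. It parses DNS query packets, counts them per source host and per
# 2nd-level domain (dnstop's "sources" and "2" tables), mimics the -i (ignore
# address) and -n (only this name) options, and flags hosts that query far
# more than the others. All packets and addresses below are constructed.
import struct
from collections import Counter
from typing import Iterable, Optional, Tuple

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS wire-format query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(packet: bytes) -> Optional[str]:
    """Return the lower-cased question name of a DNS query, or None for responses
    and malformed messages (short header, no question, label overrun, pointer)."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:  # QR=1 means this is a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            return None
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not valid in a plain question name
            return None
        pos += 1
        if pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels).lower()

def domain_level(qname: str, level: int) -> str:
    """The last `level` labels of a name, as dnstop's N-th level tables group them
    (level 2 of www.google.com is google.com)."""
    return ".".join(qname.split(".")[-level:])

def count_queries(records: Iterable[Tuple[str, bytes]], ignore: Optional[str] = None,
                  only_domain: Optional[str] = None, level: int = 2):
    """Count queries per source IP and per domain at the given level.
    `ignore` drops one client like -i ADDRESS; `only_domain` keeps only names
    inside that domain like -n NAME."""
    sources, domains = Counter(), Counter()
    for src, pkt in records:
        if ignore is not None and src == ignore:
            continue
        qname = parse_qname(pkt)
        if qname is None:
            continue
        if only_domain and qname != only_domain and not qname.endswith("." + only_domain):
            continue
        sources[src] += 1
        domains[domain_level(qname, level)] += 1
    return sources, domains

def noisy_sources(sources: Counter, threshold: int):
    """Hosts at or above `threshold` queries, busiest first: the candidates to look at."""
    return [(ip, n) for ip, n in sources.most_common() if n >= threshold]

# Constructed traffic: a few ordinary clients, one very chatty host (192.168.2.50),
# the DNS server's own upstream query (192.168.2.2) and one response packet.
SAMPLE_RECORDS = (
    [("192.168.2.10", build_query("www.google.com"))] * 2
    + [("192.168.2.10", build_query("mail.google.com"))]
    + [("192.168.2.11", build_query("ubuntu.com"))]
    + [("192.168.2.50", build_query("h%d.example.net" % i)) for i in range(8)]
    + [("192.168.2.2", build_query("www.google.com"))]
    + [("192.168.2.11", b"\x12\x34\x81\x80" + b"\x00" * 8)]  # QR=1: a response, skipped
)

if __name__ == "__main__":
    srcs, doms = count_queries(SAMPLE_RECORDS, ignore="192.168.2.2")
    print("Sources:", srcs.most_common())
    print("2nd-level domains:", doms.most_common())
    print("Noisy hosts (>= 5 queries):", noisy_sources(srcs, 5))
```

Running it with the server's own address ignored shows 192.168.2.50 at the top of the sources table with 8 queries against 3 and 1 for the other clients; that single outlier is exactly what you look for on a live dnstop screen, and a threshold relative to the usual per-host rate is a reasonable first alerting rule.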
See also my article:
Configuring Fail2Ban for Bind9