123HELPDESK

IT professionals for entrepreneurs

Monitor DNS Network Traffic

How do I monitor my DNS server's traffic?
How do I view the DNS queries arriving right now?
How do I see who is querying my DNS server?


dnstop reads packets either from a live capture interface or from a tcpdump/pcap savefile (give the file name in place of the interface name), so the same views can be run over a capture saved earlier, for example one taken during an incident. It counts the DNS queries it sees and aggregates them by client address, query type and query name, which makes it a quick way to spot one noisy client or an unexpected domain without first building a full resolver logging pipeline.

Monitor DNS server

You can switch between the various DNS views (sources, destinations, query types, query names by level) with command line options when starting dnstop and with single-key commands while it runs.

How to view DNS traffic with dnstop

# dnstop {interface-name}
example:
# dnstop eth0

Run it as root, since it opens the interface for packet capture. Without further options dnstop starts in the Sources view shown below.

Output:
Queries: 8 new, 127 total

Sources            Count      %
-------------- --------- ------
172.22.228.1         109   85.8
172.22.228.9           5    3.9
172.22.227.6           3    2.4
172.22.227.85          3    2.4
1.1.1.1                2    1.6
172.22.208.31          2    1.6
172.22.227.164         2    1.6
172.22.227.82          1    0.8

The Sources view lists the client addresses that sent queries, with the count since start (or since the last ^R reset) and each client's share of all queries; "8 new" is the number of queries seen since the previous screen refresh. A single client carrying most of the load, as 172.22.228.1 does here with 85.8%, is the first thing to identify and explain: a mail or log host doing reverse lookups is expected, an ordinary workstation at that rate is not.

Track second and third level domain names


Under Debian / Ubuntu Linux, enter:
# dnstop -t -s eth0
Where,

  • -s Track second level domains
  • -t Track third level domains

These two options belong to the dnstop release this page was written for; recent releases replaced them with -l <N> (track up to N levels of the query name), so check dnstop -h or the man page of the version you installed.


Exit dnstop or reset counters

To exit dnstop, press ^X (hold [CTRL] and press X). Press ^R to reset the counters to zero.


Monitor TLD generating maximum traffic

While dnstop is running, press the 1 key to view first-level query names (TLDs). dnstop treats the reverse-lookup zones specially: in-addr.arpa (and ip6.arpa) counts as one first-level name, so all PTR lookups group under it, as the output below shows.
Press the 2 key for second-level names; this is normally the registered domain actually being looked up.

Press the 3 key for third-level names.

Output examples (the single-label entries test, _nfsv4idmapdomain and mailhost are unqualified names that clients sent to this server as-is; they are worth noticing because such lookups leak internal host and search-domain names to whatever resolver they reach):

Level 1: Queries: 11 new, 9770 total    Tue Jan 11 09:25:44 2011

Query Name            Count      %
----------------- --------- ------
in-addr.arpa           7701   78.8
test                    860    8.8
_nfsv4idmapdomain       463    4.7
com                     314    3.2
net                     156    1.6
org                      65    0.7
nl                       62    0.6
be                       49    0.5
de                       46    0.5
mailhost                 25    0.3
fr                       12    0.1
uk                       11    0.1
ch                        4    0.0
info                      2    0.0

Level 2: Queries: 10 new, 10615 total    Tue Jan 11 09:26:50 2011

Query Name                Count      %
--------------------- --------- ------
172.in-addr.arpa           8338   78.5
oss.test                    930    8.8
_nfsv4idmapdomain           505    4.8
10.in-addr.arpa              59    0.6
xaton.com                    36    0.3
akamai.net                   25    0.2
mailhost                     25    0.2
192.in-addr.arpa             22    0.2


View DNS query types

t key: the query types being requested (A, AAAA, PTR, MX, TXT and so on), most requested first.

View DNS clients that query the DNS server

s key: the Sources list, the client IP addresses sending queries (the default view shown above).
d key: the Destinations list, the server IP addresses the queries are sent to. On a capture taken on the server itself this is normally just its own address; on a network tap or mirror port it shows which resolvers clients actually use, including ones you did not configure.


Other key functions

 s - Sources list
 d - Destinations list
 t - Query types
 o - Opcodes
 r - Rcodes
 1 - 1st level Query Names      ! - with Sources
 2 - 2nd level Query Names      @ - with Sources
 3 - 3rd level Query Names      # - with Sources
 4 - 4th level Query Names      $ - with Sources
 5 - 5th level Query Names      % - with Sources
 6 - 6th level Query Names      ^ - with Sources
 7 - 7th level Query Names      & - with Sources
 8 - 8th level Query Names      * - with Sources
 9 - 9th level Query Names      ( - with Sources
^R - Reset counters
^X - Exit
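The Sources, Query types and level-N views above can be reproduced offline from raw query packets. The following Python script is an added example, not part of the original page and not dnstop's own code: it parses DNS wire-format queries, tallies them like dnstop's s, t, 1, 2 and 3 keys, applies the same rule the tables above reveal (in-addr.arpa counts as a single first-level name), and flags any source that sends at least half of all queries. The packets, addresses and names are constructed sample input, and DnsTop, parse_query, name_at_level and top_talkers are this example's own names, not dnstop's.

```python
import struct
from collections import Counter

# Query type numbers and the names dnstop's t view prints for them (IANA registry)
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}


def parse_name(msg, off):
    """Read a wire-format name at msg[off]; return (labels, offset after the name).
    Follows compression pointers (RFC 1035 4.1.4) but caps the hop count so a
    crafted packet with a pointer loop cannot hang the parser."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                      # two-byte compression pointer
            if end is None:
                end = off + 2                      # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace").lower())
        off += 1 + ln
    return labels, (off if end is None else end)


def parse_query(msg):
    """Return (opcode, qtype, labels) for a DNS query, or None for a response."""
    if len(msg) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount < 1:              # QR bit set: a response, not a query
        return None
    labels, off = parse_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return (flags >> 11) & 0xF, qtype, labels


def name_at_level(labels, level):
    """dnstop-style level-N name: the last N labels, except that under 'arpa' the
    first level is two labels (in-addr.arpa, ip6.arpa), which is why the page's
    tables show in-addr.arpa at level 1 and 172.in-addr.arpa at level 2."""
    if not labels:
        return "<root>"
    keep = level + 1 if labels[-1] == "arpa" else level
    return ".".join(labels[-keep:])


class DnsTop:
    """Tallies matching dnstop's s (sources), t (query types) and 1/2/3 (name level) views."""

    def __init__(self):
        self.total = 0
        self.sources = Counter()
        self.qtypes = Counter()
        self.levels = {n: Counter() for n in (1, 2, 3)}

    def feed(self, src_ip, msg):
        """Account one captured UDP payload sent by src_ip; responses are ignored."""
        parsed = parse_query(msg)
        if parsed is None:
            return False
        _opcode, qtype, labels = parsed
        self.total += 1
        self.sources[src_ip] += 1
        self.qtypes[QTYPE_NAMES.get(qtype, "TYPE%d" % qtype)] += 1
        for n, counter in self.levels.items():
            counter[name_at_level(labels, n)] += 1
        return True

    def top_talkers(self, min_share=0.5):
        """Sources whose share of all queries is at least min_share (0.5 = half)."""
        return [ip for ip, n in self.sources.most_common()
                if self.total and n / self.total >= min_share]

    def table(self, counter, title):
        """Render a view the way dnstop does: name, count, percent of all queries."""
        lines = ["%-24s Count      %%" % title]
        for name, count in counter.most_common():
            lines.append("%-24s %5d %6.1f" % (name, count, 100.0 * count / self.total))
        return "\n".join(lines)


def build_query(name, qtype, qid=0x1234):
    """Constructed sample input: a minimal standard query for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed traffic, shaped like the page's tables: one host doing reverse lookups.
SAMPLE = [("172.22.228.1", "1.228.22.172.in-addr.arpa", 12)] * 7 + [
    ("172.22.228.9", "www.oss.test", 1),
    ("172.22.227.6", "www.xaton.com", 28),
    ("172.22.227.6", "mailhost", 1),
]

if __name__ == "__main__":
    top = DnsTop()
    for src, name, qtype in SAMPLE:
        top.feed(src, build_query(name, qtype))
    for title, view in (("Sources", top.sources), ("Query Type", top.qtypes),
                        ("Level 1 Query Name", top.levels[1]),
                        ("Level 2 Query Name", top.levels[2])):
        print(top.table(view, title), end="\n\n")
    print("sources sending >= 50% of queries:", top.top_talkers())
```

Feed it the UDP payloads from a capture (for instance the same tcpdump savefile dnstop accepts) and the tables line up with dnstop's views: the reverse-lookup host lands at the top of Sources and in top_talkers, PTR dominates the query types, and single-label names such as mailhost appear unchanged at every level, exactly as in the output above.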


DNS record types (the names shown in the t key view)
Type     Description
A        Host address resource record. Maps a DNS domain name to a 32-bit IPv4 address.

AAAA     IPv6 host address resource record. Maps a DNS domain name to a 128-bit IPv6 address.

CNAME    Canonical name resource record. Maps an alias in the owner field to the canonical domain name in the canonical_name field. The canonical name must itself resolve to a valid name in the namespace.

HINFO    Host information resource record. Gives the CPU type and operating system (cpu_type and os_type) of the host named in the owner field. Rarely published today, since it hands reconnaissance data to anyone who asks.

MX       Mail exchanger resource record. Routes mail for the domain in the owner field to the host in mail_exchanger_host. A 16-bit preference value orders the exchangers when several are listed (lowest is tried first). Each exchanger host should have an A or AAAA record in a valid zone.

NS       Name server resource record. Maps the domain name in owner to the name of a host operating a DNS server for it, given in name_server_domain_name.

NXT      Next resource record. Proved the nonexistence of a name in a zone by chaining all owner names in the zone. Obsolete (RFC 3755); DNSSEC now uses NSEC and NSEC3 for this.

OPT      Option pseudo-record (EDNS(0), RFC 6891). At most one OPT record may appear in the additional section of a request or response; it carries per-message settings such as the maximum UDP payload size and belongs to the message, not to zone data.

PTR      Pointer resource record. Points from the name in owner to another name in the DNS namespace, targeted_domain_name. Used mainly under in-addr.arpa and ip6.arpa for reverse (address-to-name) lookups, which is why that zone dominates the level 1 table above.

RP       Responsible person resource record. Gives the mailbox name (mailbox_name) of a person responsible for the domain.

SIG      Signature resource record. Carries a digital signature over an RRset together with the signer's name and a validity interval; it does not encrypt anything. Obsolete for zone signing (RFC 3755), replaced by RRSIG; the SIG(0) form is still used for transaction signatures.

SOA      Start of authority resource record. Names the zone's origin and the server that is the primary source of information about the zone, together with the serial number and timers used for zone transfers and caching.

SRV      Service locator resource record. Lets clients find, with a single query, the hosts and ports that provide a named TCP/IP service.

TXT      Text resource record. Maps the domain name in owner to one or more character strings (text_string) holding descriptive or machine-readable text; SPF, DKIM and similar policy records are published here.

WKS      Well-known service resource record. Described the well-known TCP/IP services supported by a protocol on a specific address; obsolete in practice.

X25      X.25 resource record. Maps the domain name in owner to a Public Switched Data Network (PSDN) address number in psdn_number.



 