is an excellent tool to monitor the BIND (named) service traffic and also live queries like A, MX, PTR, CNAME record on real time. This tool comes with multiple options which helps us to sort the max TLD traffic, query types, source ips, no of hits etc.

Installing Dnstop

Dnstop source code is available here , if you are using centOS or RHEL the easy way of installing is by using rpm click here to download rpm and before you install the dnstop rpm make sure the libpcap-devel and ncurses-devel are already installed and if not you can install it using yum

  • # yum install libpcap-devel ncurses-devel

Dnstop help

To start with this tool, just use dnstop with the interface name. For example

  • # dnstop <interface-name>
    # dnstop eth0

The output will look similar below.

Dnstop Interface

To reset the counter, use ^R and to exit from dnstop use ^X

Finding out maximum traffic generating by TLD’s

  • # dnstop eth0

Press 1 while running the dnstop and the output will look similar below.

Dnstop Tld Traffic

And to find the actual domain names press 2 while dnstop is running to get the output similar to below.

Dnstop domain Traffic

Press t to get the record based hits as below

Dnstop record query

Useful Links :

Dnstop home page