About

dnstop is a libpcap application (a la tcpdump) that displays various tables of DNS traffic on your network. Currently dnstop displays tables of:

• Source IP addresses
• Destination IP addresses
• Query types
• Top level domains
• Second level domains

If people find dnstop useful and interesting, we plan to add additional tables, such as classification of legitimate/illegitimate queries.

Download and Compile

You can download the dnstop code at http://dnstop.measurement-factory.com/src/

dnstop is still relatively young, and perhaps not portable to all operating systems. It is known to compile and run on:

• FreeBSD 4.x (you can find net/dnstop in the Ports Collection)
• OpenBSD 3.0
• NetBSD 1.5 (you can find net/dnstop in the Packages Collection)
• Linux 2.2.x kernel

Please send compilation problems and other bugs to wessels at measurement-factory.com.

Usage

dnstop has the following command line options:

-a	Anonymize IP addresses
-b	customize BPF filter parameters
-i	ignore a source IP address
-p	dont put interface in promiscuous mode
-s	collect second-level domain stats

dnstop has the following display commands while running:

S	source address table
D	destination address table
T	query type table
1	TLD table
2	SLD table
^R	Reset counters
^X	Exit
?	Help

dnstop was originally presented in a talk at NANOG 26 (Oct 2002), "Toward Lowering the Load on DNS Root Nameservers".