The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.


The dnsstat (crl_dnsstat) package is based on CAIDA's CoralReef suite, containing only the parts of CoralReef needed to collect statistics on DNS queries.


CoralReef software is known to work under FreeBSD (2.x, 3.x, and 4.x), Linux (2.0.36 and 2.2 pre*) and Solaris 2.5. We expect the software to work on other POSIX systems as well, but have not tested others.

crl_dnsstat requires a standard C compiler. The README with the package details other requirements.


The crl_dnsstat application watches for DNS queries on UDP port 53. To collect accurate statistics on a specific nameserver (or client), it must be run on an interface that sees all DNS messages to that server (or from that client). It counts numbers of messages and numbers of queries, aggregated by any of source IP, destination IP, opcode, query type, query class. The subjects of queries are never recorded.

The example output below shows the finest aggregation (most detail) it is capable of recording; command line options can be used to reduce the detail. The "notes" column displays any unusual statistics: the number of messages that contained multiple queries or zero queries, and the number of messages for which the number of queries was impossible to determine.

-p<len> aggregate hosts by CIDR prefix length <len> (default: 32)
-a      resolve IP addresses to hostnames (requires -p32)
-n      print DNS code numbers, not symbols
-S      ignore IP source address
-D      ignore IP destination address
-Q      don't count by query opcode/class/type
-h      print in more human-friendly format
-r      do not count msgs with RD set
-u      print contents of unusual msgs to stderr
-C'filter=<tcpdump_filter>'count only packets that match <tcpdump_filter>
-Ci=<interval>print results every <interval> seconds
-Cd=<duration>stop after <duration> seconds

Additional -C option commands are described at /catalog/software/coralreef/doc/doc/cmd_usage

crl_dnsstat example

Example output, with source IP addresses changed for privacy:

# dnsstat output version: 0.1
# begin trace interval at 965767315.016479, duration 60.000000
# DNS messages: 155056 (2584.266667/s); DNS queries: 969271 (16154.516667/s)
#src             dst              op type  class queries    msgs notes       - -     -          36      36       0 PTR   IN          8       0 A     IN         28       - -     -           8       8       0 MX    IN          2       0 A     IN          6       - -     -         183     183       0 A     IN         97       0 PTR   IN         86       - -     -           1       1       0 A     IN          1       - -     -          28      28       0 PTR   IN          1       0 A     IN         27       - -     -          16      16       0 A     IN         16       - -     -         511     511       0 SOA   IN          2       0 ANY   IN          1       0 A     IN        508

Related Objects

See to explore related objects to this document in the CAIDA Resource Catalog.
Last Modified