dnstop
Monitor DNS traffic in real-time
SYNOPSIS
dnstop [-i interface | -f pcap_file] [-l num] [-p] [-v] [-h]
PARAMETERS
-i interface
Specifies the network interface from which to capture live DNS traffic. This is typically an Ethernet interface like eth0 or enpXsX.
-f pcap_file
Reads DNS packets from a pre-recorded pcap file instead of capturing live traffic. Useful for offline analysis.
-l num
Sets the maximum number of entries (e.g., top talkers or queried domains) to display in the interactive interface. Defaults to 10.
-p
Prevents the specified interface from being put into promiscuous mode, so only traffic sent to or from the local machine is captured.
-v
Displays the version information of dnstop and exits.
-h
Shows a brief help message and exits, outlining basic usage and options.
DESCRIPTION
dnstop is a powerful command-line tool designed for real-time monitoring and analysis of DNS (Domain Name System) traffic. It operates by passively sniffing network packets on a specified interface or reading from a pcap file, leveraging the libpcap library. The utility presents DNS query and response statistics in a highly interactive, curses-based interface, reminiscent of the top(1) command. Users can observe various metrics including source and destination IP addresses, queried domain names, DNS query types (e.g., A, AAAA, MX), response codes (e.g., NOERROR, NXDOMAIN), and the volume of bytes transferred.
This tool is invaluable for system administrators and network engineers for diagnosing DNS-related performance issues, identifying unusual or suspicious DNS traffic patterns, detecting potential DNS amplification attacks, and generally gaining insights into the DNS activity on a network. Its interactive nature allows for sorting data by different criteria, making it easier to pinpoint high-volume queriers or specific types of DNS queries.
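As an added illustration, not code from dnstop itself or from this page's author, the following Python script reproduces the core of the counting described above on a few constructed DNS messages: it decodes the header flags and question section of each message, then tallies top sources, query types, queried names and response codes, capped the way the -l option caps the display. It uses no pcap file or libpcap; the sample traffic and the resolver address 10.0.0.1 are constructed inline.

```python
import struct
from collections import Counter
QTYPE = {1: "A", 15: "MX", 28: "AAAA"}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_msg(name, qtype, response=False, rcode=0):
    # 12-byte header plus one question; answer sections are left empty.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    flags = (0x8000 if response else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    # Walk length-prefixed labels; a byte with the top two bits set is a compression pointer.
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_dns(msg):
    # Only the header flags and the first question are needed for dnstop-style counters.
    flags = struct.unpack("!H", msg[2:4])[0]
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return {"response": bool(flags & 0x8000), "rcode": flags & 0xF, "qname": qname, "qtype": qtype}

def summarize(traffic, limit=10):
    # traffic: (source_ip, dns_payload) pairs; limit mirrors the -l display cap.
    sources, qtypes, qnames, rcodes = Counter(), Counter(), Counter(), Counter()
    for src, msg in traffic:
        d = parse_dns(msg)
        if d["response"]:
            rcodes[RCODE.get(d["rcode"], str(d["rcode"]))] += 1
            continue
        sources[src] += 1
        qtypes[QTYPE.get(d["qtype"], str(d["qtype"]))] += 1
        qnames[d["qname"]] += 1
    tables = [("sources", sources), ("qtypes", qtypes), ("qnames", qnames), ("rcodes", rcodes)]
    return {name: c.most_common(limit) for name, c in tables}

# Constructed sample traffic (not a real capture): two clients querying a resolver at 10.0.0.1.
SAMPLE = [("10.0.0.5", build_msg("example.com", 1)), ("10.0.0.5", build_msg("example.com", 28)),
          ("10.0.0.7", build_msg("mail.example.com", 15)), ("10.0.0.5", build_msg("nonexistent.example", 1)),
          ("10.0.0.1", build_msg("example.com", 1, response=True)),
          ("10.0.0.1", build_msg("nonexistent.example", 1, response=True, rcode=3))]
```

Feeding real payloads (the UDP data of port 53 packets from a capture) to summarize() in place of SAMPLE gives the same four tables dnstop shows interactively.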
CAVEATS
dnstop requires root privileges or appropriate capabilities (e.g., CAP_NET_RAW, CAP_NET_ADMIN) to capture live network traffic.
It relies on the libpcap library for packet capture, which must be installed on the system.
The tool does not perform reverse DNS lookups; all IP addresses are displayed numerically.
On very high-traffic DNS servers, dnstop can consume significant CPU and memory resources.
Its effectiveness can be limited by the kernel's packet buffer size, potentially leading to dropped packets under heavy load.
Primarily designed for IPv4 DNS traffic, though some installations might have limited IPv6 support.
INTERACTIVE CONTROLS
Once dnstop is running, the interactive interface provides several key controls:
's': Sorts the displayed data by different columns (e.g., queries, bytes). Repeated presses cycle through sorting options.
'q': Quits the dnstop application.
'h': Displays an in-application help screen with a list of available commands and their descriptions.
TYPICAL USE CASES
dnstop is frequently used for:
• Performance Monitoring: Identifying which clients or domains are generating the most DNS queries.
• Security Analysis: Detecting unusual query patterns that might indicate malware activity, DNS tunneling, or amplification attacks.
• Troubleshooting: Pinpointing DNS resolution issues by observing response codes (e.g., a high number of NXDOMAIN responses for legitimate queries).
HISTORY
dnstop was originally developed by Steve Filipiak, providing a much-needed real-time monitoring solution for DNS traffic. Its design borrowed heavily from the user interface paradigm established by top(1), making it intuitive for Unix-like system administrators. It quickly became a standard tool for diagnosing DNS server issues, especially in environments where BIND or other DNS services were critical. While its core functionality has remained consistent, maintenance and updates have continued over time, ensuring its relevance in modern network analysis workflows.