dnstop
Monitor DNS traffic in real-time
SYNOPSIS
dnstop [-4|-6] [-h] [-l logfile] [-L] [-m] [-n lines] [-r] [-v] <interface>
PARAMETERS
-4
Display IPv4 DNS traffic only
-6
Display IPv6 DNS traffic only (mutually exclusive with -4)
-h
Show help summary and exit
-l file
Log statistics periodically to specified file
-L
Listen-only mode: capture without display or stats
-m
Enable menu mode for interactive views (default)
-n num
Set maximum lines to display (default 20)
-r
Raw mode: plain text output, no curses interface
-v
Verbose mode for additional debug output
<interface>
Network interface to monitor (e.g., eth0, required)
DESCRIPTION
dnstop is a real-time, interactive console application for monitoring and analyzing DNS traffic on Linux and other Unix-like systems. It uses libpcap to capture DNS packets from a network interface and presents statistics in a curses-based interface reminiscent of the classic top(1) command.
Core functionality includes live displays of top-queried domains, top DNS servers, opcode usage (queries, responses, updates), resource record types (A, AAAA, MX, etc.), and sorting by metrics like packet count, byte volume, or query frequency. Users can drill down into views for top sources/destinations, NXDOMAIN responses, or error rates. It supports IPv4/IPv6 filtering, logging for post-analysis, and modes for raw output or listen-only operation.
dnstop is well suited to network troubleshooting, detecting DNS abuse (e.g., amplification DDoS), and performance monitoring in environments with high DNS volume. It is lightweight, with a minimal CPU and memory footprint, which makes it suitable for servers or embedded systems. Run it as root for raw socket access; compile it from source or install it via packages such as dnstop in the Debian/Ubuntu repositories.
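The views described above are tallies over fields in each captured DNS message: the QR and RCODE bits of the header, and the name and type in the question section. The following Python is an added example, not dnstop's own code; its function names (build_msg, parse_msg, tally) and the sample packets are constructed for illustration, and it reads in-memory payloads rather than capturing through libpcap.

```python
import struct
from collections import Counter

RR_TYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

def build_msg(qname, qtype, response=False, rcode=0):  # builds constructed sample input
    flags = (0x8000 if response else 0) | 0x0100 | rcode  # QR, RD, RCODE
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + name + struct.pack("!2H", qtype, 1)

def parse_msg(payload):
    """Return (is_response, rcode, qname, qtype), or None if malformed."""
    if len(payload) < 12 or payload[4:6] == b"\x00\x00":  # short header or QDCOUNT 0
        return None
    flags = struct.unpack("!H", payload[2:4])[0]
    labels, pos = [], 12
    while pos < len(payload) and (n := payload[pos]):  # stop at the root label
        if n > 63 or pos + 1 + n > len(payload):  # pointer or overrun
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(payload):  # need root byte, QTYPE and QCLASS
        return None
    qtype = struct.unpack("!H", payload[pos + 1:pos + 3])[0]
    return bool(flags & 0x8000), flags & 0xF, ".".join(labels), qtype

def tally(packets):
    """Count (src_ip, payload) pairs into per-view counters."""
    stats = {v: Counter() for v in ("domains", "rrtypes", "sources", "nxdomain", "malformed")}
    for src, payload in packets:
        msg = parse_msg(payload)
        if msg is None:
            stats["malformed"][src] += 1
            continue
        is_response, rcode, qname, qtype = msg
        if is_response and rcode == 3:  # NXDOMAIN
            stats["nxdomain"][qname] += 1
        elif not is_response:
            stats["domains"][qname] += 1
            stats["rrtypes"][RR_TYPES.get(qtype, str(qtype))] += 1
            stats["sources"][src] += 1
    return stats

SAMPLE = [("192.0.2.10", build_msg("example.com", 1)),  # constructed (src, payload) pairs
          ("192.0.2.10", build_msg("Example.COM", 28)),
          ("198.51.100.7", build_msg("example.org", 255)),
          ("192.0.2.53", build_msg("nosuch.example.net", 1, True, 3)),
          ("198.51.100.7", b"\x12\x34\x01\x00")]  # truncated header

if __name__ == "__main__": print(tally(SAMPLE))
```

One source dominating the sources counter with ANY or TXT queries, or many distinct names accumulating in the nxdomain counter, is the kind of pattern the abuse-detection use above looks for.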
CAVEATS
Requires root privileges for packet capture; depends on libpcap; IPv6 support may vary; no graphical output; console must support curses/termcap.
BASIC USAGE EXAMPLES
Monitor default interface: sudo dnstop eth0
Log stats: sudo dnstop -l dns.log -n 30 eth0
Raw output: sudo dnstop -r eth0
VIEWS
Default: top queries; q for top domains, s for servers, t for RR types, o for opcodes; Esc or q to quit.
HISTORY
Developed by Olaf Titz in 2004 as a simple DNS top-like tool; released under GPLv2; maintained sporadically with updates for modern libpcap and IPv6; available in major distro repos since mid-2000s.


