Real-time DNS traffic analysis with the dnstop command

The command for real-time analysis of DNS traffic, run directly on the DNS server itself, is called dnstop. It captures DNS packets on a network interface (or reads them from a pcap savefile) and shows live statistics broken down by query name, query type, source, destination and response code.
Installation (on RHEL/CentOS the package comes from the EPEL repository):
# yum install dnstop*
Usage:
Check which interface you want to capture on and start dnstop on it; with no key pressed it opens the default view, the distribution of query names:
# dnstop eth0
Queries: 0 new, 410 total Tue May 27 08:48:03 2014

Query Name            Count   %
--------------------  ------  ------
gornjimilanovac.rs    69      16.8
barracudacentral.org  46      11.2
telekom.rs            32      7.8
10.in-addr.arpa       28      6.8
cloudmark.com         26      6.3
.....

The (t) key shows the breakdown of queries by type (A, AAAA, PTR, ...):
Queries: 0 new, 1783 total Tue May 27 08:57:46 2014

Query Type  Count   %
----------  ------  ------
A?          749     42.0   - asks for an IPv4 address
AAAA?       529     29.7   - asks for an IPv6 address
PTR?        183     10.3   - reverse lookup: maps an IP address (in-addr.arpa / ip6.arpa) back to a hostname
MX?         160     9.0    - asks for the domain's mail exchangers (MTAs) and their priorities
DS?         86      4.8    - Delegation Signer: the hash of a child zone's DNSKEY published in the parent zone (DNSSEC)
DNSKEY?     11      0.6    - the zone's public key(s) used to validate its DNSSEC signatures
NS?         4       0.2    - the authoritative name servers for a zone
.....
More detail on what each DNS query type means can be found here.

Pressing the (r) key shows the distribution of response codes:
Queries: 4 new, 4501 total Tue May 27 09:14:40 2014

Rcode    Count   %
-------  ------  ------
Noerror  4501    100.0
Most of the traffic should show NOERROR. A large share of NXDOMAIN (the queried name does not exist) can mean someone is flooding your server with random names, a compromised host churning through generated domain names, or simply misconfigured clients; many REFUSED answers (the server declined to answer, typically a query for a name it is not authoritative for from a client that is not allowed to recurse) mean clients are trying to use you as an open resolver. Both are worth investigating. One caveat: by default dnstop counts only queries, and the rcode field of a query is always zero, which is why the capture above shows 100% Noerror for exactly the number of queries seen. To see the codes your server actually returned, run dnstop with the -R option so that replies are counted.
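As an added example (not part of the original post and not code shipped with dnstop), the following POSIX shell script turns the heuristic above into a check that could run from cron over a saved dnstop Rcode report: it pulls the percentage column out of the report, adds up the NXDOMAIN and REFUSED shares and raises an alert once they exceed a threshold. The two report texts, the 20% threshold and the function names are constructed for illustration; a real report would come from dnstop run with -R so that replies, not queries, are counted.

```shell
#!/bin/sh
# Added example, not from the original post or from dnstop.
# Evaluates a dnstop "Rcode" report and flags a suspicious share of
# NXDOMAIN / REFUSED answers. Reports below are constructed samples in
# the same layout dnstop prints after pressing (r); the 20% threshold
# is an assumption, not a dnstop default.

# Constructed report: a server under a random-name flood.
SAMPLE_REPORT='Queries: 12 new, 5000 total Tue May 27 09:30:00 2014

Rcode    Count   %
-------  ------  ------
Noerror  3100    62.0
Nxdomain 1650    33.0
Refused  200     4.0
Servfail 50      1.0
'

# Constructed report: healthy baseline, every reply was NOERROR.
CLEAN_REPORT='Queries: 3 new, 4501 total Tue May 27 09:14:40 2014

Rcode    Count   %
-------  ------  ------
Noerror  4501    100.0
'

# rcode_share REPORT RCODE
# Prints the percentage column for RCODE (case-insensitive), or 0.0 if
# that rcode does not appear in the report at all.
rcode_share() {
    printf '%s\n' "$1" | awk -v want="$2" '
        tolower($1) == tolower(want) { print $3; found = 1 }
        END { if (!found) print "0.0" }'
}

# suspicious_share REPORT
# Combined NXDOMAIN + REFUSED percentage, one decimal place.
suspicious_share() {
    nx=$(rcode_share "$1" Nxdomain)
    rf=$(rcode_share "$1" Refused)
    awk -v a="$nx" -v b="$rf" 'BEGIN { printf "%.1f\n", a + b }'
}

# rcode_verdict REPORT [THRESHOLD_PERCENT]
# Prints "ALERT" (exit status 1) when the suspicious share exceeds the
# threshold, otherwise "OK" (exit status 0), so it can drive a cron mail
# or a monitoring check directly.
rcode_verdict() {
    threshold="${2:-20}"
    share=$(suspicious_share "$1")
    verdict=$(awk -v s="$share" -v t="$threshold" \
        'BEGIN { print (s + 0 > t + 0) ? "ALERT" : "OK" }')
    echo "$verdict"
    [ "$verdict" = "OK" ]
}

# Usage: run both constructed reports through the check.
echo "flooded server : $(suspicious_share "$SAMPLE_REPORT")% NXDOMAIN+REFUSED -> $(rcode_verdict "$SAMPLE_REPORT" 20)"
echo "healthy server : $(suspicious_share "$CLEAN_REPORT")% NXDOMAIN+REFUSED -> $(rcode_verdict "$CLEAN_REPORT" 20)"
```

The percentages are read straight from dnstop's own output rather than recomputed from counts, so the script works on any report regardless of how long dnstop has been running; resetting the counters with ^R before saving a report gives a per-interval view instead of a cumulative one.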

Available runtime keys (the (?) key prints this help inside dnstop):
 s - Sources list
 d - Destinations list
 t - Query types
 o - Opcodes
 r - Rcodes
 1 - 1st level Query Names    ! - with Sources
 2 - 2nd level Query Names    @ - with Sources
 3 - 3rd level Query Names    # - with Sources
 4 - 4th level Query Names    $ - with Sources
 5 - 5th level Query Names    % - with Sources
 6 - 6th level Query Names    ^ - with Sources
 7 - 7th level Query Names    & - with Sources
 8 - 8th level Query Names    * - with Sources
 9 - 9th level Query Names    ( - with Sources
^R - Reset counters
^X - Exit
 ? - this

A useful link.

This entry was posted in Linux.