dnstop is a libpcap application (like tcpdump) that displays various tables of DNS traffic on your network. Currently dnstop displays tables of:
- Source IP addresses
- Destination IP addresses
- Query types
- Response codes
- Opcodes
- Top level domains
- Second level domains
- Third level domains
- etc...
dnstop supports both IPv4 and IPv6 addresses.
To help find especially undesirable DNS queries, dnstop provides a number of filters. The filters tell dnstop to display only the following types of queries:
- Queries for unknown/invalid TLDs
- A queries where the query name is already an IP address
- PTR queries for RFC1918 address space
- Responses with code REFUSED
- Responses with code SERVFAIL
dnstop can read packets either from a live capture device or from a tcpdump savefile.
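The five filter conditions listed above can be expressed as checks on a decoded DNS message. The following is an added example, not dnstop's own code: the label names, the `classify` function and the small `KNOWN_TLDS` sample are assumptions made for illustration.

```python
import ipaddress

# Constructed, deliberately small TLD sample; a real check would load the IANA TLD list.
KNOWN_TLDS = {"com", "net", "org", "arpa", "edu", "gov", "uk", "de"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RCODE_SERVFAIL, RCODE_REFUSED = 2, 5   # DNS response codes from RFC 1035

def is_ipv4_literal(name):
    """True when the query name is itself a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(name)
        return True
    except ValueError:
        return False

def is_rfc1918_ptr(name):
    """True for a full d.c.b.a.in-addr.arpa name whose address a.b.c.d is RFC1918."""
    labels = name.split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def classify(qname, qtype, rcode=None):
    """Return the set of (hypothetical) filter labels a DNS message matches."""
    hits = set()
    name = qname.rstrip(".").lower()
    if name and name.rsplit(".", 1)[-1] not in KNOWN_TLDS:
        hits.add("unknown-tld")
    if qtype == "A" and is_ipv4_literal(name):
        hits.add("a-for-ip")
    if qtype == "PTR" and is_rfc1918_ptr(name):
        hits.add("rfc1918-ptr")
    if rcode == RCODE_REFUSED:
        hits.add("refused")
    if rcode == RCODE_SERVFAIL:
        hits.add("servfail")
    return hits

if __name__ == "__main__":
    # Constructed sample messages: (query name, query type, response code or None).
    for msg in [("www.example.com.", "A", None), ("printer.localdomain", "A", None),
                ("192.168.1.1", "A", None), ("5.1.168.192.in-addr.arpa.", "PTR", None),
                ("example.org", "A", RCODE_REFUSED)]:
        print(msg, sorted(classify(*msg)))
```

An A query for an IP literal also matches the unknown-TLD check, because its last label is a number rather than a delegated TLD.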