
DNS Servers [dnsmasq], [pdnsd], [monitor: dnstop]

Source:

http://www.cyberciti.biz/faq/caching-dns-server/
http://www.debian-administration.org/articles/390
http://www.cyberciti.biz/faq/dnstop-monitor-bind-dns-server-dns-network-traffic-from-a-shell-prompt/
http://ubuntuforums.org/showthread.php?t=331850
http://www.cyberciti.biz/faq/unix-linux-dns-lookup-command/
http://www.cyberciti.biz/faq/dns-cache-poisoning-test/
https://wiki.archlinux.org/index.php/Pdnsd
http://askubuntu.com/questions/tagged/resolv.conf+resolvconf

http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq

[dnsmasq]

1. Installation:

# apt-get install dnsmasq

2. /etc/resolv.conf: you need to set up 127.0.0.1 as the DNS server in the /etc/resolv.conf file:

nameserver 127.0.0.1
nameserver 213.42.20.20
nameserver 195.229.241.222

#Google DNS
#nameserver 8.8.8.8
#nameserver 8.8.4.4

#OpenDNS
#nameserver 208.67.222.222
#nameserver 208.67.220.220

dnsmasq reads the list of ISP nameservers from /etc/resolv.conf automatically. List 127.0.0.1 as the first nameserver address in /etc/resolv.conf so that local desktop clients always get cached answers.

3. Restart/start dnsmasq

# /etc/init.d/dnsmasq start

4. Update DNS server IPs for all desktop systems

Point your Windows XP or Linux desktop clients to the IP of the Linux firewall server, i.e. 192.168.1.150 (see above network diagram). Using dnsmasq is easier than setting up a caching BIND server, and it has some cool uses too. You can add domains that you want to force to a specific IP address. For example, doubleclick.net displays ugly ads on many sites; just send that name to 127.0.0.1 (i.e. your local server). Open /etc/dnsmasq.conf and add the following line to it:

address=/doubleclick.net/127.0.0.1

Restart dnsmasq and make sure you run a local web server at 127.0.0.1 with some default page. Read the dnsmasq man page and docs for more information. Some options that should be checked [do not use them if you don't understand them; the stock config is fine]:

# Listen only on localhost
listen-address=127.0.0.1
bind-interfaces

# The default is 1000 dns entries to be cached.
cache-size=10000

# Make sure that DNS requests going out contain a valid domain
domain-needed

# The resolv file which dnsmasq will check for its default nameservers
# The syntax for that file is the same as for classic resolv.conf
resolv-file=/etc/resolv.dnsmasq

# Do not try to check the default /etc/resolv.conf file for any reason
no-poll

# All DNS requests for domain.prive, its subdomains and the reverse maps
# should be sent to the proper DNS. Adjust to your environment.
server=/domain.prive/10.0.0.1
server=/10.in-addr.arpa/10.0.0.1
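As an added example (not code from the source articles or from dnsmasq itself), the Python below models how the address= and server= lines above are matched against a query name, and checks the listen-address option against the LAN address that step 4 hands out to desktop clients. DNSMASQ_CONF is a constructed sample built from the options shown, and parse_dnsmasq, resolve_plan and lan_reachable are hypothetical helpers that reproduce the documented matching rule (a rule covers its domain and everything beneath it; the longest match wins).

```python
# Constructed sample config using the options shown above (not a real /etc/dnsmasq.conf).
DNSMASQ_CONF = """
listen-address=127.0.0.1
bind-interfaces
cache-size=10000
address=/doubleclick.net/127.0.0.1
server=/domain.prive/10.0.0.1
server=/10.in-addr.arpa/10.0.0.1
"""

def parse_dnsmasq(text):
    """Split dnsmasq.conf into domain rules [(kind, domain, target)] and other
    options {key: [values]}; flags such as bind-interfaces get an empty value."""
    rules, options = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        if key in ("address", "server") and value.startswith("/"):
            _, domain, target = value.split("/", 2)   # "/doubleclick.net/127.0.0.1"
            rules.append((key, domain.lower(), target))
        else:
            options.setdefault(key, []).append(value)
    return rules, options

def resolve_plan(rules, qname):
    """What dnsmasq does with qname: longest matching rule wins; address= answers
    locally, server= forwards to that upstream, no match uses the resolv.conf servers."""
    name = qname.lower().rstrip(".")
    best = None
    for kind, domain, target in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[1]):
                best = (kind, domain, target)
    if best is None:
        return ("forward", "resolv.conf")
    return ("answer" if best[0] == "address" else "forward", best[2])

def lan_reachable(options, lan_ip):
    """False when listen-address is set but omits the address the LAN clients use."""
    listen = options.get("listen-address", [])
    return not listen or lan_ip in listen

if __name__ == "__main__":
    rules, options = parse_dnsmasq(DNSMASQ_CONF)
    for q in ("ads.doubleclick.net", "pc1.domain.prive", "4.3.2.10.in-addr.arpa", "example.com"):
        print(q, "->", resolve_plan(rules, q))
    print("LAN clients at 192.168.1.150 can use it:", lan_reachable(options, "192.168.1.150"))
```

With the sample config the "listen only on localhost" snippet wins over step 4: desktop clients pointed at 192.168.1.150 get no answer until that address is also listed.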

[pdnsd]

There are several different packages you can use for caching DNS requests - including bind, djbdns, dnsmasq and pdnsd. The pdnsd package is a very simple and lightweight tool for DNS caching. It will, like many of the other systems, act as a small DNS server forwarding requests to a "real" DNS server and caching the responses. When pdnsd is stopped it will save all the lookups which have been made against it so they may be reloaded when it starts again. Installation is very straightforward:

apt-get install pdnsd

Once installed the software is configured via the file /etc/pdnsd.conf. To configure the software you must do two things:

  • Configure pdnsd so that it will forward requests it doesn't know about to a real DNS server, letting it cache those results.
  • Update your system so that DNS lookups are made against the newly installed cache, or proxy.

Once you've completed these two steps all DNS lookups on your system will be cached, and your DNS lookups should be much faster. On your Debian GNU/Linux system you configure the DNS server(s) to use by means of the file /etc/resolv.conf. This file contains a list of name servers to query, perhaps along with a search domain to be used for unqualified hosts. To tell your server to make DNS queries against the freshly installed server you would update that file to read:

nameserver 127.0.0.1

The next thing to do is to edit the pdnsd configuration file /etc/pdnsd.conf to specify which DNS servers the cache should use for its own lookups - these will most likely be your ISP's nameservers. Locate the section of the configuration file which starts with server and add the IP address:

#
#  Specify the IP address of the real DNS server to query against here:
#
server {
        ip=11.22.33.44;   
        timeout=30;
        interval=30;
        uptest=ping;
        ping_timeout=50;
        purge_cache=off;
}

With this setting updated you can restart the caching service:

root@itchy:/etc# /etc/init.d/pdnsd restart
Restarting proxy DNS server: pdnsd.
root@itchy:/etc#

If you wish to add more DNS servers to query against you can add them separated by commas, or you can add multiple ip= lines, as in these two examples:

# Several IPs separated by commas.
ip=11.22.33.44,111.222.333.444;

# Easier to read - one per line:
ip=11.22.33.44;
ip=111.222.333.444;

For more details of the supported options please consult the documentation by running "man pdnsd.conf". You can test that the cache is working by issuing a manual request to it:

apt-get install dnsutils

root@itchy:/etc# dig  @localhost example.com mx

;; QUESTION SECTION:
;example.com.                   IN      MX

;; AUTHORITY SECTION:
example.com.            86400   IN      SOA     dns1.icann.org. hostmaster.icann.org.

;; Query time: 2224 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Sun Apr 23 21:47:41 2006
;; MSG SIZE  rcvd: 90

Here we used the dig command (part of the dnsutils package) to look up the MX record of the domain name example.com. Notice at the bottom it shows "Query time: 2224 msec"? Let's run that same query again - if our cache is working correctly it should be significantly faster:

root@itchy:/etc# dig  @itchy example.com mx |grep time
;; Query time: 1 msec

Much faster :) (Yes DNS queries are ordinarily cached to a certain extent; so you'd expect the speedup even without our explicit DNS caching server...)

[dnstop]

Q. How do I monitor my BIND 9 named (or any other DNS server) traffic / network traffic under Linux? How do I find out and view current DNS queries such as A, MX, PTR and so on in real time? How do I find out who is querying my DNS server, a specific domain, or a specific DNS client IP address?

A. Log files can give out the required information, but dnstop is just like the top command for monitoring DNS traffic. It is a small tool that listens on a device, or parses a savefile, and collects and prints statistics on the local network's DNS traffic. You must have read access to /dev/bpf. bpf (Berkeley Packet Filter) provides a raw interface to data link layers in a protocol-independent fashion; all packets on the network, even those destined for other hosts, are accessible through this mechanism. dnstop can either read packets from the live capture device, or from a tcpdump savefile.

Install dnstop

Type the following command to install dnstop under Debian / Ubuntu Linux:

$ sudo apt-get update
$ sudo apt-get install dnstop

How do I view dns traffic with dnstop?

Simply, type the following command at a shell prompt to monitor traffic for eth0 interface:

# dnstop {interface-name}
# dnstop eth0
# dnstop em0

Sample output:

2 new queries, 220 total queries                  Mon Aug  4 05:56:50 2008
Sources              count      %
---------------- --------- ------
180.248.xxx.26          72   32.7
77.89.xx.108             7    3.2
186.xxx.13.108           5    2.3
90.xxx.94.39             4    1.8
178.xx.77.83             4    1.8
187.xxx.149.23           4    1.8
xxx.13.249.70            4    1.8
1.xxx.169.102            4    1.8
189.xx.191.126           4    1.8
xxx.239.194.97           3    1.4

You can force dnstop to keep counts on names up to {level} domain name levels by using the -l {level} option. For example, with -l 2 (the default), dnstop keeps two tables: one with top-level domain names (such as .com, .org, .biz etc.), and another with second-level domain names (such as co.in, co.uk).

# dnstop -l 3 eth0

Under Debian / Ubuntu Linux, enter:

# dnstop -t -s eth0

Where,

- -s Track second level domains
- -t Track third level domains

Please note that increasing the level provides more details, but also requires more memory and CPU to keep track of DNS traffic.

How do I exit or reset counters?

To exit the dnstop, hit ^X (hold [CTRL] key and press X). Press ^R to reset the counters.

How do I find out which TLD generates the most traffic?

While running dnstop, hit 1 key to view first level query names (TLDs):

5 new queries, 1525 total queries                 Mon Aug  4 06:11:09 2008
TLD                                count      %
------------------------------ --------- ------
net                                  520   34.1
biz                                  502   32.9
in-addr.arpa                         454   29.8
in                                    23    1.5
org                                   15    1.0
com                                   11    0.7

It looks like this DNS server is serving more .net TLDs. You can also find out more about the actual domain names by hitting the 2 key while running dnstop:

3 new queries, 1640 total queries                 Mon Aug  4 06:13:20 2008
SLD                                count      %
------------------------------ --------- ------
cyberciti.biz                        557   34.0
nixcraft.net                         556   33.9
74.in-addr.arpa                       34    2.1
208.in-addr.arpa                      29    1.8
195.in-addr.arpa                      28    1.7
192.in-addr.arpa                      27    1.6
64.in-addr.arpa                       27    1.6
theos.in                              23    1.4
203.in-addr.arpa                      20    1.2
202.in-addr.arpa                      18    1.1
212.in-addr.arpa                      15    0.9
nixcraft.com                          13    0.8
217.in-addr.arpa                      13    0.8
213.in-addr.arpa                      12    0.7
128.in-addr.arpa                      12    0.7
193.in-addr.arpa                      12    0.7
simplyguide.org                       12    0.7
cricketnow.in                          3    0.2

To see third-level domain names, hit the 3 key:

www.cyberciti.biz         60   39.0
figs.cyberciti.biz        33   21.4
ns1.nixcraft.net          18   11.7
ns3.nixcraft.net          13    8.4
ns2.nixcraft.net          13    8.4
theos.in                   5    3.2
nixcraft.com               5    3.2
cyberciti.biz              2    1.3
jobs.cyberciti.biz         1    0.6
bash.cyberciti.biz         1    0.6

How do I display the breakdown of query types seen?

You can easily find out the most requested query types (A, AAAA, PTR etc.) by hitting the t key:

Query Type     Count      %
---------- --------- ------
A?               224   56.7
AAAA?            142   35.9
A6?               29    7.3

How do I find out who is connecting to my DNS server?

Hit d to view dns client IP address:

Source         Query Name        Count       %
-------------- ------------- ---------  ------
xx.75.164.90   nixcraft.net          20    9.1
xx.75.164.90   cyberciti.biz         18    9.1
x.68.25.4      nixcraft.net           9    9.1
xxx.131.0.10   cyberciti.biz          5    4.5
xx.104.200.202 cyberciti.biz          4    4.5
202.xxx.0.2    cyberciti.biz          1    4.5
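As an added illustration of how the s, 1..9 and t views above are built (this is not dnstop's own code), the Python below computes the same count/percent tables over a constructed list of query records, including the in-addr.arpa handling visible in the TLD and SLD tables, where in-addr.arpa counts as one top-level name. QUERIES is constructed sample data, and name_level, table, sources, query_names, query_types and render are hypothetical helpers.

```python
from collections import Counter

# Constructed query records (source IP, query name, query type) standing in
# for what dnstop decodes from a live interface or a tcpdump savefile.
QUERIES = [
    ("192.0.2.10", "www.cyberciti.biz", "A"),
    ("192.0.2.10", "figs.cyberciti.biz", "A"),
    ("192.0.2.10", "www.cyberciti.biz", "AAAA"),
    ("192.0.2.20", "ns1.nixcraft.net", "A"),
    ("192.0.2.20", "nixcraft.net", "MX"),
    ("192.0.2.30", "4.3.2.1.in-addr.arpa", "PTR"),
    ("192.0.2.30", "9.8.7.1.in-addr.arpa", "PTR"),
    ("192.0.2.40", "theos.in", "A"),
]

def name_level(qname, level):
    """Last `level` labels of a name, as the -l tables show them: level 2 of
    www.cyberciti.biz is cyberciti.biz; shorter names are kept whole."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:        # shown as one TLD in the tables above
        labels[-2:] = ["in-addr.arpa"]
    return ".".join(labels[-level:])

def table(keys):
    """dnstop-style rows (key, count, percent of all queries), busiest first."""
    counts = Counter(keys)
    total = sum(counts.values())
    return [(key, n, round(100.0 * n / total, 1))
            for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

def sources(queries):                 # the 's' view
    return table(src for src, _, _ in queries)

def query_names(queries, level):      # the '1'..'9' views
    return table(name_level(q, level) for _, q, _ in queries)

def query_types(queries):             # the 't' view
    return table(qtype + "?" for _, _, qtype in queries)

def render(title, rows):
    """Format rows like dnstop's screen: name, count and percent columns."""
    head = ["%-30s %9s %6s" % (title, "count", "%"), "-" * 30 + " " + "-" * 9 + " " + "-" * 6]
    return "\n".join(head + ["%-30s %9d %6.1f" % row for row in rows])

if __name__ == "__main__":
    print(render("Sources", sources(QUERIES)))
    print(render("SLD", query_names(QUERIES, 2)))
    print(render("Query Type", query_types(QUERIES)))
```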

Option help

There are many more options that provide a detailed view of current traffic; just type ? to view help for all run-time options:

s - Sources list
d - Destinations list
t - Query types
o - Opcodes
r - Rcodes
1 - 1st level Query Names      ! - with Sources
2 - 2nd level Query Names      @ - with Sources
3 - 3rd level Query Names      # - with Sources
4 - 4th level Query Names      $ - with Sources
5 - 5th level Query Names      % - with Sources
6 - 6th level Query Names      ^ - with Sources
7 - 7th level Query Names      & - with Sources
8 - 8th level Query Names      * - with Sources
9 - 9th level Query Names      ( - with Sources
^R - Reset counters
^X - Exit
? - this
