Summary: monitor outbound DNS traffic on a single host and process it in a streaming manner
- Monitor outbound DNS queries through `tcpdump`
- Deduplicate records such as adjacent `A` and `AAAA` records with the same domain name
- Filter out special record types such as `PTR`
- Aggregate information from all previously monitored queries
  - How many times the top-level domain (TLD) in the current record has been queried
  - How many times the second-level domain (SLD) in the current record has been queried
- Select the SLD or the TLD as the domain key to print together with the full domain name
- Color the domain key before printing it to stdout according to how many times it has been queried
- Handle all types of errors and print them to stderr asynchronously
  - Errors from `tcpdump` (the source)
  - Errors in information extraction (invalid records)
  - Errors from
The latest `stack` is recommended. If it was installed with `apt-get` or `dnf`, it can be upgraded with `stack upgrade`; the upgraded binary is usually placed at `~/.local/bin/stack`, so make sure that directory comes before the distribution's one in your `PATH`.

The application requires `tcpdump` to be installed on the host.
```sh
make install
```

This command compiles the application, copies the binary to `/usr/bin` and sets the permissions it needs to run. Note that `tcpdump` itself needs packet-capture privileges (root, or the `CAP_NET_RAW` and `CAP_NET_ADMIN` capabilities), so `dnsmonitor` must be run in a context where `tcpdump` can open the interface.

```sh
dnsmonitor
```
Color coding is based on the TLD/SLD hit count (`Config.hs`). A key seen for the first time is highlighted in yellow; the more often it has been queried, the more it fades, so unfamiliar domains stand out in a long stream:

```haskell
colorHit :: Integer -> Text
colorHit h
  | h == 1    = "yellow"
  | h < 16    = "default"
  | h < 128   = "grey"
  | otherwise = "black"
```
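The pipeline described in the feature list above, worked through as an added example in Python (not the project's Haskell code): it reads `tcpdump`'s query lines, collapses adjacent `A`/`AAAA` pairs, drops `PTR`, counts TLD and SLD hits, applies the same `colorHit` thresholds and reports invalid records on stderr. The `tcpdump` filter, the line format the regex expects, the sample lines and the mapping from colour names to ANSI codes are assumptions made for this example, not part of the page.

```python
"""Streaming DNS query monitor in the spirit of dnsmonitor (added example in
Python, not the project's Haskell). Reads tcpdump's text output from stdin:
    tcpdump -l -n -i any 'udp dst port 53' | python3 dnsmon.py --key sld
"""
import argparse
import re
import sys
from collections import Counter
from typing import Iterable, Iterator, List, Optional, Tuple

# A query line from tcpdump looks like (constructed sample, assumed format):
#   12:00:00.000001 IP 10.0.0.5.41234 > 10.0.0.1.53: 1001+ A? www.example.com. (33)
# The id may carry flag characters (+ for RD) and an EDNS marker such as [1au];
# the regex captures the record type and the queried name.
QUERY_RE = re.compile(
    r"\s(\d+)[+%$]*\s*(?:\[[^\]]*\]\s*)?([A-Z0-9]+)\?\s+(\S+?)\.?\s+\(\d+\)\s*$"
)
SKIP_TYPES = {"PTR"}          # special record types that are filtered out
PAIRED_TYPES = {"A", "AAAA"}  # adjacent lookups of one name are collapsed
# ANSI codes for the page's colour names (assumed mapping; the page gives names only)
ANSI = {"yellow": "33", "default": "0", "grey": "90", "black": "30"}

# Constructed sample: an A/AAAA pair, a PTR, a second SLD hit, EDNS flags, junk.
SAMPLE_LINES = [
    "12:00:00.000001 IP 10.0.0.5.41234 > 10.0.0.1.53: 1001+ A? www.example.com. (33)",
    "12:00:00.000002 IP 10.0.0.5.41234 > 10.0.0.1.53: 1002+ AAAA? www.example.com. (33)",
    "12:00:00.000003 IP 10.0.0.5.41235 > 10.0.0.1.53: 1003+ PTR? 1.0.0.10.in-addr.arpa. (42)",
    "12:00:00.000004 IP 10.0.0.5.41236 > 10.0.0.1.53: 1004+ A? cdn.example.com. (33)",
    "12:00:00.000005 IP 10.0.0.5.41237 > 10.0.0.1.53: 1005+ [1au] A? example.org. (40)",
    "this line is not a query",
]

def parse_query(line: str) -> Optional[Tuple[str, str]]:
    """Return (record_type, domain) for a query line, or None if it is not one."""
    m = QUERY_RE.search(line)
    return None if m is None else (m.group(2), m.group(3).lower())

def domain_keys(name: str) -> Tuple[str, str]:
    """Split a name into (tld, sld): 'www.example.com' -> ('com', 'example.com')."""
    labels = name.rstrip(".").split(".")
    return labels[-1], ".".join(labels[-2:])  # a bare TLD is its own SLD

def color_hit(h: int) -> str:
    """Same thresholds as Config.hs: first sighting stands out, noisy keys fade."""
    if h == 1:
        return "yellow"
    if h < 16:
        return "default"
    if h < 128:
        return "grey"
    return "black"

def monitor(lines: Iterable[str], key: str = "sld") -> Iterator[Tuple[str, object]]:
    """Stream ('record', info) or ('error', message) per input line; info['hits']
    is how often the chosen key has been seen so far, counting this record."""
    counts: Counter = Counter()
    last_name: Optional[str] = None  # name of the last A/AAAA record kept
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            yield "error", f"invalid record: {line.rstrip()}"
            continue
        rtype, name = parsed
        if rtype in SKIP_TYPES:
            continue
        if rtype in PAIRED_TYPES:
            if name == last_name:
                continue  # second half of an adjacent A/AAAA pair: drop it
            last_name = name
        else:
            last_name = None
        tld, sld = domain_keys(name)
        counts[("tld", tld)] += 1
        counts[("sld", sld)] += 1
        k = sld if key == "sld" else tld
        hits = counts[(key, k)]
        yield "record", {"name": name, "type": rtype, "key": k,
                         "hits": hits, "color": color_hit(hits)}

def process(lines: Iterable[str], key: str = "sld") -> Tuple[List[dict], List[str]]:
    """Batch wrapper around monitor(): returns (records, errors)."""
    records, errors = [], []
    for kind, payload in monitor(lines, key):
        (records if kind == "record" else errors).append(payload)
    return records, errors

def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("--key", choices=("sld", "tld"), default="sld")
    key = ap.parse_args().key
    for kind, payload in monitor(sys.stdin, key):
        if kind == "error":
            print(payload, file=sys.stderr, flush=True)  # errors go to stderr
            continue
        code = ANSI[payload["color"]]
        print(f"\033[{code}m{payload['key']}\033[0m {payload['name']}", flush=True)

if __name__ == "__main__":
    main()
```

Run it as `tcpdump -l -n -i any 'udp dst port 53' | python3 dnsmon.py --key tld`. The `-l` flag keeps `tcpdump`'s stdout line-buffered so records stream through the pipe as they arrive instead of in block-sized chunks, and `tcpdump`'s own errors stay on its stderr, separate from the invalid-record messages the script prints there. On the sample above the `A`/`AAAA` pair for `www.example.com` collapses to one yellow line, the `PTR` query is dropped, `cdn.example.com` is the second hit on `example.com` and prints in the default colour, and the junk line is reported as an error.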