1. Using dnstop for DNS monitoring
dnstop is a libpcap application that displays statistics about the DNS traffic on a network. It can show:
source IP addresses
destination IP addresses
query types and response codes
opcodes
top-level domains
second-level domains
third-level domains, and so on
1.1 The dnstop rpm package
This is a prebuilt package: download it and install it directly.
Package source:
-rwxr-xr-x 1 root root 34844 Aug 5 03:16 dnstop-20140915-1.el6.1.i686.rpm
[root@localhost rpm_install]# rpm -ivh dnstop-20140915-1.el6.1.i686.rpm
warning: dnstop-20140915-1.el6.1.i686.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing... ########################################### [100%]
1:dnstop ########################################### [100%]
Note the NOKEY warning: the package is signed with key ID 0608b895, but that key is not in the RPM keyring, so rpm could not verify the signature and installed the package unverified. On a production resolver, import the repository's signing key first (rpm --import <keyfile>) and check the package with rpm -K before installing it.
1.2 There is also a source package, which must be downloaded, compiled and installed by hand.
A related article describes that procedure:
1.3 Testing
1.3.1 dnstop command usage:
dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval] [device] [savefile]
where:
-4/-6: capture only IPv4/IPv6 packets;
-i address: ignore DNS messages from this address;
-a: anonymize addresses;
-b expression: BPF filter expression;
-p: do not put the interface into promiscuous mode;
-s: collect second-level domain statistics;
-r interval: screen redraw interval in seconds;
-Q: count only DNS query messages;
-R: count only DNS reply messages;
device: the interface to capture on.
dnstop is also interactive:
while dnstop is running, press s, d, t, 1, 2, Ctrl+R or Ctrl+X to switch between views:
s: list of client IP addresses sending DNS queries
d: list of destination DNS server IP addresses
t: breakdown by query type
1: top-level domains queried
2: second-level domains queried
Ctrl+R: reset the counters
Ctrl+X: exit
See man dnstop for the full details.
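The screens listed above can be reproduced in a few dozen lines, which makes it clearer what dnstop is actually counting. The script below is an added example, not code from this post or from the dnstop project: it parses raw DNS messages (header plus question section) and tallies them by source, destination, query type, opcode, rcode and top/second-level domain, with -Q/-R style filtering. The packets it processes are constructed in the script (the addresses are the ones used in this write-up), so no capture is needed. One point that matters for anything sitting on a live interface: the name decoder bounds compression-pointer recursion and rejects forward pointers, so a malformed or hostile packet is counted as malformed rather than hanging the collector.

```python
import struct
from collections import Counter

# Added example: a miniature dnstop. Tallies the same fields dnstop shows
# (source/destination IP, query type, opcode, rcode, top/second-level domain)
# over DNS messages supplied as (src_ip, dst_ip, udp_payload) tuples.
# The packets at the bottom are constructed here, not captured traffic.

QTYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(qname):
    labels = [l for l in qname.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_message(qname, qtype, reply=False, rcode=0, txid=0x1234):
    """Wire-format DNS message with one question and no answer records."""
    flags = 0x0100                              # RD
    if reply:
        flags |= 0x8000 | 0x0080 | rcode        # QR, RA, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def read_name(msg, offset, depth=0):
    """Decode a possibly compressed name; returns (name, offset after it).
    Recursion is bounded and pointers must point backwards (RFC 1035), so a
    crafted packet cannot send the parser into a loop."""
    if depth > 8:
        raise ValueError("compression pointer chain too deep")
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # pointer: 11xxxxxx xxxxxxxx
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def parse_message(payload):
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    qname, off = read_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"reply": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype}

def safe_parse(payload):
    """None for anything malformed instead of crashing the collector."""
    try:
        return parse_message(payload)
    except (ValueError, IndexError, struct.error):
        return None

def domain_level(qname, level):
    """dnstop's level-N view: the last N labels (1 = TLD, 2 = second level)."""
    return ".".join(qname.split(".")[-level:])

def tally(packets, queries_only=False, replies_only=False):
    """Aggregate like dnstop's -Q/-R filtering and its s/d/t/1/2 screens."""
    stats = {k: Counter() for k in ("sources", "destinations", "qtypes",
                                    "opcodes", "rcodes", "tld", "sld")}
    stats["malformed"] = 0
    for src, dst, payload in packets:
        m = safe_parse(payload)
        if m is None:
            stats["malformed"] += 1
            continue
        if (queries_only and m["reply"]) or (replies_only and not m["reply"]):
            continue
        stats["sources"][src] += 1
        stats["destinations"][dst] += 1
        stats["qtypes"][QTYPES.get(m["qtype"], str(m["qtype"]))] += 1
        stats["opcodes"][m["opcode"]] += 1
        if m["reply"]:
            stats["rcodes"][RCODES.get(m["rcode"], str(m["rcode"]))] += 1
        stats["tld"][domain_level(m["qname"], 1)] += 1
        stats["sld"][domain_level(m["qname"], 2)] += 1
    return stats

SERVER, CLIENT = "192.168.85.128", "192.168.85.133"   # addresses from this write-up
SAMPLE_PACKETS = [                                     # constructed, not captured
    (CLIENT, SERVER, build_message("mail.mageedu.com", 1)),
    (SERVER, CLIENT, build_message("mail.mageedu.com", 1, reply=True)),
    (CLIENT, SERVER, build_message("mageedu.com", 15)),
    (SERVER, CLIENT, build_message("mageedu.com", 15, reply=True)),
    (CLIENT, SERVER, build_message("nosuch.mageedu.com", 28)),
    (SERVER, CLIENT, build_message("nosuch.mageedu.com", 28, reply=True, rcode=3)),
    # hostile packet: the question name is a compression pointer to itself
    (CLIENT, SERVER, struct.pack("!HHHHHH", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c"
                     + struct.pack("!HH", 1, 1)),
]

def print_screen(counter, title):
    total = sum(counter.values()) or 1
    print(f"{title:<24} {'Count':>9} {'%':>6}")
    for key, n in counter.most_common():
        print(f"{str(key):<24} {n:>9} {100.0 * n / total:>6.1f}")

if __name__ == "__main__":
    q = tally(SAMPLE_PACKETS, queries_only=True)        # like dnstop -Q
    print_screen(q["sources"], "Sources")               # the 's' screen
    print_screen(q["sld"], "Query Name (level 2)")      # the '2' screen
    r = tally(SAMPLE_PACKETS, replies_only=True)        # like dnstop -R
    print_screen(r["rcodes"], "Rcode")
    print("malformed packets:", q["malformed"])
```

Run it as-is to see the three screens; to point it at real traffic, feed it the UDP payloads of port 53 packets from a pcap reader of your choice.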
1.3.2 Test
On the server 192.168.85.128:
[root@localhost ~]# dnstop -4 -Q -R eth0
Queries: 0 new, 0 total Wed Aug 5 05:49:33 2015
Replies: 0 new, 0 total
Sources Count % cum%
------- --------- ------ ------
Then, on the client 192.168.85.133:
[root@localhost ~]# dig -t A @192.168.85.128 (output omitted)
[root@localhost ~]# dig -t A mail.mageedu.com @192.168.85.128
The server now shows:
Queries: 0 new, 2 total Wed Aug 5 05:52:37 2015 # two queries
Replies: 0 new, 2 total # two replies
Sources Count % cum%
-------------- --------- ------ ------
192.168.85.133 2 100.0 100.0
Now press the 2 key:
Queries: 0 new, 2 total Wed Aug 5 05:53:57 2015
Replies: 0 new, 2 total
Query Name Count % cum%
----------- --------- ------ ------
mageedu.com 2 100.0 100.0 # the view is grouped by second-level domain
2. Stress testing with queryperf from the BIND source package
2.1 Download bind-9.7.4
URL:
[root@localhost rpm_install]# ll
total 8160
-rwxr-xr-x 1 root root 8316839 Aug 5 04:43 bind-9.7.4.tar.gz
2.2 Unpack it, enter the bind-9.7.4 directory, then the contrib directory, which contains queryperf
[root@localhost rpm_install]# tar xf bind-9.7.4.tar.gz
[root@localhost rpm_install]# cd bind-9.7.4
[root@localhost bind-9.7.4]# ll | grep contri
drwxrwxr-x 14 10132 wheel 4096 Aug 5 04:47 contrib
[root@localhost bind-9.7.4]# cd contrib/
[root@localhost contrib]# ll
total 48
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 dbus
drwxrwxr-x 4 10132 wheel 4096 Aug 5 04:47 dlz
drwxrwxr-x 3 10132 wheel 4096 Aug 5 04:47 idn
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 linux
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 named-bootconf
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 nanny
drwxrwxr-x 3 10132 wheel 4096 Aug 5 04:47 nslint-2.1a3
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 pkcs11-keygen
drwxrwxr-x 2 10132 wheel 4096 Aug 5 04:47 query-loc-0.4.0
drwxrwxr-x 5 10132 wheel 4096 Aug 5 04:47 queryperf
drwxrwxr-x 9 10132 wheel 4096 Aug 5 04:47 sdb
drwxrwxr-x 5 10132 wheel 4096 Jul 24 2011 zkt
2.3 Enter the queryperf directory and build it
[root@localhost queryperf]# ./configure
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for library containing res_mkquery... -lresolv
checking for library containing __res_mkquery... none required
checking for socket in -lsocket... no
checking for inet_ntoa in -lnsl... yes
checking for gethostbyname2... yes
checking for getaddrinfo... yes
checking for getnameinfo... yes
checking for socklen_t... yes
checking for sa_len... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root@localhost queryperf]# make
gcc -DHAVE_CONFIG_H -c queryperf.c
gcc -DHAVE_CONFIG_H queryperf.o -lnsl -lresolv -lm -o queryperf
[root@localhost queryperf]# cp queryperf /bin/ # done; the command is now available (/usr/local/bin is the usual place for locally built binaries, but either works for this test)
2.4 queryperf usage:
[root@localhost queryperf]# queryperf -h
DNS Query Performance Testing Tool
Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]
[-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
[-i interval] [-r arraysize] [-u unit] [-H histfile]
[-T qps] [-e] [-D] [-c] [-v] [-h]
-d specifies the input data file (default: stdin)
-s sets the server to query (default: 127.0.0.1)
-p sets the port on which to query the server (default: 53)
-q specifies the maximum number of queries outstanding (default: 20)
-t specifies the timeout for query completion in seconds (default: 5)
-n causes configuration changes to be ignored
-l specifies how a limit for how long to run tests in seconds (no default)
-1 run through input only once (default: multiple iff limit given)
-b set input/output buffer size in kilobytes (default: 32 k)
-i specifies interval of intermediate outputs in seconds (default: 0=none)
-f specify address family of DNS transport, inet or inet6 (default: any)
-r set RTT statistics array size (default: 50000)
-u set RTT statistics time unit in usec (default: 100)
-H specifies RTT histogram data file (default: none)
-T specify the target qps (default: 0=unspecified)
-e enable EDNS 0
-D set the DNSSEC OK bit (implies EDNS)
-c print the number of packets with each rcode
-v verbose: report the RCODE of each response on stdout
-h print this usage
2.5 Testing
2.5.1 Create a file with the following content (each line is a query name followed by a record type):
[root@localhost ~]# cat test
A
mail.mageedu.com A
mageedu.com NS
mageedu.com MX
2.5.2 Run queryperf on the server itself, so the same machine is both server and client:
[root@localhost ~]# queryperf -d test -s 192.168.85.128
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.85.128)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 4 queries
Queries completed: 4 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.004743 sec
RTT min: 0.000463 sec
RTT average: 0.003552 sec
RTT std deviation: 0.001801 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Wed Aug 5 05:01:30 2015
Finished at: Wed Aug 5 05:01:30 2015
Ran for: 0.009666 seconds
Queries per second: 413.821643 qps # queries completed per second (low here because the input has only four queries; query logging on the server also costs something)
The server's query log at this point:
[root@localhost ~]# cat /var/named/log/bind_query.log
05-Aug-2015 02:10:48.556 queries: info: client 192.168.85.133#60772: view innet: query: IN A + (192.168.85.128)
05-Aug-2015 02:11:59.075 queries: info: client 192.168.85.133#41521: view innet: query: IN A + (192.168.85.128)
05-Aug-2015 05:01:30.504 queries: info: client 192.168.85.128#48697: view innet: query: IN A + (192.168.85.128)
05-Aug-2015 05:01:30.509 queries: info: client 192.168.85.128#48697: view innet: query: mail.mageedu.com IN A + (192.168.85.128)
05-Aug-2015 05:01:30.514 queries: info: client 192.168.85.128#48697: view innet: query: mageedu.com IN NS + (192.168.85.128)
05-Aug-2015 05:01:30.515 queries: info: client 192.168.85.128#48697: view innet: query: mageedu.com IN MX + (192.168.85.128)
Note: with a large input file, say 100,000 lines, run top or a similar monitor during the test to watch CPU and memory use on the server.
2.5.3 Running queryperf from the client
On the server (192.168.85.128), first copy /bin/queryperf to the client (192.168.85.133); the test file can be copied as well:
[root@localhost ~]# scp /bin/queryperf 192.168.85.133:/bin/
root@192.168.85.133's password:
queryperf 100% 33KB 33.0KB/s 00:00
[root@localhost ~]# scp /root/test 192.168.85.133:/root
root@192.168.85.133's password:
test 100% 67 0.1KB/s 00:00
Run the test on the client:
[root@localhost ~]# queryperf -d test -s 192.168.85.128
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.85.128)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 4 queries
Queries completed: 4 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.010055 sec
RTT min: 0.009055 sec
RTT average: 0.009422 sec
RTT std deviation: 0.000410 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Wed Aug 5 05:13:22 2015
Finished at: Wed Aug 5 05:13:22 2015
Ran for: 0.011108 seconds
Queries per second: 360.100828 qps # now 360 per second; the network hop adds latency, and other factors also affect the result
You can put many more lines in the test file (10,000 or 100,000, by repeating the entries), then run queryperf while watching with dnstop to see how the server resolves under load.
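To scale the test up as suggested, and to compare runs, the following script is an added example (not part of this post and not BIND's code). It generates a queryperf input file of any size with a mix of record types and a share of non-existent names so the server's NXDOMAIN path is exercised too; parses the Statistics block that queryperf prints into numbers so runs can be compared or gated on a minimum qps and zero loss; and tallies BIND query-log lines per client and type so what the server actually received can be cross-checked against what queryperf reported sending (4 queries from 192.168.85.128 in the run above). The queryperf summary and log lines embedded below are copied from the runs in this post; the zone and host names used for generation are assumptions.

```python
import random
import re
from collections import Counter

# Added example, not BIND's or the post's own code: helpers around queryperf.
# generate a large input file, parse queryperf's summary, and tally BIND's
# query log so the server's view can be checked against the load generator's.

RECORD_TYPES = ("A", "AAAA", "MX", "NS", "TXT")

def generate_queries(n, zone="mageedu.com", hosts=("mail", "www", "ns1"),
                     nxdomain_ratio=0.1, seed=1):
    """Yield n lines in queryperf's 'name type' format. zone/hosts are
    assumed names; a share of names do not exist, so the server's negative
    answer path (NXDOMAIN) is exercised as well as cache hits."""
    rng = random.Random(seed)            # seeded: identical file on every run
    for i in range(n):
        if rng.random() < nxdomain_ratio:
            name = f"nosuch{i}.{zone}"
        elif rng.random() < 0.7:
            name = f"{rng.choice(hosts)}.{zone}"
        else:
            name = zone
        yield f"{name} {rng.choice(RECORD_TYPES)}"

def write_queryperf_input(path, n, **kwargs):
    """Write the file to pass as 'queryperf -d <path>'; returns lines written."""
    with open(path, "w") as f:
        for line in generate_queries(n, **kwargs):
            f.write(line + "\n")
    return n

# Summary lines of queryperf's "Statistics:" block, keyed exactly as printed.
STAT_RE = re.compile(r"^\s*(Queries sent|Queries completed|Queries lost|"
                     r"Percentage completed|Percentage lost|RTT average|"
                     r"Ran for|Queries per second):\s*([0-9.]+)")

def parse_queryperf_stats(text):
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats

def check_run(stats, min_qps, max_loss_pct=0.0):
    """Return a list of problems (empty means pass) for gating a capacity test."""
    problems = []
    lost = stats.get("Percentage lost", 100.0)
    qps = stats.get("Queries per second", 0.0)
    if lost > max_loss_pct:
        problems.append(f"lost {lost}% of queries (limit {max_loss_pct}%)")
    if qps < min_qps:
        problems.append(f"{qps} qps below target {min_qps}")
    return problems

# BIND query log line, e.g.
# "... client 192.168.85.128#48697: view innet: query: mail.mageedu.com IN A + (192.168.85.128)"
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): (?:view \S+: )?"
                    r"query: (?P<name>\S*)\s*IN (?P<type>\S+)")

def count_query_log(lines):
    """Tally queries per client, type and name, like dnstop's s and t screens."""
    by_client, by_type, by_name = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                     # not a query line, or a format not handled here
        by_client[m["ip"]] += 1
        by_type[m["type"]] += 1
        by_name[m["name"] or "<empty>"] += 1
    return {"clients": by_client, "types": by_type, "names": by_name}

# Copied from the queryperf run on the server earlier in this write-up.
QUERYPERF_OUTPUT = """\
Statistics:
  Parse input file:     once
  Ended due to:         reaching end of file
  Queries sent:         4 queries
  Queries completed:    4 queries
  Queries lost:         0 queries
  RTT average:          0.003552 sec
  Percentage completed: 100.00%
  Percentage lost:      0.00%
  Ran for:              0.009666 seconds
  Queries per second:   413.821643 qps
"""

# Copied from /var/named/log/bind_query.log as shown above (the name is blank in some lines).
BIND_QUERY_LOG = [
    "05-Aug-2015 02:10:48.556 queries: info: client 192.168.85.133#60772: view innet: query: IN A + (192.168.85.128)",
    "05-Aug-2015 02:11:59.075 queries: info: client 192.168.85.133#41521: view innet: query: IN A + (192.168.85.128)",
    "05-Aug-2015 05:01:30.504 queries: info: client 192.168.85.128#48697: view innet: query: IN A + (192.168.85.128)",
    "05-Aug-2015 05:01:30.509 queries: info: client 192.168.85.128#48697: view innet: query: mail.mageedu.com IN A + (192.168.85.128)",
    "05-Aug-2015 05:01:30.514 queries: info: client 192.168.85.128#48697: view innet: query: mageedu.com IN NS + (192.168.85.128)",
    "05-Aug-2015 05:01:30.515 queries: info: client 192.168.85.128#48697: view innet: query: mageedu.com IN MX + (192.168.85.128)",
]

if __name__ == "__main__":
    write_queryperf_input("queries.txt", 100000)   # then: queryperf -d queries.txt -s 192.168.85.128
    stats = parse_queryperf_stats(QUERYPERF_OUTPUT)
    print(stats, check_run(stats, min_qps=300) or "PASS")
    log = count_query_log(BIND_QUERY_LOG)
    print("server saw per client:", dict(log["clients"]), "per type:", dict(log["types"]))
```

Pipe a real run through parse_queryperf_stats (for example, save queryperf's stdout to a file and read it) and feed the server's query log through count_query_log: if the client count in the log is lower than "Queries sent", queries were dropped before named ever saw them, which points at the network or the socket buffers rather than the resolver.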