Using Bind9, Tshark, and DNSTOP to monitor connections

Commands documented below; updates to come.

For tracking DNS queries.

sudo apt-get install bind9
 
edit the file:
/etc/bind/named.conf.options
 
Uncomment and edit with your DNS IPs (these are Google's, but I use my ISP's). The forwarders block sits inside the existing options { ... }; stanza of that file. Check the edited file with named-checkconf before restarting: a syntax error leaves bind9 down and every client without DNS.
 
forwarders {
    8.8.8.8;
    8.8.4.4;
};
 
Restart
 
sudo service bind9 restart 
 
Remember to point your router at this DNS server (the resolver address it hands out to clients over DHCP) so that every client's queries pass through it. Clients with a manually configured resolver, or browsers using DNS over HTTPS, bypass the server and will not show up in its logs or captures.
 
Use in conjunction with tshark for logging support.
 
Use it in conjunction with dnstop to watch DNS queries as they arrive.
(Clients have to be pointed at the new DNS server for their queries to show up.)
 
DNSTOP Commands 
 
 s - Sources list
 d - Destinations list
 t - Query types
 o - Opcodes
 r - Rcodes
 1 - 1st level Query Names      ! - with Sources
 2 - 2nd level Query Names      @ - with Sources
 3 - 3rd level Query Names      # - with Sources
 4 - 4th level Query Names      $ - with Sources
 5 - 5th level Query Names      % - with Sources
 6 - 6th level Query Names      ^ - with Sources
 7 - 7th level Query Names      & - with Sources
 8 - 8th level Query Names      * - with Sources
 9 - 9th level Query Names      ( - with Sources
^R - Reset counters
^X - Exit
 
 ? - this 
 


dnstop reads either live from an interface (given in place of the file name) or from a capture file, but it does not write captures itself. To keep a record you can re-examine later, save the traffic with something like tcpdump first and point dnstop at the file.

Use it like this:

tcpdump -w dump.pcap -c 1000 port 53
(-c 1000 stops the capture after 1000 packets.) Then read that file like this:
dnstop -l 3 dump.pcap
(-l 3 tells dnstop to track query names down to the third level, e.g. www.example.com.)

or

tshark -r dump.pcap

This will run for 15 seconds and then stop (one rotation, one file):
tcpdump -G 15 -W 1 -w myfile -i eth1 'port 53'

-G (seconds to capture before rotating to a new file; if the -w name contains no strftime pattern such as %Y%m%d, each rotation overwrites the previous file)
-W (with -G: how many rotated files to write before tcpdump exits)
-c (stop after this many packets; it is a packet count, not a size. Size-based rotation is -C, in MB)
-w (file name)
-i (interface)
-tttt (human-readable timestamps with the date, in printed output only; a -w capture file always stores full timestamps, so the flag changes nothing there)
dst (direction qualifier: dst ipaddr matches packets whose destination is that host; the type qualifier host is assumed when omitted)

My final command:
sudo tcpdump -G 2580000 -W 800 -i eth1 -tttt -w /home/rsmith/dump.pcap port 53 and dst "ipaddr" &

Here "ipaddr" is the address of the bind9 server, so only queries sent to it are kept. Note that 2580000 seconds is about 30 days per file, and because the file name carries no time pattern each rotation overwrites dump.pcap rather than keeping 800 files.
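What dnstop does with such a capture, as an added example (this is not code from the original post or from the dnstop project): a standard-library Python script that reads a classic libpcap file of the kind tcpdump -w writes, keeps only UDP/53 queries carried over Ethernet/IPv4, and counts them by the rightmost N labels of the query name, with and without the client address, which is what dnstop's "N-th level Query Names" and "with Sources" views show. The capture it runs on by default is constructed inside build_sample_pcap(); the file name dnsagg.py, the addresses and the domains are assumptions. It does not handle pcapng (tshark -w writes that format by default), VLAN tags, IPv6 or DNS over TCP.

```python
"""dnstop-style aggregation of DNS queries from a pcap file (standard library only).
Added example for the tcpdump + dnstop workflow; not part of the original post.
Handles classic libpcap files with Ethernet/IPv4/UDP frames only."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def encode_qname(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (DNS wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_frame(src_ip, dst_ip, qname, response=False, qtype=1):
    """Ethernet/IPv4/UDP frame carrying one DNS question (constructed test data)."""
    flags = 0x8180 if response else 0x0100            # QR|RD|RA for a reply, RD for a query
    dns = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    dns += encode_qname(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    sport, dport = (53, 40000) if response else (40000, 53)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns  # checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp     # dummy MACs, EtherType IPv4


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Wrap raw frames in a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (linktype, frame) for each record; both byte orders are accepted."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def parse_query(frame, linktype=LINKTYPE_ETHERNET):
    """Return (src_ip, qname, qtype) for a UDP/53 query, else None.
    Responses (QR=1) and questions using name compression are skipped."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 17:               # protocol 17 = UDP
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:]
    _sport, dport = struct.unpack_from("!HH", udp, 0)
    if dport != 53:
        return None
    dns = udp[8:]
    if len(dns) < 12:
        return None
    _txid, flags, qdcount = struct.unpack_from("!HHH", dns, 0)
    if flags & 0x8000 or qdcount < 1:
        return None
    labels, off = [], 12
    while off < len(dns) and dns[off] != 0:
        length = dns[off]
        if length & 0xC0:                              # compression pointer, not expected here
            return None
        labels.append(dns[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    if off + 3 > len(dns):
        return None
    (qtype,) = struct.unpack_from("!H", dns, off + 1)
    return src_ip, ".".join(labels), qtype


def level_name(qname, level):
    """Rightmost `level` labels: level 2 of 'www.example.com' is 'example.com'."""
    return ".".join(qname.split(".")[-level:])


def summarize(pcap_bytes, level=3):
    """Counters keyed like dnstop's level-N view and its 'with Sources' view."""
    by_name, by_name_src = Counter(), Counter()
    for linktype, frame in iter_pcap(pcap_bytes):
        parsed = parse_query(frame, linktype)
        if parsed is None:
            continue
        src_ip, qname, _qtype = parsed
        key = level_name(qname, level)
        by_name[key] += 1
        by_name_src[(key, src_ip)] += 1
    return by_name, by_name_src


def build_sample_pcap():
    """Constructed capture: three client queries plus one server reply (assumed addresses)."""
    server = "192.168.1.2"
    return build_pcap([
        build_dns_frame("192.168.1.10", server, "www.example.com"),
        build_dns_frame(server, "192.168.1.10", "www.example.com", response=True),
        build_dns_frame("192.168.1.10", server, "mail.example.com"),
        build_dns_frame("192.168.1.11", server, "api.cdn.example.net", qtype=28),
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    names, sources = summarize(data, level=2)
    for name, count in names.most_common():
        print(f"{count:6d}  {name}")
    for (name, src), count in sources.most_common():
        print(f"{count:6d}  {name:30s} {src}")
```

Run it as python3 dnsagg.py dump.pcap against a tcpdump -w capture, or with no argument to see the constructed sample; at level 2 the sample collapses to example.com (2 queries, both from 192.168.1.10) and example.net (1), and the server's reply is not counted because only frames addressed to port 53 with QR=0 are queries.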




 
