Most of these tools help us diagnose a single zone. However, it would be nice to have something at our disposal that enables us to look at the aggregate usage of our environment and help us tease out any anomalies, such as abusive clients or zones under attack.
Enter dnstop, think of it like your Unix top command (which shows you which processes are consuming the most CPU resources) but one that shows you similar usage patterns for DNS queries. Take a look at the following:
Usage: dnstop <interface> -l <level>
# dnstop eth0:0 -l3 -p
The -l switch tells dnstop how many levels deep to count the hostnames being queried:
-l 1: com / net / org / biz
-l 2: example.com / example.net / example.org / example.biz
-l 3: example.com.br / example.gov.co ...