Viewing DNS table to see where the bandwidth hog is going

Discussion in 'Tomato Firmware' started by personalt, Sep 11, 2011.

  1. personalt

    personalt Networkin' Nut Member

    I am running Tomato with QOS enabled. As soon as I fire the router up I get one connection that goes full force to one IP address on port 80. I don't know what website this connection is to.

    I tried a few websites that do reverse IP lookups but they just come back to level3 communications.

    I would think there is likely an entry in the internal DNS table for the IP in question but didn't know how to dump the table. Is there a command or something I can run from the GUI?
  2. Toastman

    Toastman Super Moderator Staff Member Member

    If you are using a recent third party build of Tomato, you can use the QOS - Details page to list all connections, click the box to do a lookup to the sites themselves. You can easily identify which PC is doing it.

    The QOS ctrates page shows which connections are taking the most bandwidth.

    I'm just about to post new versions of Tomato, initially for K2.4 MIPSR1 routers (WRT series etc.) which will have even more detailed client monitoring facilities. A MIPSR2 K2.6 build will follow soon.
  3. personalt

    personalt Networkin' Nut Member

    I am using your build..
    Using this as an example, I ftp some data to my dads house often. He uses dyndns with the address something like - which currently is but from QOS view details when I click on that IP it returns - ( which I assume is looked up elsewhere.

    I don't see how would be in my DNS table. I really want to get back the address I entered during the initial lookup.

    In this case it doesn't really matter, but I have an apartment where I provide internet to and I have a user that hits some address or something like that really hard. I want to see what the user is hitting that gets resolved to this address. I want to see what he is doing to see if I think it makes sense to change the QOS priority.
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    To be able to view the DNS cache, do the following from ssh/telnet:
    nvram set debug_norestart=dnsmasq
    service dnsmasq restart
    killall dnsmasq
    dnsmasq -q
    nvram unset debug_norestart
    This will clear the cache, so you'll have to wait until whatever query you're wanting to see happens. Every DNS query will now show up in the router log, but you can also view the current cache at any time. When you want to view the cache, do
    killall -SIGUSR1 dnsmasq
    The entire dns cache will be dumped to the router log.
    When you're done, it's probably a good idea to return things to normal by running
    service dnsmasq restart
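
Added example, not part of the post above or of the Tomato project: once `dnsmasq -q` is logging queries, this shell function reads the router log and lists which names resolved to a given address and which LAN client asked for each. The `query[...] NAME from CLIENT`, `reply NAME is ADDR` and `cached NAME is ADDR` line shapes are assumed from dnsmasq query logging and may differ between versions; `names_for_ip`, `sample_log` and the sample lines are constructed for illustration.

```shell
# names_for_ip IP < router-log
# Prints "NAME CLIENT" per answer equal to IP: NAME is the name the client asked
# for (head of a CNAME chain), CLIENT the LAN address that sent the query.
names_for_ip() {
    awk -v ip="$1" '
    {   k = 0                            # locate the dnsmasq keyword; syslog prefix varies
        for (i = 1; i <= NF; i++)
            if ($i ~ /^query\[/ || $i == "reply" || $i == "cached") { k = i; break }
        if (k == 0) next                 # not a query/answer line (e.g. "forwarded")
        name = $(k+1)
    }
    $k ~ /^query\[/ {                    # query[A] NAME from CLIENT
        pending = ""
        if ($(k+2) == "from" && !((name, $(k+3)) in seen)) {
            seen[name, $(k+3)] = 1; clients[name] = clients[name] " " $(k+3)
        }
        next
    }
    $(k+2) != "is" { next }
    $(k+3) == "<CNAME>" { if (pending == "") pending = name; next }
    {                                    # reply|cached NAME is ADDR
        if (pending != "") { origin[name] = pending; pending = "" }
        asked = (name in origin) ? origin[name] : name
        if ($(k+3) == ip) hit[asked] = 1
    }
    END {
        for (n in hit) {
            c = (n in clients) ? clients[n] : "-"; m = split(c, a, " ")
            for (j = 1; j <= m; j++) print n, a[j]
        }
    }' | sort
}

# Constructed sample log lines (documentation-range names and addresses).
sample_log() {
    cat <<'EOF'
Sep 11 10:00:01 router dnsmasq[512]: query[A] www.example.com from 192.168.1.23
Sep 11 10:00:01 router dnsmasq[512]: forwarded www.example.com to 198.51.100.53
Sep 11 10:00:01 router dnsmasq[512]: reply www.example.com is <CNAME>
Sep 11 10:00:01 router dnsmasq[512]: reply edge.cdn.example.net is 203.0.113.5
Sep 11 10:00:09 router dnsmasq[512]: query[A] files.example.org from 192.168.1.40
Sep 11 10:00:09 router dnsmasq[512]: reply files.example.org is 203.0.113.5
Sep 11 10:00:12 router dnsmasq[512]: query[A] www.example.com from 192.168.1.40
Sep 11 10:00:12 router dnsmasq[512]: cached www.example.com is <CNAME>
Sep 11 10:00:12 router dnsmasq[512]: cached edge.cdn.example.net is 203.0.113.5
Sep 11 10:00:15 router dnsmasq[512]: reply other.example.org is 198.51.100.7
EOF
}
sample_log | names_for_ip 203.0.113.5
```

On the router, pipe the real log into `names_for_ip` in place of `sample_log`; where that log lives depends on the build's logging settings.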
  5. personalt

    personalt Networkin' Nut Member

    thanks.. that worked like a champ...
  6. EOC_Jason

    EOC_Jason Networkin' Nut Member

    To answer your question to your example, it depends on the lookup direction. You could have a million different URLs pointing to one IP... You do a lookup on each of the hostnames and you get the same IP. HOWEVER... If you do a reverse lookup entering the IP, there will be only one reverse lookup entry, and that is controlled by the person who is authoritative for that netblock.

    There's no way to enter an IP and find out every hostname that points to it.

    Back to your dilemma though... Hopefully you have tracked down what that person is doing. When you say it's hitting an IP hard, that (to me) usually means something like a trojan on their computer, or P2P...