I need to create a report with the top 30 domains that are requested from our Recursive DNS servers. The report must be in the following format:

Domain Number of Requests

For example:

Google.com; 98556
yahoo.com; 45585

etc

I know that BIND 9.3 offers no such functionality, so, do you know any script that could be run on a let's say daily basis and gather that information?

My plan is to create an RRD DB with that information at a later stage.

Peter

1 Answer

If you enable querylog in Bind9, it will log all queries made to your server, which you can then parse for the recursive flag, then order. You could use many tools for that, pick your own poison.

Given entries like this:

02-Mar-2013 10:50:08.899 queries: info: client 111.22.33.44#53: Query: fully.qualified.domain.name IN A -E
02-Mar-2013 10:50:08.900 queries: info: client 111.22.33.44#53: Query: fully.qualified.domain.name IN A6 -E

The fields are such:

The date and time the query was received; the source IP address and port number used by the client; and the name, class and qtype. The final field shows if the query had the rd (recursion desired) bit set (+) or not (-) -- typically showing if the query came from a name server or stub resolver -- or if EDNS0 (E) was used.

NickW
  • Do keep in mind that on a very busy recursive server query logging can have performance implications. Logging thousands or tens of thousands of queries per second can be pretty taxing. On a modestly loaded system it shouldn't be too much of a problem. Which syslog daemon you use can make a difference; you want to use a modern one that doesn't block to write every log message. – Michael McNally Apr 05 '13 at 18:18
  • I know how to enable queries logging. What I want is to analyze that. – Peter Apr 06 '13 at 13:49
  • I just told you the fields, all you have to do is write an awk query, then order it, then count.. – NickW Apr 08 '13 at 08:26
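
The parse, filter on the rd flag, count and order steps described in the answer and comments, as an added example that is not part of the original thread. The function names `top_domains` and `sample_log` are hypothetical, the log lines are constructed in the format quoted above, and "domain" is approximated as the last two labels of the query name.

```shell
#!/bin/sh
# Added example: rank the names in a BIND query log by recursive (rd=1) requests.
# top_domains and sample_log are hypothetical names; the log lines are constructed.

# Usage: top_domains [N] [LABELS] < query.log
#   N      rows to print (default 30)
#   LABELS trailing labels treated as "the domain" (default 2: www.example.com
#          -> example.com). Assumption: this misgroups suffixes such as co.uk.
top_domains() {
    awk -v labels="${2:-2}" '
    {
        # Locate the "Query:" token instead of hard-coding a column number.
        q = 0
        for (i = 1; i <= NF; i++)
            if (tolower($i) == "query:") { q = i; break }
        if (q == 0 || q + 4 > NF) next             # other log category, or truncated line
        if (substr($(q + 4), 1, 1) != "+") next    # flags field: keep only rd set

        name = tolower($(q + 1))                   # DNS names are case-insensitive
        sub(/\.$/, "", name)                       # drop a trailing root dot
        if (name == "") { count["."]++; next }     # query for the root itself

        n = split(name, part, ".")
        start = (n > labels) ? n - labels + 1 : 1
        dom = part[start]
        for (j = start + 1; j <= n; j++) dom = dom "." part[j]
        count[dom]++
    }
    END { for (d in count) printf "%s; %d\n", d, count[d] }
    ' | LC_ALL=C sort -t ';' -k2,2nr -k1,1 | head -n "${1:-30}"
}

# Constructed sample input: five rd=1 queries, one rd=0 query, one non-query line.
sample_log() {
    cat <<'EOF'
02-Mar-2013 10:50:08.899 queries: info: client 192.0.2.10#53124: Query: www.example.com IN A +
02-Mar-2013 10:50:08.900 queries: info: client 192.0.2.10#53125: Query: mail.example.com IN MX +E
02-Mar-2013 10:50:09.010 queries: info: client 192.0.2.11#40001: Query: WWW.Example.COM IN AAAA +
02-Mar-2013 10:50:09.120 queries: info: client 192.0.2.12#40002: Query: example.net IN A +
02-Mar-2013 10:50:09.130 queries: info: client 192.0.2.12#40003: Query: ftp.example.net IN A +
02-Mar-2013 10:50:09.200 queries: info: client 198.51.100.7#53: Query: www.example.org IN A -E
02-Mar-2013 10:50:09.300 general: info: zone example.org/IN: loaded serial 2013030201
EOF
}

sample_log | top_domains 30
```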