Creating Bind query log statistics with dnsrecon


A month or two back I was investigating a production issue and wanted to visualize our Bind query logs. The Bind statistics channel looked useful but there wasn’t enough data to help me troubleshoot my issue. In the spirit of software re-use I looked at a few open source query log parsing utilities. The programs I found used MySQL and once again they didn’t have enough data to fit my needs. My needs were pretty simple:

Instead of mucking around with these solutions I wrote dnsrecon. Dnsrecon takes one or more logs as an argument and produces a compact DNS query log report which can be viewed in a terminal window:

$ dnsrecon.py logs/ --histogram

Processing logfile ../logs/named.queries
Processing logfile ../logs/named.queries.0
Processing logfile ../logs/named.queries.1
Processing logfile ../logs/named.queries.2
Processing logfile ../logs/named.queries.3
Processing logfile ../logs/named.queries.4
Processing logfile ../logs/named.queries.5
Processing logfile ../logs/named.queries.6
Processing logfile ../logs/named.queries.7
Processing logfile ../logs/named.queries.8
Processing logfile ../logs/named.queries.9

Summary for 05-Nov-2016 10:31:36.230 - 08-Nov-2016 14:15:51.426

Total DNS_QUERIES processed : 9937837
PTR records requested : 6374013
A records requested : 3082344
AAAA records requested : 372332
MX records requested : 32593
TXT records requested : 23508
SRV records requested : 19815
SOA records requested : 19506
NS records requested : 6661
DNSKEY records requested : 2286

Top 100 DNS names requested:
prefetch.net : 81379
sheldon.prefetch.net : 75244
penny.prefetch.net : 54637
.....

Top 100 DNS clients:
blip.prefetch.net : 103680
fmep.prefetch.net : 92486
blurp.prefetch.net : 32456
gorp.prefetch.net : 12324
.....

Queries per minute:
  00: ******************* (149807)
  01: ******************* (149894)
  02: ******************************* (239495)
  03: *********************************************** (356239)
  04: ********************************************** (351916)
  05: ********************************************* (346121)
  06: ************************************************ (362635)
  07: ************************************************** (377293)
  08: ********************************************* (343376)
  .....

Queries per hour:
  00: ********* (325710)
  01: ********** (363579)
  02: ******** (304630)
  03: ******** (302274)
  04: ******** (296872)
  05: ******** (295430)
  .....

Over the course of my IT career I can’t recall how many times I’ve been asked IF a record is in use and WHO is using it. To help answer that question you can add the “--matrix” option to print domain names along with the names / IPs of the clients requesting those records. This produces a list similar to this:

prefetch.net
|-- leonard.prefetch.net 87656
|-- howard.prefetch.net 23456
|-- bernadette.prefetch.net 3425

The top entry is the domain being requested and the entries below it are the clients asking questions about it. I’m looking to add the record type requested to the resolution matrix as well as --start and --end arguments to allow data to be summarized during a specific time period. Shoot me a pull request if you enhance the script or see a better way to do something.
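As an added example (my own code, not the dnsrecon script), here is a compact Python parser that builds the same roll-ups the report above shows, including the name-to-client matrix, from constructed query log lines in Bind's default querylog layout. The line layout, the optional "@0x..." client pointer that newer Bind versions print, and the sample addresses are assumptions; unparsable lines are counted and skipped rather than aborting the run.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in Bind's default query log layout (assumed); last line is junk.
SAMPLE_LOG = """\
05-Nov-2016 10:31:36.230 queries: info: client 192.0.2.10#53214 (prefetch.net): query: prefetch.net IN A +E (198.51.100.1)
05-Nov-2016 10:31:37.101 queries: info: client 192.0.2.10#53215 (prefetch.net): query: prefetch.net IN AAAA +E (198.51.100.1)
05-Nov-2016 11:02:09.552 queries: info: client 192.0.2.20#40001 (10.2.0.192.in-addr.arpa): query: 10.2.0.192.in-addr.arpa IN PTR + (198.51.100.1)
05-Nov-2016 11:02:10.004 queries: info: client 192.0.2.20#40002 (prefetch.net): query: prefetch.net IN A + (198.51.100.1)
05-Nov-2016 11:02:11.000 queries: info: client @0x7f1a2b3c4d50 192.0.2.30#40003 (prefetch.net): query: prefetch.net IN MX + (198.51.100.1)
this line is not a query log entry
"""
# Timestamp, client address (optional @0x... pointer before it), queried name and type.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} .*?"
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"(?:\(\S+\): )?query: (?P<name>\S+) IN (?P<rtype>\S+)")

def parse_query_log(text):
    """Return (records, skipped): one dict per query line plus the count of unparsable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            skipped += 1
            continue
        records.append({"ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
                        "client": m.group("client"),
                        "name": m.group("name").lower().rstrip("."),
                        "rtype": m.group("rtype").upper()})
    return records, skipped

def summarize(records, top=100):
    """Roll-ups the report prints: type counts, top names/clients, histograms, matrix."""
    matrix = defaultdict(Counter)  # name -> Counter(client -> query count)
    for r in records:
        matrix[r["name"]][r["client"]] += 1
    return {"total": len(records),
            "types": Counter(r["rtype"] for r in records),
            "names": Counter(r["name"] for r in records).most_common(top),
            "clients": Counter(r["client"] for r in records).most_common(top),
            "per_hour": Counter(r["ts"].hour for r in records),
            "per_minute": Counter(r["ts"].minute for r in records),
            "matrix": matrix}

def histogram(counter, width=50):
    """Render bucket -> count as the star bars in the report, scaled to the busiest bucket."""
    peak = max(counter.values(), default=1)
    return "\n".join(f"  {b:02d}: {'*' * max(1, c * width // peak)} ({c})"
                     for b, c in sorted(counter.items()))
```

Feeding it the real log files is a matter of reading each one in turn and concatenating the record lists before calling summarize; the per-minute counter keys on the minute of the hour, as the report above does.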

This article was posted by Matty on 2016-11-11 14:27:00 -0400