BIND DNS Query Frequency Analysis

Submitted by on September 6, 2016 – 1:30 pm

The little script (dns_qpm2) below looks through your BIND query log and calculates the average query-per-minute rate for each client found in it. Nothing fancy, but it can be useful in identifying the heavy-hitters.

#!/bin/bash
# dns_qpm2: average query-per-minute rate per client, read from a BIND query log
d="/var/log/named"
f="${d}/query_log"

# Span of the log in whole minutes, from the timestamps of its first and last lines
# (BIND query-log lines begin with "DD-Mon-YYYY HH:MM:SS.mmm"). Computed once, not per client.
t_first=$(date -d "$(head -1 "${f}" | awk '{print $1,$2}')" +%s)
t_last=$(date -d "$(tail -1 "${f}" | awk '{print $1,$2}')" +%s)
timediff=$(( (t_last - t_first) / 60 ))
# A log covering less than a minute would otherwise divide by zero
[ "${timediff}" -lt 1 ] && timediff=1

# Unique client addresses (classic "client A.B.C.D#port" form), sorted numerically octet by octet
IFS=$'\n' ; a=($(grep -oPh "(?<=client )([0-9]{1,3}\.){3}([0-9]{1,3})(?=#)" "${f}" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq)) ; unset IFS

printf '%s\n' "${a[@]}" | while read -r client
do
  [ -z "${client}" ] && continue
  # Reverse-resolve the client (first PTR only); fall back to the bare address
  fqdn=$(dig +short -x "${client}" 2>/dev/null | head -1 | sed 's/\.$//')
  if [ -z "${fqdn}" ] ; then fqdn="${client}" ; fi
  # Total queries logged for this client
  cn=$(grep -c "client ${client}#" "${f}")
  # Average queries per minute over the span of the log (integer division)
  qpm=$(( cn / timediff ))
  printf "%-18s %-46s %-12s %s\n" "${client}" "${fqdn}" "${cn}" "${qpm}"
done | sort -k3nr | (echo "IP FQDN Q Q/min" && cat) | column -t
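As an added illustration (not part of the original post or its script), here is the same per-client analysis in Python, which also reports each client's peak queries in any single minute, since an average over the whole log hides short bursts. It assumes the standard BIND 9 query-log line format (with or without the `@0x...` token that newer versions print before the address) and runs on constructed sample lines embedded in the file.

```python
import re
from collections import defaultdict
from datetime import datetime

# One BIND 9 query-log line; the "@0x..." token before the address is present in BIND 9.11+.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?:@0x[0-9a-f]+ )?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)')

def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d-%b-%Y %H:%M:%S')
    return ts, m.group('ip'), m.group('qname'), m.group('qtype')

def query_rates(lines):
    """Per client: total queries, average q/min over the log's span, peak q/min in any one minute."""
    per_minute = defaultdict(lambda: defaultdict(int))  # ip -> minute bucket -> query count
    first = last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _qname, _qtype = parsed
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        per_minute[ip][ts.replace(second=0)] += 1
    # Same whole-minute span as the shell script, floored at 1 to avoid dividing by zero
    span = max(1, int((last - first).total_seconds()) // 60) if first else 1
    return {ip: {'total': sum(m.values()), 'avg_qpm': sum(m.values()) // span,
                 'peak_qpm': max(m.values())} for ip, m in per_minute.items()}

# Constructed sample log lines (not from a real server); 198.51.100.7 bursts in the 13:02 minute.
SAMPLE_LOG = """\
06-Sep-2016 13:00:00.001 client 192.0.2.10#53124 (www.example.com): query: www.example.com IN A + (192.0.2.1)
06-Sep-2016 13:00:05.002 client 192.0.2.10#53125 (mail.example.com): query: mail.example.com IN MX + (192.0.2.1)
06-Sep-2016 13:00:30.003 client @0x7f3a1c001230 198.51.100.7#40001 (a1.example.net): query: a1.example.net IN A - (192.0.2.1)
06-Sep-2016 13:02:00.004 client @0x7f3a1c001230 198.51.100.7#40002 (a2.example.net): query: a2.example.net IN A - (192.0.2.1)
06-Sep-2016 13:02:01.005 client @0x7f3a1c001230 198.51.100.7#40003 (a3.example.net): query: a3.example.net IN A - (192.0.2.1)
06-Sep-2016 13:02:02.006 client @0x7f3a1c001230 198.51.100.7#40004 (a4.example.net): query: a4.example.net IN A - (192.0.2.1)
06-Sep-2016 13:02:10.007 client 198.51.100.7#40005: query failed (REFUSED) for a5.example.net at query.c:5428
06-Sep-2016 13:03:00.008 client 192.0.2.10#53126 (www.example.com): query: www.example.com IN A + (192.0.2.1)
"""

if __name__ == '__main__':
    for ip, r in sorted(query_rates(SAMPLE_LOG.splitlines()).items(), key=lambda kv: kv[1]['peak_qpm'], reverse=True):
        print(f"{ip:<18} total={r['total']:<4} avg/min={r['avg_qpm']:<4} peak/min={r['peak_qpm']}")
```

The two clients have the same average here, and only the peak column separates the bursting one from the steady one.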
