This week at work we fancied finding out what the top sites are on our network. An easy way to work this out is to enable query logging on our BIND server and then write a script to count the most frequent DNS queries.
To enable logging in BIND, add the following to your `/etc/bind/named.conf`:
```
logging {
    channel simple_log {
        file "/var/log/named/bind.log" versions 10 size 50m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default {
        simple_log;
    };
    category queries {
        simple_log;
    };
};
```
This writes a log entry every time a query is answered. We can then parse the log files with the following script to pull out just the queried domain name and a count:

```bash
#!/bin/bash
echo "Top 20 Domains"
echo ""
# The glob also picks up the rotated files (bind.log.0, bind.log.1, ...).
# The cut field depends on the query-log line format of your BIND version;
# sed strips only a leading "www." label (anchored, dot escaped).
cat /var/log/named/bind.log* | grep 'queries' | cut -d '/' -f 3 | sed 's/^www\.//' | sort | uniq -c | sort -nr | head -n 20
```

This script outputs the top 20 domains in descending order, with the number of queries next to each domain.
I then like to run the script every 2 minutes using watch.
```bash
watch -n 120 './bindLogCheck.sh'
```
Running this should give you output like this:

```
Top 20 Domains

   6782 example.net
    950 api.del.icio.us
    600 test.com
    600 something.com
    536 mail.google.com
    527 site.de
    526 alpha.com
    526 delta.com
    526 gamma.co.uk
    526 digitalforensicsmagazine.com
    386 pablumfication.co.uk
    200 google.com
    192 safebrowsing-cache.google.com
    189 safebrowsing.clients.google.com
     97 google-analytics.com
     83 facebook.com
     74 googleads.g.doubleclick.net
     74 bbc.co.uk
     70 uk.mg40.mail.yahoo.com
     70 capa.org
```
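As an added example that is not the post's own script, here is the same counting done in a way that does not depend on a fixed slash-separated field: it assumes the BIND 9 style query-log line (`client <ip>#<port>: query: <name> IN <type>`), keys on the `query:` token, and strips only a real leading `www.` label, so a name like `www2.example.org` is not mangled. It goes a little beyond the post by also counting per querying client, which is the first thing to check when one name dominates the list. The log lines are constructed for the demo.

```bash
#!/bin/bash
# Added example (not the original post's script). Assumes BIND 9 style
# query-log lines with print-time/print-category/print-severity enabled:
#   <time> queries: info: client <ip>#<port>: query: <name> IN <type> + (<server ip>)
# The log lines below are constructed for the demo.
SAMPLE_LOG='03-Mar-2011 10:00:01.123 queries: info: client 192.0.2.10#5353: query: www.example.net IN A + (192.0.2.1)
03-Mar-2011 10:00:02.456 queries: info: client 192.0.2.11#5354: query: example.net IN AAAA + (192.0.2.1)
03-Mar-2011 10:00:03.001 queries: info: client 192.0.2.12#5355: query: www.example.net IN A + (192.0.2.1)
03-Mar-2011 10:00:03.500 queries: info: client 192.0.2.10#5356: query: www2.example.org IN A + (192.0.2.1)
03-Mar-2011 10:00:04.200 queries: info: client 192.0.2.11#5357: query: test.com IN A + (192.0.2.1)
03-Mar-2011 10:00:05.000 general: info: running
03-Mar-2011 10:00:06.700 queries: info: client 192.0.2.10#5358: query: test.com IN MX + (192.0.2.1)'

# top_domains LOGTEXT N: print "<count> <name>" for the N most queried names.
# awk picks the token after "query:", so non-query lines (e.g. the "general:"
# line above) are skipped and no fixed field position is needed. sed strips
# only an anchored leading "www." so www2.example.org is left alone.
top_domains() {
  printf '%s\n' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "query:") { print $(i + 1); break } }' \
    | sed 's/^www\.//' \
    | sort | uniq -c \
    | sort -k1,1nr -k2,2 \
    | awk -v n="$2" 'NR <= n { print $1, $2 }'
}

# top_clients LOGTEXT N: same idea, keyed on the querying client address
# (the "#port:" suffix is dropped before counting).
top_clients() {
  printf '%s\n' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "client") { sub(/#.*/, "", $(i + 1)); print $(i + 1); break } }' \
    | sort | uniq -c \
    | sort -k1,1nr -k2,2 \
    | awk -v n="$2" 'NR <= n { print $1, $2 }'
}

top_domains "$SAMPLE_LOG" 20
top_clients "$SAMPLE_LOG" 5
```

Against real logs, pass the files in instead of the sample, e.g. `top_domains "$(cat /var/log/named/bind.log*)" 20`.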
Any questions or comments? As usual, I would love to hear them.
Thank you for the help!