This week at work we fancied figuring out what the top sites are on our network. We decided an easy way to work this out would be to enable query logging on our BIND server and then write a script to work out what the top DNS queries are.
To enable logging in BIND, add the following to your `/etc/bind/named.conf` (on Debian-style installs that file just includes `named.conf.options` and friends, so any of them will do). The directory `/var/log/named` has to exist and be writable by the user named runs as, otherwise named cannot open the channel and the log stays empty. Check the syntax with `named-checkconf` and apply it with `rndc reconfig` or a restart. Giving the `queries` category a channel is what switches query logging on; `rndc querylog` toggles it at runtime. Bear in mind that every query becomes a log line, which on a busy resolver is a noticeable amount of disk I/O, and that the file records which client asked for what, so treat it as sensitive data.

    logging {
        channel simple_log {
            file "/var/log/named/bind.log" versions 10 size 50m;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        category default { simple_log; };
        category queries { simple_log; };
    };
This writes one line every time a query is made, tagged with `queries:` because of `print-category yes` (the script below greps on that tag). We can then parse the log files with the following script to get just the queried name and a count.
    #!/bin/bash
    # bindLogCheck.sh: count the most-queried names in the BIND query log
    echo "Top 20 Domains"
    echo ""
    # bind.log* also picks up the rotated copies (bind.log.0, bind.log.1, ...)
    # that the "versions 10" setting keeps alongside the live file
    cat /var/log/named/bind.log* \
      | grep 'queries' \
      | cut -d '/' -f 3 \
      | sed 's/^www\.//' \
      | sort | uniq -c | sort -nr | head -n 20
This script outputs the top 20 names in descending order with the number of queries next to each name. The `www.` strip is anchored to the start of the name and the dot is escaped, so a name that merely starts with `www` (say `wwwtest.com`) is not mangled. Two things to check before trusting the numbers. First, `cut -d '/' -f 3` assumes the query line is slash-delimited (`/client/name/type/class`); current BIND 9 releases write `client 192.0.2.1#1234: query: example.com IN A ...` instead, so look at a line of your own log and adjust the field extraction if the layout differs. Second, the count is per query, not per client: a single chatty host (a mail server, a monitoring box, or a compromised machine beaconing to its controller) can push one name to the top on its own, which is worth remembering when a name you do not recognise is sitting at number one.
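The following is an added example, not the post's own bindLogCheck.sh. It keeps the same idea (extract the query name, count, sort) but reads the name by finding the `query:` token, so it works on the BIND 9 line layout `client ADDR#PORT ... query: NAME IN TYPE ...` (including the newer variant with a `@0x...` pointer after `client`), falls back to a slash-delimited `/client/name/type/class` line of the shape the post's `cut -d '/' -f 3` expects, and adds a distinct-client column plus a per-client count so a lone noisy host is visible. The log lines are constructed for the example, the address 192.0.2.53 and the function names are my own, and the assumption that your named writes one of those two layouts is exactly that, an assumption to check against a real line.

```shell
#!/bin/bash
# Added example, not the original bindLogCheck.sh: parse BIND query-log lines
# into "name client" pairs, then count queries and distinct clients per name.
set -u

# Constructed sample log (not real traffic). Lines 1-8 use the BIND 9
# "queries" category layout, line 7 the newer variant with a "@0x..." pointer
# after "client"; the last line is a slash-delimited entry of the shape the
# post's "cut -d '/' -f 3" expects. Mixed case, a trailing dot and a name
# that merely starts with "www" are there on purpose.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
18-Mar-2010 09:00:01.123 queries: info: client 192.0.2.10#51234: query: www.example.net IN A + (192.0.2.53)
18-Mar-2010 09:00:02.456 queries: info: client 192.0.2.10#51235: query: example.net IN AAAA + (192.0.2.53)
18-Mar-2010 09:00:03.789 queries: info: client 192.0.2.11#40001: query: mail.google.com IN A + (192.0.2.53)
18-Mar-2010 09:00:04.000 queries: info: client 192.0.2.12#40002: query: Example.NET. IN A + (192.0.2.53)
18-Mar-2010 09:00:05.000 queries: info: client 192.0.2.12#40003: query: wwwtest.com IN A + (192.0.2.53)
18-Mar-2010 09:00:06.000 queries: info: client 192.0.2.13#40004: query: 10.2.0.192.in-addr.arpa IN PTR + (192.0.2.53)
18-Mar-2010 09:00:07.000 queries: info: client @0x7f3a1c0b2e40 192.0.2.11#40005 (xj3k9q.example.org): query: xj3k9q.example.org IN A +E(0)K (192.0.2.53)
18-Mar-2010 09:00:08.000 queries: info: client 192.0.2.11#40006: query: example.net IN MX + (192.0.2.53)
XX /192.0.2.14/www.example.net/A/IN
EOF

# extract_queries LOGFILE -> one "name client" line per query, name normalised
extract_queries() {
  awk '
    {
      name = ""; client = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "query:" && i < NF) name = $(i + 1)
        if ($i == "client" && i < NF) {
          client = $(i + 1)
          # newer BIND 9 releases log "client @0x... ADDR#PORT (name):"
          if (client ~ /^@/ && i + 1 < NF) client = $(i + 2)
          sub(/#.*/, "", client)
        }
      }
      # fall back to the slash-delimited layout: /client/name/type/class
      if (name == "") {
        n = split($0, f, "/")
        if (n >= 3 && f[3] ~ /^[A-Za-z0-9._-]+$/) { client = f[2]; name = f[3] }
      }
      if (name == "") next
      name = tolower(name)
      sub(/\.$/, "", name)      # strip the trailing dot of an absolute name
      sub(/^www\./, "", name)   # anchored and escaped: wwwtest.com survives
      print name, client
    }' "$1"
}

# top_domains LOGFILE [N] -> "queries distinct_clients name", busiest first.
# Ties are broken by name so the output is stable between runs.
top_domains() {
  extract_queries "$1" \
    | awk '{ q[$1]++; k = $1 SUBSEP $2; if (!(k in seen)) { seen[k] = 1; c[$1]++ } }
           END { for (name in q) print q[name], c[name], name }' \
    | LC_ALL=C sort -k1,1nr -k3,3 \
    | head -n "${2:-20}"
}

# top_clients LOGFILE [N] -> "queries client": the hosts generating the
# volume, which is what explains a lone name sitting at the top of the list.
top_clients() {
  extract_queries "$1" \
    | awk '$2 != "" { c[$2]++ } END { for (client in c) print c[client], client }' \
    | LC_ALL=C sort -k1,1nr -k2,2 \
    | head -n "${2:-20}"
}

# Usage: ./querylog_top.sh /var/log/named/bind.log 20
# With no argument the report runs on the constructed sample above.
echo "Top names (queries, distinct clients, name)"
top_domains "${1:-$SAMPLE_LOG}" "${2:-20}"
echo
echo "Top clients (queries, client)"
top_clients "${1:-$SAMPLE_LOG}" "${2:-20}"
```

On the sample, `example.net` comes out with 5 queries from 4 distinct clients, while `wwwtest.com` keeps its name; the unanchored `sed 's/www.//'` would have turned it into `est.com`. For the hunting use of the same log, sort the first column ascending (`sort -k1,1n`) instead: names asked for once, by one client, are where DGA and beaconing traffic tends to hide.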
I then like to run the script every 2 minutes using watch.
watch -n 120 './bindLogCheck.sh'
Running this should give you output like this:
    Top 20 Domains

       6782 example.net
        950 api.del.icio.us
        600 test.com
        600 something.com
        536 mail.google.com
        527 site.de
        526 alpha.com
        526 delta.com
        526 gamma.co.uk
        526 digitalforensicsmagazine.com
        386 pablumfication.co.uk
        200 google.com
        192 safebrowsing-cache.google.com
        189 safebrowsing.clients.google.com
         97 google-analytics.com
         83 facebook.com
         74 googleads.g.doubleclick.net
         74 bbc.co.uk
         70 uk.mg40.mail.yahoo.com
         70 capa.org
Any questions or comments, as usual I would love to hear them.
Thank you for the help!