GoAccess for DNS query logs (Bind9) #2346
Comments
Hello: I am trying to send it a different way. Thank you
It may be able to extract data from it. Could you please attach a file with some DNS entries on it? Thanks
Hi:
Thank you very much for helping in this challenge I have.
I have attached a ~1 hour sample of log entries (about 20 MB before creating the zip file).
It would be great to have a solution. There really is no solution today for looking at the DNS (Bind9) log entries. I spent a lot of time looking and it is really hard to find much of anything that would work unless you want to spend thousands of US dollars on a solution.
The key thing is really to understand at what time and date are the people who are doing queries. What is strange to me is that a lot of my queries seem to be for an older DNS server I had and it has not been operational for many months (207.140.111.251). The question is why and where are these people doing queries of it. It seems to be from all over the place.
Again, thank you for taking the time to look at the challenge I have.
Thank you.
Kevin
On 7/1/2022 6:26 PM, Gerardo O. wrote:
It may be able to extract data from it. Could you please attach a file with some DNS entries on it? Thanks
It looks like the attachment was not posted. You may need to post it via GitHub (attach files by dragging)... Thanks
Anyways, this should work for bind9 query log (assuming the following format):
run goaccess as:
Hello: The results from your answer were very IMPRESSIVE! I used the first example that was provided. I found that the biggest abusive group that was hitting my DNS server was out of a middle eastern country (IL). It was roughly 2,000 hits an hour for one specific IP address. I need to now look at the various IP addresses shown as the top query sources to see where they are from. I also need to get the script to present in a web format but I think I can solve that issue (it is easier to print that way). THANK YOU AGAIN !!! Kevin
Happy to hear that worked! For the html report, you can always pass
e.g., Closing this, feel free to reopen it if needed.
Hello Group:
Has anyone considered the use of GoAccess to study DNS queries?
I get a reasonable amount of queries (~50/second) on my public DNS server and while it is simple to create logs, the ability to display in some sort of usable fashion is a challenge. I was thinking that GoAccess would be a good tool as it is fast and the ability to customize the log format is very useful. That said, I have tried for several hours to create the script to do it and I keep getting a fatal error in the startup process.
Any ideas where I am going wrong? Perhaps it is right in front of me and I do not really understand the file parsing. One line of a DNS query is shown.
This is my simple script with all my notes on it (useful when on a single screen). The spacing of the fields is OK when used on a bigger monitor.
Thank you.
Kevin
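The analysis asked for in the opening post and worked out in the replies above (top query sources, the hours they are active, the mix of query types, and which clients are still sending queries to the retired address 207.140.111.251) can also be done directly from the Bind9 query log with a short script, independent of any GoAccess log format. The following is an added example written for this page; it is not GoAccess code, not the script from the original post, and not the log format Gerardo posted. It assumes the stock BIND 9 querylog line layout (with or without the `@0x...` client pointer that newer BIND versions print, and with or without a `queries: info:` category prefix), and that the trailing parenthesised address is the local server address the query arrived on. The log lines embedded in it are constructed for the example, not taken from the attached sample.

```python
"""Summarise BIND 9 query-log lines: who is querying, when, and which server address they hit.

Added example for this thread, not GoAccess code and not the poster's script.
Assumes the stock BIND 9 `querylog` line layout; sample lines below are constructed.
"""
import re
import sys
from collections import Counter
from datetime import datetime

# Matches both the old layout and the newer one with the "@0x..." client pointer:
#   01-Jul-2022 18:26:05.123 client 198.51.100.7#53412 (example.com): query: example.com IN A + (207.140.111.251)
#   01-Jul-2022 18:26:05.456 client @0x7f3c2c0a1010 198.51.100.7#53413 (example.com): query: example.com IN AAAA +E(0)K (207.140.111.251)
# An optional "queries: info:" category/severity prefix (print-category/print-severity) is skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+"
    r"(?: \S+: \S+:)? client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<client>[^#\s]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Constructed sample (assumption: this is what a BIND 9 querylog looks like, not the real attachment).
# 198.51.100.7 keeps querying the retired address 207.140.111.251; one non-query line is mixed in.
SAMPLE_LOG = """\
01-Jul-2022 18:26:05.123 client 198.51.100.7#53412 (example.com): query: example.com IN A + (207.140.111.251)
01-Jul-2022 18:26:05.456 client @0x7f3c2c0a1010 198.51.100.7#53413 (example.com): query: example.com IN AAAA +E(0)K (207.140.111.251)
01-Jul-2022 18:27:10.001 client 203.0.113.10#5000 (www.example.com): query: www.example.com IN A +E(0) (203.0.113.53)
01-Jul-2022 18:40:42.777 queries: info: client @0x7f3c2c0a2020 2001:db8::1#5353 (example.com): query: example.com IN MX + (203.0.113.53)
01-Jul-2022 19:02:00.000 client 198.51.100.7#53414 (example.com): query: example.com IN A + (207.140.111.251)
01-Jul-2022 19:02:00.000 client 198.51.100.7#53415 (example.com): query: example.com IN A + (207.140.111.251)
01-Jul-2022 19:05:31.900 zone example.com/IN: sending notifies (serial 2022070101)
01-Jul-2022 19:30:00.250 client 192.0.2.99#4444 (mail.example.com): query: mail.example.com IN A +E(0) (203.0.113.53)
"""


def parse_line(line):
    """Return the fields of one querylog line, or None for any other log line."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "client": m.group("client"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
        "server": m.group("server"),
    }


def summarize(lines, retired_server=None):
    """Aggregate queries per client, per hour, per (client, hour), per server address and per type.

    `retired_server` is an address that should no longer receive traffic; clients still
    sending to it are counted separately so they can be looked up or blocked."""
    stats = {
        "by_client": Counter(),
        "by_hour": Counter(),
        "by_client_hour": Counter(),
        "by_server": Counter(),
        "by_qtype": Counter(),
        "retired_clients": Counter(),
        "parsed": 0,
        "skipped": 0,
    }
    for line in lines:
        q = parse_line(line)
        if q is None:
            stats["skipped"] += 1          # non-query lines (notifies, zone transfers, ...)
            continue
        hour = q["ts"].strftime("%Y-%m-%d %H:00")
        stats["parsed"] += 1
        stats["by_client"][q["client"]] += 1
        stats["by_hour"][hour] += 1
        stats["by_client_hour"][(q["client"], hour)] += 1
        stats["by_server"][q["server"]] += 1
        stats["by_qtype"][q["qtype"]] += 1
        if retired_server and q["server"] == retired_server:
            stats["retired_clients"][q["client"]] += 1
    return stats


def report(stats, top=10):
    """Print the summary tables; hits per client per hour is the 'N hits an hour' figure."""
    print(f"parsed {stats['parsed']} queries, skipped {stats['skipped']} other lines")
    for name in ("by_client", "by_hour", "by_server", "by_qtype", "retired_clients"):
        print(f"\n{name}:")
        for key, n in stats[name].most_common(top):
            print(f"  {n:8d}  {key}")
    print("\nbusiest client-hours:")
    for (client, hour), n in stats["by_client_hour"].most_common(top):
        print(f"  {n:8d}  {client} during {hour}")


if __name__ == "__main__":
    # Usage: python bind_query_summary.py [/path/to/query.log]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE_LOG.splitlines()
    report(summarize(source, retired_server="207.140.111.251"))
```

The script deliberately skips lines it cannot parse and reports how many it skipped, which is the first thing to check when a real log yields suspiciously low counts: a different BIND version, a syslog prefix, or a non-default `querylog` layout will show up there rather than silently as zero traffic.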