Who here has used dnstop?



Hey All,

Who here has used dnstop before? I suspect BudMan has. Anyway, I want to filter it by Source and Query name on the TLD but ignore a certain one, say for example "local", because it fills up the logs. I want to ignore all the known TLDs, which there is a filter for, but go one step further and ignore the local one because it crowds the logs too much.

Here is an example of the output; I am trying to filter OUT the local entries.

Queries: 3 new, 468 total                                      Wed Oct  7 15:56:50 2015

Source        Query Name      Count      %   ######%
------------- ----------- --------- ------ ------
***.***.92.5    local              23    4.9   11.8
***.***.8.46    local               9    1.9   13.7
***.***.8.74    local               9    1.9   15.6
***.***.8.46    home                7    1.5   18.8
***.***.56.10   local               7    1.5   20.3
***.***.54.82   local               6    1.3   21.6
***.***.91.43   local               6    1.3   22.9
***.***.90.187  local               6    1.3   24.1
***.***.169.25  local               6    1.3   25.4
***.***.92.104  local               5    1.1   26.5
***.***.42.65   ip6.arpa            5    1.1   27.6
***.***.62.31   local               4    0.9   28.4
***.***.91.103  local               4    0.9   29.3
***.***.90.158  local               4    0.9   30.1
***.***.90.113  local               4    0.9   32.7
***.***.91.2    local               4    0.9   33.5
***.***.140.77  local               4    0.9   35.3
***.***.91.53   local               4    0.9   36.1
***.***.8.95    local               3    0.6   36.8
***.***.90.125  local               3    0.6   37.4
***.***.94.28   local               3    0.6   38.7

 


I have used it, sure.. but it's been a while. I could fire it up, but I'm pretty sure you cannot filter what you're after.. If you only wanted to filter on bogus stuff like localhost, sure, that works - what version are you using? Maybe they added some filters, but I do not recall a way to only count and display excluding your local domains..

You can up the level; looks like you're only displaying TLD? I think you can go up to 9th level or something, so one.two.three.four.five.six.seven.eight.tld or something like that. Looks like you're only looking at 1st level or you would see like host.local, etc..

Why are you hiding the source in your output - you're using public IP space that would do queries for something .local ???

 


What are you wanting to do exactly? If you know the breed of cat you're trying to skin, you can find the best ways to skin that particular breed of cat ;)

Why do you not care what your local boxes are doing queries for, and only outside stuff?  Keeping an eye on queries a machine does can be very useful - looking for old machines that no longer exist, etc..

What are you using for DNS? Bind and MS allow for logging of queries, dnsmasq as well, if you're trying to find a source of specific queries? Just looking in the cache of your DNS server can be very insightful to what domains machines are looking for..
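
The query-log route suggested in the reply above, as an added example that is not part of the original thread: it tallies source and TLD pairs from dnsmasq query logging while dropping chosen TLDs such as "local". It assumes dnsmasq's `log-queries` line format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in dnsmasq's log-queries format (documentation address ranges).
SAMPLE_LOG = """\
Oct  7 15:56:50 dnsmasq[812]: query[A] printer.local from 192.0.2.5
Oct  7 15:56:50 dnsmasq[812]: query[A] www.example.com from 192.0.2.46
Oct  7 15:56:50 dnsmasq[812]: forwarded www.example.com to 198.51.100.1
Oct  7 15:56:51 dnsmasq[812]: reply www.example.com is 203.0.113.10
Oct  7 15:56:51 dnsmasq[812]: query[AAAA] www.example.com from 192.0.2.46
Oct  7 15:56:52 dnsmasq[812]: query[A] nas.home from 192.0.2.46
Oct  7 15:56:53 dnsmasq[812]: query[PTR] 5.2.0.192.in-addr.arpa from 192.0.2.74
Oct  7 15:56:54 dnsmasq[812]: query[A] Laptop.LOCAL. from 192.0.2.74
""".splitlines()

# Only "query[TYPE] name from source" lines count; forwards and replies are skipped.
QUERY_RE = re.compile(r"query\[[^\]]+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

def suffix(name, level=1):
    """Last `level` labels of a query name, lower-cased, trailing dot removed."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p]
    return ".".join(labels[-level:]) if labels else "."

def tally(lines, ignore_tlds=("local",), level=1):
    """Count (source, name suffix) pairs, dropping queries under an ignored TLD."""
    ignored = {t.lower().strip(".") for t in ignore_tlds}
    counts = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and suffix(m["name"]) not in ignored:
            counts[(m["src"], suffix(m["name"], level))] += 1
    return counts

def report(counts):
    """Rows of (source, name, count, percent, cumulative percent), busiest first.
    Percentages are of the queries left after filtering, not of all queries."""
    total = sum(counts.values())
    rows, cum = [], 0.0
    for (src, name), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        pct = 100.0 * n / total
        cum += pct
        rows.append((src, name, n, round(pct, 1), round(cum, 1)))
    return rows

if __name__ == "__main__":
    for src, name, n, pct, cum in report(tally(SAMPLE_LOG)):
        print(f"{src:<15} {name:<12} {n:>5} {pct:>6} {cum:>6}")
```

Raising `level` keeps more labels of each name, so the hosts behind a noisy TLD stay visible when that TLD is not ignored.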
