Query log reports

If you log all the queries BIND receives, you can do some digging and get some stats:

    cat /var/log/bind/query.log | awk '{print $4}' | cut -d# -f1 | sort -n | uniq -c | sort -nr | head -20

This shows you the top 20 IP addresses querying your server.

Example output:

    root@ns1b:/var/log/bind# date; time cat /var/log/bind/query.log | awk '{print $4}' | cut -d# -f1 | sort -n | uniq -c | sort -nr | head -20
    Mon Apr 20 15:15:18 CDT 2015
      58580 208.81.7.150
      45500 199.87.154.255
      21644 208.81.1.148
      18454 199.87.156.58
      18206 208.81.1.45
      13669 199.87.155.106
       8362 199.87.156.143
       8110 199.87.155.30
       7638 199.87.155.125
       6763 199.87.154.242
       6449 199.87.155.230
       5388 199.87.155.62
       5085 199.87.156.178
       4914 199.87.155.57
       4789 199.87.156.37
       4690 199.87.155.243
       4394 199.87.155.248
       4228 199.87.155.91
       4133 199.87.156.137
       4096 199.87.156.45

    real   0m9.698s
    user   0m9.892s
    sys    0m0.584s
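
The one-liner above depends on the client address being the fourth field, which changes if the logging channel also prints category/severity or if the BIND version logs a client pointer (`@0x...`) before the address. The following is an added example, not part of the original page: it finds the `ADDR#PORT` token after the word `client` wherever it sits, and adds a second report showing what one busy client is asking for. The names `PARSE`, `top_clients`, `top_names_for` and `sample_log` are hypothetical, and the log lines are constructed samples.

```shell
# Added example: position-independent "top talkers" report for a BIND query log.
# Assumption: query lines look like
#   ... client [@0xPTR] ADDR#PORT (NAME): query: NAME CLASS TYPE FLAGS (SERVER)
PARSE='
function parse(   i, j, a) {
    addr = qname = qtype = ""
    for (i = 1; i < NF; i++) {
        if ($i == "client" && addr == "") {
            j = i + 1
            if ($j ~ /^@0x/) j++        # skip the client object pointer if present
            if (split($j, a, "#") == 2) addr = a[1]   # works for IPv4 and IPv6
        } else if ($i == "query:" && i + 3 <= NF) {
            qname = $(i + 1); qtype = $(i + 3)
        }
    }
    return addr != "" && qname != ""    # 0 for non-query lines, which are skipped
}
'

# top_clients LOG [N]: print "COUNT ADDR" for the N busiest clients (default 20).
top_clients() {
    awk "$PARSE"'parse() { c[addr]++ }
        END { for (k in c) print c[k], k }' "$1" |
        LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-20}"
}

# top_names_for LOG ADDR [N]: print "COUNT NAME TYPE" for one client's top queries.
top_names_for() {
    awk -v want="$2" "$PARSE"'parse() && addr == want { c[qname " " qtype]++ }
        END { for (k in c) print c[k], k }' "$1" |
        LC_ALL=C sort -k1,1nr -k2 | head -n "${3:-10}"
}

# Constructed sample input mixing both line layouts plus one non-query line.
sample_log() {
    cat <<'EOF'
20-Apr-2015 15:15:18.101 client 192.0.2.10#53124 (example.com): query: example.com IN A +E (192.0.2.1)
20-Apr-2015 15:15:18.102 client 192.0.2.10#53125 (example.com): query: example.com IN A +E (192.0.2.1)
20-Apr-2015 15:15:18.300 queries: info: client @0x7f3c1c0a 192.0.2.10#40001 (example.net): query: example.net IN AAAA +E(0) (192.0.2.1)
20-Apr-2015 15:15:18.400 queries: info: client @0x7f3c1c0b 2001:db8::53#40002 (example.org): query: example.org IN MX + (192.0.2.1)
20-Apr-2015 15:15:18.500 client 198.51.100.7#1234 (example.com): query: example.com IN A + (192.0.2.1)
20-Apr-2015 15:15:18.600 queries: info: client @0x7f3c1c0c 2001:db8::53#40003 (example.org): query: example.org IN MX + (192.0.2.1)
20-Apr-2015 15:15:19.000 general: info: zone example.com/IN: loaded serial 2015042001
EOF
}
```

On a real server, source the file and run `top_clients /var/log/bind/query.log 20`, then pass an address from that list to `top_names_for` to see which names it is requesting.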