Originally published September 6, 2016 @ 12:59 am

The little script (dns_qpm2) below will look through your BIND query logs and calculate average query-per-minute rate for the given clients.e Nothing fancy, but can be useful in identifying the heavy-hitters.

#!/bin/bash
d="/var/log/named"
f="${d}/query_log"
IFS=$'\n' ; a=($(grep -oPh "(?<=client )([0-9]{1,3}\.){3}([0-9]{1,3})(?=#)" "${f}" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq)) ; unset IFS
printf '%s\n' ${a[@]} | while read client
do
fqdn=$(dig +short -x ${client} 2>/dev/null | sed 's/\.$//g')
if [ -z "${fqdn}" ] ; then fqdn="${client}" ; fi
cn=$(grep -c "client ${client}#" ${f})
timediff="$(echo "scale=0;$(echo "$(date -d "$(tail -1 ${f} | awk '{print $1,$2}')" +%s)-\
$(date -d "$(head -1 ${f} | awk '{print $1,$2}')" +%s)"|bc -l)"/60*1|bc -l)"
printf "%-18s %-46s %-12s" "${client}" "${fqdn}" "${cn}"
echo "scale=0;$(grep -c "client ${client}#" ${f})/${timediff}*1"| bc -l | sort -n | awk '
BEGIN {
c = 0;
sum = 0;
}
$1 ~ /^([-+])?[0-9]*(\.[0-9]*)?$/ {
a[c++] = $1;
sum += $1;
}
END {
ave = sum / c;
printf("%.0f\n",ave);
}'
done | sort -k3nr | (echo "IP FQDN Q Q/min" && cat) | column -t