Originally published January 27, 2017 @ 1:29 am

Recently I’ve been decommissioning old DNS servers and those things are notoriously hard to get rid of. The problem was that the IP addresses could not be preserved. I needed to track down every incoming DNS request, figure out what is sending them and why, and point that client to the new DNS server IPs.

Analyzing DNS logs is certainly helpful. However, sometimes it’s also useful to be able to watch DNS queries in real time. Below is a quick script that uses tshark to do just that. It will listen on the default NIC for one minute and tell you which external systems have sent DNS queries.

tshark -nn -i $(route | grep -m1 ^default | awk '{print $NF}') -a duration:10 \
-T fields -e ip.src -e dns.qry.name -R "dns.flags.response eq 0" \
-E separator="," 2>/dev/null | awk -F',' '{print $1}' | sort | grep -v \
"$(ifconfig | sed -En 's/;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*//p')" | uniq -c | while read a b ; \
do echo "${a} $(h="$(dig +short -x ${b} | head -1)"; if [ -z "${h}" ]; then echo ${b}; else echo ${h}; fi)" ; \
done | sort -nr | column -t ; /bin/rm -f /tmp/ether* 2>/dev/null