Originally published January 27, 2017 @ 1:29 am

Recently I’ve been decommissioning old DNS servers, and those things are notoriously hard to get rid of. The problem was that the IP addresses could not be preserved. I needed to track down every incoming DNS request, figure out what was sending it and why, and point that client at the new DNS server IPs.

Analyzing DNS logs is certainly helpful. However, sometimes it’s also useful to watch DNS queries in real time. Below is a quick script that uses tshark to do just that. It captures on the default-route interface for ten seconds (change the -a duration: value to capture longer), keeps only DNS queries rather than responses, drops this host's own addresses from the list of sources, and prints the querying systems by query count, reverse-resolved where a PTR record exists. Packet capture needs root or the cap_net_raw capability; if you get no output at all, remove the 2>/dev/null so tshark's own error messages are visible. Current tshark builds want -Y for the display filter: the older -R form exits with an error unless -2 is added, so -Y is used here.

# Capture DNS queries on the default-route interface for 10 seconds (change -a duration:)
# and list the querying hosts, reverse-resolved where possible, busiest first.
IFACE=$(route | awk '/^default/ {print $NF; exit}')
# This host's IPv4 addresses, one per line with loopback excluded, so its own queries are dropped below.
MYIPS=$(ifconfig | sed -En 's/.*inet (addr:)?(([0-9]+\.){3}[0-9]+).*/\2/p' | grep -v '^127\.')
tshark -n -i "$IFACE" -a duration:10 -f 'port 53' -Y 'dns.flags.response == 0' \
  -T fields -e ip.src -e dns.qry.name -E separator=, 2>/dev/null \
| cut -d, -f1 | grep -vxF "$MYIPS" | sort | uniq -c \
| while read -r count ip; do
    host=$(dig +short -x "$ip" | head -1)   # PTR name, or empty if there is none
    echo "$count ${host:-$ip}"
  done | sort -nr | column -t
/bin/rm -f /tmp/ether* 2>/dev/null   # temp capture files left behind by old tshark builds
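The one-liner above throws the query name away, which answers "who is asking" but not "why". The script below is an added example, not part of the original post: it post-processes the same two-column tshark output (ip.src,dns.qry.name) and reports each client together with the names it asked for, excluding this host's own addresses by exact match (so 10.0.0.1 does not also hide 10.0.0.10). The sample input is constructed, with 192.168.1.1 standing in for the capturing host; the live branch assumes iproute2 (ip route, ip addr) rather than the older route/ifconfig and only runs when LIVE_CAPTURE=1 is set, because it needs capture privileges.

```shell
#!/bin/sh
# Added example: per-client breakdown of DNS query names from tshark field output.
# Not the original post's one-liner; see the lead-in for what it assumes.

# Constructed sample of what
#   tshark -T fields -e ip.src -e dns.qry.name -E separator=,
# prints for five queries. 192.168.1.1 plays the role of this host.
SAMPLE='10.0.0.5,www.example.com
10.0.0.5,mail.example.com
10.0.0.5,www.example.com
10.0.0.9,ntp.example.org
192.168.1.1,www.example.com'

# This host's IPv4 addresses, one per line, loopback excluded (assumes iproute2).
local_ipv4_addrs() {
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); if ($4 != "127.0.0.1") print $4 }'
}

# queries_by_client LOCALIPS < tshark-output
# Prints "count client name" for every (client, name) pair, busiest first.
# LOCALIPS is a whitespace/newline separated list of addresses to skip, matched exactly.
queries_by_client() {
    awk -F, -v skip="$1" '
        BEGIN {
            n = split(skip, a, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") mine[a[i]] = 1
        }
        NF >= 2 && !($1 in mine) { c[$1 "," $2]++ }
        END {
            for (k in c) { split(k, p, ","); printf "%d %s %s\n", c[k], p[1], p[2] }
        }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# clients_by_count LOCALIPS < tshark-output
# Totals per client, the view the original one-liner gives (without the reverse lookup).
clients_by_count() {
    queries_by_client "$1" \
    | awk '{ total[$2] += $1 } END { for (c in total) print total[c], c }' \
    | sort -k1,1nr -k2,2
}

if [ "${LIVE_CAPTURE:-0}" = 1 ]; then
    # Live run (needs root or cap_net_raw): capture on the default-route interface
    # for DURATION seconds (default 10), queries only, then summarize.
    IFACE=$(ip route show default | awk '{ print $5; exit }')
    tshark -n -i "$IFACE" -a duration:"${DURATION:-10}" -f 'port 53' \
        -Y 'dns.flags.response == 0' -T fields -e ip.src -e dns.qry.name -E separator=, \
    | queries_by_client "$(local_ipv4_addrs)"
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE" | queries_by_client "192.168.1.1"
fi
```

Run it offline to see the breakdown for the sample, or with LIVE_CAPTURE=1 DURATION=60 (as root) to watch a real interface for a minute. Feeding the output of clients_by_count through the dig loop from the original script gives the same reverse-resolved listing as before, now with exact-match exclusion of the local addresses.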