On 1/24/2009 at 4:50 PM, Brian Keefer <chort@smtps.net> wrote: Caveat: my PERL is _terrible_.
http://www.smtps.net/pub/dns-amp-watch.pl
This assumes you're using BIND. My logs roll on the hour, so I run it from cron at 1 minute before the hour. Depending on how long it takes to process your logs, you might need to tweak.
FWIW, I find it easier to track this using tcpdump. I don't like running BIND with query logging. Here's a filter that catches these:

port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)

How it works is left as an exercise for the reader. When I sniff the link to a server authoritative for several domains:

17:29:55.792127 IP 72.249.127.168.3966 > 206.220.220.100.53: 18501+ NS? . (17)
17:29:57.116367 IP 69.64.87.156.58419 > 206.220.220.100.53: 62419+ NS? . (17)
17:29:57.804987 IP 72.249.127.168.33108 > 206.220.220.100.53: 4637+ NS? . (17)
17:29:58.959680 IP 72.20.3.82.23084 > 206.220.220.100.53: 14310+ NS? . (17)
17:29:59.818994 IP 72.249.127.168.60876 > 206.220.220.100.53: 22791+ NS? . (17)
17:30:01.622728 IP 69.64.87.156.30151 > 206.220.220.100.53: 13557+ NS? . (17)
17:30:01.628899 IP 72.20.3.82.49015 > 206.220.220.100.53: 14250+ NS? . (17)
17:30:01.821214 IP 72.249.127.168.13831 > 206.220.220.100.53: 51065+ NS? . (17)
17:30:03.342856 IP 69.64.87.156.1926 > 206.220.220.100.53: 38768+ NS? . (17)
17:30:03.818706 IP 72.249.127.168.33663 > 206.220.220.100.53: 12720+ NS? . (17)
17:30:05.186647 IP 72.20.3.82.7649 > 206.220.220.100.53: 52079+ NS? . (17)
17:30:05.815718 IP 72.249.127.168.37241 > 206.220.220.100.53: 345+ NS? . (17)
17:30:07.816144 IP 72.249.127.168.23784 > 206.220.220.100.53: 56874+ NS? . (17)
17:30:07.849503 IP 69.64.87.156.33190 > 206.220.220.100.53: 20113+ NS? . (17)
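The following Python is an added worked example, not code from either poster or from the dns-amp-watch.pl script linked above. It builds standard-query UDP datagrams for the "NS? ." probe shown in the tcpdump output, re-implements the posted BPF expression byte-for-byte so the udp[] offsets can be read off against the DNS header layout, prints each question the way tcpdump's one-line decoder does, and tallies filter hits per source the way a watch script would. The source addresses, transaction IDs and the function names are constructed for the example; the BPF filter never looks at the IP header, so the source address is carried alongside each datagram here.

```python
import struct

# Query types a reader is likely to meet; anything else prints as TypeN, as tcpdump does.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 255: "ANY"}


def build_udp_dns_query(qname, qtype, txid=0x1234, sport=3966, dport=53, flags=0x0100):
    """Return a UDP datagram (8-byte UDP header + DNS message) carrying one question.

    Constructed test data, not captured traffic. The UDP checksum is left at zero.
    flags=0x0100 is a standard query with RD set; QDCOUNT is 1, the other counts 0.
    """
    dns_header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    # QNAME is a run of length-prefixed labels ending in a zero byte; "." is just that zero byte.
    labels = b""
    for label in qname.rstrip(".").split("."):
        if label:
            labels += bytes([len(label)]) + label.encode("ascii")
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN
    dns = dns_header + question
    udp_header = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0)
    return udp_header + dns


def matches_amp_filter(udp):
    """Replicate the posted BPF expression in Python:

        port 53 && (udp[10:4] == 0x01000001) && (udp[20:2] == 0x0000)

    Offsets are counted from the start of the UDP header, as tcpdump's udp[] does:
      udp[0:2], udp[2:2]  source / destination port
      udp[10:2]           DNS flags   (0x0100 = standard query, RD set, not a response)
      udp[12:2]           DNS QDCOUNT (0x0001 = exactly one question)
      udp[20]             first byte of QNAME (0x00 = the root label ".")
      udp[21]             high byte of QTYPE (0x00 for any type below 256, NS included)
    """
    if len(udp) < 22:
        return False
    sport, dport = struct.unpack_from("!HH", udp, 0)
    if sport != 53 and dport != 53:
        return False
    flags_and_qdcount = struct.unpack_from("!I", udp, 10)[0]
    qname_start = struct.unpack_from("!H", udp, 20)[0]
    return flags_and_qdcount == 0x01000001 and qname_start == 0x0000


def _parse_qname(buf, off):
    """Decode an uncompressed QNAME at buf[off]; return (dotted name, offset past it)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return (".".join(labels) + "." if labels else "."), off


def describe_query(udp):
    """Render the question like tcpdump's one-line DNS decoder, e.g. '18501+ NS? .'."""
    txid, flags = struct.unpack_from("!HH", udp, 8)
    qname, off = _parse_qname(udp, 20)
    qtype = struct.unpack_from("!H", udp, off)[0]
    rd = "+" if flags & 0x0100 else ""
    return f"{txid}{rd} {QTYPE_NAMES.get(qtype, f'Type{qtype}')}? {qname}"


def tally_by_source(packets):
    """Count filter hits per source; packets is an iterable of (src_ip, udp_bytes)."""
    counts = {}
    for src, udp in packets:
        if matches_amp_filter(udp):
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed samples on documentation addresses; these are not the hosts from the thread.
SAMPLES = [
    ("192.0.2.10", build_udp_dns_query(".", 2, txid=18501, sport=3966)),    # NS? .   -> hit
    ("192.0.2.10", build_udp_dns_query(".", 2, txid=4637, sport=33108)),    # NS? .   -> hit
    ("192.0.2.20", build_udp_dns_query(".", 255, txid=62419)),              # ANY? .  -> hit too
    ("198.51.100.5", build_udp_dns_query("www.example.com", 1, txid=100)),  # A? name -> miss
    ("198.51.100.5", build_udp_dns_query(".", 2, txid=100, flags=0x8180,
                                         sport=53, dport=40000)),           # a response -> miss
]

if __name__ == "__main__":
    for src, udp in SAMPLES:
        print(f"{src:>14}  {describe_query(udp):<22} ({len(udp) - 8})  "
              f"match={matches_amp_filter(udp)}")
    print(tally_by_source(SAMPLES))
```

Two things worth noticing when reading the offsets: the 17-byte payload in the capture is exactly the 12-byte DNS header plus a 5-byte question (one zero byte for the root name, two for QTYPE, two for QCLASS), and udp[20:2] == 0x0000 only pins the root label and the high byte of QTYPE, so an ANY query for "." is caught alongside NS. The filter also ignores responses, because udp[10:2] would carry the QR bit (0x8000) set.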