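#!/bin/bash
# nothink.org
#
# Summarise a BIND query log: top-N queried names, source addresses,
# record types, source ports and query flags.
#
# Usage: <script> <logfile> [limit]     (limit defaults to 20)
#
# Bind setting: /etc/bind/named.conf.local
#
# logging {
#   channel "querylog" {
#     file "/var/log/bind/queries.log";
#     severity dynamic;
#     print-time yes;
#   };
#   category queries {
#     querylog;
#   };
# };
#
# Log example:
# 20-Sep-2010 11:22:48.659 client 1.2.3.4#35944: query: google.org IN A + (1.1.1.1)
#
# Whitespace-separated fields of that line, as used by awk below:
#   $4 = 1.2.3.4#35944:   (source address, '#', source port, ':')
#   $6 = google.org       (queried name)
#   $8 = A                (record type)
#   $9 = +                (query flags)
# NOTE(review): the field positions come from the example above; other BIND
# releases may emit additional tokens after "client" — confirm against the
# log actually being analysed before trusting the tables.

# Abort on unset variables. -e/pipefail are deliberately not set: an empty
# log makes grep exit 1 inside the pipelines, which is not an error here.
set -u

# Print usage to stderr and exit 1.
usage() {
  printf 'Usage: %s <logfile> [limit]\n' "$0" >&2
  exit 1
}

# Print an error message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ -n "${1-}" ] || usage

# The log path and its contents are untrusted input: every expansion is
# quoted and '--' ends option parsing so a name such as "-r" is not read as
# an option. Log data only ever flows through pipelines as data, never into
# a printf format string or eval.
[ -f "$1" ] || die "Error: log file '$1' not exist!"
LOG_FILE=$1

# Number of rows per table; must be a whole number because it feeds head -n.
LIMIT=${2:-20}
[[ "$LIMIT" =~ ^[0-9]+$ ]] || die "Error: limit '$LIMIT' is not a whole number"

# Print the header of a "TOP <LIMIT> <what>" table.
section() {
  printf '\n TOP %s %s' "$LIMIT" "$1"
  printf '\n--------------------------------------\n'
}

# Emit only the "client" lines of the log (the query records).
query_lines() {
  grep -F -- 'client' "$LOG_FILE"
}

# Rank the values read on stdin by frequency, most frequent first,
# keeping LIMIT rows.
top_n() {
  sort | uniq -c | sort -nr | head -n "$LIMIT"
}

section 'FQDN'
query_lines | awk '{print $6}' | top_n

section 'SRC'
query_lines | awk '{print $4}' | cut -f 1 -d '#' | top_n

section 'TYPE'
query_lines | awk '{print $8}' | top_n

section 'SRC PORT'
query_lines | awk '{print $4}' | cut -f 2 -d '#' | cut -f 1 -d ':' | top_n

section 'SRC FLAG'
# $9 normally contains no '#', in which case cut passes it through unchanged.
query_lines | awk '{print $9}' | cut -f 2 -d '#' | top_n

printf '\n'
exit 0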