Top DNS Measurement


This script uses a built-in probabilistic measurement mechanism in Bro to
measure the top DNS requests (by type of query, i.e., CNAME, A, AAAA, etc.) being made over a definable period of time. The results are logged into a new log named "top_dns.log".

Using the probabilistic mechanism makes this task achievable in a
memory-efficient manner, and loading this script shouldn't have any truly
significant performance impact on most deployments.


bro-pkg refresh
bro-pkg install bro/corelight/top-dns


If you would like to change the logging/measurement interval, use the following snippet (default is 15 minutes):

redef TopDNS::logging_interval = 1hr;

If you would like to log more or less than the default of 10 names for each
query type, you can use the following snippet:

redef TopDNS::top_k = 20;

If you would like to add something like MX record queries to be measured, you
can add the following snippet:

redef TopDNS::records += {"MX"};

By default this package will measure based on the full domain. If you'd like to measure based on the name trimmed down to the "domain" ( would be
trimmed to ), you can use the following snippet in local.bro:

redef TopDNS::use_trimmed_domain = T;
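To illustrate how the probabilistic mechanism described above works, and how options such as the interval, top-k size and record set feed into it, here is an added sketch of the same idea written against Bro's SumStats framework. It is not the package's own code; the module name, the stream name and the default values are assumptions for the example.

```bro
@load base/frameworks/sumstats
@load base/protocols/dns

module TopDNSExample;

export {
    ## Number of names kept per query type (assumed default).
    const top_k = 10 &redef;
    ## How often the top list is emitted (assumed default).
    const logging_interval = 15min &redef;
    ## Query types to measure (assumed starting set).
    const records: set[string] = { "A", "AAAA", "CNAME" } &redef;
}

event bro_init()
    {
    # One reducer: a probabilistic top-k over observed query names.
    # SumStats::TOPK keeps bounded memory regardless of how many
    # distinct names are seen.
    local r = SumStats::Reducer($stream="topdns.query",
                                $apply=set(SumStats::TOPK),
                                $topk_size=top_k);

    SumStats::create([$name="topdns",
                      $epoch=logging_interval,
                      $reducers=set(r),
                      # Called once per key (here: query type) at the end of each epoch.
                      $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) =
                          {
                          local tk = result["topdns.query"]$topk;
                          local top: vector of SumStats::Observation;
                          top = topk_get_top(tk, top_k);
                          for ( i in top )
                              # The count is an estimate; epsilon bounds its error.
                              print fmt("%s %s count=%d (+/- %d)", key$str, top[i]$str,
                                        topk_count(tk, top[i]), topk_epsilon(tk, top[i]));
                          }]);
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    if ( qtype !in DNS::query_types )
        return;
    local qt = DNS::query_types[qtype];
    # Only feed the query types the operator asked to measure.
    if ( qt in records )
        SumStats::observe("topdns.query", [$str=qt], [$str=query]);
    }
```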

Package Version :