统计客户端查询的DNS域名

admin · 发表于 2021-9-2 16:53

#!/bin/sh
#使用方法:
#mac-zhujiming.txt这个文件里面的mac地址对应的主机名可以自己定义,个人更建议在DHCP静态分配那里添加
#先取上次的时间
file="/tmp/dnschaxunjilu/shijian.txt"
if [ -f "$file" ]
then
shangcishijian=`cat /tmp/dnschaxunjilu/shijian.txt`
else
mkdir /tmp/dnschaxunjilu
shangcishijian=0
fi
#zhujiming=`cat /root/dnschaxunjilu/mac-zhujiming.txt` #操这里的隐藏bug真恶心用cat抓取文件内容赋值给变量会自动删除换行符
#然后把这次运行的时间保存到文件里面,以供下次使用
date "+%Y%m%d%H%M%S" >/tmp/dnschaxunjilu/shijian.txt
#today=`date "+%Y %m %d %H %M %S"`
#today_sec=`date "+%s"` #这个表示现在距离1970年的秒数
logread |grep dnsmasq |grep -v reply|grep query |grep -v 127.0.0.1 |grep -v "::1" |grep -v "192.168.11.21#5353"|awk '{print $5,$2,$3,$4,$10,$11,$13}' | while read line
do
#时间比较
nian=`echo $line |awk '{print $1}'`
yue=`echo $line |awk '{print $2}'` #月用的是英文表示
ri=`echo $line |awk '{print $3}'`
shi=`echo $line |awk '{print $4}' |awk -F: '{print $1}'`
fen=`echo $line |awk '{print $4}' |awk -F: '{print $2}'`
miao=`echo $line |awk '{print $4}' |awk -F: '{print $3}'`
if [ "$yue" = "Jan" ]
then
yue=1
elif [ "$yue" = "Feb" ]
then
yue=2
elif [ "$yue" = "Mar" ]
then
yue=3
elif [ "$yue" = "Apr" ]
then
yue=4
elif [ "$yue" = "May" ]
then
yue=5
elif [ "$yue" = "Jun" ]
then
yue=6
elif [ "$yue" = "Jul" ]
then
yue=7
elif [ "$yue" = "Aug" ]
then
yue=8
elif [ "$yue" = "Sep" ]
then
yue=9
elif [ "$yue" = "Oct" ]
then
yue=10
elif [ "$yue" = "Nov" ]
then
yue=11
elif [ "$yue" = "Dec" ]
then
yue=12
fi
#补位
if [ "$yue" -lt 10 ]
then
yuebuwei=0
fi
if [ "$ri" -lt 10 ]
then
ribuwei=0
fi
bencishijian=`echo $nian$yuebuwei$yue$ribuwei$ri$shi$fen$miao`
#echo $bencishijian"----"$shangcishijian
if [ $bencishijian -gt $shangcishijian ]
then
#echo $line >>/root/dnschaxunjilu/all.txt
#echo $bencishijian"大于"$shangcishijian
#取客户端的ip地址
kehuduanip=`echo $line | awk '{print $7}'`
#如果IP地址是IPV6的,则找到对应的IPV4地址方法是先找到mac,再通过MAC从arp表找到IP 最终是通过IPV4地址找主机名,因为现阶段IPV4是必须配置的
macdizhi6=`ip -6 neigh |grep -v FAILED |grep -v "00:00:00:00:00:00"|awk '{print $1,$5}' |grep $kehuduanip" " |awk '{print $2}' `
macdizhi4=`cat /proc/net/arp |grep -v "00:00:00:00:00:00"|awk '{print $1,$4}' |grep $kehuduanip" " |awk '{print $2}'`
macdizhi=`echo $macdizhi6`
#echo $kehuduanip" "$macdizhi4" "$macdizhi6 >>/root/dnschaxunjilu/temp_jilumeitiaoshuju.txt
if [ "$macdizhi6" != "" ]
then
#echo "通过IPV6地址的MAC"$macdizhi6"IPV6地址是"$kehuduanip >>/root/dnschaxunjilu/temp2.txt
kehuduanip=`cat /proc/net/arp |awk '{print $1,$4}' |grep $macdizhi6 |awk '{print $1}'`
#echo "找到对应的IPV4地址是"$kehuduanip >>/root/dnschaxunjilu/temp2.txt
else
#说明macdizhi4是存在的
macdizhi=`echo $macdizhi4`
fi
#echo "现在客户端ipv4是"$kehuduanip"mac地址是"$macdizhi >>/root/dnschaxunjilu/temp2.txt
#先从自定义里面找主机名
zhujimingwenjian=`cat /root/dnschaxunjilu/mac-zhujiming.txt |grep $macdizhi` #操这里的隐藏bug真恶心我原本配合上面的变量写的是 echo $zhujiming |grep $macdizhi
#echo "在主机名文件mac-zhujiming.txt里面找到的结果是"$zhujimingwenjian >>/root/dnschaxunjilu/temp2.txt
if [ "$zhujimingwenjian" != "" ]
then
zhujiming=`echo $zhujimingwenjian|awk '{print $2}'`
echo $line >>/root/dnschaxunjilu/jilu/$zhujiming.txt
#echo "主机名是"$zhujiming >>/root/dnschaxunjilu/temp2.txt
else
#从DHCP静态分配里面找
hostsjieguo=`cat /var/hosts/dhcp.* |grep -v ^# |grep .lan| awk -F.lan '{print $1}' | grep $kehuduanip`
#echo "在主机名文件和DHCP都没有找到,在静态分配里面找到"$hostsjieguo >>/root/dnschaxunjilu/temp2.txt
if [ "$hostsjieguo" != "" ]
then
zhujiming=`echo $hostsjieguo|awk '{print $2}'`
echo $line >>/root/dnschaxunjilu/jilu/$zhujiming.txt
#找到了的话就把这个添加到temp.txt
echo $macdizhi" "$zhujiming>>/tmp/dnschaxunjilu/temp.txt
else
#从dhcp动态分配里面找
dhcpjieguo=`cat /var/dhcp.leases |awk '{print $2,$4}' |grep -v \* |grep $macdizhi`
#echo "在主机名文件没找到,在DHCP里面找到"$dhcpjieguo >>/root/dnschaxunjilu/temp2.txt
if [ "$dhcpjieguo" != "" ]
then
zhujiming=`echo $dhcpjieguo|awk '{print $2}'`
echo $line >>/root/dnschaxunjilu/jilu/$zhujiming.txt
#找到了的话就把这个添加到temp.txt
echo $macdizhi" "$zhujiming>>/tmp/dnschaxunjilu/temp.txt
else
#自定义 DHCP 静态都没有找到那么唯一剩下的原因就是这个主机自己设置了静态IP,这种情况就用MAC地址记录他的结果吧
#macwumaohao=`echo $macdizhi|sed 's/://g'` #linux系统支持冒号，不用过滤
echo $line >>/root/dnschaxunjilu/jilu/$macdizhi" "$kehuduanip.txt
fi
fi
fi
fi
done
#把整个dnsmasq的本次查询日志放到大的日志里面方便验证是否正确因为我刚刚发现我的chrome虚拟机竟然查询了zhidao.baidu.com 但是我这个虚拟机什么软件都没装扎到原因了,就是上面那个cat抓取文本内容给变量然后会默认删除换行符造成的
#logread |grep dnsmasq |grep -v 127.0.0.1 >>total.log
#最后把temp.txt里面的内容去重以后添加到mac-zhujiming.txt 方便查看
#sleep 1
#today=`date "+%Y%m%d%H%M%S"`
#echo "#################################"$today >>/root/dnschaxunjilu/temp2.txt
#cat /root/dnschaxunjilu/temp.txt >>/root/dnschaxunjilu/temp2.txt
sleep 1
#echo "脚本结束把temp的新增的记录写入到mac-zhujiming文件">>/tmp/dnschaxunjilu/log.txt
cat /tmp/dnschaxunjilu/temp.txt |sort |uniq |while read line
do
if [ "$line" != "" ]
then
jishu=`cat /root/dnschaxunjilu/mac-zhujiming.txt |grep "$line" |wc -l`
if [ "$jishu" -eq 0 ]
then
echo $line >>/root/dnschaxunjilu/mac-zhujiming.txt
fi
fi
done
#echo "写入完毕清空temp">>/tmp/dnschaxunjilu/log.txt
echo > /tmp/dnschaxunjilu/temp.txt
#这样操作下来如果没有找到对应主机名的,记录的文件名就是mac地址
#找到了主机名的,就自动把主机名添加到mac-zhujiming.txt,方便以后使用,但是有个缺点就是如果我们手动修改了静态分配的名字,这里的还是不会变的
#说明:有时候客户端会重复查询,dns会反馈reply query is duplicate 这就是为什么查看结果的时候发现经常有2个并排在一起的查询估计软件开发者担心只查询一次可能会在网络不好的时候返回不到结果
#发现客户端查询的时候会用IPV4和IPV6分别查询A和AAAA地址,等于为了查询一个域名的结果,现在双栈需要查4次,以前IPV4的时代只需要查一次............
#echo $today
#echo $shangcishijian
#显示ipv6和mac
#ip -6 neigh |grep br-lan |grep -v FAILED |awk '{print $1,$5}'
#显示ipv4和mac
#cat /proc/net/arp |grep br-lan |awk '{print $1,$4}'
#显示dhcpv4分配的内容,然后根据MAC取主机名
#cat /var/dhcp.leases |awk '{print $2,$4}' |grep -v \* #MAC 主机名
#显示静态分配的这里只有IPV4的我估计我应该是没有静态分配IPV6 需要的时候再看吧 #IP 主机名
#cat /var/hosts/dhcp.* |grep -v ^# |grep .lan |awk -F.lan '{print $1}'

复制代码

更新于2022-04-28 目前用起来应该是没啥问题了openwrt默认硬盘空间不大,我额外挂载了一块4G的硬盘进去专门存放这个脚本的记录

admin · 发表于 2022-8-26 00:00

#下面是记录dns的查询记录按照IP地址保存
cat /tmp/dnsmasq-tmp.log |grep -v 127.0.0.1|grep "dnsmasq" |grep "query" |grep -v "query\[PTR" |awk '{print $1,$2,$3,$5,$8,$6}' |while read line
do
zhuji=`echo $line |awk '{print $5}'`
echo $line >> /root/yumingfenliu/dnschaxunjilu/$zhuji.txt
done

复制代码

上面这一段是https://www.ryzl.com.cn/forum.ph ... &extra=#pid1550
这个帖子里面顺手统计DNS查询记录的部分 linux系统的脚本

admin · 发表于 2022-9-27 03:34

#脚本重新改为只有没有列出的域名才会记录,这样方便有新的程序需要科学的时候可以查询域名记录
jianchashifouguowaiip(){
#ip=`echo $mingxi | awk '{print $5}'`
#yumingzui=`echo $line |awk '{print $5}'`
#yuming=`echo $line |awk '{print $6}'`
#ip=`echo $line |awk '{print $8}'`
ip=`echo $1`
#echo $ip >>temp.txt
#下面判断IP是否在指定的地址范围内
#echo "下面判断IP是否在指定的地址范围内"$ip>>/root/yumingfenliu/testlog.txt
ip1=`echo $ip |awk -F. '{print $1}'`
ip2=`echo $ip |awk -F. '{print $2}'`
ip3=`echo $ip |awk -F. '{print $3}'`
ip4=`echo $ip |awk -F. '{print $4}'`
#echo $ip1 $ip2 $ip3 $ip4
#由于openwrt的shell是ash的不支持数组,看来这个要想办法绕过
#先把IP转换为2进制吧
#国内的IPv4最高的子网掩码是/10最低的是/24,所以只需要转换23段就行了注意,这里需要安装bc opkg install bc
ip22=`echo "obase=2;$ip2"|bc`
ip32=`echo "obase=2;$ip3"|bc`
#echo $ip22
#echo $ip32
ip2i8=0
ip2i7=0
ip2i6=0
ip2i5=0
ip2i4=0
ip2i3=0
ip2i2=0
ip2i1=0
#
ip3i8=0
ip3i7=0
ip3i6=0
ip3i5=0
ip3i4=0
ip3i3=0
ip3i2=0
ip3i1=0
#这个是从第一位开始取1位这里要加判断,如果数值过小可能没有第8位
#128 64 32 16 8 4 2 1
#二进制转10进制用笨办法吧
if [ "$ip2" -ge 128 ]
then
ip2i8=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i7=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i6=`echo $ip22 |awk '{print substr($0,3,1)}'`
ip2i5=`echo $ip22 |awk '{print substr($0,4,1)}'`
ip2i4=`echo $ip22 |awk '{print substr($0,5,1)}'`
ip2i3=`echo $ip22 |awk '{print substr($0,6,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,7,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,8,1)}'`
elif [ "$ip2" -ge 64 ]
then
ip2i7=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i6=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i5=`echo $ip22 |awk '{print substr($0,3,1)}'`
ip2i4=`echo $ip22 |awk '{print substr($0,4,1)}'`
ip2i3=`echo $ip22 |awk '{print substr($0,5,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,6,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,7,1)}'`
elif [ "$ip2" -ge 32 ]
then
ip2i6=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i5=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i4=`echo $ip22 |awk '{print substr($0,3,1)}'`
ip2i3=`echo $ip22 |awk '{print substr($0,4,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,5,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,6,1)}'`
elif [ "$ip2" -ge 16 ]
then
ip2i5=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i4=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i3=`echo $ip22 |awk '{print substr($0,3,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,4,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,5,1)}'`
elif [ "$ip2" -ge 8 ]
then
ip2i4=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i3=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,3,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,4,1)}'`
elif [ "$ip2" -ge 4 ]
then
ip2i3=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i2=`echo $ip22 |awk '{print substr($0,2,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,3,1)}'`
elif [ "$ip2" -ge 2 ]
then
ip2i2=`echo $ip22 |awk '{print substr($0,1,1)}'`
ip2i1=`echo $ip22 |awk '{print substr($0,2,1)}'`
elif [ "$ip2" -ge 1 ]
then
ip2i1=`echo $ip22 |awk '{print substr($0,1,1)}'`
fi
#
if [ "$ip3" -ge 128 ]
then
ip3i8=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i7=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i6=`echo $ip32 |awk '{print substr($0,3,1)}'`
ip3i5=`echo $ip32 |awk '{print substr($0,4,1)}'`
ip3i4=`echo $ip32 |awk '{print substr($0,5,1)}'`
ip3i3=`echo $ip32 |awk '{print substr($0,6,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,7,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,8,1)}'`
elif [ "$ip3" -ge 64 ]
then
ip3i7=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i6=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i5=`echo $ip32 |awk '{print substr($0,3,1)}'`
ip3i4=`echo $ip32 |awk '{print substr($0,4,1)}'`
ip3i3=`echo $ip32 |awk '{print substr($0,5,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,6,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,7,1)}'`
elif [ "$ip3" -ge 32 ]
then
ip3i6=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i5=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i4=`echo $ip32 |awk '{print substr($0,3,1)}'`
ip3i3=`echo $ip32 |awk '{print substr($0,4,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,5,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,6,1)}'`
elif [ "$ip3" -ge 16 ]
then
ip3i5=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i4=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i3=`echo $ip32 |awk '{print substr($0,3,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,4,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,5,1)}'`
elif [ "$ip3" -ge 8 ]
then
ip3i4=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i3=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,3,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,4,1)}'`
elif [ "$ip3" -ge 4 ]
then
ip3i3=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i2=`echo $ip32 |awk '{print substr($0,2,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,3,1)}'`
elif [ "$ip3" -ge 2 ]
then
ip3i2=`echo $ip32 |awk '{print substr($0,1,1)}'`
ip3i1=`echo $ip32 |awk '{print substr($0,2,1)}'`
elif [ "$ip3" -ge 1 ]
then
ip3i1=`echo $ip32 |awk '{print substr($0,1,1)}'`
fi
#echo $ip2i8 $ip2i7 $ip2i6 $ip2i5 $ip2i4 $ip2i3 $ip2i2 $ip2i1
#echo $ip3i8 $ip3i7 $ip3i6 $ip3i5 $ip3i4 $ip3i3 $ip3i2 $ip3i1
#正式开始比较,从文本里面读取国内的网段这里有7890行我估计可能会卡
shifouguonei=0
for guoneiwangduan in `cat /root/dnsjilu/cn.zone |grep ^$ip1`
do
wanduan=`echo $guoneiwangduan |awk -F/ '{print $1}'`
yanma=`echo $guoneiwangduan |awk -F/ '{print $2}'`
t_ip2=0
t_ip3=0
if [ "$ip2i8" -eq 1 ] && [ "$yanma" -ge 9 ]
then
let t_ip2=t_ip2+128
fi
if [ "$ip2i7" -eq 1 ] && [ "$yanma" -ge 10 ]
then
let t_ip2=t_ip2+64
fi
if [ "$ip2i6" -eq 1 ] && [ "$yanma" -ge 11 ]
then
let t_ip2=t_ip2+32
fi
if [ "$ip2i5" -eq 1 ] && [ "$yanma" -ge 12 ]
then
let t_ip2=t_ip2+16
fi
if [ "$ip2i4" -eq 1 ] && [ "$yanma" -ge 13 ]
then
let t_ip2=t_ip2+8
fi
if [ "$ip2i3" -eq 1 ] && [ "$yanma" -ge 14 ]
then
let t_ip2=t_ip2+4
fi
if [ "$ip2i2" -eq 1 ] && [ "$yanma" -ge 15 ]
then
let t_ip2=t_ip2+2
fi
if [ "$ip2i1" -eq 1 ] && [ "$yanma" -ge 16 ]
then
let t_ip2=t_ip2+1
fi
#echo "查看具体是哪里出错了2"
if [ "$ip3i8" -eq 1 ] && [ "$yanma" -ge 17 ]
then
let t_ip3=t_ip3+128
fi
if [ "$ip3i7" -eq 1 ] && [ "$yanma" -ge 18 ]
then
let t_ip3=t_ip3+64
fi
if [ "$ip3i6" -eq 1 ] && [ "$yanma" -ge 19 ]
then
let t_ip3=t_ip3+32
fi
if [ "$ip3i5" -eq 1 ] && [ "$yanma" -ge 20 ]
then
let t_ip3=t_ip3+16
fi
if [ "$ip3i4" -eq 1 ] && [ "$yanma" -ge 21 ]
then
let t_ip3=t_ip3+8
fi
if [ "$ip3i3" -eq 1 ] && [ "$yanma" -ge 22 ]
then
let t_ip3=t_ip3+4
fi
if [ "$ip3i2" -eq 1 ] && [ "$yanma" -ge 23 ]
then
let t_ip3=t_ip3+2
fi
if [ "$ip3i1" -eq 1 ] && [ "$yanma" -ge 24 ]
then
let t_ip3=t_ip3+1
fi
#echo "查看具体是哪里出错了3"
if [ "$yanma" -le 16 ]
then
wanduanip=`echo $ip1.$t_ip2.0.0`
#echo "查看具体是哪里出错了4"
elif [ "$yanma" -gt 16 ]
then
wanduanip=`echo $ip1.$t_ip2.$t_ip3.0`
#echo "查看具体是哪里出错了5"
fi
if [ "$wanduanip" == "$wanduan" ]
then
#echo "网段IP是:"$wanduanip"网段是"$wanduan
shifouguonei=1
break
#已经对比出了相同网段则该循环就不用继续了
fi
done
#if [ $shifouguonei == "guowai" ]
#then
# echo -e $yumingzui"\t"$yuming"\t"$ip"\t"$shifouguonei
#fi
return $shifouguonei
}
#根据分组ID处理
#先取上次的id
benciyunxingshijian=`date "+%Y%m%d"` #%Y%m%d%H%M
file="/tmpfs/dnsjilu/shangciid.txt"
if [ -f "$file" ]
then
shangciid=`cat /tmpfs/dnsjilu/shangciid.txt`
shangcihangshu=`cat /tmpfs/dnsjilu/shangcihangshu.txt`
zhengzaiyunxing=`cat /tmpfs/dnsjilu/zhengzaiyunxing.txt`
else
mkdir /tmpfs/dnsjilu
shangciid=0
shangcihangshu=0
zhengzaiyunxing=0
fi
#zhujiming=`cat /root/dnschaxunjilu/mac-zhujiming.txt` #操这里的隐藏bug真恶心用cat抓取文件内容赋值给变量会自动删除换行符
#####如果重启的话第一次执行第8段是read 所以加个grep query 就是全部都是查询的记录了
#root@OpenWrt:~/dnschaxunjilu# cat /tmpfs/dnsmasq.log |grep dnsmasq |tail -n 1 |awk '{print $8}'
#read
#root@OpenWrt:~/dnschaxunjilu# cat /tmpfs/dnsmasq.log |grep dnsmasq |tail -n 1 |awk '{print $8}'
#1
#root@OpenWrt:~/dnschaxunjilu# cat /tmpfs/dnsmasq.log |grep dnsmasq |tail -n 1 |awk '{print $8}'
#3
###########################################################根据分组就行了第8段就是分组
#笨办法先获取最后一个分组id
if [ $zhengzaiyunxing -eq 0 ]
then
echo "1" >/tmpfs/dnsjilu/zhengzaiyunxing.txt
hangshu=`cat /tmpfs/dnsmasq.log |wc -l`
let xianshihangshu=hangshu-shangcihangshu
jilushijian=`date "+%Y-%m-%d %H:%M"` #%Y%m%d%H%M
echo "时间 "$jilushijian" 总行数"$hangshu" 上次行数"$shangcihangshu" 本次显示这些行"$xianshihangshu >>/root/dnsjilu/log/log.txt
tail -n $xianshihangshu /tmpfs/dnsmasq.log >/tmpfs/dnsmasq-temp.log
zuihouid=`cat /tmpfs/dnsmasq-temp.log |grep "dnsmasq[[0-9]*]: [0-9]" |grep query |tail -n 1 |awk '{print $5}'`
bencichushiid=`cat /tmpfs/dnsmasq-temp.log |grep "dnsmasq[[0-9]*]: [0-9]" |grep query |head -n 1 |awk '{print $5}'`
echo "zuihouid="$zuihouid" bencichushiid="$bencichushiid >>/root/dnsjilu/log/log.txt
#结果要么都是数字要么都是空的
if [ "$zuihouid" != "" ] && [ $xianshihangshu -gt 0 ]
then
#如果有数字就判断当前已经用过的ID是否小于最后id 如果小于就开始判断
#echo "youjieguo"$zuihouid
if [ $shangciid -lt $zuihouid ]
then
#如果上次id小于最后id 说明有新的记录
#判断上次id是否小于本次初始id 如果小于说经这段时间查询的记录太多了,有记录丢失了,要么增加log空间大小,要么就缩短脚本间隔
if [ "$bencichushiid" != "" ]
then
if [ $bencichushiid -le $zuihouid ] && [ $shangciid -lt $bencichushiid ]
then
#本次初始ID小于最后id 并且上次id小于本次初始ID
#所以2个条件同时成立才表示这段时间查询的记录太多,有记录丢失了
let shangciid=bencichushiid
else
#本次初始ID大于最后id 说明dnsmasq重启了这样的话上次id可能会小于本次初始id同时也小于最后id
shangciid=1
fi
#else
#如果是空的说明服务器刚开机
fi
#经过上面的判断,现在shangciid就是正常的了
echo "shangciid="$shangciid >>/root/dnsjilu/log/log.txt
#然后循环
let for_kaishiid=shangciid
for i in $(seq $for_kaishiid $zuihouid)
do
####echo "开始判断id "$i
chaxunleixing=""
chaxunyuming=""
chaxunjieguo=""
ip=""
shijian=""
xuhao=0
forjilushijian=`date "+%Y-%m-%d %H:%M:%S"` #%Y%m%d%H%M
echo "时间 "$forjilushijian" 行数"$i>>/root/dnsjilu/log/log-for.txt
#正则表达式数字 cat /tmpfs/dnsmasq.log |grep dnsmasq |grep "dnsmasq[[0-9]*]: [0-9]" |grep "dnsmasq[[0-9]*]: 3 "
#cat /tmpfs/dnsmasq.log |grep dnsmasq |grep "dnsmasq\[^\d{n}$\]\: $i "
cat /tmpfs/dnsmasq-temp.log |grep "dnsmasq[[0-9]*]: [0-9]" |grep "dnsmasq[[0-9]*]: $i " |while read line
do
#第一种没有任何反馈
#Thu Sep 22 13:36:53 2022 daemon.info dnsmasq[1]: 520 192.168.11.178/60292 query[AAAA] tracker.openbittorrent.com from 192.168.11.178
#Thu Sep 22 13:36:53 2022 daemon.info dnsmasq[1]: 520 192.168.11.178/60292 forwarded tracker.openbittorrent.com to 192.168.1.1
#第二种有正常反馈
#Thu Sep 22 13:36:53 2022 daemon.info dnsmasq[1]: 522 192.168.11.178/54698 query[AAAA] tracker-udp.gbitt.info from 192.168.11.178
#Thu Sep 22 13:36:53 2022 daemon.info dnsmasq[1]: 522 192.168.11.178/54698 forwarded tracker-udp.gbitt.info to 192.168.1.1
#Thu Sep 22 13:36:53 2022 daemon.info dnsmasq[1]: 522 192.168.11.178/54698 reply tracker-udp.gbitt.info is 2a00:f10:10b::1209
#第三种没有ipv6地址
#Thu Sep 22 13:37:17 2022 daemon.info dnsmasq[1]: 529 192.168.11.178/56141 query[AAAA] tracker.dler.com from 192.168.11.178
#Thu Sep 22 13:37:17 2022 daemon.info dnsmasq[1]: 529 192.168.11.178/56141 forwarded tracker.dler.com to 192.168.1.1
#Thu Sep 22 13:37:17 2022 daemon.info dnsmasq[1]: 529 192.168.11.178/56141 reply tracker.dler.com is <CNAME>
#Thu Sep 22 13:37:17 2022 daemon.info dnsmasq[1]: 529 192.168.11.178/56141 reply tracker.dler.org is NODATA-IPv6
#一些典型的记录
#Thu Sep 22 11:54:56 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 query[type=65] mesu.apple.com from 192.168.11.108
#Thu Sep 22 11:54:56 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 cached mesu.apple.com is <CNAME>
#Thu Sep 22 11:54:56 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 cached mesu-cdn.apple.com.akadns.net is <CNAME>
#Thu Sep 22 11:54:56 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 cached mesu-china.apple.com.akadns.net is <CNAME>
#Thu Sep 22 11:54:56 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 forwarded mesu.apple.com to 192.168.1.1
#Thu Sep 22 11:54:58 2022 daemon.info dnsmasq[1]: 1035 192.168.11.108/52426 reply error is REFUSED
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 846 127.0.0.1/58245 query[A] www.ryzl.com.cn from 127.0.0.1
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 846 127.0.0.1/58245 cached www.ryzl.com.cn is 116.62.23.29
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 847 ::1/58245 query[A] www.ryzl.com.cn from ::1
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 847 ::1/58245 cached www.ryzl.com.cn is 116.62.23.29
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 848 127.0.0.1/58245 query[AAAA] www.ryzl.com.cn from 127.0.0.1
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 848 127.0.0.1/58245 forwarded www.ryzl.com.cn to 192.168.1.1
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 849 ::1/58245 query[AAAA] www.ryzl.com.cn from ::1
#Thu Sep 22 11:45:00 2022 daemon.info dnsmasq[1]: 849 ::1/58245 reply query is duplicate
echo $line >>/root/dnsjilu/log/zongrizhi-$benciyunxingshijian.txt
tmp_chaxunleixing=`echo $line |awk '{print $7}'`
if [ "$tmp_chaxunleixing" == "query[A]" ] || [ "$tmp_chaxunleixing" == "query[AAAA]" ] || [ "$tmp_chaxunleixing" == "query[type=65]" ]
then
chaxunleixing=$tmp_chaxunleixing
chaxunyuming=`echo $line |awk '{print $8}'`
ip=`echo $line |awk '{print $10}'`
shijian=`echo $line |awk '{print $1"-"$2,$3}'`
xuhao=`echo $line |awk '{print $5}'`
fi
if [ "$chaxunleixing" != "query[A]" ] && [ "$chaxunleixing" != "query[AAAA]" ]
then
echo $line >>/root/dnsjilu/log/zongrizhi-$benciyunxingshijian-chaxunleixingbushiliechude.txt
fi
#centos的dnsmasq日志记录好像reply是查询结果 config是配置的sougou.com结果
if [ "$tmp_chaxunleixing" == "reply" ]
then
if [ "$chaxunleixing" == "query[A]" ] || [ "$chaxunleixing" == "query[AAAA]" ]
then
chaxunjieguo=`echo $line |awk '{print $10}'`
if [ "$chaxunjieguo" != "<CNAME>" ] && [ "$chaxunjieguo" != "NODATA-IPv6" ] && [ "$chaxunjieguo" != "REFUSED" ] && [ "$chaxunjieguo" != "duplicate" ] && [ "$chaxunjieguo" != "SERVFAIL" ]
then
#判断结果是不是ipv6
guoneiwai="ipv6bupanduan"
shifouipv6=`echo $chaxunjieguo |grep : |wc -l`
if [ $shifouipv6 -eq 0 ]
then
#没有冒号说明是ipv4
if ( jianchashifouguowaiip "$chaxunjieguo" )
then
guoneiwai="guowai"
else
guoneiwai="guonei"
fi
fi
####echo $chaxunyuming" "$chaxunleixing" "$chaxunjieguo" "$benciyunxingshijian
yuming=`echo $chaxunyuming |grep -Eo '[^.]+.[^.]+
这个脚本是openwrt的脚本统计dns查询记录,然后查询过的域名就不记录了,只记录新查询的域名
方便在有新服务的时候看看用到了哪些域名
比如打开steam以后可以看看steam具体用到了哪些域名
`
kexueshangwang=`cat /etc/dnsmasq.d/address.conf |grep "/$yuming" |wc -l`
yijingcunzaiyuming=`cat /etc/dnsmasq.d/guoneiyuming.conf |grep "$yuming" |wc -l`
if [ $kexueshangwang -eq 0 ] && [ $yijingcunzaiyuming -eq 0 ]
then
#如果国外域名没有同时国内域名也没有说明是全新域名就按照天和客户端名字把查询结果记录到文本里面
echo -e $shijian"\t"$ip"\t"$xuhao"\t"$yuming"\t"$chaxunyuming"\t"$chaxunleixing"\t"$chaxunjieguo"\t"$guoneiwai>>/root/dnsjilu/log/$ip.txt
echo -e "#"$shijian"\t"$ip"\t"$xuhao"\t"$yuming"\t"$chaxunyuming"\t"$chaxunleixing"\t"$chaxunjieguo>>/etc/dnsmasq.d/guoneiyuming.conf
#echo $line >>/root/dnsjilu/log/rizhi-$ip-$benciyunxingshijian.txt
fi
fi
fi
fi
done
done
#最后有id重复的需要把已经读取过的行数删掉
#sed -i '1,'"$hangshu"'d' /tmpfs/dnsmasq.log #不能这样弄,这样弄了dnsmasq就不会继续往这个文件写入日志了
else
if [ $shangciid -gt $zuihouid ]
then
#如果上次id大于最后id,说明dnsmasq重启了,就把上次id变为0 以便下一次运行的时候从头开始
shangciid=0
#else
#不大于也不小于说明是等于,说明没有新的查询就不处理
fi
fi
#最后把本次最后id存放到文件里面以便下次调用
echo $zuihouid >/tmpfs/dnsjilu/shangciid.txt
echo $hangshu >/tmpfs/dnsjilu/shangcihangshu.txt
#最后记录一下是否有内存泄露之前的脚本有内存泄露了
jilufreelogshijian=`date "+%Y-%m-%d %H:%M"` #%Y%m%d%H%M
echo $jilufreelogshijian >> /root/dnsjilu/log/free-log.txt
free >> /root/dnsjilu/log/free-log.txt
echo "0" >/tmpfs/dnsjilu/zhengzaiyunxing.txt
#else
#echo "最后ID是空的说明刚刚启动还没有客户端发送解析"
fi
fi

复制代码

这个脚本是openwrt的脚本统计dns查询记录,然后查询过的域名就不记录了,只记录新查询的域名
方便在有新服务的时候看看用到了哪些域名
比如打开steam以后可以看看steam具体用到了哪些域名

admin · 发表于 2025-5-18 20:27

#简单的记录客户端查询了哪些DNS记录,按照天保存,并删除7天之前的记录,防止长时间不管理,磁盘空间爆掉
#先取上次的时间
file="/tmp/jiludnschaxunshijian.txt"
if [ -f "$file" ]
then
shangcishijian=`cat /tmp/jiludnschaxunshijian.txt`
else
shangcishijian="2025 May 18 00:00:00"
fi
#首先把这次运行的时间保存到文件里面,以供下次使用
date "+%Y %b %d %H:%M:%S" >/tmp/jiludnschaxunshijian.txt
#这个命令输出的时间格式类似于2025 May 18 19:45:40
#然后列出所有查询记录结果类似如下
#2025 May 18 19:45:40 query[A] settings-win.data.microsoft.com 192.168.11.179
#2025 May 18 19:46:29 query[AAAA] setup.icloud.com fc00:192:168:11::78
#2025 May 18 19:46:29 query[A] setup.icloud.com fc00:192:168:11::78
#2025 May 18 19:49:54 query[A] www.ryzl.com.cn 192.168.11.179
#2025 May 18 19:49:54 query[HTTPS] www.ryzl.com.cn 192.168.11.179
#把这些查询记录通过最后面的客户端,分类保存
#相关知识点
jilurizhishijian=`date "+%Y%m%d"`
logread |grep dnsmasq |grep -v reply |grep query |grep -v 127.0.0.1 |grep -v "::1" |awk '{print $5,$2,$3,$4,$10,$11,$13}' | while read line
do
nian=`echo $line |awk '{print $1}'`
yue=`echo $line |awk '{print $2}'`
ri=`echo $line |awk '{print $3}'`
shifenmiao=`echo $line |awk '{print $4}'`
if [ "$ri" -lt 10 ]
then
ri="0$ri"
fi
bencishijian=`echo $nian $yue $ri $shifenmiao`
#echo "比较时间本次时间$bencishijian 上次时间$shangcishijian"
if [ "$bencishijian" \> "$shangcishijian" ]
then
#echo "本次时间晚于上次时间"
#再加个功能,判断域名是否已经在谷歌解析了
#/root/dnsmasq/dnsmasq.d/server-ipset.conf
#/root/dnsmasq/dnsmasq.d/gfwlist.conf
yumingshifouguowai=""
chaxunyuming=`echo $line | awk '{print $6}'`
yuming=`echo $chaxunyuming |grep -Eo '[^.]+.[^.]+`
#这里要用正则表达式匹配域名比如mi.com 只能匹配.mi.com/和/mi.com/
guowaiyuming1=`cat /root/dnsmasq/dnsmasq.d/server-ipset.conf |grep -E [./]$yuming[/] |wc -l`
guowaiyuming2=`cat /root/dnsmasq/dnsmasq.d/gfwlist.conf |grep -E [./]$yuming[/] |wc -l`
if [ $guowaiyuming1 -gt 0 ] || [ $guowaiyuming2 -gt 0 ]
then
yumingshifouguowai="已添加8.8.8.8解析"
fi
kehuduanip=`echo $line | awk '{print $7}'`
xianshijieguo=`echo $line |awk '{print $1,$2,$3,$4,$6}'`
echo -e $xianshijieguo"\t\t"$yumingshifouguowai >>/root/dnsjilu/log/$jilurizhishijian-$kehuduanip.txt
fi
done
#最后清理7天之前的文件
find "/root/dnsjilu/log" -mtime +7 -type f -name "*.txt" | while read line
do
rm -f $line
done

复制代码

		自动登录	找回密码
密码			立即注册