Resolvers setting answer bits in queries


Description:


Show a list of resolvers that send queries containing header values that should only be present in answers:
- TC bit set
- RA bit set
- RCODE > 0

Note that these columns are only available as of ENTRADA 0.0.10.



Impala Query:


select
    src,
    max(country) as country,
    count(*) as total_queries,
    sum(case when (q_tc=true or q_ra=true or q_rcode>0) then 1 else 0 end) as weird_queries,
    sum(q_tc) as q_tc,
    sum(q_ra) as q_ra,
    sum(case when q_rcode > 0 then 1 else 0 end) as q_rcode
from
    dns.queries
where
    year=2017 and month=9
group by
    src
having
    weird_queries>0
order by
    weird_queries desc
limit 10


Example Output:


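| src | country | total_queries | weird_queries | q_tc | q_ra | q_rcode |
|---|---|---|---|---|---|---|
| 195.141.183.84 | CH | 20876 | 3082 | 0 | 0 | 3082 |
| 212.205.80.44 | GR | 11818 | 2963 | 0 | 0 | 2963 |
| 98.191.98.157 | US | 2512 | 2349 | 0 | 0 | 2349 |
| 195.167.37.93 | GR | 5409 | 1288 | 0 | 0 | 1288 |
| 91.209.84.9 | CH | 41629 | 713 | 0 | 0 | 713 |
| 46.18.202.87 | RU | 560 | 536 | 0 | 0 | 536 |
| 104.43.9.196 | SG | 429 | 398 | 398 | 0 | 0 |
| 213.198.82.40 | DE | 3912 | 386 | 0 | 0 | 386 |
| 141.122.189.112 | CH | 138001 | 196 | 0 | 0 | 196 |
| 212.243.142.98 | CH | 1560 | 158 | 0 | 0 | 158 |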
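
To show what the three columns mean on the wire, the following added example (not part of the original page or of ENTRADA) decodes the DNS header flags of raw messages and applies the same per-source aggregation as the query. It assumes q_tc, q_ra and q_rcode reflect the header of the query packet, as the description states; the function names and the sample packets are constructed for illustration.

```python
import struct

# Masks for the 16-bit flags word of the DNS header (RFC 1035, section 4.1.1).
QR, TC, RA, RCODE = 0x8000, 0x0200, 0x0080, 0x000F

def query_anomalies(packet: bytes):
    """Return the answer-only fields set in a query, or None for a response."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if flags & QR:
        return None  # in a response these fields are legitimate
    return {"q_tc": bool(flags & TC), "q_ra": bool(flags & RA),
            "q_rcode": (flags & RCODE) > 0}

def summarize(captures):
    """Aggregate (src, packet) pairs per source, like the GROUP BY/HAVING above."""
    stats = {}
    for src, packet in captures:
        found = query_anomalies(packet)
        if found is None:
            continue
        row = stats.setdefault(src, {"total_queries": 0, "weird_queries": 0,
                                     "q_tc": 0, "q_ra": 0, "q_rcode": 0})
        row["total_queries"] += 1
        row["weird_queries"] += int(any(found.values()))
        for column, is_set in found.items():
            row[column] += int(is_set)
    rows = [(src, row) for src, row in stats.items() if row["weird_queries"] > 0]
    return sorted(rows, key=lambda r: r[1]["weird_queries"], reverse=True)

def make_packet(flags: int) -> bytes:
    """Constructed test message: header plus one question for example.nl A/IN."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x07example\x02nl\x00" + struct.pack("!HH", 1, 1)

# Constructed sample traffic (documentation address ranges, not real resolvers).
SAMPLE = [
    ("192.0.2.10", make_packet(0x0100)),    # ordinary query, RD only
    ("192.0.2.10", make_packet(0x0003)),    # query carrying RCODE 3
    ("192.0.2.10", make_packet(0x0002)),    # query carrying RCODE 2
    ("198.51.100.7", make_packet(0x0280)),  # query with TC and RA set
    ("198.51.100.7", make_packet(0x8183)),  # response: skipped
    ("203.0.113.5", make_packet(0x0100)),   # clean source, filtered out
]

if __name__ == "__main__":
    for src, row in summarize(SAMPLE):
        print(src, row)
```

A query with both TC and RA set counts once in weird_queries but once in each of q_tc and q_ra, so the per-field columns can sum to more than weird_queries.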