@honoki
Last active July 17, 2021 06:25
Monitor bind9 logs and push queries to Slack
```python
import time
import requests


def is_blacklisted(domain):
    # One domain per line; the file is re-read on every query, so edits take effect immediately.
    with open("blacklist.txt") as blacklist:
        return domain in [w.strip() for w in blacklist.readlines()]


# Avoid Slack expanding your links by replacing the last dot.
def escape_domain(domain):
    return domain.replace('yourdomain.com', 'yourdomain[.]com')


def watch(fn):
    # Tail the log file and yield (domain, query type, client ip#port) for every new query line.
    fp = open(fn, 'r')
    fp.seek(0, 2)  # start watching from the end of the file
    while True:
        new = fp.readline()
        if new:
            parts = new.split(' ')
            # Expected bind9 query-log layout (print-time enabled):
            # <date> <time> client @0x... <ip>#<port> (<name>): query: <name> IN <type> <flags> (<server>)
            yield (parts[7].lower(), parts[9], parts[4])
        else:
            time.sleep(0.5)


queries = '/var/log/named/queries.log'
for domain, qtype, fromip in watch(queries):
    print(domain, qtype, fromip)
    if 'yourdomain.com' not in domain:
        print("illegal request")
    elif is_blacklisted(domain):
        print("blacklisted - skipping")
    else:
        requests.post('https://hooks.slack.com/services/.../.../...',
                      json={'text': '[dns] [' + qtype + '] ' + escape_domain(domain) + ' from ' + fromip})
```
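The gist splits each log line on spaces and trusts fixed field positions, and its zone check is a plain substring test. The following added example (not part of the gist) parses bind9 "queries" category lines with a regex instead, tolerates the older layout without the `@0x...` token, and replaces the substring test with a proper suffix match; the `yourdomain.com` zone and the sample log lines are constructed for the demonstration.

```python
import re
from typing import NamedTuple, Optional

# Matches bind9 "queries" category lines with print-time on, e.g.
#   17-Jul-2021 06:25:00.123 client @0x7f0 192.0.2.10#54321 (www.yourdomain.com): query: www.yourdomain.com IN A +E(0)K (198.51.100.1)
# Older bind9 releases omit the "@0x..." token, so it is optional here.
QUERY_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[^\s#]+)#(?P<port>\d+) '
    r'\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)'
)

class Query(NamedTuple):
    client: str
    name: str
    qtype: str

def parse_query_line(line: str) -> Optional[Query]:
    """Return client, queried name (lower-cased, no trailing dot) and type; None for other lines."""
    m = QUERY_LINE.match(line.strip())
    if not m:
        return None
    return Query(m.group('client'), m.group('name').lower().rstrip('.'), m.group('qtype'))

def in_zone(name: str, zone: str) -> bool:
    """True only if name is the zone itself or a subdomain of it. The gist's substring test
    ('yourdomain.com' in domain) would also accept yourdomain.com.attacker.example."""
    name, zone = name.lower().rstrip('.'), zone.lower().rstrip('.')
    return name == zone or name.endswith('.' + zone)

def select_alerts(lines, zone, blacklist):
    """Queries worth reporting: parseable, inside the zone and not blacklisted."""
    out = []
    for line in lines:
        q = parse_query_line(line)
        if q is not None and in_zone(q.name, zone) and q.name not in blacklist:
            out.append(q)
    return out

# Constructed sample log lines (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "17-Jul-2021 06:25:00.123 client @0x7f0 192.0.2.10#54321 (www.yourdomain.com): query: www.yourdomain.com IN A +E(0)K (198.51.100.1)",
    "17-Jul-2021 06:25:01.456 client 192.0.2.11#40000 (mail.yourdomain.com): query: mail.yourdomain.com IN MX + (198.51.100.1)",
    "17-Jul-2021 06:25:02.789 client @0x7f1 192.0.2.12#1234 (yourdomain.com.attacker.example): query: yourdomain.com.attacker.example IN A + (198.51.100.1)",
    "17-Jul-2021 06:25:03.000 client @0x7f2 192.0.2.13#5555 (ns1.yourdomain.com): query: ns1.yourdomain.com IN A + (198.51.100.1)",
    "17-Jul-2021 06:25:04.000 resolver priming query complete",
]

if __name__ == "__main__":
    for q in select_alerts(SAMPLE_LOG, "yourdomain.com", {"ns1.yourdomain.com"}):
        print(f"[dns] [{q.qtype}] {q.name} from {q.client}")
```

Only the first two sample lines are reported: the third is a lookalike outside the zone and the fourth is blacklisted.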