Overview
The Query Log Analysis service provides comprehensive DNS log ingestion, analytics, automated threat detection with MITRE ATT&CK mapping, and executive reporting. Enterprise tier ($999/month) required.
1. Log Source Management
Configure log sources for ingestion.
GET /api/v2/logs/sources
POST /api/v2/logs/sources
Supported Source Types
- syslog - Syslog integration
- json_api - JSON API ingestion
- file_upload - File upload
Create Source Example
```bash
curl -X POST "https://www.dnsscience.io/api/v2/logs/sources" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{
    "name": "Production DNS",
    "source_type": "json_api",
    "config": {}
  }'
```
2. Log Ingestion
POST /api/v2/logs/ingest/{source_id}
Log Entry Format
```json
{
  "logs": [
    {
      "timestamp": "2024-11-22T10:30:00Z",
      "client_ip": "192.168.1.100",
      "query_name": "example.com",
      "query_type": "A",
      "response_code": "NOERROR",
      "response_ip": "93.184.216.34",
      "response_time_ms": 15
    }
  ]
}
```
Supported Response Codes
- NOERROR
- NXDOMAIN
- SERVFAIL
- REFUSED
- FORMERR
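The following is an added example (not code from the page or from the DNS Science service) showing how a sender would validate entries against the log entry format above and split them into ingest payloads that respect the documented 10,000 logs per request limit. The set of required fields, the `SOURCE_ID_PLACEHOLDER` value and the sample entries are assumptions; the page does not say which fields are mandatory. The request is built with `urllib` but not sent, so the example runs offline.

```python
import json
from datetime import datetime
from urllib.request import Request

# Response codes the ingestion endpoint documents as supported.
SUPPORTED_RESPONSE_CODES = {"NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED", "FORMERR"}
# Per-request ingestion limit from the Performance Considerations table.
MAX_LOGS_PER_REQUEST = 10_000
# Fields treated as mandatory here; an assumption, the page does not list required fields.
REQUIRED_FIELDS = ("timestamp", "client_ip", "query_name", "query_type")
# Base URL as used by the page's curl examples.
BASE_URL = "https://www.dnsscience.io"


def validate_entry(entry: dict) -> list:
    """Return the problems found in one log entry (an empty list means it is acceptable)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not entry.get(field):
            problems.append(f"missing {field}")
    ts = entry.get("timestamp")
    if ts is not None:
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # documented form: 2024-11-22T10:30:00Z
        except (TypeError, ValueError):
            problems.append("timestamp must be UTC ISO 8601, e.g. 2024-11-22T10:30:00Z")
    code = entry.get("response_code")
    if code is not None and code not in SUPPORTED_RESPONSE_CODES:
        problems.append(f"unsupported response_code {code!r}")
    rtt = entry.get("response_time_ms")
    if rtt is not None and (isinstance(rtt, bool) or not isinstance(rtt, (int, float)) or rtt < 0):
        problems.append("response_time_ms must be a non-negative number")
    return problems


def build_batches(entries, batch_size=MAX_LOGS_PER_REQUEST):
    """Validate entries and split the acceptable ones into ingest payloads.

    Returns (payloads, rejected): payloads is a list of {"logs": [...]} dicts holding
    at most batch_size entries each; rejected is a list of (entry, problems) pairs.
    """
    if not 0 < batch_size <= MAX_LOGS_PER_REQUEST:
        raise ValueError("batch_size must be between 1 and MAX_LOGS_PER_REQUEST")
    accepted, rejected = [], []
    for entry in entries:
        problems = validate_entry(entry)
        if problems:
            rejected.append((entry, problems))
        else:
            accepted.append(entry)
    payloads = [{"logs": accepted[i:i + batch_size]} for i in range(0, len(accepted), batch_size)]
    return payloads, rejected


def ingest_request(source_id: str, payload: dict, api_key: str) -> Request:
    """Build, but do not send, the POST for one payload; urllib.request.urlopen(req) would send it."""
    body = json.dumps(payload).encode("utf-8")
    return Request(
        f"{BASE_URL}/api/v2/logs/ingest/{source_id}",
        data=body,
        headers={"Content-Type": "application/json", "X-API-Key": api_key},
        method="POST",
    )


# Constructed sample entries: two acceptable, one with an unsupported response code,
# one missing client_ip.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-11-22T10:30:00Z", "client_ip": "192.168.1.100", "query_name": "example.com",
     "query_type": "A", "response_code": "NOERROR", "response_ip": "93.184.216.34", "response_time_ms": 15},
    {"timestamp": "2024-11-22T10:30:01Z", "client_ip": "192.168.1.101", "query_name": "nope.example.org",
     "query_type": "AAAA", "response_code": "NXDOMAIN", "response_time_ms": 22},
    {"timestamp": "2024-11-22T10:30:02Z", "client_ip": "192.168.1.102", "query_name": "example.net",
     "query_type": "MX", "response_code": "REFUSE"},
    {"timestamp": "2024-11-22T10:30:03Z", "query_name": "example.net", "query_type": "A",
     "response_code": "NOERROR"},
]

if __name__ == "__main__":
    payloads, rejected = build_batches(SAMPLE_ENTRIES)
    for entry, problems in rejected:
        print("rejected:", entry.get("query_name"), problems)
    for payload in payloads:
        req = ingest_request("SOURCE_ID_PLACEHOLDER", payload, "YOUR_API_KEY")
        print(req.get_method(), req.full_url, "with", len(payload["logs"]), "logs")
```

Rejected entries are returned rather than silently dropped so that a collector can log or quarantine them; a single malformed record should not block the rest of a 10,000-entry batch.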
3. Log Analytics
GET /api/v2/logs/stats?hours={hours}
GET /api/v2/logs/top-domains?hours={hours}&limit={limit}
GET /api/v2/logs/top-clients?hours={hours}&limit={limit}
Statistics Response
```json
{
  "period_hours": 24,
  "total_queries": 1250000,
  "unique_domains": 45000,
  "unique_clients": 500,
  "nxdomain_rate": 0.05,
  "top_query_types": {
    "A": 800000,
    "AAAA": 250000,
    "MX": 100000
  }
}
```
4. Domain Classification
POST /api/v2/logs/classify
Example
```bash
curl -X POST "https://www.dnsscience.io/api/v2/logs/classify" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{"domain": "suspicious-domain.com"}'
```
Response
```json
{
  "domain": "suspicious-domain.com",
  "classification": "suspicious",
  "confidence": 0.75,
  "categories": ["newly-registered", "high-entropy"],
  "risk_score": 65
}
```
5. Threat Detection
Automated threat detection with pre-built rules.
POST /api/v2/logs/detect/{source_id}
GET /api/v2/logs/threats?hours={hours}&severity={severity}
GET /api/v2/logs/threats/client/{ip}
Detection Rules
| Rule | Description | MITRE ATT&CK |
|---|---|---|
| DGA Activity | High NXDOMAIN rate indicating DGA malware | T1568.002 |
| DNS Tunneling | Long encoded queries for data exfiltration | T1048.003 |
| Fast Flux | Rapid IP rotation for C2 resilience | T1568.001 |
| C2 Beaconing | Periodic queries indicating C2 communication | T1071.004 |
| Cryptomining | Mining pool domain queries | T1496 |
| Data Exfiltration | TXT record abuse for data theft | T1048.003 |
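To make the rule descriptions concrete, here is an added example (not the service's detection engine, whose rules and thresholds the page does not publish) that applies three of the listed rules to a batch of entries in the ingest format: DGA Activity as a per-client NXDOMAIN rate, DNS Tunneling as a long, high-entropy label, and C2 Beaconing as one client repeating one name at near-constant intervals. It also shows the Shannon entropy measure behind the `high-entropy` category in the classification response. All thresholds, the rule names and the sample logs are constructed for this example; the technique IDs are those in the table above.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Rule name -> ATT&CK technique, as listed in the Detection Rules table above.
ATTACK_MAP = {"dga_activity": "T1568.002", "dns_tunneling": "T1048.003", "c2_beaconing": "T1071.004"}

# Thresholds are assumptions chosen for this example, not the service's defaults.
DGA_MIN_QUERIES = 20        # queries per client needed before a rate is meaningful
DGA_NXDOMAIN_RATE = 0.5     # share of NXDOMAIN answers that flags a client
TUNNEL_MIN_LABEL_LEN = 40   # length of the longest DNS label, in characters
TUNNEL_MIN_ENTROPY = 3.5    # Shannon entropy (bits per character) of that label
BEACON_MIN_QUERIES = 5      # repeats of one (client, name) pair
BEACON_MAX_JITTER = 0.1     # stdev/mean of the gaps between repeats


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _finding(rule, client_ip, severity, evidence):
    return {"rule": rule, "technique": ATTACK_MAP[rule], "client_ip": client_ip,
            "severity": severity, "evidence": evidence}


def detect_dga(logs):
    """DGA Activity: a client whose answers are mostly NXDOMAIN."""
    per_client = defaultdict(lambda: [0, 0])  # ip -> [total, nxdomain]
    for e in logs:
        stats = per_client[e["client_ip"]]
        stats[0] += 1
        stats[1] += e.get("response_code") == "NXDOMAIN"
    findings = []
    for ip, (total, nx) in per_client.items():
        rate = nx / total
        if total >= DGA_MIN_QUERIES and rate >= DGA_NXDOMAIN_RATE:
            findings.append(_finding("dga_activity", ip, "high",
                                     {"queries": total, "nxdomain_rate": round(rate, 2)}))
    return findings


def detect_tunneling(logs):
    """DNS Tunneling: a long, high-entropy label (an encoded payload) in the query name."""
    findings = []
    for e in logs:
        label = max(e["query_name"].rstrip(".").split("."), key=len)
        entropy = shannon_entropy(label)
        if len(label) >= TUNNEL_MIN_LABEL_LEN and entropy >= TUNNEL_MIN_ENTROPY:
            findings.append(_finding("dns_tunneling", e["client_ip"], "high",
                                     {"query_name": e["query_name"], "label_len": len(label),
                                      "entropy": round(entropy, 2)}))
    return findings


def detect_beaconing(logs):
    """C2 Beaconing: one client re-querying one name at near-constant intervals."""
    seen = defaultdict(list)  # (ip, name) -> [timestamps]
    for e in logs:
        seen[(e["client_ip"], e["query_name"])].append(
            datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    findings = []
    for (ip, name), times in seen.items():
        if len(times) < BEACON_MIN_QUERIES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        if stdev / mean <= BEACON_MAX_JITTER:
            findings.append(_finding("c2_beaconing", ip, "medium",
                                     {"query_name": name, "count": len(times), "interval_s": round(mean, 1)}))
    return findings


def run_detection(logs):
    """Apply the three rules to a batch in the ingest format and return all findings."""
    return detect_dga(logs) + detect_tunneling(logs) + detect_beaconing(logs)


def sample_logs():
    """Constructed batch: a DGA-like client, one tunneling query, a beaconing client and a benign one."""
    t0 = datetime(2024, 11, 22, 10, 30, 0)

    def entry(sec, ip, name, code="NOERROR", qtype="A"):
        return {"timestamp": (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "client_ip": ip, "query_name": name, "query_type": qtype, "response_code": code}

    logs = [entry(i, "10.0.0.5", f"q{i:02d}xkz.net", "NXDOMAIN" if i < 15 else "NOERROR") for i in range(20)]
    logs.append(entry(30, "10.0.0.7", "abcdefghijklmnopqrstuvwxyz0123456789abcdef.t.example", qtype="TXT"))
    logs += [entry(60 * i, "10.0.0.9", "update.example.net") for i in range(6)]
    logs += [entry(5 + i, "192.168.1.100", n) for i, n in enumerate(["example.com", "example.org", "example.net"])]
    return logs


if __name__ == "__main__":
    for f in run_detection(sample_logs()):
        print(f["severity"], f["rule"], f["technique"], f["client_ip"], f["evidence"])
```

Each finding carries the technique ID from the table, so the output can be joined against the `/api/v2/logs/threats` results when comparing a local rule set with the service's verdicts. Real traffic needs the thresholds tuned per environment; a resolver serving a busy mail gateway, for instance, legitimately produces a high NXDOMAIN rate from reverse lookups.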
6. Executive Reporting
GET /api/v2/logs/report/executive?hours={hours}
Report Contents
- Query volume summary
- Threat summary by severity (critical/high/medium/low)
- Top domains with classifications
- Malicious domain count
- Recommendations
Performance Considerations
| Feature | Limit | Notes |
|---|---|---|
| Log ingestion | 10,000 logs/request | Batch for optimal performance |
| Detection window | Configurable | Default 5 minutes |
| Data retention | 90 days | Partitioned by month |
Integration Examples
BIND Integration
```conf
logging {
    channel dnsscience {
        file "/var/log/named/queries.log";
        print-time yes;
        print-category yes;
    };
    category queries { dnsscience; };
};
```
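The BIND channel above writes query lines in BIND 9's query-log format, not in the JSON entry format the ingest endpoint expects, so something has to translate between them. The following is an added example (not part of the page or the service) that parses lines as written with `print-time yes; print-category yes;` into ingest entries. The sample lines are constructed; the parser assumes BIND's clock is UTC, and it omits `response_code` and `response_ip` because the `queries` category records the question only, not the answer.

```python
import re
from datetime import datetime

# BIND 9 query-log line with print-time and print-category on (print-severity off,
# so no "info:" token). The "@0x..." client handle is optional across BIND versions.
_QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[^#\s]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)


def parse_query_line(line: str):
    """Turn one BIND query-log line into an ingest entry, or return None if it does not match."""
    m = _QUERY_LINE.match(line.strip())
    if not m:
        return None
    # Assumption: named logs in UTC, so the local timestamp maps directly onto the "Z" form.
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return {
        "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "client_ip": m["client"],
        "query_name": m["name"].rstrip(".").lower(),  # normalise case and trailing dot
        "query_type": m["qtype"],
        # response_code / response_ip are not present in the queries category.
    }


def bind_lines_to_entries(lines):
    """Parse many lines; returns (entries, skipped) where skipped counts non-matching lines."""
    entries, skipped = [], 0
    for line in lines:
        entry = parse_query_line(line)
        if entry is None:
            skipped += 1
        else:
            entries.append(entry)
    return entries, skipped


# Constructed sample lines in the format the channel above produces.
SAMPLE_LINES = [
    "22-Nov-2024 10:30:00.123 queries: client @0x7f0e1c0a1b20 192.168.1.100#54321 (example.com): "
    "query: example.com IN A +E(0)K (10.0.0.1)",
    "22-Nov-2024 10:30:01.456 queries: client @0x7f0e1c0a1b20 192.168.1.101#40011 (Mail.Example.org.): "
    "query: Mail.Example.org. IN MX -ED (10.0.0.1)",
    "22-Nov-2024 10:30:02.000 queries: client 2001:db8::42#5353 (example.net): "
    "query: example.net IN AAAA + (10.0.0.1)",
    "22-Nov-2024 10:30:02.500 general: zone example.com/IN: loaded serial 2024112201",
]

if __name__ == "__main__":
    entries, skipped = bind_lines_to_entries(SAMPLE_LINES)
    print(f"{len(entries)} entries, {skipped} skipped")
    for e in entries:
        print(e)
```

The entries this produces can be posted to `/api/v2/logs/ingest/{source_id}` as the `logs` array; for response codes, BIND's separate response logging (or a resolver that records answers) is needed.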
Syslog Integration
```conf
# /etc/rsyslog.d/dnsscience.conf
:programname, isequal, "named" action(
    type="omhttp"
    server="api.dnsscience.io"
    ...
)
```
API Endpoints Summary
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v2/logs/sources | List log sources |
| POST | /api/v2/logs/sources | Create log source |
| POST | /api/v2/logs/ingest/{id} | Ingest logs |
| GET | /api/v2/logs/stats | Get statistics |
| GET | /api/v2/logs/top-domains | Top domains |
| GET | /api/v2/logs/top-clients | Top clients |
| POST | /api/v2/logs/classify | Classify domain |
| POST | /api/v2/logs/detect/{id} | Run detection |
| GET | /api/v2/logs/threats | Get threats |
| GET | /api/v2/logs/threats/client/{ip} | Client threats |
| GET | /api/v2/logs/report/executive | Executive report |