[ Top | Up | Prev | Next | Map | Index ]

Analog 6.0: DNS lookups

Sometimes a logfile contains numerical IP addresses - like - for the computers that have visited you, instead of names like lion.statslab.cam.ac.uk. This section describes how you can get analog to do so-called DNS lookups to translate these numbers into names. This relies on you having a suitably configured system: DNS lookups are not possible on some systems.

First a note. Because analog's DNS lookups use only standard, platform-independent code, they are slower than lookups optimised for particular platforms. (This is especially true on platforms without the DNSTIMEOUT command described below.) So if you are doing DNS lookups regularly, you will probably be better off using one of the many specialist DNS lookup programs which you can find on the helper applications page.

DNS lookups are typically rather slow, because your computer has to ask across the network to find out the names of the hosts. For this reason, analog saves the addresses it has looked up in a file, so that you don't have to look them up again next time. The file is specified by a command like
DNSFILE dnscache
You will still need to use one of the commands in the next paragraph in order to actually use the file. If the name of the DNSFILE doesn't include a directory, it will be looked for wherever analog expects to find its DNS files. (This location is built in when the program is compiled.) For example, on Windows it would be in the same folder as the analog executable.

There are four possible levels of DNS activity. If you specify DNS NONE, no numerical addresses will be resolved. If you specify DNS READ, then analog will read the DNS file for old lookups, but no new lookups will take place. This mode is suitable if you are running analog while not connected to the internet. The third level is DNS WRITE. This reads the old file, looks up new addresses, and adds them to the file. (The first time you use DNS WRITE, you will get a missing-file warning as it tries to read the old file, but it will exist the next time.) The final level is DNS LOOKUP. This reads the old file and looks up new addresses, but doesn't add the new addresses to the file, so that they will not be remembered for next time. This is not normally a level that the user wants to specify, but analog will switch to this the behaviour if DNS WRITE fails for some reason.

If you are using a HOSTEXCLUDE command, you need to exclude the numerical IP address if it can't be resolved, or the name if it can. In other words, exclude whatever the host is known as in the Host Report.

If two copies of analog were allowed to write to the DNS file at the same time, the file could become corrupted. So when analog is running in DNS WRITE mode, it creates a lock file which tells other copies of analog to back off to DNS LOOKUP. You can change the location of that file with the command
Of course you should make sure that all copies of analog use the same lock file, at least if they have the same DNS file! Again, if the name of the DNSLOCKFILE doesn't include a directory, it will put in a canonical location, specified when the program was compiled.

If analog crashes, it may not clear up the lock file, so in that case you may have to delete it yourself. (Disclaimer: on some systems, race conditions may occasionally thwart this mechanism, but this is very unlikely.)

Analog never deletes anything from the DNS file: this means that the DNS file will grow, and can become quite large. You should delete the top of it every so often. There is a program on the helper applications page to help you do this more systematically.

There are two parameters which say how long to trust old lookups for. If you set

for example, then successful lookups will be checked again after 672 hours (4 weeks). You can also set the DNSBADHOURS similarly, to check failed lookups again after a certain time. By default the DNSBADHOURS is 336 (2 weeks) and the DNSGOODHOURS is a very large number (so that successful lookups are never rechecked, as long as they remain in the DNS file).

On some platforms (maybe only Unix) you can set a parameter called DNSTIMEOUT. If the DNS server still hasn't returned a reply within this many seconds, then the lookup will be aborted. However, this feature is off by default, because it breaks DNS lookups on many platforms. (The symptom is that the first few lookups succeed, but after a while, all lookups fail). If you try it, monitor it, and turn it off again if it causes problems.

Finally, there is a debugging command, DEBUG +D to show all the DNS lookups that analog is making.

Normally you need never write a DNS file: you should rely on analog to do it for you. But in case you need to know, the format of the file is
timestamp IP_address name
where the timestamp is the number of minutes since the beginning of 1970, GMT (i.e., "Unix time" divided by 60), and the name is just * if the address couldn't be resolved.
Go to the analog home page.

Stephen Turner
19 December 2004

Need help with analog? Use the analog-help mailing list.

[ Top | Up | Prev | Next | Map | Index ]