Profiling DNS Logs

Source: Internet
Author: User

While the DNS server is running, it generates a set of LOG_INFO-level log entries every hour, shown below, to report its running status:
Dec 26 10:23:52 www named[1033]: cleaned cache of RRset
Dec 26 10:23:52 www named[1033]: USAGE 977797432 976760631 cpu=6.55u/6.24s child cpu=0u/0s
Dec 26 10:23:52 www named[1033]: nstats 977797432 976760631 0=2 a=13192
cname=321 ptr=11204 mx=1173 txt=4 aaaa=32 any=4956
Dec 26 10:23:52 www named[1033]: xstats 977797432 976760631 rr=7629 rnxd=1368
rfwdr=4836 rdupr=51 rfail=159 rferr=0 rerr=12 raxfr=0 rlame=175 ropts=0
ssysq=2082 sans=26234 sfwdq=4520 sdupq=1263 serr=0 rq=30889 riq=4 rfwdq=0
rdupq=259 rtcp=2 sfwdr=4836 sfail=6 sferr=0 snaans=21753

Let's step through these lines one by one:
1. Dec 26 10:23:52 www named[1033]: cleaned cache of RRset
This is the first line of each set of log entries, indicating that the cache is being cleaned.
Where:
Dec 26 10:23:52: the time the log entry was generated
www: the name of the computer on which the DNS server runs
named[1033]: the DNS server process name and process ID
cleaned cache of RRset: indicates that the cache is being cleaned
2. Dec 26 10:23:52 www named[1033]: USAGE 977797432 976760631 cpu=6.55u/6.24s child cpu=0u/0s
This is the USAGE line, which records the CPU time the DNS server has consumed.
Where:
Dec 26 10:23:52: the time the log entry was generated
www: the name of the computer on which the DNS server runs
named[1033]: the DNS server process name and process ID
USAGE: the line tag
977797432 976760631: 977797432-976760631 is the total number of seconds the DNS server has been running
cpu=6.55u/6.24s: the DNS server has used 6.55 seconds in user state and 6.24 seconds in system state (u stands for user, s for system)
child cpu: the CPU usage of the DNS server's child processes
3. Dec 26 10:23:52 www named[1033]: nstats 977797432 976760631 0=2
cname=321 ptr=11204 mx=1173 txt=4 aaaa=32 any=4956
This is the nstats line, which counts the queries received, by type.
Where:
Dec 26 10:23:52: the time the log entry was generated
www: the name of the computer on which the DNS server runs
named[1033]: the DNS server process name and process ID
nstats: the line tag
977797432 976760631: 977797432-976760631 is the total number of seconds the DNS server has been running
0=2: 2 DNS queries of unknown type
a=13192: 13,192 A (address) queries (the most standard type)
cname=321: 321 CNAME queries (generally, some versions of sendmail issue CNAME queries to canonicalize email addresses; they are also issued by dig or nslookup)
ptr=11204: 11,204 pointer queries (many programs use this method to look up an IP address)
mx=1173: 1173 mail exchanger queries (initiated by mail-sending programs)
txt=4: 4 text queries issued by applications
aaaa=32: 32 AAAA queries
any=4956: 4,956 ANY queries (some versions of sendmail use this kind of address query)
Note: the following may also appear:
ns=XX: name server queries (for example, when a name server first tries to find the servers for the root domain)
soa=XX: secondary DNS updates
hinfo=XX: host information queries
nsap=XX: queries that map a domain name to an OSI Network Service Access Point address
axfr=XX: zone transfers for secondary DNS
These do not appear in this example.
4. Dec 26 10:23:52 www named[1033]: xstats 977797432 976760631 rr=7629
rfwdr=4836 rdupr=51 rfail=159 rferr=0 rerr=12 raxfr=0 rlame=175 ropts=0 ssysq=2082
sans=26234 sfwdq=4520 sdupq=1263 serr=0 rq=30889 riq=4
rdupq=259 rtcp=2
sfwdr=4836 sfail=6 sferr=0 snaans=21753 snxd=10276
This is the xstats line, which records a number of other statistics.
Where:
Dec 26 10:23:52: the time the log entry was generated
www: the name of the computer on which the DNS server runs
named[1033]: the DNS server process name and process ID
xstats: the line tag
977797432 976760631: 977797432-976760631 is the total number of seconds the DNS server has been running
rr=7629: 7,629 responses were received from other hosts (the number of responses to queries this DNS server sent to other machines or processes; independent of rq)
rnxd=1368: 1368 "no such domain" answers were received
rfwdr=108: 108 responses to original queries were received
rdupr=51: 51 duplicate responses (a response counts as a duplicate when the DNS server cannot find the original query that caused it in its list of pending queries)
rfail=159: 159 SERVFAIL (remote server error) responses were received
rferr=0: no FORMERR was received (FORMERR means the remote name server considers the local name server's query to be malformed)
rerr=12: 12 errors other than SERVFAIL and FORMERR were received
raxfr=0: 0 secondary zone transfers in total
rlame=175: 175 lame delegations were received (meaning that a zone is delegated to some other name server, and that name server is not authoritative for the zone)
ropts=0: 0 packets with IP options were received
ssysq=2082: 2,082 system queries were sent (system queries are queries originated by the local name server; most of them are for the root name servers)
sans=26234: 26,234 queries were answered
sfwdq=4520: 4,520 queries could not be answered by this name server and were forwarded
sdupq=1263: 1263 duplicate queries
serr=0: total number of SERVFAIL, FORMERR errors sent
rq=30889: 30,889 queries were received
riq=4: 4 inverse queries were received (an inverse query maps an address to a name; this function is now implemented by PTR. Earlier versions of nslookup used this query)
rfwdq=0: no queries that needed further processing
rdupq=259: 259 duplicate queries in total
rtcp=2: 2 queries were received over a TCP connection (UDP is typically used)
sfwdr=4836: 4,836 responses from other name servers
sfail=6: 6 responses sent that are considered SERVFAIL
sferr=0: number of responses sent that are considered FORMERR
snaans=21753: 21753 non-authoritative answers in total
snxd=10276: 10,276 "no such domain" answers were sent

These statistics are cumulative totals from the time the DNS server was started up to the present, not statistics for the current hour. How do you measure the load on a DNS server? Quite simply: divide the total number of queries by the total time the DNS server has been running. In this example, the DNS server has been running for:
977797432-976760631=1036801 seconds = 288 hours
Note: this can be obtained from lines 2, 3 and 4.
The total number of query requests is: 2+13192+321+11204+1173+4+32+4956=20884
Note: this can be obtained from line 2. That is 107 query requests per hour, less than 2 per second, so the load is evidently quite small.
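
The calculation above can be scripted. The following is an added example, not part of the original article: it parses the nstats/xstats lines, computes the average load the same way, and goes one step further by subtracting two consecutive snapshots to get the per-hour figures that the cumulative counters do not show directly. The function names and the NEXT_HOUR line are constructed for this example.

```python
import re

# Lines from the excerpt above (wrapped lines re-joined). NEXT_HOUR is constructed
# for this example: a later snapshot written by the same named process.
SAMPLE = (
    "Dec 26 10:23:52 www named[1033]: USAGE 977797432 976760631 cpu=6.55u/6.24s child cpu=0u/0s\n"
    "Dec 26 10:23:52 www named[1033]: nstats 977797432 976760631 0=2 a=13192 "
    "cname=321 ptr=11204 mx=1173 txt=4 aaaa=32 any=4956\n"
)
NEXT_HOUR = (
    "Dec 26 11:23:52 www named[1033]: nstats 977801032 976760631 0=2 a=13250 "
    "cname=321 ptr=11240 mx=1180 txt=4 aaaa=32 any=4960\n"
)

STATS_RE = re.compile(r"named\[\d+\]: (nstats|xstats) (\d+) (\d+) (.*)$")

def parse_stats(text):
    """Map each statistics tag to its two timestamps and its key=value counters."""
    snapshots = {}
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue  # USAGE, "cleaned cache" and unrelated syslog lines
        tag, now, boot, rest = m.groups()
        counters = {}
        for field in rest.split():
            key, sep, value = field.partition("=")
            if sep and value.isdigit():
                counters[key] = int(value)
        snapshots[tag] = {"now": int(now), "boot": int(boot), "counters": counters}
    return snapshots

def average_load(nstats):
    """Return (running seconds, total queries, queries per hour) since startup."""
    uptime = nstats["now"] - nstats["boot"]
    total = sum(nstats["counters"].values())
    return uptime, total, total * 3600 / uptime

def interval_delta(prev, cur):
    """Per-interval counts; a changed start time means named restarted and reset."""
    if prev["boot"] != cur["boot"]:
        return dict(cur["counters"])
    return {k: v - prev["counters"].get(k, 0) for k, v in cur["counters"].items()}

if __name__ == "__main__":
    first = parse_stats(SAMPLE)["nstats"]
    later = parse_stats(NEXT_HOUR)["nstats"]
    print(average_load(first))
    print(interval_delta(first, later))
```

For the nstats line shown in the article, average_load returns a running time of 1036801 seconds and a counter sum of 30884, which is the total that corresponds to the 107 queries per hour quoted above.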
