Persistent Threat Detection on a Budget

It’s staggering to me how few security teams have gotten wise to regularly interrogating the logs from their recursive DNS servers. In many ways DNS logging can be considered sprinkling flour on the floor to track the footsteps of the culprit who’s been raiding the family fridge. Each step leaves a visible impression of where and how the intruder navigated the kitchen, and their shoe size.

via Persistent Threat Detection on a Budget « Damballa.

To turn on logging in bind use:

# rndc querylog

This writes every query named receives to syslog, which on most systems lands in /var/log/messages. Note that rndc querylog is a toggle: running it a second time turns query logging off again. From there, just grep for named and pipe the lines into a custom perl script or whatever to check each queried name against a blacklist.

# grep named /var/log/messages | run_my_blacklist_script.pl
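As an added example (not from the original post), here is what that blacklist script can look like in Python rather than perl. It assumes the BIND 9 query-log line shape `client IP#port: query: NAME CLASS TYPE ...` (with or without the `(name)` after the port that newer versions add), reads the grepped lines on stdin, and also flags subdomains of a blacklisted domain, not just exact matches. The blacklist entries and log lines are constructed for the demo.

```python
import re
import sys
from typing import List, Optional, Set, Tuple

# Assumed BIND 9 query-log body: "client IP#port[ (name)]: query: NAME CLASS TYPE flags".
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.NET.' equals 'evil.example.net'."""
    return name.lower().rstrip(".")


def blocklist_match(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname (exact name or any parent domain), else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_lines(lines, blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_entry) for every logged query that hits the blocklist."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # named logs plenty of non-query lines; skip them
        entry = blocklist_match(m.group("qname"), blocklist)
        if entry:
            hits.append((m.group("client"), normalize(m.group("qname")), entry))
    return hits


# Constructed blacklist and syslog lines for the demo (not real indicators).
BLOCKLIST = {"evil.example.net", "c2.example.org"}
SAMPLE_LOG = """\
Mar  3 12:00:01 ns1 named[1234]: client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
Mar  3 12:00:02 ns1 named[1234]: client 10.0.0.7#40001: query: beacon.EVIL.example.net. IN TXT - (10.0.0.1)
Mar  3 12:00:03 ns1 named[1234]: client 10.0.0.9#40002 (c2.example.org): query: c2.example.org IN A + (10.0.0.1)
Mar  3 12:00:04 ns1 named[1234]: zone example.com/IN: loaded serial 42
""".splitlines()

if __name__ == "__main__":
    # Read grepped lines from a pipe; fall back to the constructed sample when run interactively.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for client, qname, entry in scan_lines(source, BLOCKLIST):
        print(f"{client} queried {qname} (blacklisted: {entry})")
```

Run it as `grep named /var/log/messages | python3 dns_blacklist.py` (file name is your choice); the parent-domain check is what catches `beacon.evil.example.net` when only `evil.example.net` is on the list.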