Tuesday, November 17, 2015

Splunk app for Stream for passive DNS monitoring

This is a killer app.

Forget everything I said in my last blog article.

Drop the Splunk App for Stream into your system, put a Stream forwarder on your DNS server (or inline between it and its clients), and look at the pretty pictures.

(Snip of the full page; there are also tables on domains and so forth.)

For added value, the app appears to be CIM (Common Information Model) compliant, so you can also use e.g. PCAP Analyzer and the Splunk DBIR App with the feed.

I'll dive into this some more later on with examples of using it for analytics, e.g. checking for Zeus infections and so forth.
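As an added illustration of the kind of passive DNS analytic the feed makes possible (this is example code, not from the post or from Splunk), the script below scores each client by its NXDOMAIN ratio and the randomness of the names it asks for, the pattern that DGA-style malware leaves in DNS logs. The event records and their field names (`src_ip`, `query`, `reply_code`) are constructed and only loosely modelled on Stream's DNS output; the thresholds are illustrative.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events; field names and reply-code strings are assumptions,
# loosely modelled on what a DNS stream event might carry, not the app's schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "query": "www.example.com", "reply_code": "NoError"},
    {"src_ip": "10.0.0.5", "query": "mail.example.com", "reply_code": "NoError"},
    {"src_ip": "10.0.0.9", "query": "kq3v9zx1pw7b.info", "reply_code": "NXDomain"},
    {"src_ip": "10.0.0.9", "query": "x8f2mz0qlt4d.info", "reply_code": "NXDomain"},
    {"src_ip": "10.0.0.9", "query": "r7hd3nv6yb2c.biz", "reply_code": "NXDomain"},
    {"src_ip": "10.0.0.9", "query": "www.example.com", "reply_code": "NoError"},
]

def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def second_level_label(domain):
    """Label directly below the TLD ("example" for www.example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def summarise_clients(events):
    """Per-client query count, NXDOMAIN count and per-query label entropies."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropies": []})
    for ev in events:
        s = stats[ev["src_ip"]]
        s["queries"] += 1
        if ev["reply_code"] == "NXDomain":
            s["nxdomain"] += 1
        s["entropies"].append(shannon_entropy(second_level_label(ev["query"])))
    return stats

def flag_suspicious(events, nx_ratio=0.5, min_entropy=3.0, min_queries=3):
    """Flag clients with many NXDOMAINs for random-looking names (illustrative thresholds)."""
    flagged = {}
    for ip, s in summarise_clients(events).items():
        if s["queries"] < min_queries:
            continue  # too few queries to judge
        ratio = s["nxdomain"] / s["queries"]
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        if ratio >= nx_ratio and mean_ent >= min_entropy:
            flagged[ip] = {"nx_ratio": round(ratio, 2), "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for ip, score in flag_suspicious(SAMPLE_EVENTS).items():
        print(f"{ip}: {score}")
```

In practice the same aggregation (NXDOMAIN ratio and label entropy per `src_ip` over a time window) is what you would express as a scheduled search over the Stream DNS events rather than in Python.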