while I'm at sharing bro related stuff, I've got a setup here
that parses bro's DNS log in real time and updates the database
of a local DNS server (powerdns with mysql backend) so as to
provide with more useful PTR records.
$ tail -1 dns.log
1345732627.030897 jUJU3ZwGOv4 x.x.x.x 54866 x.x.x.x 53 udp 44687 static.ak.facebook.com 1 C_INTERNET 1 A 0 NOERROR F F F T T 0 static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,184.108.40.206,220.127.116.11 3364.000000,348.000000,15.000000,15.000000
$ dig -x 18.104.22.168 +short
For many "cloud" IP addresses, it won't necessarily be useful,
but in many cases, it gives more useful information than the
real PTR record.
Above, it tells us that 22.214.171.124 was last the result of a
query for an A record for static.ak.facebook.com (at 14:37:07),
and it gives you the result of the geoiplookup.
It can be generalised for other things (like for internal IP
addresses, I use other sources of information to feed the
If anybody is interested, I can post the instructions on how to
set it up along with the small perl script that parses the bro
dns logs here or on github.
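As an added illustration (my own sketch, not the poster's perl script), here is the log-to-PTR step in Python: it parses a Bro 2.x dns.log record of the shape quoted above, turns every A/AAAA answer address into an in-addr.arpa owner name pointing at the queried name, and keeps the most recent query per address, which is what the PTR text above reflects. The column order and the tab-separated sample are assumptions taken from the quoted record; the write to the powerdns MySQL table is only indicated in a comment.

```python
import ipaddress
from datetime import datetime, timezone

# Bro 2.x dns.log columns, taken from the 23-field record quoted in the post.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id "
          "query qclass qclass_name qtype qtype_name rcode rcode_name "
          "QR AA TC RD RA Z answers TTLs").split()

# Constructed sample: the post's record re-joined with tabs (real dns.log is TSV).
SAMPLE_LINE = "\t".join((
    "1345732627.030897", "jUJU3ZwGOv4", "x.x.x.x", "54866", "x.x.x.x", "53",
    "udp", "44687", "static.ak.facebook.com", "1", "C_INTERNET", "1", "A",
    "0", "NOERROR", "F", "F", "F", "T", "T", "0",
    "static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,"
    "184.108.40.206,220.127.116.11",
    "3364.000000,348.000000,15.000000,15.000000"))

def parse_line(line):
    """One dns.log line -> dict; None for '#' header lines or odd rows."""
    if line.startswith("#"):
        return None
    cols = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, cols)) if len(cols) == len(FIELDS) else None

def ptr_records(rec):
    """Yield (ptr_owner, query_name, ts) for each address in a NOERROR A/AAAA answer.
    CNAME names in the answer chain are skipped: only addresses get a reverse record."""
    if rec["rcode_name"] != "NOERROR" or rec["qtype_name"] not in ("A", "AAAA"):
        return
    for ans in rec["answers"].split(","):
        try:
            owner = ipaddress.ip_address(ans).reverse_pointer
        except ValueError:
            continue  # e.g. a749.dsw4.akamai.net is a CNAME target, not an address
        yield owner, rec["query"], float(rec["ts"])

def update_table(table, lines):
    """Fold lines into {ptr_owner: (query_name, ts)}, keeping the latest query per
    address; a deployment would run the matching INSERT/UPDATE on powerdns here."""
    for line in lines:
        rec = parse_line(line)
        for owner, name, ts in ptr_records(rec) if rec else ():
            if owner not in table or table[owner][1] < ts:
                table[owner] = (name, ts)
    return table

def last_seen(ts):
    """Bro timestamp -> UTC HH:MM:SS, e.g. the 14:37:07 quoted in the post."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%H:%M:%S")
```

Feeding `tail -f dns.log` into `update_table` gives the real-time behaviour described; the header lines Bro writes are ignored by `parse_line`.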