Add DNS first-seen and last-seen history

README.md

@@ -39,3 +39,18 @@ make
 ## Usage
 
 For comprehensive help, use `dooked --help`
+
+### Record history fields
+
+JSON output includes `first-seen`, `last-seen`, and `seen` fields for each
+record. When a previous JSON output is passed back into `dooked`, records that
+are not present in the latest run are preserved with their last observed
+timestamp so rotating responses can be tracked over time.
+
+Useful reporting options:
+
+```
+--fs                 show records seen for the first time
+--ls 2               show records not seen for at least 2 days
+--lsd 05/01/2026    show records not seen since a US date
+```

dooked/include/cli_preprocessor.hpp

@@ -2,6 +2,7 @@
 
 #include "dns/dns_resolver.hpp"
 #include "utils/io_utils.hpp"
+#include <ctime>
 #include <thread>
 
 // maximum sockets to open regardless of the number of threads
@@ -24,7 +25,10 @@ struct cli_args_t {
   int post_http_request{};
   int thread_count{};
   int content_length{-1};
+  int last_seen_days{-1};
   bool include_date{false};
+  bool report_first_seen{false};
+  std::string last_seen_date{};
 };
 
 struct runtime_args_t {
@@ -36,6 +40,8 @@ struct runtime_args_t {
   http_process_e http_request_time_{};
   int thread_count{};
   int content_length{-1};
+  bool report_first_seen{false};
+  std::optional<std::time_t> last_seen_before{};
 };
 
 void run_program(cli_args_t const &cli_args);

dooked/include/utils/exceptions.hpp

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <stdexcept>
+#include <string>
 
 namespace dooked {
 

dooked/include/utils/io_utils.hpp

@@ -26,6 +26,9 @@ void trim(std::string &);
 struct json_data_t {
   std::string domain_name{};
   std::string rdata{};
+  std::string first_seen{};
+  std::string last_seen{};
+  int seen{};
   int ttl{};
   int http_code{};
   int content_length{};
@@ -40,6 +43,18 @@ struct json_data_t {
         dns_str_to_record_type(json_object["type"].get<json::string_t>());
     data.rdata = json_object["info"].get<json::string_t>();
     data.ttl = json_object["ttl"].get<json::number_integer_t>();
+    if (auto const iter = json_object.find("first-seen");
+        iter != json_object.end() && iter->second.is_string()) {
+      data.first_seen = iter->second.get<json::string_t>();
+    }
+    if (auto const iter = json_object.find("last-seen");
+        iter != json_object.end() && iter->second.is_string()) {
+      data.last_seen = iter->second.get<json::string_t>();
+    }
+    if (auto const iter = json_object.find("seen");
+        iter != json_object.end() && iter->second.is_number_integer()) {
+      data.seen = iter->second.get<json::number_integer_t>();
+    }
     data.content_length = len;
     data.http_code = http_code;
     return data;

dooked/include/utils/probe_result.hpp

@@ -10,6 +10,9 @@ bool case_insensitive_compare(std::string const &, std::string const &);
 
 struct probe_result_t {
   std::string rdata{};
+  std::string first_seen{};
+  std::string last_seen{};
+  int seen{};
   dns_record_type_e type{}; // RR TYPE (2 octets)
   std::uint32_t ttl{};      // time to live(4 octets)