Getting Data In

DNS debug log dns.log Format Review

landen99
Motivator

I am looking for a solid understanding of the fields in the DNS packet logs. I have included information from what I have already learned in the hopes that it helps others and that it helps with discovering the meanings of other fields. My primary fields of interest are: 710/714, 0000000028FB94C0/000000002CC599A0, Snd/Rcv, 8857/3434, 0080/1001, and "D". I understand UDP is the protocol and "R Q" means reply and " Q" means query.

Packet Log Examples

Date and Time             Type                     Prot Dir Query, Reply IP      R/Q             Flag     Record Domain
4/15/2014 3:16:00 PM 0710 PACKET  0000000028FB94C0 UDP  Rcv 69.160.33.71    8857 R Q [0080       NOERROR] A      .ns1.offeringsmislead.com.
4/21/2014 7:18:36 AM 0714 PACKET  000000002CC599A0 UDP  Snd 8.8.8.8         3434   Q [1001   D   NOERROR] A      .cdn-controltag.krxd.net.

The following code illustrates the format and location for the fields before and after the PACKET field, 0710/0714 and 0000000028FB94C0/000000002CC599A0:

0710 PACKET  0000000028FB94C0
0714 PACKET  000000002CC599A0

The following code reveals the fields before and after the DNS Type [R Q] field, 8857/3434, 0080/1001, and "D":

8857 R Q [0080 
3434   Q [1001   D
1 Solution

landen99
Motivator

The resources at http://technet.microsoft.com/en-us/library/cc772774(v=ws.10).aspx have explained many of the fields but a few remain a mystery to me and may prove a useful resource to you.

Information: DNS Update Message Flags

0   (NOERROR)  No error; successful update.
1   (FORMERR)  Format error; DNS server did not understand the update request.
0x2 (SERVFAIL) DNS server encountered an internal error, such as a forwarding timeout
0x3 (NXDOMAIN) A name that should exist does not exist.
0x4 (NOTIMP)   DNS server does not support the specified Operation code.
0x5 (REFUSED)  DNS server refuses to perform the update because
0x6 (YXDOMAIN) A name that should not exist does exist.
0x7 (YXRRSET)  A resource record set that should not exist does exist.
0x8 (NXRRSET)  A resource record set that should exist does not exist.
0x9 (NOTAUTH)  DNS server is not authoritative for the zone named in the Zone section.
0xA (NOTZONE)  A name used in the Prerequisite or Update sections is not within the zone specified by the Zone section.

Information: Record Type

A     0x01 Host (A) record                    For mapping a DNS domain name to an IP address used by a computer.
NS    0x02 Name server (NS) record            For mapping a DNS domain name to the name of a computer that operates the network name service.
CNAME 0x05 Alias (CNAME) record               For mapping an alias DNS domain name to another primary or canonical name.
PTR   0x0C (12)  Reverse-lookup (PTR) record  For mapping a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
MX    0x0F (15)  Mail exchange (MX) record    For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
SRV   0x21 (33)  Service (SRV) record         For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
IXFR  0xFB (251) Incremental zone transfer (IXFR) record
AXFR  0xFC (252) Standard zone transfer (AXFR) record
All   0xFF (255) All records Domain

Information: UDP and TCP Port Assignments for DNS Servers

Traffic Type                    Source of Transmission   Source Port     Destination of Transmission     Destination Port
Queries from local DNS server   Local DNS server          1023+           Any remote DNS server           53
Responses to local DNS server   Any remote DNS server     53              Local DNS server                1023+
Queries from remote DNS server  Any remote DNS server     1023+           Local DNS server                53
Responses to remote DNS server  Local DNS server          53              Any remote DNS server           1023+

http://stratumsecurity.com/2012/07/03/splunk-security/
Helping with the awkward domain formatting:

[MSAD:NT6:DNS]
 SEDCMD-win_dns = s/\(\d+\)/./g


jmsiegma
Path Finder

In case this helps anyone for Microsoft DNS Logs:

props.conf:

EXTRACT-windows_dns_000001 = (?<thread_id>[0-9A-Fa-f]{4}) (?<Context>[^\s]+)\s+(?<internal_packet_id>[0-9A-Fa-f]+) (?<protocol>UDP|TCP) (?<direction_flag>Snd|Rcv) (?<client_ip>[0-9\.]+)\s+(?<xid>[0-9A-Fa-f]+) (?<type>[R\s]{1}) (?<opcode>[A-Z\?]{1}) \[(?<flags>[0-9A-Fa-f]+) (?<flagAuthoritativeAnswer>[A\s]{1})(?<flagTruncatedResponse>[T\s]{1})(?<flagRecursionDesire>[D\s]{1})(?<flagRecursionAvailable>[R\s]{1})\s+(?<response_code>[^\]]+)\]\s+(?<query_type>[^\s]+)\s+(?<query_name>[^/]+)

EXTRACT-windows_dns_000010 = ([a-zA-Z0-9\-\_]+)\([0-9]+\)(?<tld>[a-zA-Z0-9\-\_]+)\(0\)$
EXTRACT-windows_dns_000020 = \([0-9]+\)(?<domain>[a-zA-Z0-9\-\_]+\([0-9]+\)[a-zA-Z0-9\-\_]+)\(0\)$
EXTRACT-windows_dns_000030 = \s\([0-9]+\)(?<hostname>[a-zA-Z0-9\-\_]+)\(0\)$
EVAL-domain = replace(domain, "([\(0-9\)]+)", ".")
EVAL-query_domain = ltrim(replace(query_name, "(\([\d]+\))", "."),".")
EVAL-type_msg = case(type="R", "Response", isnull(type), "Query")
EVAL-opcode_msg = case(opcode="Q", "Standard Query", opcode="N", "Notify", opcode="U", "Update", opcode="?", "Unknown")
EVAL-direction = case(direction_flag="Snd", "Send", direction_flag="Rcv", "Received")
EVAL-decID = tonumber(xid, 16)

REPORT-win_dns = dns_string_lengths, dns_strings

FIELDALIAS-client_ip_src_ip = client_ip AS src_ip

transforms.conf:

[dns_string_lengths]
REGEX = \((\d+)\)
FORMAT = strings_len::$1
MV_ADD = true
REPEAT_MATCH = true

[dns_strings]
REGEX = \([0-9]+\)([a-zA-Z0-9\-\_]+)\([0-9]+\)
FORMAT = strings::$1
MV_ADD = true
REPEAT_MATCH = true

aakwah
Builder

Thanks @jmsiegma !

0 Karma

seadawg
Engager

The following is the header printed at the top of a DNS trace log:

Message logging key (for packets - other items use a subset of these fields):
        Field #  Information         Values
        -------  -----------         ------
           1     Date
           2     Time
           3     Thread ID
           4     Context
           5     Internal packet identifier
           6     UDP/TCP indicator
           7     Send/Receive indicator
           8     Remote IP
           9     Xid (hex)
          10     Query/Response      R = Response
                                     blank = Query
          11     Opcode              Q = Standard Query
                                     N = Notify
                                     U = Update
                                     ? = Unknown
          12     [ Flags (hex)
          13     Flags (char codes)  A = Authoritative Answer
                                     T = Truncated Response
                                     D = Recursion Desired
                                     R = Recursion Available
          14     ResponseCode ]
          15     Question Type
          16     Question Name

asieira
Path Finder

For the hostname regex, you need to handle the pointers in square brackets as well. See this for more details: http://stackoverflow.com/questions/20381717/windows-dns-server-debug-log-hostname-format

0 Karma

reswob4
Builder

Here is another resource: http://www.zytrax.com/books/dns/ch15/#name

0 Karma

johnebgood
Path Finder

Is there a way to log what IP was resolved from a DNS request?

0 Karma

landen99
Motivator

According to http://arstechnica.com/civis/viewtopic.php?t=1171606 (hex to decimal conversions included in order to determine their meaning/significance):

The field before PACKET was not identified: 0710 is 1808 and 0714 is 1812
The field after PACKET may be "UDP dns info location": 0000000028FB94C0 is 687576256 and 000000002CC599A0 is 751147424
The field before the DNS type may be the "XID" (as in 0x8857 is 34903 and 0x3434 is 13364)
The field after the DNS type may be "flags" abcd as 0xcdab (as in 0x8000 is 32768 and 0x0110 is 272)

0 Karma
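As an added example (not code from this thread or from Splunk), the Python parser below applies seadawg's field key to a raw packet line, converts the XID as in the post above, un-swaps the two bytes of the flags field per the "abcd as 0xcdab" observation and checks the result against the char-code column, and decodes the (length)label name format that the SEDCMD and transforms above rewrite, verifying each length instead of blindly replacing every parenthesised number. The two sample lines are constructed from the thread's examples; the field order and flag meanings are the ones the header key lists.

```python
import re
# Constructed sample lines (not real traffic) in the raw packet format of the
# Windows DNS debug log; names appear as the log writes them: (length)label...(0).
SAMPLE = [
    "4/15/2014 3:16:00 PM 0710 PACKET  0000000028FB94C0 UDP  Rcv 69.160.33.71    "
    "8857 R Q [0080       NOERROR] A      (3)ns1(16)offeringsmislead(3)com(0)",
    "4/21/2014 7:18:36 AM 0714 PACKET  000000002CC599A0 UDP  Snd 8.8.8.8         "
    "3434   Q [1001   D   NOERROR] A      (14)cdn-controltag(4)krxd(3)net(0)",
]
# Fields 1-16 of the "Message logging key" header, in order.
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<thread_id>[0-9A-Fa-f]{4}) (?P<context>\S+)\s+"
    r"(?P<packet_id>[0-9A-Fa-f]+) (?P<proto>UDP|TCP) +(?P<dir>Snd|Rcv) (?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4}) (?P<qr>[R ]) (?P<opcode>[A-Z?]) \[(?P<flags_hex>[0-9A-Fa-f]{4}) "
    r"(?P<flag_chars>[A ][T ][D ][R ])\s+(?P<rcode>[^\]]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)
# DNS header bits after swapping the two bytes of field 12 ("abcd as 0xcdab"), named by the
# field-13 char code each must agree with; QR is checked against field 10 (R or blank).
HEADER_BITS = {0x8000: "QR", 0x0400: "A", 0x0200: "T", 0x0100: "D", 0x0080: "R"}


def decode_name(raw: str) -> str:
    """Rebuild a dotted name from (len)label...(0), verifying each length so a label that
    itself contains digits or parentheses is not mis-split as a blind substitution would."""
    labels, pos = [], 0
    while pos < len(raw):
        m = re.match(r"\((\d+)\)", raw[pos:])
        if not m:
            raise ValueError(f"expected a (length) prefix at offset {pos}: {raw!r}")
        n, pos = int(m.group(1)), pos + m.end()
        if n == 0:
            break
        label = raw[pos:pos + n]
        if len(label) != n or raw[pos + n:pos + n + 1] not in ("(", ""):
            raise ValueError(f"length {n} does not fit the text at offset {pos}: {raw!r}")
        labels.append(label)
        pos += n
    return ".".join(labels)


def parse_packet(line: str) -> dict:
    m = PACKET_RE.match(line)
    if not m:
        raise ValueError("not a PACKET line: " + line)
    rec = m.groupdict()
    rec["xid_dec"] = int(rec["xid"], 16)                         # 8857 -> 34903
    word = int(rec["flags_hex"][2:] + rec["flags_hex"][:2], 16)  # "0080" -> 0x8000
    rec["flags"] = [name for bit, name in HEADER_BITS.items() if word & bit]
    # The swapped word must agree with field 13 (char codes) and field 10 (R / blank).
    expected = set(rec["flag_chars"].split()) | ({"QR"} if rec["qr"] == "R" else set())
    rec["flags_consistent"] = set(rec["flags"]) == expected
    rec["name"] = decode_name(rec["qname"])
    return rec
```

A line whose swapped flags word disagrees with its char codes, or whose name lengths do not add up, is worth surfacing in a dashboard rather than silently indexing, since either means the log format or the extraction regex has drifted.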