


isc bind query logs

New Member

What is the use of ISC BIND query logs and how do I interpret those logs?

Re: isc bind query logs

Superuser

Hello Guys,

This log represents an ‘event’ which was generated as a result of a DNS request initiated by a client, and that’s pretty much its use-case. It is represented as ‘query’ in the server’s logging category, and in a busy DNS environment with massive QPS numbers Infoblox would typically advise having this category turned off. That’s considering the performance impact on the server due to this extra job – it pulls resources. Here’s detailed info about it, as requested:

Example:


29-Mar-2019 07:35:14.790 client 10.120.21.39#35910: query: google.com IN MX + (10.35.101.18)

29-Mar-2019 07:16:18.877 client 10.36.148.6#52197: view 1: query: whatever.com IN TXT + (10.35.101.18)


Fields explained based on the example above:

| Field name | Data format / data example | Comments |
|---|---|---|
| Date | dd-Mmm-yyyy | This date/time is in host-local timezone |
| Time | hh:mm:ss.ms | This date/time is in host-local timezone |
| Client | 'client' 10.120.21.39#52864 | literal string 'client' followed by client IP address#port |
| View | 'view' [0-9]':' | optional field. If view is default, it's omitted |
| Query-start | 'query:' | literal string 'query:' |
| Query-name | cnn.com | |
| Query-class | 'IN' | Always 'IN' |
| Query-type | (A\|AAAA\|PTR\|TXT\|...) | Queried resource record type |
| Query-flags | [+-]SETDC | A sequence of letters which code query flags. If a flag is set, its letter is present; if the flag is cleared, the letter is not present. Example: recursive query over TCP '+T' |
| Query-server | '('10.35.101.18')' | IP address of the server which received this request |

Query-flags legend:

'+-' - '+' want recursion, '-' otherwise
'S' - TSIG
'E' - EDNS option set
'T' - TCP query
'D' - EDNS 'DO' flag set
'C' - 'CD' message flag set


I hope that’ll address your question.


Best regards.
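A small parser for the query-log format described in the reply above, added here as an example (not code from the original post or from Infoblox): it splits each line into its fields, decodes the flag letters into booleans, and tallies queries per client and per record type, which is the first thing you usually want from this log when reviewing client behaviour. The sample lines are constructed from the two in the post plus one extra line with more flags set.

```python
import re
from collections import Counter

# Regex for the BIND 'query' log line as laid out in the table above.
# The 'view N:' field is optional (omitted for the default view).
QUERY_LOG_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Z][a-z]{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][SETDC]*) \((?P<server_ip>[0-9a-fA-F.:]+)\)$"
)

# Flag letters from the legend, mapped to the field names used in the result.
FLAG_LETTERS = {"S": "tsig", "E": "edns", "T": "tcp", "D": "dnssec_do", "C": "cd"}

def parse_query_log(line):
    """Parse one query log line into a dict, or return None if it does not match."""
    m = QUERY_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    flags = rec.pop("flags")
    rec["recursion_desired"] = flags[0] == "+"   # leading '+' or '-'
    for letter, name in FLAG_LETTERS.items():
        rec[name] = letter in flags[1:]           # letter present => flag set
    rec["client_port"] = int(rec["client_port"])
    return rec

def summarize(lines):
    """Count queries per client IP and per query type; lines that don't parse are skipped."""
    per_client, per_type = Counter(), Counter()
    for line in lines:
        rec = parse_query_log(line)
        if rec is None:
            continue
        per_client[rec["client_ip"]] += 1
        per_type[rec["qtype"]] += 1
    return per_client, per_type

# Constructed sample input: the two lines from the post, one with '-ET' flags, one junk line.
SAMPLE_LINES = [
    "29-Mar-2019 07:35:14.790 client 10.120.21.39#35910: query: google.com IN MX + (10.35.101.18)",
    "29-Mar-2019 07:16:18.877 client 10.36.148.6#52197: view 1: query: whatever.com IN TXT + (10.35.101.18)",
    "29-Mar-2019 07:16:19.001 client 10.36.148.6#52198: query: example.com IN ANY -ET (10.35.101.18)",
    "this line is not a query log entry",
]

if __name__ == "__main__":
    per_client, per_type = summarize(SAMPLE_LINES)
    print(per_client.most_common(), per_type.most_common())
```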
