Hello Guys,
This log represents an ‘event’ which was generated as a result of a DNS request initiated by a client & that’s pretty much its use-case. It is represented as ‘query’ in the server’s logging category & in a busy DNS environment with massive QPS numbers, Infoblox typically would advise to have this category to be turned off. That’s considering the performance impact on the server due to this extra job – pulls resources. Here’s a detailed info about it as requested :
Example :
29-Mar-2019 07:35:14.790 client 10.120.21.39#35910: query: google.com IN MX + (10.35.101.18)
29-Mar-2019 07:16:18.877 client 10.36.148.6#52197: view 1: query: whatever.com IN TXT + (10.35.101.18)
Fields explained based on the example above :
Field name | Data Format/Data example | Comments |
Date | dd-Mmm-yyyy | This date/time is in host-local timezone |
Time | hh:mm:ss.ms | This date/time is in host-local timezone |
Client | 'client' 10.120.21.39#52864 | literal string 'client' followed by client ipaddress#port |
View | 'view' [0-9]':' | optional field. If view is default, it's omitted |
Query-start | 'query:' | literal string 'query:' |
Query-name | cnn.com | |
Query-class | 'IN' | Always 'IN' |
Query-type | (A|AAAA|PTR|TXT|...) | Queried resource record type |
Query-flags | [+-]SETDC '+-' - '+' want recursion, '-' otherwise
'S' - TSIG
'E' - EDNS option set
'T' - TCP query
'D' - EDNS 'DO' flag set
'C' - 'CD' message flag set | A sequence of letters which code query flags.
If flag is set, then letter is present, if flag is cleared, then letter is not present
Example: recursive query over TCP '+T' |
Query-server | '('10.35.101.18')' | Ip addres of the server which received this request |
I hope that’ll address your question.
Best regards.
8129 
1
