DNS Query
BIND is the standard Domain Name System (DNS) server software for Linux. It runs as a service daemon.
Rule Function
This rule does two things: on recognizing the log message it sets the LogZilla event program to bind, and it then parses the three fields listed below from the log message and sets the corresponding user tags.
Vendor Documentation
Incoming Log Format
The BIND query log format is comprised of space-separated fields in a fixed order. The query log entry first reports a client object identifier in @0x format. Next, it reports the client's IP address and port number, and the query name, class and type. It then reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), if EDNS was in use along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported. Note: This reflects BIND 9.11.0 behavior.
User Tags
| User Tag | Example |
|---|---|
| SrcIP | 11.22.33.44 |
| Query | 23-courier.push.apple.com |
| Query Type | A |
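As an added example (not code from the LogZilla rule or from BIND), the following Python parser applies the BIND 9.11 field layout described above to a query-log line and returns the three user tags plus the decoded flag characters. The regular expressions, the extra output field names and the second sample line are assumptions constructed for this illustration; the first sample line is the page's Example 1.

```python
import re
from typing import Optional

# Field layout assumed from the BIND 9.11 query-log description on this page.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"            # client object id (optional on older BIND)
    r"(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "   # client IP#port (IPv4 or IPv6)
    r"\([^)]*\): query: "                       # query name repeated in parentheses
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*) "                      # +/- then optional S E(n) T D C V K
    r"\((?P<dst>[0-9a-fA-F.:]+)\)"              # destination address the query hit
)
# Flag characters appear concatenated, in this fixed order.
FLAGS_RE = re.compile(
    r"^(?P<rd>[+-])(?P<s>S)?(?:E\((?P<edns>\d+)\))?(?P<t>T)?"
    r"(?P<d>D)?(?P<c>C)?(?P<v>V)?(?P<k>K)?$"
)

def parse_bind_query(line: str) -> Optional[dict]:
    """Return the user tags and decoded flags, or None when the line is not a
    BIND query entry (the rule would then leave the event untagged)."""
    m = QUERY_RE.search(line)          # search: a timestamp/category prefix is fine
    if not m:
        return None
    f = FLAGS_RE.match(m.group("flags"))
    if not f:                          # unknown flag layout: do not guess
        return None
    return {
        "program": "bind",
        "SrcIP": m.group("src"),
        "Query": m.group("qname"),
        "Query Type": m.group("qtype"),
        "class": m.group("qclass"),
        "recursion_desired": f.group("rd") == "+",
        "signed": bool(f.group("s")),
        "edns_version": int(f.group("edns")) if f.group("edns") is not None else None,
        "tcp": bool(f.group("t")),
        "dnssec_ok": bool(f.group("d")),
        "checking_disabled": bool(f.group("c")),
        "valid_server_cookie": bool(f.group("v")),
        "cookie_without_valid_server": bool(f.group("k")),
        "dst": m.group("dst"),
    }

# SAMPLE_A is the page's Example 1; SAMPLE_AAAA is constructed to exercise the flags.
SAMPLE_A = ("06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 "
            "(definitionupdates.microsoft.com): query: definitionupdates.microsoft.com IN A + (192.168.250.112)")
SAMPLE_AAAA = ("06-Jul-2022 11:12:05.010 client @0x7ff5b8001a10 192.168.250.120#44321 "
               "(www.example.com): query: www.example.com IN AAAA -E(0)TD (192.168.250.112)")
```

Running `parse_bind_query(SAMPLE_AAAA)` shows recursion not desired, EDNS version 0, TCP and DNSSEC OK set; a non-query line such as a zone-load message yields None.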
Log Examples
Example 1: Querying an A record
06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 (definitionupdates.microsoft.com): query: definitionupdates.microsoft.com IN A + (192.168.250.112)
Example 2: Querying an AAAA record