Skip to content

DNS Query

BIND is the standard domain name service (DNS) provision software for Linux. It runs as a service daemon.

Rule Function

This rule does two things: from recognizing the log message it sets the LogZilla event program to bind, and it then parses the three fields below from the log message and sets corresponding user tags.

Vendor Documentation

Incoming Log Format

The BIND query log format is comprised of space-separated fields in a fixed order. The query log entry first reports a client object identifier in @0x format. Next, it reports the client's IP address and port number, and the query name, class and type. It then reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in used along with the EDNS version number (E(#)), if TCP was used (T), if DO (DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if a valid DNS Server COOKIE was received (V), or if a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported. Note: This reflects BIND 9.11.0 behavior.

User Tags

User Tag Example
Query Type A

Log Examples

Example 1: Querying an A record

06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 ( query: IN A + (

Example 2: Querying an AAAA record

07-Jul-2022 11:15:38.170 client @0x7f026c008868 ( query: IN AAAA +E(0) (