
DNS Query

BIND is the standard domain name service (DNS) server software for Linux. It runs as a service daemon.

Rule Function

This rule does two things: when it recognizes the log message it sets the LogZilla event program to bind, and it then parses the three fields listed below out of the log message and sets the corresponding user tags.

Vendor Documentation

Incoming Log Format

The BIND query log format is comprised of space-separated fields in a fixed order. The query log entry first reports a client object identifier in @0x format. Next, it reports the client's IP address and port number, and the query name, class and type. It then reports a flags field: whether the Recursion Desired flag was set (+ if set, - if not set), followed by letters indicating whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC OK) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), or whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported. Note: this reflects BIND 9.11.0 behavior.

User Tags

User Tag     Example
SrcIP        11.22.33.44
Query        23-courier.push.apple.com
Query Type   A

Log Examples

Example 1: Querying an A record

06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 (definitionupdates.microsoft.com): query: definitionupdates.microsoft.com IN A + (192.168.250.112)

Example 2: Querying an AAAA record

07-Jul-2022 11:15:38.170 client @0x7f026c008868 192.168.10.30#45166 (google.com): query: google.com IN AAAA +E(0) (192.168.10.21)
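The following parser is an added example, not LogZilla's rule code or anything from the BIND project. It implements the field order from the Incoming Log Format section above and runs over the two log examples on this page: it extracts the three user tags (SrcIP, Query, Query Type), sets the program to bind, and additionally decodes the flags field (+/-, S, E(#), T, D, C, V, K) into named booleans. The regular expression, the field names in the result and the leniency about a missing timestamp or @0x client object are this example's own assumptions.

```python
"""Parse BIND 9.11-style query log lines into LogZilla-style program and user tags."""
import re
from typing import Optional

# Field order follows the format description on this page (constructed regex, not
# from BIND or LogZilla). The timestamp and @0x client object are treated as
# optional on the assumption that a syslog transport may strip them.
QUERY_LOG_RE = re.compile(
    r"^(?:(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+)?"
    r"client\s+(?:@(?P<client_obj>0x[0-9a-fA-F]+)\s+)?"
    r"(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+)\s+"
    r"\((?P<qname_hint>[^)]*)\):\s+"
    r"query:\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<flags>[+-]\S*)\s+"
    r"\((?P<dst_ip>[0-9a-fA-F.:]+)\)\s*$"
)

# Single-letter flag codes from the format description, mapped to result keys.
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}


def parse_flags(flags: str) -> dict:
    """Decode the flags field, e.g. '+', '+E(0)' or '-SE(0)TDCVK'."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"flags field must start with + or -: {flags!r}")
    result = {"recursion_desired": flags[0] == "+", "edns_version": None}
    result.update({name: False for name in FLAG_NAMES.values()})
    i = 1
    while i < len(flags):
        ch = flags[i]
        if ch == "E":
            # EDNS carries its version number in parentheses: E(0)
            m = re.match(r"E\((\d+)\)", flags[i:])
            if m is None:
                raise ValueError(f"malformed EDNS flag in {flags!r}")
            result["edns_version"] = int(m.group(1))
            i += m.end()
        elif ch in FLAG_NAMES:
            result[FLAG_NAMES[ch]] = True
            i += 1
        else:
            raise ValueError(f"unknown flag {ch!r} in {flags!r}")
    return result


def parse_query_log(line: str) -> Optional[dict]:
    """Return program and user tags for one BIND query log line.

    Returns None (instead of raising) when the line is not a query log entry
    or its flags field is malformed, so a pipeline can route it elsewhere.
    """
    m = QUERY_LOG_RE.match(line.strip())
    if m is None:
        return None
    try:
        flags = parse_flags(m.group("flags"))
    except ValueError:
        return None
    return {
        "program": "bind",
        # the three user tags the rule sets
        "SrcIP": m.group("src_ip"),
        "Query": m.group("qname"),
        "Query Type": m.group("qtype"),
        # extra decoded fields, useful when building detections on query logs
        "src_port": int(m.group("src_port")),
        "qclass": m.group("qclass"),
        "dst_ip": m.group("dst_ip"),
        "flags": flags,
    }


# Log examples 1 and 2 from this page.
EXAMPLE_1 = ("06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 "
             "(definitionupdates.microsoft.com): query: definitionupdates.microsoft.com "
             "IN A + (192.168.250.112)")
EXAMPLE_2 = ("07-Jul-2022 11:15:38.170 client @0x7f026c008868 192.168.10.30#45166 "
             "(google.com): query: google.com IN AAAA +E(0) (192.168.10.21)")

if __name__ == "__main__":
    for sample in (EXAMPLE_1, EXAMPLE_2, "not a bind query log line"):
        print(parse_query_log(sample))
```

The parser deliberately matches only the 9.11.0 layout described above; lines from other BIND log categories, or query lines from versions that add fields, return None rather than a partially filled tag set, which is the safer behaviour for a rule that sets user tags.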