Hello,
I’m seeing a strange occurrence in my environment where I see all query information missing from some records in the dns.log. In the below example (sanitized) query, qclass, qclass_name, qtype, and qtype_name are all missing. It’s only a subset of the DNS connections I see so there’s a lot of DNS log entries that have the query data. I’m also not modifying anything DNS related through zeek scripting.
Answers is also missing but I would expect that if the query didn’t resolve to anything (I see answers missing error a lot).
Not sure where to begin to diagnose if this is Zeek or if I have some DNS servers sending strange packets.
Someone on my team figured this might be how Zeek handles a NODATA response.
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id rtt query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD
RA Z answers TTLs rejected
1688541594.923730 CvyQCg47pXf2wK5MI2 192.168.0.2 43350 192.168.0.3 53 udp 46961 - - - - - - 0 NOERROR F F F F 0 - - F
Any help, ideas or explanations are greatly appreciated!