DNS query logging

So I'm testing out Bro for a limited use: recording DNS queries and
responses. I have the logs coming in and that's great, but I don't
think I'm seeing all the DNS traffic.

Example:

via tcpdump with a BPF for just a client I get:

22:44:26.342201 IP 10.10.189.40.36221 > 10.10.189.225.53: 58059+ A? nike.com. (26)
22:44:26.412863 IP 10.10.189.225.53 > 10.10.189.40.36221: 58059 1/0/0 A 66.54.56.30 (42)

That makes sense: request and reply.

Yet in the dns.log I see

1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033 nike.com 0 NOERROR F T T 66.54.56.30
1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059 nike.com 0 NOERROR F T T 66.54.56.30

which shows the DNS server talking to its upstream server (expected)
and then issuing the answer to the client, but the original request
isn't in the dns.log.

So assuming you get a response back from an upstream server, you can
infer that the original requester was the second entry, but I was
expecting to see an entry for the actual request to the 189.225
server.

Or am I not understanding something right? I could probably look at
the conn.log, but I am trying to just log the dns request, so I have
conn.log turned off.

Are you using broctl or the bro binary?

What scripts do you have loaded that affect DNS and DNS logging?

Are you running against live traffic or a trace file? If on live traffic, I assume you're running Bro on the DNS server at 10.85.30.71. Are inbound client queries+responses and outbound upstream queries+responses happening on the same interface?

-AK

*on the DNS server at 10.10.189.225

I had only sent this to Liam, not the list; he responded, so that
helped. So this is just an FYI.

Also, I just noticed the timestamps in the entries.

From the example, the client request (1378939466.342201) happens
before the forwarding lookup (1378939466.342353) but gets written
after (since it's waiting for the results). So now it makes sense
why it logs the way it does.

Thanks!
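The behaviour worked out in the thread (one dns.log line per query/response pair, timestamped at the query but written when the answer arrives, so file order and timestamp order differ) can be checked mechanically against the two quoted lines. The following is an added example written for this page, not code from the thread or from Bro. The sample data is a constructed copy of the thread's two dns.log lines re-joined onto one line each; the column layout (ts, orig host/port, resp host/port, proto, trans_id, query, rcode, rcode_name, three flag columns, answers) is assumed from those lines and is narrower than a default Bro dns.log, which also carries uid, qclass, qtype and TTL columns.

```python
from dataclasses import dataclass

# Constructed sample: the two dns.log lines quoted in the thread.
# Column order is assumed from the post, not Bro's default dns.log layout.
SAMPLE_DNS_LOG = """\
1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033 nike.com 0 NOERROR F T T 66.54.56.30
1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059 nike.com 0 NOERROR F T T 66.54.56.30
"""


@dataclass
class DnsRecord:
    line_no: int      # position in the file, i.e. the order the line was written
    ts: float         # timestamp of the query packet, not of the log write
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    trans_id: int     # DNS transaction id, same value tcpdump prints (e.g. 58059)
    query: str
    rcode: int
    rcode_name: str
    flags: list       # the three T/F columns, in the order shown in the post
    answers: list     # "-" in the log means no answers


def parse_dns_log(text):
    """Parse whitespace-separated dns.log lines; each line is one query+response."""
    records = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 14:
            raise ValueError(f"line {n}: expected 14 columns, got {len(f)}")
        answers = [] if f[13] == "-" else f[13].split(",")
        records.append(DnsRecord(
            line_no=n, ts=float(f[0]), orig_h=f[1], orig_p=int(f[2]),
            resp_h=f[3], resp_p=int(f[4]), proto=f[5], trans_id=int(f[6]),
            query=f[7], rcode=int(f[8]), rcode_name=f[9],
            flags=[x == "T" for x in f[10:13]], answers=answers,
        ))
    return records


def find_transaction(records, client_ip, trans_id):
    """Locate a client's query by the transaction id seen in a packet capture.
    Because Bro merges query and response into one line, finding this record
    proves the original request was logged, not just the answer."""
    for r in records:
        if r.orig_h == client_ip and r.trans_id == trans_id:
            return r
    return None


def resolver_chain(records, resolver_ip, name):
    """Split records for one name into the client-facing side (clients asking
    the resolver) and the upstream side (the resolver forwarding the query)."""
    client_side = [r for r in records if r.resp_h == resolver_ip and r.query == name]
    upstream_side = [r for r in records if r.orig_h == resolver_ip and r.query == name]
    return client_side, upstream_side


def order_by_write_vs_ts(records):
    """Return transaction ids in file (write) order and in timestamp order.
    They differ when the upstream answer arrives before the client's answer
    is sent, because a line is only written once its response is seen."""
    by_write = [r.trans_id for r in sorted(records, key=lambda r: r.line_no)]
    by_ts = [r.trans_id for r in sorted(records, key=lambda r: r.ts)]
    return by_write, by_ts


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    client = find_transaction(recs, "10.10.189.40", 58059)
    print("client query present:", client is not None, "answers:", client.answers)
    print("client side / upstream side:",
          [(r.orig_h, r.trans_id) for r in resolver_chain(recs, "10.10.189.225", "nike.com")[0]],
          [(r.resp_h, r.trans_id) for r in resolver_chain(recs, "10.10.189.225", "nike.com")[1]])
    print("write order vs ts order:", order_by_write_vs_ts(recs))
```

Run against the sample, `find_transaction` returns the 58059 record with the client as originator, which is the "missing" request from the first post; `order_by_write_vs_ts` returns `([11033, 58059], [58059, 11033])`, the out-of-order write the last post describes. When applying this to a real dns.log, adjust the column indices to the `#fields` header rather than assuming the reduced layout used here.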