Two questions about dns.log:
- it logs all the answers for each request but only one TTL. Should
"TTL" be a list of all the values in the corresponding order?
- it doesn't log the type of the answers (A, MX, etc), which it seems
could be helpful?
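To make the two points concrete, here is an added example (not part of this thread and not Bro's own dns.log code) that parses a constructed DNS response in which a CNAME chain ends in two A records, each carrying a different TTL, and emits the per-answer types and TTLs in the same order as the answers. The message bytes, the name `edge.example.net` and the 192.0.2.x addresses are made up for the example; the single-TTL view simply takes the first answer's TTL, which is an assumption about the current log rather than a description of it.

```python
import struct

# Record type numbers -> names for the types this example understands.
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response():
    """Constructed response (not a capture): www.example.com -> CNAME -> two A records."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)  # QR=1, RD/RA, 1 question, 3 answers
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)  # qtype A, class IN
    qname_ptr = b"\xc0\x0c"  # compression pointer to the qname at offset 12
    cname_rdata = encode_name("edge.example.net")
    rr1 = qname_ptr + struct.pack("!HHIH", 5, 1, 300, len(cname_rdata)) + cname_rdata
    cname_off = 12 + len(question) + 2 + 10  # offset where the CNAME target name was written
    cname_ptr = struct.pack("!H", 0xC000 | cname_off)
    rr2 = cname_ptr + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    rr3 = cname_ptr + struct.pack("!HHIH", 1, 1, 20, 4) + bytes([192, 0, 2, 11])
    return header + question + rr1 + rr2 + rr3


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:  # guard against pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), end if end is not None else off


def parse_answers(msg):
    """Return [(owner, type_name, ttl, value)] for every RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):
            value, _ = read_name(msg, off)  # target name may use compression
        elif rtype == 15:
            pref = struct.unpack("!H", rdata[:2])[0]
            host, _ = read_name(msg, off + 2)
            value = f"{pref} {host}"
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return answers


def single_ttl_view(answers):
    """One TTL for the whole response (assumed: first answer's); which RR it belongs to is lost."""
    return {"answers": [a[3] for a in answers], "TTL": answers[0][2]}


def per_answer_view(answers):
    """The suggested shape: answers, TTLs and types as parallel lists in answer order."""
    return {"answers": [a[3] for a in answers],
            "TTLs": [a[2] for a in answers],
            "types": [a[1] for a in answers]}


if __name__ == "__main__":
    rrs = parse_answers(build_response())
    print(single_ttl_view(rrs))
    print(per_answer_view(rrs))
```

Run as-is it prints the single-TTL record, where 300 could belong to any of the three answers, next to the per-answer record, where the 20-second TTL on 192.0.2.11 and the CNAME hop are both visible. The parser follows the compression pointers in the constructed message the same way it would in a captured one.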
I thought that was odd myself going through and testing traces.
I haven't ever really been satisfied with the content of that log. It's really hard to represent the DNS request/response pair though considering that you have to weigh data volume with typical use cases. It seems that all most people want (from a security forensics perspective) are the answers that came back from queries and who made the query. The technical details (even response type) matter surprisingly little in most cases. I would definitely like to talk about it more though.
> the query. The technical details (even response type) matter
> surprisingly little in most cases.
Maybe, but right now at least the TTL is just misleading/confusing I
think as it's not clear what it belongs to.
> I would definitely like to talk about it more though.
We can do that.