Questions about dns.log

robin · November 29, 2011, 4:16pm

Two questions about dns.log:

- it logs all the answers for each request but only one TTL. Should
"TTL" be a list of all the values in the corresponding order?

- it doesn't log the type of the answers (A, MX, etc), which seems
could be helpful?

Robin

Slagell_Adam_J · November 29, 2011, 4:23pm

I thought that was odd myself going through and testing traces.

Seth_Hall3 · November 29, 2011, 5:41pm

I haven't ever really been satisfied with the content of that log. It's really hard to represent the DNS request/response pair though considering that you have to weigh data volume with typical use cases. It seems that all most people want (from a security forensics perspective) are the answers that came back from queries and who made the query. The technical details (even response type) matter surprisingly little in most cases. I would definitely like to talk about it more though.

.Seth

robin · November 29, 2011, 5:45pm

the query. The technical details (even response type) matter
surprisingly little in most cases.

Maybe, but right now at least the TTL is just misleading/confusing I
think as it's not clear what it belongs to.

I would definitely like to talk about it more though.

We can do that.

Robin

Topic		Replies	Views
DNS query logging Zeek	4	109	May 6, 2022
Problem with QR field in dns log Zeek	2	66	May 6, 2022
couple of questions Zeek	2	78	May 6, 2022
DNS log records do not have total_answers, total_queries, saw_reply and saw_query fields Zeek	1	112	May 6, 2022
Lying about DNS yields interesting bro entries Zeek	12	123	May 6, 2022

Questions about dns.log

Related topics