bind verbose logging

In this log line, what is -EDC? I've also noticed +, -, -E, and -ED
but I have no idea what they are (called/represent).

08-May-2013 08:04:49.751 client 1.2.3.4#48747 (ns2.example.com): query: ns2.example.com IN AAAA -EDC (1.2.3.4)

Also, I'm writing a parser and we're only logging 'queries', but if
someone has examples / schemas for the other categories, I'd like to
integrate that.
http://www.zytrax.com/books/dns/ch7/logging.html

"+EDC on a query indicates that it is:

- Recursive (+) - it has come from a client or a server that is
forwarding queries to your server
- The sender is using EDNS0 (using larger UDP packet sizes and
signalling the size that can be accepted)
- The sender understands DNSSEC (D) - this is a request to your server
to include any DNSSEC material associated with answer in the query reply.
- DNSSEC validation checking is disabled (C) - the sender wants the
answer anyway, even if the validation checks fail."

Source -
https://kb.isc.org/article/AA-00434/0/What-do-EDC-and-other-letters-I-see-in-my-query-log-mean.html

Also see https://www.isc.org/software/bind/documentation for further
documentation.
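A parser for the query-log line quoted above, added here as an example and not code from anyone in this thread: it splits the line into fields and decodes the flag field into the booleans the ISC article describes (recursion desired, EDNS0, DNSSEC OK, checking disabled). It assumes the 2013-era line format shown in the question, also recognises the S (TSIG-signed) and T (TCP) letters that BIND 9 uses but the thread does not mention, and runs over constructed sample lines.

```python
import re
from datetime import datetime

# BIND 9 query-log format as it appears in this thread:
#   <date> <time> client <ip>#<port> (<name>): query: <qname> <class> <type> <flags> (<local-ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<lookup>[^)]*)\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][A-Z]*) \((?P<local>[0-9A-Fa-f.:]+)\)$"
)

# Flag letters that follow the +/- recursion marker (E, D, C are the ones in the thread; S, T also exist in BIND 9)
FLAG_LETTERS = {"E": "edns0", "S": "tsig_signed", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled"}


def decode_flags(flags):
    """Turn a flag field such as '-EDC' into a dict of booleans; reject anything unexpected."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"bad flag field: {flags!r}")
    decoded = {name: False for name in FLAG_LETTERS.values()}
    decoded["recursion_desired"] = flags[0] == "+"  # '+' = RD bit set, '-' = RD bit clear
    for letter in flags[1:]:
        if letter not in FLAG_LETTERS:
            raise ValueError(f"unknown flag letter {letter!r} in {flags!r}")
        decoded[FLAG_LETTERS[letter]] = True
    return decoded


def parse_query_line(line):
    """Parse one query-log line into a flat dict (ready for an SQL insert); None if not a query line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec.update(decode_flags(rec.pop("flags")))
    return rec


def parse_log(text):
    # Lines from other logging categories are skipped rather than aborting the run.
    return [r for r in (parse_query_line(l) for l in text.splitlines()) if r]


# Constructed sample input: the line from the thread plus two made-up variants.
SAMPLE_LOG = """\
08-May-2013 08:04:49.751 client 1.2.3.4#48747 (ns2.example.com): query: ns2.example.com IN AAAA -EDC (1.2.3.4)
08-May-2013 08:04:50.002 client 10.0.0.7#53211 (www.example.com): query: www.example.com IN A + (1.2.3.4)
08-May-2013 08:04:50.103 client 2001:db8::5#40001 (example.com): query: example.com IN MX +ED (1.2.3.4)
"""
```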

See this:

https://kb.isc.org/article/AA-00434/0/What-do-EDC-and-other-letters-I-see-in-my-query-log-mean.html

I've written a quick and dirty logging mechanism which stores the bind
logs in a mysql database in various fields. It works well for the
great majority of queries...happy to share the bash script if you're
interested.

Thanks, that's what I'm looking for.

Mike, sure I wouldn't mind schema ideas.

I'll send over some info tomorrow. Shoot me a reminder if you don't
get it by late afternoon.

I wouldn't really call it a schema...it's just a simple field
extraction bash script that then generates the sql inserts. Like I
said...quick and dirty.

After coding it from scratch, I'm starting to like the idea of using
Splunk as a front-end to analyze the logs. You may want to look at
using that rather than coding one by hand. The free version can index
500 megs a day...which is a *lot* of queries.

Cool.

Thought about Splunk, then Graylog2, then LogStash. Now I'm just thinking
of continuing by hand and getting ElasticSearch going (got a perl Storable
going right now). But alternative thinking is always useful so...
