Reference: DNS Activity event message examples - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.4.0

The following section outlines example event messages that are sent from the DNS Activity service to the configured Splunk server or HTTP endpoint, such as a data lake. You can configure the Splunk server or HTTP endpoint to retrieve specific information from the DNS event message to monitor the health of your network.

DNS message types

The following message types can be represented in the messageType field of a DNS query, DNS response, DNS update query, or DNS update query response event:
  • AuthQuery—a query message received from a resolver by an authoritative name server from the perspective of the authoritative name server.
  • AuthResponse—a response message sent from an authoritative name server to a resolver from the perspective of the authoritative name server.
  • ResolverQuery—a query message sent from a resolver to an authoritative name server from the perspective of the resolver. Resolvers typically clear the RD (recursion desired) bit when sending queries.
  • ResolverResponse—a response message received from an authoritative name server by a resolver from the perspective of the resolver.
  • ClientQuery—a query message sent from a client to a DNS server that is expected to perform further recursion from the perspective of the DNS server. The client may be a stub resolver, forwarder, or another type of software which typically sets the RD (recursion desired) bit when querying the DNS server. The DNS server may be a simple forwarding proxy or full recursive resolver.
  • ClientResponse—a response message sent from a DNS server to a client from the perspective of the DNS server. The DNS server typically sets the RD (recursion desired) bit when sending queries.
  • ForwarderQuery—a query message sent from a downstream DNS server to an upstream DNS server that is expected to perform further recursion, from the perspective of the downstream DNS server.
  • ForwarderResponse—a response message sent from an upstream DNS server performing recursion to a downstream DNS server from the perspective of the downstream DNS server.
  • UpdateQuery—an update query message received from a resolver by an authoritative name server from the perspective of the authoritative name server.
  • UpdateResponse—an update response message sent from an authoritative name server to a resolver from the perspective of the authoritative name server.

For more information on the DNS message types, refer to the dnstap protobuf schema.

Example event messages in a recursive environment

The following scenario outlines example event messages that appear in a recursive environment with one authoritative server and one recursive server where DNS Activity is enabled on both servers.

When a request is sent to the recursive server, the recursive server captures one ClientQuery message, one ResolverQuery message, one ResolverResponse message, and one ClientResponse message. On the authoritative server, the server captures one AuthQuery message and one AuthResponse message. If the authoritative answer has been cached locally by the recursive server, future queries will only produce ClientQuery and ClientResponse messages. If the DNS request is made on the authoritative server, one AuthQuery message and one ClientResponse message are captured.
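The message types listed above and the recursive scenario just described can be turned into a simple health check over the events a data lake receives. The following Python script is an added example and is not part of this guide or of BlueCat's DNS Activity service: it pairs each query type with its response type, tallies message types per server, and flags queries that never received the paired response. Only the messageType field name comes from this page; the event format (newline-delimited JSON with server and queryName fields) and the sample events themselves are constructed assumptions for illustration.

```python
import json
from collections import Counter

# Constructed sample events (not real DNS Activity output). Only "messageType"
# is a field name taken from the guide; "server" and "queryName" are assumed.
# The first six lines model one cache-miss lookup seen by a recursive server
# and an authoritative server; the next two model a cache hit; the last line
# is a client query with no response.
SAMPLE_EVENTS = """
{"server": "recursive-1", "messageType": "ClientQuery", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ResolverQuery", "queryName": "www.example.com."}
{"server": "auth-1", "messageType": "AuthQuery", "queryName": "www.example.com."}
{"server": "auth-1", "messageType": "AuthResponse", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ResolverResponse", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ClientResponse", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ClientQuery", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ClientResponse", "queryName": "www.example.com."}
{"server": "recursive-1", "messageType": "ClientQuery", "queryName": "mail.example.com."}
"""

# Each query messageType and the response messageType it should be paired with.
QUERY_TO_RESPONSE = {
    "AuthQuery": "AuthResponse",
    "ResolverQuery": "ResolverResponse",
    "ClientQuery": "ClientResponse",
    "ForwarderQuery": "ForwarderResponse",
    "UpdateQuery": "UpdateResponse",
}
RESPONSE_TO_QUERY = {resp: q for q, resp in QUERY_TO_RESPONSE.items()}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Count each messageType per server, e.g. for a per-server dashboard."""
    counts = {}
    for ev in events:
        counts.setdefault(ev["server"], Counter())[ev["messageType"]] += 1
    return counts


def unanswered_queries(events):
    """Queries that lack a paired response on the same server and name.

    Returns sorted (server, queryName, queryType, outstanding_count) tuples.
    Unknown messageType values are ignored rather than raising.
    """
    tally = Counter()
    for ev in events:
        key = (ev["server"], ev["queryName"])
        mtype = ev["messageType"]
        if mtype in QUERY_TO_RESPONSE:
            tally[key + (mtype,)] += 1
        elif mtype in RESPONSE_TO_QUERY:
            tally[key + (RESPONSE_TO_QUERY[mtype],)] -= 1
    return sorted((srv, name, qt, n) for (srv, name, qt), n in tally.items() if n > 0)


def cache_hit_estimate(events, server):
    """Estimate cache hits on a recursive server.

    Per the scenario above, a cache miss produces a ResolverQuery alongside the
    ClientQuery, while a cache hit produces only ClientQuery/ClientResponse, so
    ClientQuery minus ResolverQuery approximates the number of hits.
    """
    counts = summarize(events).get(server, Counter())
    return counts["ClientQuery"] - counts["ResolverQuery"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for server, counts in summarize(evs).items():
        print(server, dict(counts))
    print("unanswered:", unanswered_queries(evs))
    print("recursive-1 cache hits:", cache_hit_estimate(evs, "recursive-1"))
```

The unanswered-query check is deliberately order-independent, since a data lake may deliver events out of order; a sustained backlog of ClientQuery events without ClientResponse on one server is a useful first signal that a resolver is failing or being overloaded.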