The following section outlines example event messages that are sent from the DNS Activity service to the configured HTTP endpoint, Splunk server, Kafka cluster, or Elasticsearch server. You can configure the endpoint to retrieve specific information from the DNS event message to monitor the health of your network.
DNS message types

The messageType field of a DNS query, DNS response, DNS update query, or DNS update query response event takes one of the following values:

AuthQuery: a query message received from a resolver by an authoritative name server, from the perspective of the authoritative name server.

AuthResponse: a response message sent from an authoritative name server to a resolver, from the perspective of the authoritative name server.

ResolverQuery: a query message sent from a resolver to an authoritative name server, from the perspective of the resolver. Resolvers typically clear the RD (recursion desired) bit when sending queries.

ResolverResponse: a response message received from an authoritative name server by a resolver, from the perspective of the resolver.

ClientQuery: a query message sent from a client to a DNS server that is expected to perform further recursion, from the perspective of the DNS server. The client may be a stub resolver, a forwarder, or another type of software, and typically sets the RD (recursion desired) bit when querying the DNS server. The DNS server may be a simple forwarding proxy or a full recursive resolver.

ClientResponse: a response message sent from a DNS server to a client, from the perspective of the DNS server. The DNS server typically sets the RD (recursion desired) bit when sending queries.

ForwarderQuery: a query message sent from a downstream DNS server to an upstream DNS server that is expected to perform further recursion, from the perspective of the downstream DNS server.

ForwarderResponse: a response message sent from an upstream DNS server performing recursion to a downstream DNS server, from the perspective of the downstream DNS server.

UpdateQuery: an update query message received from a resolver by an authoritative name server, from the perspective of the authoritative name server.

UpdateResponse: an update response message sent from an authoritative name server to a resolver, from the perspective of the authoritative name server.
For more information on the DNS message types, refer to the dnstap protobuf schema.
Example event messages in a recursive environment

The following scenario outlines the example event messages that appear in a recursive environment with one authoritative server and one recursive server, where DNS Activity is enabled on both servers.

When a request is sent to the recursive server, the recursive server captures one ClientQuery message, one ResolverQuery message, one ResolverResponse message, and one ClientResponse message. On the authoritative server, the server captures one AuthQuery message and one AuthResponse message. If the authoritative answer has been cached locally by the recursive server, future queries for the same name produce only ClientQuery and ClientResponse messages on the recursive server. If the DNS request is made directly on the authoritative server, one AuthQuery message and one ClientResponse message are captured.
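The scenario above implies a simple health check that can be run at the receiving end: on a recursive server, every ClientQuery that does not trigger a ResolverQuery was answered from the local cache, and every query type should be paired with its response type. The following Python script is an added example (not the DNS Activity product's own code and not part of the dnstap project) that consumes such an event stream and derives those indicators. It assumes events arrive as one JSON object per line, and the `server` and `qname` fields, the JSON layout, and the sample lines themselves are constructed for the example; only the `messageType` field and the ten message-type names come from the text above.

```python
"""Classify DNS Activity events by messageType and derive simple health metrics.

Added example; not part of the DNS Activity product or the dnstap project.
Assumptions: events arrive as newline-delimited JSON carrying the page's
`messageType` field plus hypothetical `server` and `qname` fields invented here
for grouping. Only `messageType` and the ten type names come from the text.
"""
import json
from collections import Counter, defaultdict

# The ten messageType values described in the text, paired query -> response.
QUERY_TO_RESPONSE = {
    "AuthQuery": "AuthResponse",
    "ResolverQuery": "ResolverResponse",
    "ClientQuery": "ClientResponse",
    "ForwarderQuery": "ForwarderResponse",
    "UpdateQuery": "UpdateResponse",
}
KNOWN_TYPES = set(QUERY_TO_RESPONSE) | set(QUERY_TO_RESPONSE.values())

# Constructed sample stream reproducing the recursive scenario: the first
# lookup of example.test misses the cache (4 messages on rec1, 2 on auth1),
# the second lookup is answered from cache (2 messages on rec1). One bogus
# type and one authoritative query with no response are added to exercise
# the checks.
SAMPLE_EVENTS = """\
{"server": "rec1", "messageType": "ClientQuery", "qname": "example.test."}
{"server": "rec1", "messageType": "ResolverQuery", "qname": "example.test."}
{"server": "auth1", "messageType": "AuthQuery", "qname": "example.test."}
{"server": "auth1", "messageType": "AuthResponse", "qname": "example.test."}
{"server": "rec1", "messageType": "ResolverResponse", "qname": "example.test."}
{"server": "rec1", "messageType": "ClientResponse", "qname": "example.test."}
{"server": "rec1", "messageType": "ClientQuery", "qname": "example.test."}
{"server": "rec1", "messageType": "ClientResponse", "qname": "example.test."}
{"server": "rec1", "messageType": "Bogus", "qname": "example.test."}
{"server": "auth1", "messageType": "AuthQuery", "qname": "dropped.test."}
"""


def parse_events(text):
    """Parse newline-delimited JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_server(events):
    """Return {server: Counter(messageType)}; types outside the documented
    set are counted under 'unknown' so schema drift is visible."""
    counts = defaultdict(Counter)
    for ev in events:
        mtype = ev.get("messageType")
        key = mtype if mtype in KNOWN_TYPES else "unknown"
        counts[ev.get("server", "?")][key] += 1
    return counts


def health_metrics(counts):
    """Derive per-server indicators from the message-type counts.

    cache_hit_ratio: share of ClientQuery events on a server that produced no
    ResolverQuery, i.e. were answered locally (None if no ClientQuery seen).
    unanswered: per query type, how many more queries than responses were
    seen; a persistent surplus points at dropped or timed-out lookups.
    """
    report = {}
    for server, c in counts.items():
        client_q = c["ClientQuery"]
        resolver_q = c["ResolverQuery"]
        hit_ratio = (client_q - resolver_q) / client_q if client_q else None
        unanswered = {q: c[q] - c[r] for q, r in QUERY_TO_RESPONSE.items()
                      if c[q] > c[r]}
        report[server] = {
            "cache_hit_ratio": hit_ratio,
            "unanswered": unanswered,
            "unknown_types": c["unknown"],
        }
    return report


if __name__ == "__main__":
    metrics = health_metrics(count_by_server(parse_events(SAMPLE_EVENTS)))
    for server, m in sorted(metrics.items()):
        print(server, m)
```

Run against the constructed stream, rec1 reports a cache hit ratio of 0.5 (two ClientQuery events, one of which reached the authoritative server) and one unknown type, while auth1 reports one AuthQuery without a matching AuthResponse. The same counters map directly onto a Splunk search or Kafka consumer over the real event stream.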