DNS Response Log Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
DNS Response Log Messages | Base Rule | General DNS Information | Information |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
Header: Severity | <severity> | Text/String | N/A |
N/A | <objecttype> | Text/String | dns_resp_log |
action | <action> | Text/String | This represents the verdict. This will always be reported as allowed for our DNS Response logs, since only requests that were allowed will have been passed through in the first place. For blocks, you should refer to our standard DNS Logs exports like you always have as described previously in this document. |
proto | <protname> | Text/String | This is the identified protocol as determined from the packet’s header information. Currently, this value will always show as UDP, since we only analyze DNS traffic riding over UDP on port 53. |
reason | <reason> | Text/String | Since only allowed traffic shows up in the DNS Response logs, and that decision was made at the time as reported in the associated DNS Log as described earlier in this document, this value will always show as policy. For related details (such as perhaps the presence of the domain on lists), see the associated DNS Logs as previously described. |
src | <sip> | IP Address | This is the source of the response, meaning the IP address of the outside server responsible for generating the response. For example, if Google’s primary DNS was the responding server, you’d see 8.8.8.8 here. |
dst | <dip> | IP Address | This is the protected IP on the inside that is receiving the DNS response. |
src_port | <sport> | Number | This is the source port, from the perspective of the far-end entity responsible for generating the UDP response. Thus, it will always show as port 53. |
dst_port | <dport> | Number | This is the destination port, from the perspective of the far-end entity responsible for generating the UDP response. That is, this is the local, protected system’s port that was used to originate the request in the first place. For most modern equipment, this will generally be a high-numbered port. |
query_type | N/A | N/A | The query type reported in the response. Generally, this will show as A. |
query_name | <domainorigin> | Text/String | The domain that was looked up by the originating requester, to which this response was generated. Examples include things like cnn.com or foxnews.com or google.com or bing.com, and so on. |
answer_type | N/A | N/A | This will be either CNAME or A, depending on the type of answer that was logged. We currently log only those two types and no other. |
answer_name | N/A | N/A | This is the domain name associated with the answer returned. This may or may not mimic the query_name value. A few common scenarios where it might not mimic exactly is in some load balancer configurations or a variety more complicated ‘any’ requests. |
answer_value | <snatip> or <sname> | Text/String/IP Address | For an A response, this will be the IPv4 address served up by the far-end DNS system in response to the originating protected system’s request. For a CNAME response, this will be a new canonical name based on the initial query_name specified. CNAME records always point to other domain names, and as such, are often used for aliasing. |