Parsing DNS query and response fields

The DNS Query and DNS Response fields were removed. You can still view the DNS response data by including more granular DNS data fields in your search results. For more information about the DNS data fields that you can use, see Enriched inspection.

The following information can help you parse the data in the DNS Query and DNS Response fields.

The DNS Query and DNS Response fields are populated only if the flow has data on a DNS query or DNS response, and the inspection level is set to Enriched or Advanced.

DNS query

The DNS Query field uses this format, which is described in the following table:
<transaction ID>,<flags>,<query domain>,<request type>
Table 1. Format for DNS query field

Transaction ID: Used by the DNS client and server to match a response to the request that produced it.

Flags: A value of R indicates that recursion was requested; otherwise, the field is empty. When recursion is requested and the server permits it, the server queries other name servers on behalf of the client to resolve the domain name.

Query domain: The domain name that was requested to be resolved.

Request type: The type of resource record that was requested, as defined by the Internet Assigned Numbers Authority (IANA). Some of the most common request types are IPv4 host address (A), IPv6 address (AAAA), canonical name of an alias (CNAME), authoritative name server for the domain (NS), and mail exchange server (MX).

For example, this DNS query is parsed like this:
51736,R,<domain name>,A
where
  • The transaction ID is 51736.
  • Recursion was requested.
  • The bracketed location shows the domain name to be resolved.
  • The resource information that is requested is the IPv4 host address.

DNS response

The DNS Response field uses this format, which is described in the following table:

<transaction id>,<flags>,<query domain>,<response code>,
<num answers>,<num authority>,<num additional>,<answers>
Table 2. Format for DNS Response field

Transaction ID: Used by the DNS client and server to match a response to the request that produced it. It is the same value that appears in the DNS Query field for that transaction.

Flags: Might be empty, or any combination of A, R, and T, where
  • A means that the response is authoritative.
  • R means that recursion is available.
  • T means that the response was truncated, so the answer list might be incomplete.

Query domain: The domain name that was requested to be resolved.

Response code: A response code of 0 (NOERROR) means that no errors were encountered. All other values are the IANA RCODE values and indicate some type of error; for example, 1 (FORMERR) means that the query was formatted improperly, 2 (SERVFAIL) means that the server failed to process it, and 3 (NXDOMAIN) means that the domain name does not exist. A response code of 0 can still carry zero answers, for example when the name exists but has no record of the requested type.

Num answers: The number of regular answer records in the response.

Num authority: The number of authority records in the response.

Num additional: The number of additional records in the response.

Answers: The list of answers in the response, in the order regular answers, authority answers, additional answers.

Each answer is separated by the "|" symbol. Authority and additional answers have the same format as regular answers, and are denoted as authority and additional answers based on their location in the answers list.

In QRadar Network Insights V7.3.1.4 and earlier, the answer responses follow this format:

<domain name>,<answer type>,<time to live>,<answer fields>

where
  • Domain name is the name that the answer applies to. For authority and additional answers this is often not the queried name; in the example that follows, the additional answers carry the name servers' own names.
  • Answer type is the resource record type of the answer. For a regular answer it usually matches the request type in the DNS query, but not always: an A query for an alias returns a CNAME record in the answer section, and authority answers (NS) and additional answers (A or AAAA records for the name servers) have their own types.
  • Time to live is the number of seconds that the client can cache the information. A value of 0 means that the information must not be cached.
  • Answer fields contain the answer information. Typically the answer is a single value, but some answers carry several comma-separated values; for example, an MX answer might list both the primary and secondary mail servers. Because the field delimiter is also a comma, treat everything after the time to live as the answer fields when parsing.

In QRadar Network Insights V7.3.1.5 and later, the answers include the response type and follow this format:

<domain name>,<response type>,<answer type>,<time to live>,<answer fields>

The response type field indicates whether the answer is a standard answer (ANS), an authoritative answer (AUTH), or an additional answer (ADD).

For example, in QRadar Network Insights V7.3.1.4, the DNS response to the DNS query above might look like this:

51736,R,<domain name>,0,1,2,2|<domain name>,A,246,145.72.70.20|
<domain name>,NS,1359,<auth_name_server1>|<domain name>,NS,1359,<auth_name_server2>
|<auth_name_server1>,A,72008,<IPv4 address>|<auth_name_server2>,A,2074,<IPv4 address>
where
  • The transaction ID is 51736, the same ID that was assigned to the query.
  • The R flag indicates that recursion is available. In a response, R has this meaning rather than "recursion requested" as in the query.
  • The bracketed location shows the domain name to be resolved.
  • Response code 0 indicates that no errors were encountered.
  • The 1,2,2 sequence indicates one regular answer, two authority answers, and two additional answers, so five answers follow.
  • The first "|" separates the header fields from the first answer; each further "|" separates one answer from the next.
  • The first answer has type A, so it carries an IPv4 address: <domain name> resolves to 145.72.70.20, and the record can be cached for 246 seconds.
  • The 2nd and 3rd answers are the authority answers: the authoritative name servers (NS) for the domain.
  • The 4th and 5th answers are the additional answers: the IPv4 addresses of the two name servers, each with its own time to live.

In QRadar Network Insights V7.3.1.5 or later, the answer fields include the response type, so the same DNS response might look like this:

51736,R,<domain name>,0,1,2,2|<domain name>,ANS,A,246,145.72.70.20|
<domain name>,AUTH,NS,1359,<auth_name_server1>|<domain name>,AUTH,NS,1359,
<auth_name_server2>|<auth_name_server1>,ADD,A,72008,<IPv4 address>|
<auth_name_server2>,ADD,A,2074,<IPv4 address>
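The following Python parser is an added example, not QRadar code, that turns both fields into structured records according to the formats above. It accepts answers in either the V7.3.1.4 layout (no response type) or the V7.3.1.5 layout (with ANS, AUTH, or ADD), always assigns the section from the header counts and the answer's position, and reports when an explicit response type disagrees with that position, when the counts do not add up to the number of answers present, or when the T flag says the response was truncated. The sample field values, host names, addresses, and function names are constructed for the example; the assumption that no resource record type is spelled ANS, AUTH, or ADD is what lets it tell the two layouts apart.

```python
"""Added example (not QRadar code): parser for the DNS Query and DNS Response field layouts on this page."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Subset of the IANA RCODE registry; anything else is reported by number.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QUERY_FLAGS = {"R"}                # recursion requested
RESPONSE_FLAGS = {"A", "R", "T"}   # authoritative, recursion available, truncated
SECTIONS = ("ANS", "AUTH", "ADD")  # response types, written explicitly from V7.3.1.5 on

@dataclass
class DnsQuery:
    transaction_id: int
    recursion_desired: bool
    query_domain: str
    request_type: str

@dataclass
class DnsAnswer:
    section: str      # ANS, AUTH or ADD, decided by position in the answer list
    domain: str
    rtype: str
    ttl: int
    rdata: List[str]  # everything after the TTL, split on commas

@dataclass
class DnsResponse:
    transaction_id: int
    flags: frozenset
    query_domain: str
    rcode: int
    counts: Tuple[int, int, int]  # (answers, authority, additional) as stated in the header
    answers: List[DnsAnswer]
    problems: List[str] = field(default_factory=list)
    @property
    def rcode_name(self) -> str:
        return RCODE_NAMES.get(self.rcode, f"RCODE{self.rcode}")

def parse_dns_query(value: str) -> DnsQuery:
    """<transaction ID>,<flags>,<query domain>,<request type>"""
    parts = value.split(",")
    if len(parts) != 4:
        raise ValueError(f"DNS Query: expected 4 fields, got {len(parts)}: {value!r}")
    txid, flags, domain, rtype = parts
    if set(flags) - QUERY_FLAGS:
        raise ValueError(f"DNS Query: unknown flag(s) in {flags!r}")
    return DnsQuery(int(txid), "R" in flags, domain, rtype)

def _split_answer(raw: str) -> Tuple[Optional[str], str, str, int, List[str]]:
    """Split one '|'-delimited answer in either layout. Only the leading fixed fields are split
    off: answer fields may contain commas (two mail servers in an MX answer), so the rest stays whole."""
    head = raw.split(",", 4)
    if len(head) == 5 and head[1] in SECTIONS:    # V7.3.1.5 and later: explicit response type
        domain, section, rtype, ttl, rdata = head
    else:                                          # V7.3.1.4 and earlier: no response type
        domain, rtype, ttl, rdata = raw.split(",", 3)
        section = None
    return section, domain, rtype, int(ttl), rdata.split(",")

def parse_dns_response(value: str) -> DnsResponse:
    header, _, body = value.partition("|")
    fields = header.split(",")
    if len(fields) != 7:
        raise ValueError(f"DNS Response: expected 7 header fields, got {len(fields)}: {header!r}")
    txid, flags, domain, rcode, n_ans, n_auth, n_add = fields
    if set(flags) - RESPONSE_FLAGS:
        raise ValueError(f"DNS Response: unknown flag(s) in {flags!r}")
    counts = (int(n_ans), int(n_auth), int(n_add))
    # The first n_ans records are regular answers, the next n_auth authority, the rest additional.
    expected = [s for s, n in zip(SECTIONS, counts) for _ in range(n)]
    raw_answers = [a for a in body.split("|") if a]
    problems = []
    if len(raw_answers) != len(expected):
        problems.append(f"header counts add up to {len(expected)}, field carries {len(raw_answers)}")
    if "T" in flags:
        problems.append("truncated response; the answer list may be incomplete")
    answers = []
    for raw, section in zip(raw_answers, expected):
        explicit, adomain, rtype, ttl, rdata = _split_answer(raw)
        if explicit is not None and explicit != section:
            problems.append(f"{adomain} {rtype}: response type {explicit} at an {section} position")
        answers.append(DnsAnswer(section, adomain, rtype, ttl, rdata))
    return DnsResponse(int(txid), frozenset(flags), domain, int(rcode), counts, answers, problems)

def matches(query: DnsQuery, response: DnsResponse) -> bool:
    """A response pairs with a query when the transaction ID and the queried name agree."""
    return (query.transaction_id == response.transaction_id
            and query.query_domain.lower() == response.query_domain.lower())

# Constructed sample field values (names and addresses from reserved documentation ranges).
SAMPLE_QUERY = "51736,R,www.example.com,A"
SAMPLE_RESPONSE_OLD = ("51736,R,www.example.com,0,1,2,2|www.example.com,A,246,198.51.100.20|"
    "www.example.com,NS,1359,ns1.example.com|www.example.com,NS,1359,ns2.example.com|"
    "ns1.example.com,A,72008,192.0.2.1|ns2.example.com,A,2074,192.0.2.2")
SAMPLE_RESPONSE_NEW = ("51736,R,www.example.com,0,1,2,2|www.example.com,ANS,A,246,198.51.100.20|"
    "www.example.com,AUTH,NS,1359,ns1.example.com|www.example.com,AUTH,NS,1359,ns2.example.com|"
    "ns1.example.com,ADD,A,72008,192.0.2.1|ns2.example.com,ADD,A,2074,192.0.2.2")
SAMPLE_RESPONSE_NXDOMAIN = "60002,R,nosuchhost.example.com,3,0,0,0"
```

Calling parse_dns_response on SAMPLE_RESPONSE_OLD and SAMPLE_RESPONSE_NEW yields the same five DnsAnswer records (sections ANS, AUTH, AUTH, ADD, ADD), and matches(parse_dns_query(SAMPLE_QUERY), ...) is true for both, while the NXDOMAIN sample parses to rcode_name "NXDOMAIN" with an empty answer list. The detail worth carrying into any real parser is the bounded split in _split_answer, which keeps a multi-value MX answer intact; the RCODE names come from the IANA registry, not from anything QRadar emits.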