Parsing DNS query and response fields
The DNS Query and DNS Response fields were removed. You can still view the DNS response data by including more granular DNS data fields in your search results. For more information about the DNS data fields that you can use, see Enriched inspection.
The following information can help you parse the data in the DNS Query and DNS Response fields.
The DNS Query and DNS Response fields are populated only if the flow has data on a DNS query or DNS response, and the inspection level is set to Enriched or Advanced.
DNS query
The DNS Query field uses this format, which is described in the following table:
<transaction ID>,<flags>,<query domain>,<request type>
Field | Description |
---|---|
Transaction ID | Used by the DNS client and server to identify the transaction when it matches a request to a response. |
Flags | A value of R indicates that recursion was requested; otherwise, the field is empty. When recursion is requested and enabled, the DNS server makes queries on behalf of the client to resolve the domain name. |
Query domain | The domain name that was requested to be resolved. |
Request type | Identifies the type of resource information that was requested, as defined by the Internet Assigned Numbers Authority (IANA). Some of the most common request types include IPv4 host address (A), IPv6 address (AAAA), canonical domain name for the alias (CNAME), the authoritative name server for the domain (NS), and name of the mail exchange server (MX). |
For example, the DNS Query field might look like this:
51736,R,<domain name>,A
- The transaction ID is 51736.
- Recursion was requested.
- The bracketed location shows the domain name to be resolved.
- The resource information that is requested is the IPv4 host address.
DNS response
The DNS Response field uses this format, which is described in the following table:
<transaction id>,<flags>,<query domain>,<response code>,
<num answers>,<num authority>,<num additional>,<answers>
Field | Description |
---|---|
Transaction ID | Used by the DNS client and server to identify the transaction when it matches a request to a response. |
Flags | Might be empty, or some combination of A, R, and T. The R flag indicates that recursion was available. |
Query domain | The domain name that was requested to be resolved. |
Response code | A response code of 0 means that no errors were encountered. All other response code values indicate some type of error. For example, the query might be formatted improperly or the domain name might not exist. |
Num answers | The number of regular answer records that were returned by the query. |
Num authority | The number of authority answer records that were returned by the query. |
Num additional | The number of extra answer records that were returned by the query. |
Answers | The list of answer responses that were returned by the query. Each answer is separated by the "\|" symbol. Authority and additional answers have the same format as regular answers, and are identified as authority or additional answers by their position in the answers list. In QRadar Network Insights V7.3.1.4 and earlier, each answer consists of the name, the record type, the time-to-live (TTL) in seconds, and the record data, separated by commas. In QRadar Network Insights V7.3.1.5 and later, each answer also includes a response type after the name; the response type indicates whether the answer is a standard answer (ANS), an authoritative answer (AUTH), or an additional answer (ADD). |
For example, in QRadar Network Insights V7.3.1.4, the DNS response to the DNS query above might look like this:
51736,R,<domain name>,0,1,2,2|<domain name>,A,246,145.72.70.20|
<domain name>,NS,1359,<auth_name_server1>|<domain name>,NS,1359,<auth_name_server2>
|<auth_name_server1>,A,72008,<IPv4 address>|<auth_name_server2>,A,2074,<IPv4 address>
- The transaction ID is 51736, which is the same ID that was assigned to the query.
- The "R" indicates that recursion was available and is part of the response.
- The bracketed location shows the domain name to be resolved.
- Response code 0 indicates that no errors were encountered.
- The 1,2,2 sequence indicates that there is one standard answer, two authority answers, and two additional answers.
- The "|" symbol shows the beginning of the answer fields.
- In the first answer, type A correlates to an IPv4 address, which indicates that the <domain name> can be found at 145.72.70.20, and that the answer can be cached for 246 seconds.
- The second and third answers specify the authoritative name servers (NS) for the domain.
- The fourth and fifth answers specify the IPv4 addresses for the two authoritative name servers.
In QRadar Network Insights V7.3.1.5 or later, the answer fields include the response type, so the same DNS response might look like this:
51736,R,<domain name>,0,1,2,2|<domain name>,ANS,A,246,145.72.70.20|
<domain name>,AUTH,NS,1359,<auth_name_server1>|<domain name>,AUTH,NS,1359,
<auth_name_server2>|<auth_name_server1>,ADD,A,72008,<IPv4 address>|
<auth_name_server2>,ADD,A,2074,<IPv4 address>
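As an added worked example that is not part of the original page and not QRadar's own code, the following Python parses both field layouts described above: the DNS Query field, the V7.3.1.4 response layout (where an answer's section is inferred from its position and the three counts in the header) and the V7.3.1.5 layout (explicit ANS, AUTH and ADD tags). It also cross-checks the header counts against the answers actually parsed and handles an error response that carries no answers. The domain names, name servers and 192.0.2.x addresses are constructed stand-ins for the page's bracketed placeholders, and the dataclass and function names are the example's own.

```python
"""Parsers for the DNS Query and DNS Response field layouts described above.
Query:    <transaction ID>,<flags>,<query domain>,<request type>
Response: <transaction id>,<flags>,<query domain>,<response code>,<num answers>,
          <num authority>,<num additional>,<answers>   (answers separated by "|")
Answer:   <name>,<type>,<ttl>,<data> up to V7.3.1.4; from V7.3.1.5 a response type
          (ANS, AUTH or ADD) follows the name. All samples below are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

SECTION_TAGS = ("ANS", "AUTH", "ADD")  # response types present from V7.3.1.5 on

@dataclass
class DnsQuery:
    transaction_id: int
    recursion_requested: bool  # the R flag
    query_domain: str
    request_type: str          # IANA type mnemonic, e.g. A, AAAA, MX

@dataclass
class DnsAnswer:
    section: str  # ANS, AUTH or ADD
    name: str
    rtype: str
    ttl: int      # seconds the answer may be cached
    data: str

@dataclass
class DnsResponse:
    transaction_id: int
    flags: str          # empty or some combination of A, R and T
    query_domain: str
    response_code: int  # 0 means no error
    num_answers: int
    num_authority: int
    num_additional: int
    answers: List[DnsAnswer] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)  # header/answer count mismatches

def parse_query(raw: str) -> DnsQuery:
    parts = raw.strip().split(",")
    if len(parts) != 4:
        raise ValueError(f"expected 4 query fields, got {len(parts)}: {raw!r}")
    txid, flags, domain, rtype = parts
    return DnsQuery(int(txid), flags == "R", domain, rtype)

def _parse_answer(raw: str, position: int, counts: Tuple[int, int, int]) -> DnsAnswer:
    """Parse one answer; maxsplit keeps commas inside record data in one field."""
    head = raw.split(",", 2)
    if len(head) > 1 and head[1] in SECTION_TAGS:
        # V7.3.1.5 and later: the section is explicit in the record
        name, section, rtype, ttl, data = raw.split(",", 4)
    else:
        # V7.3.1.4 and earlier: the section follows from the record's position
        # relative to the three counts in the response header
        name, rtype, ttl, data = raw.split(",", 3)
        n_ans, n_auth, _ = counts
        section = "ANS" if position < n_ans else "AUTH" if position < n_ans + n_auth else "ADD"
    return DnsAnswer(section, name, rtype, int(ttl), data)

def parse_response(raw: str) -> DnsResponse:
    segments = raw.strip().split("|")
    header = segments[0].split(",")
    if len(header) != 7:
        raise ValueError(f"expected 7 header fields, got {len(header)}: {segments[0]!r}")
    txid, flags, domain, rcode, n_ans, n_auth, n_add = header
    resp = DnsResponse(int(txid), flags, domain, int(rcode), int(n_ans), int(n_auth), int(n_add))
    counts = (resp.num_answers, resp.num_authority, resp.num_additional)
    # empty segments come from a trailing "|" or line-wrapped export text; skip them
    records = [s.strip() for s in segments[1:] if s.strip()]
    for position, record in enumerate(records):
        resp.answers.append(_parse_answer(record, position, counts))
    # the three header counts should agree with the sections actually parsed
    for tag, expected in zip(SECTION_TAGS, counts):
        got = sum(1 for a in resp.answers if a.section == tag)
        if got != expected:
            resp.warnings.append(f"{tag}: header says {expected}, parsed {got}")
    return resp

def resolved_addresses(resp: DnsResponse) -> List[str]:
    """Addresses from the standard-answer section only (A and AAAA records)."""
    return [a.data for a in resp.answers if a.section == "ANS" and a.rtype in ("A", "AAAA")]

# Constructed samples that mirror the page's examples with the placeholders filled in.
SAMPLE_QUERY = "51736,R,example.net,A"
SAMPLE_RESPONSE_V4 = (
    "51736,R,example.net,0,1,2,2|example.net,A,246,145.72.70.20|"
    "example.net,NS,1359,ns1.example.net|example.net,NS,1359,ns2.example.net|"
    "ns1.example.net,A,72008,192.0.2.10|ns2.example.net,A,2074,192.0.2.11"
)
SAMPLE_RESPONSE_V5 = (
    "51736,R,example.net,0,1,2,2|example.net,ANS,A,246,145.72.70.20|"
    "example.net,AUTH,NS,1359,ns1.example.net|example.net,AUTH,NS,1359,ns2.example.net|"
    "ns1.example.net,ADD,A,72008,192.0.2.10|ns2.example.net,ADD,A,2074,192.0.2.11"
)
SAMPLE_NXDOMAIN = "4242,R,nosuch.example.net,3,0,0,0"  # error code 3, no answers
SAMPLE_MISMATCH = "7,R,example.net,0,2,0,0|example.net,A,60,192.0.2.1"  # header claims 2
```

Keeping the section of each answer is what makes the parsed data useful for detection: only the ANS records say what the client was actually told the name resolves to, while AUTH and ADD records describe the name servers that were consulted. The count cross-check surfaces truncated or malformed field values before they are used in a rule, and `maxsplit` keeps record data that itself contains commas from shifting the remaining fields.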