Skip to content

Latest commit



31 lines (28 loc) · 4.27 KB

File metadata and controls

31 lines (28 loc) · 4.27 KB


Event fields used to define metadata in DNS events. This commonly includes data in logs that contain DNS queries. Including, but not limited to, Zeek dns.log, Suricata DNS, Sysmon EventID 22, Windows DNS debug/trace logs. In the verbiage below, request is used to denote the client (or forwarded address if applicable) that is making the DNS request. This would commonly be the client/source that is looking up a domain.The response/answer, is used to denote the server that responded with the answer or responded to the request/client. It is important to remember that in DNS logs their are multiple servers that may be involved in the response. This is similar to how packets are forwarded through routers.


Name Type Description Sample Value
dns_additional_authoritative_name string additional authoritative response data from the supplemental information in the "additional" section of the DNS response defined in
dns_additional_name string additional response data from the supplemental information in the "additional" section of the DNS response defined in
dns_flags array_string An array of DNS flags if the data source does not parse them or set as boolean [ "1", "0" ]
dns_flags_authenticated boolean The "AD" flag. Indicates in a response that all data included in the answer and authority sections of the response have been authenticated by the server according to the policies of that server. see for more information. This is related to DNSSEC false
dns_flags_authoritative boolean The "AA" flag. Whether the response (answer) from the server was authoritative true
dns_flags_checking_disabled boolean The "CD" flag. Indicates checking disabled for DNSSEC true
dns_flags_recursion_available boolean The "RA" flag. Indicates the server supports recursive queries false
dns_flags_recursion_desired boolean The "RD" flag. Client requested recursion for the lookup/request true
dns_flags_truncated boolean The "TC" flag. Indicating (from the server) that response was more than permitted for the single sessions channel, this is usually 512 bytes. true
dns_flags_z integer The "Z" flag. This is a reserved field for older DNS implementations 0
dns_query_class string The class of the dns record requested in decimal format, normally this should be 1. Query class is related to zone information, therefore most clients would be request this type of class 1
dns_query_class_name integer The class of the dns record requested as a string, normally this should be C_INTERNET. Query class is related to zone information, therefore most clients would be request this type of class C_INTERNET
dns_query_name string what was queried
dns_query_type string The type of dns requested in decimal format 28
dns_query_type_name integer The type of dns requested as a string AAAA
dns_rejected boolean The server responded to the query but no answers were given. If not in the log source, could also be determined by a successful dns response code and no answers/replies returned false
dns_response_code integer The response code returned from the server for the request in decimal format 0
dns_response_code_name string The response code returned from the server for the request as a string NOERROR
dns_response_name array_string The results returned for the dns query. can contain a mix of IPs or domains
dns_response_ttl array_float The time to live (TTL) for each response_name ````````
dns_rtt float round trip time (RTT) of the dns query to answer 0.006946
dns_transaction_id integer Hexadecimal identifier assigned by the program that generated the DNS query. Is 16-bit. Can be used to match up DNS requests across software/clients 4D11
dns_transaction_id_hex string transaction_id in decimal format 19729