Bug #2723 (Closed)
dns v2 json output should always set top-level rrtype in responses
Description
Currently the v2 dns json doesn't set dns.rrtype, and instead relies on dns.answers[n].rrtype. This suffices in the common case of a single response, but if there are no responses--for example, if a client queries AAAA and no AAAA exists, or NXDOMAIN--there is nothing in the log entry showing what query generated the empty response. Likewise, when there is a chain of responses, it would be easier to determine what query initiated that chain if the original rrtype was included. In short, dns.rrtype should always be set in the json logs of dns responses.
Updated by Victor Julien about 6 years ago
- Status changed from New to Assigned
- Assignee set to Jason Ish
- Target version set to 4.1.1
Jason, can you have a look?
Updated by Jason Ish about 6 years ago
So like this:
{"timestamp":"2016-10-14T09:40:21.889830-0600","flow_id":878745953342438,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":40697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25266,"rrname":"d98cf633-97be-406f-9e39-bd8fc0cbdea4.com","rrtype":"A","tx_id":0}}
{"timestamp":"2016-10-14T09:40:21.971664-0600","flow_id":878745953342438,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":40697,"proto":"UDP","dns":{"version":2,"type":"answer","id":25266,"flags":"8183","qr":true,"rd":true,"ra":true,"rrname":"d98cf633-97be-406f-9e39-bd8fc0cbdea4.com","rrtype":"A","rcode":"NXDOMAIN","authorities":[{"rrname":"com","rrtype":"SOA","ttl":900}]}}
Notice the "rrtype" after "rrname" before the authorities.
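To make the point from the description concrete, here is an added Python example (not Suricata's own code, and not from this thread) that reads EVE dns records and shows what an answer record by itself reveals about the original question. The sample records are constructed: the first answer mirrors the v2 shape above with a top-level "rrtype", the second is a v1-style answer that only carries rrtype inside answers[] (a CNAME chain), and the third is a v1-style empty NXDOMAIN answer with no rrtype anywhere. The fallback of joining answers to queries on (flow_id, dns.id) is the workaround an analyst needs when the top-level field is absent.

```python
import json
from collections import Counter

# Constructed sample EVE lines (not taken from the issue); fields trimmed to
# the ones this example uses.
SAMPLE_EVE_LINES = [
    '{"flow_id":1,"event_type":"dns","dns":{"type":"query","id":100,"rrname":"example.test","rrtype":"AAAA","tx_id":0}}',
    '{"flow_id":1,"event_type":"dns","dns":{"version":2,"type":"answer","id":100,"rrname":"example.test","rrtype":"AAAA","rcode":"NXDOMAIN","authorities":[{"rrname":"test","rrtype":"SOA","ttl":900}]}}',
    '{"flow_id":2,"event_type":"dns","dns":{"type":"query","id":200,"rrname":"www.example.test","rrtype":"A","tx_id":0}}',
    '{"flow_id":2,"event_type":"dns","dns":{"type":"answer","id":200,"rrname":"www.example.test","rcode":"NOERROR","answers":[{"rrname":"www.example.test","rrtype":"CNAME","ttl":60,"rdata":"example.test"},{"rrname":"example.test","rrtype":"A","ttl":60,"rdata":"192.0.2.1"}]}}',
    '{"flow_id":3,"event_type":"dns","dns":{"type":"query","id":300,"rrname":"mail.example.test","rrtype":"MX","tx_id":0}}',
    '{"flow_id":3,"event_type":"dns","dns":{"type":"answer","id":300,"rrname":"mail.example.test","rcode":"NXDOMAIN"}}',
]


def answer_rrtype(dns):
    """Best-effort question type from an answer record alone.

    Prefers the top-level rrtype (the v2 behaviour requested in the issue).
    Falls back to the first entry of answers[], which for a CNAME chain is the
    chain's first hop rather than the type that was asked for. Returns None for
    an empty answer that carries no top-level rrtype: nothing in that record
    says what was queried.
    """
    if "rrtype" in dns:
        return dns["rrtype"]
    answers = dns.get("answers") or []
    if answers:
        return answers[0].get("rrtype")
    return None


def correlate(lines):
    """Join answers to their queries on (flow_id, dns.id).

    Returns one dict per answer with the type recoverable from the answer
    record itself and the type recorded in the matching query, so the two can
    be compared.
    """
    pending = {}
    results = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "dns":
            continue
        dns = rec["dns"]
        key = (rec["flow_id"], dns["id"])
        if dns["type"] == "query":
            pending[key] = dns.get("rrtype")
        elif dns["type"] == "answer":
            results.append({
                "rrname": dns.get("rrname"),
                "rcode": dns.get("rcode"),
                "rrtype_from_answer": answer_rrtype(dns),
                "rrtype_from_query": pending.pop(key, None),
            })
    return results


def nxdomain_by_rrtype(results):
    """Count NXDOMAIN answers per question type using only the answer record.

    Empty answers without a top-level rrtype fall into the "unknown" bucket,
    which is exactly the blind spot the issue describes.
    """
    counts = Counter()
    for r in results:
        if r["rcode"] == "NXDOMAIN":
            counts[r["rrtype_from_answer"] or "unknown"] += 1
    return counts


if __name__ == "__main__":
    for r in correlate(SAMPLE_EVE_LINES):
        print(r)
    print(dict(nxdomain_by_rrtype(correlate(SAMPLE_EVE_LINES))))
```

Running it shows the three cases side by side: the v2 NXDOMAIN answer yields "AAAA" on its own, the CNAME chain yields "CNAME" from answers[] while the query said "A", and the v1-style empty NXDOMAIN answer yields nothing unless the query record is still available to join against.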
Updated by Michael Stone about 6 years ago
Jason Ish wrote:
So like this:
[...]
[...] Notice the "rrtype" after "rrname" before the authorities.
exactly
Updated by Victor Julien about 6 years ago
- Status changed from Assigned to Closed