- ts: time &log
The earliest time at which a DNS protocol message over the
associated connection is observed.
- uid: string &log
A unique identifier of the connection over which DNS messages
are being transferred.
- id: conn_id &log
The connection’s 4-tuple of endpoint addresses/ports.
- proto: transport_proto &log
The transport layer protocol of the connection.
- trans_id: count &log &optional
A 16-bit identifier assigned by the program that generated
the DNS query. Also used in responses to match up replies to
outstanding queries.
- query: string &log &optional
The domain name that is the subject of the DNS query.
- qclass: count &log &optional
The QCLASS value specifying the class of the query.
- qclass_name: string &log &optional
A descriptive name for the class of the query.
- qtype: count &log &optional
A QTYPE value specifying the type of the query.
- qtype_name: string &log &optional
A descriptive name for the type of the query.
- rcode: count &log &optional
The response code value in DNS response messages.
- rcode_name: string &log &optional
A descriptive name for the response code value.
- AA: bool &log &default = F &optional
The Authoritative Answer bit for response messages specifies
that the responding name server is an authority for the
domain name in the question section.
- TC: bool &log &default = F &optional
The Truncation bit specifies that the message was truncated.
- RD: bool &log &default = F &optional
The Recursion Desired bit in a request message indicates that
the client wants recursive service for this query.
- RA: bool &log &default = F &optional
The Recursion Available bit in a response message indicates
that the name server supports recursive queries.
- Z: count &log &default = 0 &optional
A reserved field that is currently supposed to be zero in all
queries and responses.
- answers: vector &log &optional
The set of resource descriptions in the query answer.
- TTLs: vector &log &optional
The caching intervals of the associated RRs described by the
answers field.
- rejected: bool &log &default = F &optional
The DNS query was rejected by the server.
- total_answers: count &optional
The total number of resource records in a reply message’s
answer section.
- total_replies: count &optional
The total number of resource records in a reply message’s
answer, authority, and additional sections.
- saw_query: bool &default = F &optional
Whether the full DNS query has been seen.
- saw_reply: bool &default = F &optional
Whether the full DNS reply has been seen.
- auth: set [string] &log &optional
(present if policy/protocols/dns/auth-addl.bro is loaded)
Authoritative responses for the query.
- addl: set [string] &log &optional
(present if policy/protocols/dns/auth-addl.bro is loaded)
Additional responses for the query.
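
The following is an added example, not part of the original reference or of the project's own code: a small triage pass over a dns.log file that uses the logged fields described above (Z, TC, rcode_name, and the parallel answers/TTLs vectors). It assumes the default tab-separated log layout with a `#fields` header, `-` for unset fields and `,` between vector elements; the helper names, sample rows and thresholds are constructed for illustration.

```python
from collections import Counter

# Column order of the &log fields above (id expands to four id.* columns).
# Fields without &log (total_answers, saw_query, ...) are never written.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query "
          "qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z "
          "answers TTLs rejected").split()

def row(uid, client, **kw):
    """Build one constructed log row; unset &optional fields are logged as '-'."""
    rec = {"uid": uid, "id.orig_h": client, "proto": "udp", "Z": "0", "TC": "F", **kw}
    return "\t".join(rec.get(f, "-") for f in FIELDS)

SAMPLE = "\n".join([  # constructed data, not captured traffic
    "#fields\t" + "\t".join(FIELDS),
    row("C1", "10.0.0.5", answers="192.0.2.10", TTLs="3600.000000"),
    row("C2", "10.0.0.5", Z="1"),
    row("C3", "10.0.0.9", TC="T"),
    row("C4", "10.0.0.9", answers="203.0.113.7,203.0.113.8", TTLs="5.000000,900.000000"),
    row("C5", "10.0.0.7", rcode_name="NXDOMAIN"),
    row("C6", "10.0.0.7", rcode_name="NXDOMAIN"),
    row("C7", "10.0.0.7", rcode_name="NXDOMAIN"),
])

def parse(text):
    """Yield one dict per record, naming columns from the #fields header."""
    names = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            names = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(names, line.split("\t")))

def vec(value):
    """Split a logged vector; '-' (unset) and '(empty)' carry no elements."""
    return [] if value in ("-", "(empty)") else value.split(",")

def triage(text, min_ttl=60.0, nx_limit=3):
    """Return (uid or client address, reason) pairs; thresholds are assumptions."""
    findings, nx = [], Counter()
    for r in parse(text):
        if r["Z"] not in ("0", "-"):
            findings.append((r["uid"], "reserved Z field is non-zero"))
        if r["TC"] == "T" and r["proto"] == "udp":
            findings.append((r["uid"], "truncated UDP message"))
        for ans, ttl in zip(vec(r["answers"]), vec(r["TTLs"])):  # parallel vectors
            if float(ttl) < min_ttl:
                findings.append((r["uid"], "short TTL on answer " + ans))
        if r["rcode_name"] == "NXDOMAIN":
            nx[r["id.orig_h"]] += 1
    return findings + [(h, "repeated NXDOMAIN") for h, n in nx.items() if n >= nx_limit]
```

Each TTL is matched to its answer by position, so a record with several answers is judged per resource record rather than per reply.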