package dnstap
Get desktop application:
View/edit binary Protocol Buffers messages
message
dnstap.proto:24"Dnstap": this is the top-level dnstap type, which is a "union" type that contains other kinds of dnstap payloads, although currently only one type of dnstap payload is defined. See: https://developers.google.com/protocol-buffers/docs/techniques#union
optional bytes identity = 1
DNS server identity. If enabled, this is the identity string of the DNS server which generated this message. Typically this would be the same string as returned by an "NSID" (RFC 5001) query.
optional bytes version = 2
DNS server version. If enabled, this is the version string of the DNS server which generated this message. Typically this would be the same string as returned by a "version.bind" query.
optional bytes extra = 3
Extra data for this payload. This field can be used for adding an arbitrary byte-string annotation to the payload. No encoding or interpretation is applied or enforced.
required Dnstap.Type type = 15
optional message = 14
One of the following will be filled in.
Identifies which field below is filled in.
Used in:
MESSAGE = 1
message
dnstap.proto:118Message: a wire-format (RFC 1035 section 4) DNS message and associated metadata. Applications generating "Message" payloads should follow certain requirements based on the MessageType, see below.
Used in:
required Message.Type type = 1
One of the Type values described above.
optional SocketFamily socket_family = 2
One of the SocketFamily values described above.
optional SocketProtocol socket_protocol = 3
One of the SocketProtocol values described above.
optional bytes query_address = 4
The network address of the message initiator. For SocketFamily INET, this field is 4 octets (IPv4 address). For SocketFamily INET6, this field is 16 octets (IPv6 address).
optional bytes response_address = 5
The network address of the message responder. For SocketFamily INET, this field is 4 octets (IPv4 address). For SocketFamily INET6, this field is 16 octets (IPv6 address).
optional uint32 query_port = 6
The transport port of the message initiator. This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
optional uint32 response_port = 7
The transport port of the message responder. This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
optional uint64 query_time_sec = 8
The time at which the DNS query message was sent or received, depending on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY. This is the number of seconds since the UNIX epoch.
optional fixed32 query_time_nsec = 9
The time at which the DNS query message was sent or received. This is the seconds fraction, expressed as a count of nanoseconds.
optional bytes query_message = 10
The initiator's original wire-format DNS query message, verbatim.
optional bytes query_zone = 11
The "zone" or "bailiwick" pertaining to the DNS query message. This is a wire-format DNS domain name.
optional uint64 response_time_sec = 12
The time at which the DNS response message was sent or received, depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or CLIENT_RESPONSE. This is the number of seconds since the UNIX epoch.
optional fixed32 response_time_nsec = 13
The time at which the DNS response message was sent or received. This is the seconds fraction, expressed as a count of nanoseconds.
optional bytes response_message = 14
The responder's original wire-format DNS response message, verbatim.
optional policy = 15
Operator policy applied to the processing of this message, if any.
Used in:
AUTH_QUERY = 1
AUTH_QUERY is a DNS query message received from a resolver by an authoritative name server, from the perspective of the authoritative name server.
AUTH_RESPONSE = 2
AUTH_RESPONSE is a DNS response message sent from an authoritative name server to a resolver, from the perspective of the authoritative name server.
RESOLVER_QUERY = 3
RESOLVER_QUERY is a DNS query message sent from a resolver to an authoritative name server, from the perspective of the resolver. Resolvers typically clear the RD (recursion desired) bit when sending queries.
RESOLVER_RESPONSE = 4
RESOLVER_RESPONSE is a DNS response message received from an authoritative name server by a resolver, from the perspective of the resolver.
CLIENT_QUERY = 5
CLIENT_QUERY is a DNS query message sent from a client to a DNS server which is expected to perform further recursion, from the perspective of the DNS server. The client may be a stub resolver or forwarder or some other type of software which typically sets the RD (recursion desired) bit when querying the DNS server. The DNS server may be a simple forwarding proxy or it may be a full recursive resolver.
CLIENT_RESPONSE = 6
CLIENT_RESPONSE is a DNS response message sent from a DNS server to a client, from the perspective of the DNS server. The DNS server typically sets the RA (recursion available) bit when responding.
FORWARDER_QUERY = 7
FORWARDER_QUERY is a DNS query message sent from a downstream DNS server to an upstream DNS server which is expected to perform further recursion, from the perspective of the downstream DNS server.
FORWARDER_RESPONSE = 8
FORWARDER_RESPONSE is a DNS response message sent from an upstream DNS server performing recursion to a downstream DNS server, from the perspective of the downstream DNS server.
STUB_QUERY = 9
STUB_QUERY is a DNS query message sent from a stub resolver to a DNS server, from the perspective of the stub resolver.
STUB_RESPONSE = 10
STUB_RESPONSE is a DNS response message sent from a DNS server to a stub resolver, from the perspective of the stub resolver.
TOOL_QUERY = 11
TOOL_QUERY is a DNS query message sent from a DNS software tool to a DNS server, from the perspective of the tool.
TOOL_RESPONSE = 12
TOOL_RESPONSE is a DNS response message received by a DNS software tool from a DNS server, from the perspective of the tool.
UPDATE_QUERY = 13
UPDATE_QUERY is a Dynamic DNS Update request (RFC 2136) received by an authoritative name server, from the perspective of the authoritative name server.
UPDATE_RESPONSE = 14
UPDATE_RESPONSE is a Dynamic DNS Update response (RFC 2136) sent from an authoritative name server, from the perspective of the authoritative name server.
message
dnstap.proto:72Policy: information about any name server operator policy applied to the processing of a DNS message.
Used in:
optional string type = 1
type: the type of policy applied, e.g. "RPZ" for a policy from a Response Policy Zone.
optional bytes rule = 2
rule: the rule matched by the message. In a RPZ context, this is the owner name of the rule in the Reponse Policy Zone in wire format.
optional Policy.Action action = 3
action: the policy action taken in response to the rule match.
optional Policy.Match match = 4
match: the feature of the message exchange which matched the rule.
optional bytes value = 5
The matched value. Format depends on the matched feature .
The Action taken to implement the Policy.
Used in:
NXDOMAIN = 1
Respond with NXDOMAIN
NODATA = 2
Respond with empty answer section
PASS = 3
Do not alter the response (passthrough)
DROP = 4
Do not respond.
TRUNCATE = 5
Truncate UDP response, forcing TCP retry
LOCAL_DATA = 6
Respond with local data from policy
Match: what aspect of the message or message exchange triggered the application of the Policy.
Used in:
QNAME = 1
Name in question section of query
CLIENT_IP = 2
Client IP address
RESPONSE_IP = 3
Address in A/AAAA RRSet
NS_NAME = 4
Authoritative name server, by name
NS_IP = 5
Authoritative name server, by IP address
SocketFamily: the network protocol family of a socket. This specifies how to interpret "network address" fields.
Used in:
INET = 1
IPv4 (RFC 791)
INET6 = 2
IPv6 (RFC 2460)
SocketProtocol: the protocol used to transport a DNS message.
Used in:
UDP = 1
DNS over UDP transport (RFC 1035 section 4.2.1)
TCP = 2
DNS over TCP transport (RFC 1035 section 4.2.2)
DOT = 3
DNS over TLS (RFC 7858)
DOH = 4
DNS over HTTPS (RFC 8484)
DNSCryptUDP = 5
DNSCrypt over UDP (https://dnscrypt.info/protocol)
DNSCryptTCP = 6
DNSCrypt over TCP (https://dnscrypt.info/protocol)
DOQ = 7
DNS over QUIC (RFC 9250)