Linux Bind
LogZilla App Store application: Linux Bind
Overview
BIND (Berkeley Internet Name Domain), maintained by ISC, is the most widely deployed DNS server software on Linux systems. It runs as the `named` service daemon and provides authoritative and recursive DNS resolution for networks.
App Function
The Linux BIND app performs the following functions:
- Message Recognition: Identifies BIND DNS log messages and sets the LogZilla event program to bind
- Data Extraction: Parses DNS query information and creates user tags for analysis
Vendor Documentation
Incoming Log Format
The BIND query log format is comprised of space-separated fields in a fixed
order. The query log entry first reports a client object identifier in
@0x<hexadecimal-number> format. Next, it reports the client's IP address and
port number, and the query name, class and type. It then reports whether the
Recursion Desired flag was set (+ if set, - if not set), whether the query was
signed (S), whether EDNS was in use along with the EDNS version number (E(#)),
whether TCP was used (T), whether DO (DNSSEC OK) was set (D), whether CD
(Checking Disabled) was set (C), whether a valid DNS Server COOKIE was
received (V), or whether a DNS COOKIE option without a valid Server COOKIE was
present (K). The flag characters are concatenated into a single field with no
separators (for example +E(0) or -SE(0)TDCV). After this the destination
address the query was sent to is reported. In the log lines themselves the
entry is preceded by a timestamp (and by the category and severity, if
logging of those is enabled), and the query name is also echoed in
parentheses immediately after the client address and port. Note: This
reflects BIND 9.11.0 behavior; older releases omit the client object
identifier, so a parser should treat that field as optional. Everything after
query: originates from the client, so the query name should be handled as
untrusted input by anything that consumes these tags.
Parsed Metadata Fields
| Tagged | Tag Name | Example | Description |
|---|---|---|---|
| ☑ | SrcIP | 11.22.33.44 | Source IP address of DNS client |
| ☑ | Query | 23-courier.push.apple.com | DNS query domain name |
| ☑ | Query Type | A | DNS record type |
Log Examples
A Record Query
```text
06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 (definitionupdates.microsoft.com): query: definitionupdates.microsoft.com IN A + (192.168.250.112)
```
AAAA Record Query
```text
07-Jul-2022 11:15:38.170 client @0x7f026c008868 192.168.10.30#45166 (google.com): query: google.com IN AAAA +E(0) (192.168.10.21)
```
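The following parser is an added example of how the Incoming Log Format described above maps onto the SrcIP, Query and Query Type tags. It is not LogZilla's own rule code. It runs over the two example lines from this page plus two constructed lines: one that sets every documented flag (with the optional category/severity prefix) and one BIND message that is not a query log entry, which message recognition must reject. Field and function names (`BindQuery`, `parse_query_log`, `to_tags`) are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout from the format description above: timestamp, optional "category: severity:"
# prefix, client object id (optional in older releases), client IP#port, the query
# name echoed in parentheses, then "query: <name> <class> <type> <flags> (<dest>)".
QUERY_LOG_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: \w+: )?"                          # present when category/severity are logged
    r"client (?:(?P<client_obj>@0x[0-9a-fA-F]+) )?" # @0x... client object identifier
    r"(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+)"
    r"(?: \((?P<qname_echo>[^)]*)\))?"             # query name repeated after client address
    r": query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<dst_ip>[0-9a-fA-F.:]+)\)$"
)

# Single-character flags from the format description; E(#) is handled separately.
FLAG_NAMES = {"S": "signed", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled",
              "V": "valid_server_cookie", "K": "cookie_without_valid_server_cookie"}


@dataclass
class BindQuery:
    timestamp: str
    client_obj: Optional[str]
    src_ip: str
    src_port: int
    qname: str
    qclass: str
    qtype: str
    recursion_desired: bool
    signed: bool
    edns_version: Optional[int]
    tcp: bool
    dnssec_ok: bool
    checking_disabled: bool
    valid_server_cookie: bool
    cookie_without_valid_server_cookie: bool
    dst_ip: str


def parse_flags(flags: str) -> dict:
    """Decode the concatenated flag field ('+', '+E(0)', '-SE(0)TDCV'); reject anything undocumented."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"flag field must start with + or -: {flags!r}")
    out = {"recursion_desired": flags[0] == "+", "edns_version": None}
    out.update({name: False for name in FLAG_NAMES.values()})
    i = 1
    while i < len(flags):
        if flags[i] == "E":
            m = re.match(r"E\((\d+)\)", flags[i:])
            if not m:
                raise ValueError(f"malformed EDNS flag in {flags!r}")
            out["edns_version"] = int(m.group(1))
            i += m.end()
        elif flags[i] in FLAG_NAMES:
            out[FLAG_NAMES[flags[i]]] = True
            i += 1
        else:
            raise ValueError(f"unknown flag {flags[i]!r} in {flags!r}")
    return out


def parse_query_log(line: str) -> Optional[BindQuery]:
    """Message recognition plus extraction: a BindQuery for a query log line, else None."""
    m = QUERY_LOG_RE.match(line.strip())
    if not m:
        return None
    return BindQuery(
        timestamp=m["timestamp"], client_obj=m["client_obj"],
        src_ip=m["src_ip"], src_port=int(m["src_port"]),
        qname=m["qname"], qclass=m["qclass"], qtype=m["qtype"],
        dst_ip=m["dst_ip"], **parse_flags(m["flags"]),
    )


def to_tags(q: BindQuery) -> dict:
    """Project a parsed query onto the three user tags listed in the table above."""
    return {"SrcIP": q.src_ip, "Query": q.qname, "Query Type": q.qtype}


def parse_all(lines):
    return [parse_query_log(line) for line in lines]


SAMPLE_LINES = [
    # The two log examples from this page.
    "06-Jul-2022 11:12:04.202 client @0x7ff5b8000cd0 192.168.250.115#51530 (definitionupdates.microsoft.com): query: definitionupdates.microsoft.com IN A + (192.168.250.112)",
    "07-Jul-2022 11:15:38.170 client @0x7f026c008868 192.168.10.30#45166 (google.com): query: google.com IN AAAA +E(0) (192.168.10.21)",
    # Constructed: category/severity prefix, RD clear, and every documented flag except K.
    "08-Jul-2022 09:01:02.003 queries: info: client @0x7f0000000001 10.0.0.5#53210 (example.net): query: example.net IN TXT -SE(0)TDCV (10.0.0.1)",
    # Constructed: a BIND message that is not a query log entry; must be rejected.
    "08-Jul-2022 09:01:03.000 general: info: zone example.com/IN: loaded serial 2022070801",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        q = parse_query_log(line)
        print(to_tags(q) if q else "not a BIND query log line")
```

The regex is anchored at both ends and the flag decoder rejects unknown characters, so a malformed or deliberately odd line fails loudly instead of producing a partial tag set; the query name is carried through as an opaque string and never interpreted.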