
RFC 8618

Compacted-DNS (C-DNS): A Format for DNS Packet Capture

Pages: 79
Proposed Standard
Part 2 of 4 – Pages 18 to 39

RFC8618 - Page 18

7. C-DNS Format Detailed Description

The CDDL definition for the C-DNS format is given in Appendix A.

7.1. Map Quantities and Indexes

All map keys are integers with values specified in the CDDL. String keys would significantly bloat the file size. All key values specified are positive integers under 24, so their CBOR representation is a single byte. Positive integer values not currently used as keys in a map are reserved for use in future standard extensions. Implementations may choose to add additional implementation-specific entries to any map. Negative integer map keys are reserved for these values. Key values from -1 to -24 also have a single-byte CBOR representation, so such implementation-specific extensions are not at any space efficiency disadvantage. An item described as an index is the index of the data item in the referenced array. Indexes are 0-based.

7.2. Tabular Representation

   The following sections present the C-DNS specification in tabular
   format with a detailed description of each item.  In all quantities
   that contain bit flags, bit 0 indicates the least significant bit,
   i.e., flag "n" in quantity "q" is on if "(q & (1 << n)) != 0".

   For the sake of readability, all type and field names defined in the
   CDDL definition are shown in double quotes.  Type names are by
   convention camel case (e.g., "BlockTables"), and field names are
   lowercase with hyphens (e.g., "block-tables").

   For the sake of brevity, the following conventions are used in the
   tables:

   o  The column M marks whether items in a map are mandatory.

      *  X - Mandatory items.

      *  C - Conditionally mandatory items.  Such items are usually
         optional but may be mandatory in some configurations.

      *  If the column is empty, the item is optional.

   o  The column T gives the CBOR datatype of the item.

      *  U - Unsigned integer.

      *  I - Signed integer (i.e., either a CBOR unsigned integer or a
         CBOR negative integer).

      *  B - Boolean.

      *  S - Byte string.

      *  T - Text string.

      *  M - Map.

      *  A - Array.

   In the case of maps and arrays, more information on the type of each
   value, including the CDDL definition name if applicable, is given in
   the description.

7.3. "File"

   A C-DNS file has an outer structure "File", an array that contains
   the following:

   +---------------+---+---+-------------------------------------------+
   | Field         | M | T | Description                               |
   +---------------+---+---+-------------------------------------------+
   | file-type-id  | X | T | String "C-DNS" identifying the file type. |
   |               |   |   |                                           |
   | file-preamble | X | M | Version and parameter information for the |
   |               |   |   | whole file.  Map of type "FilePreamble";  |
   |               |   |   | see Section 7.3.1.                        |
   |               |   |   |                                           |
   | file-blocks   | X | A | Array of items of type "Block"; see       |
   |               |   |   | Section 7.3.2.  The array may be empty if |
   |               |   |   | the file contains no data.                |
   +---------------+---+---+-------------------------------------------+

7.3.1. "FilePreamble"

   Information about data in the file.  A map containing the following:

   +----------------------+---+---+------------------------------------+
   | Field                | M | T | Description                        |
   +----------------------+---+---+------------------------------------+
   | major-format-version | X | U | Unsigned integer "1".  The major   |
   |                      |   |   | version of the format used in the  |
   |                      |   |   | file.  See Section 8.              |
   |                      |   |   |                                    |
   | minor-format-version | X | U | Unsigned integer "0".  The minor   |
   |                      |   |   | version of the format used in the  |
   |                      |   |   | file.  See Section 8.              |
   |                      |   |   |                                    |
   | private-version      |   | U | Version indicator available for    |
   |                      |   |   | private use by implementations.    |
   |                      |   |   |                                    |
   | block-parameters     | X | A | Array of items of type             |
   |                      |   |   | "BlockParameters".  See Section    |
   |                      |   |   | 7.3.1.1.  The array must contain   |
   |                      |   |   | at least one entry.  (The          |
   |                      |   |   | "block-parameters-index" item in   |
   |                      |   |   | each "BlockPreamble" indicates     |
   |                      |   |   | which array entry applies to that  |
   |                      |   |   | "Block".)                          |
   +----------------------+---+---+------------------------------------+

7.3.1.1. "BlockParameters"

   Parameters relating to data storage and collection that apply to one
   or more items of type "Block".  A map containing the following:

   +-----------------------+---+---+-----------------------------------+
   | Field                 | M | T | Description                       |
   +-----------------------+---+---+-----------------------------------+
   | storage-parameters    | X | M | Parameters relating to data       |
   |                       |   |   | storage in a "Block" item.  Map   |
   |                       |   |   | of type "StorageParameters"; see  |
   |                       |   |   | Section 7.3.1.1.1.                |
   |                       |   |   |                                   |
   | collection-parameters |   | M | Parameters relating to collection |
   |                       |   |   | of the data in a "Block" item.    |
   |                       |   |   | Map of type                       |
   |                       |   |   | "CollectionParameters"; see       |
   |                       |   |   | Section 7.3.1.1.2.                |
   +-----------------------+---+---+-----------------------------------+

7.3.1.1.1. "StorageParameters"

   Parameters relating to how data is stored in the items of type
   "Block".  A map containing the following:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | ticks-per-second | X | U | Sub-second timing is recorded in       |
   |                  |   |   | ticks.  This specifies the number of   |
   |                  |   |   | ticks in a second.                     |
   |                  |   |   |                                        |
   | max-block-items  | X | U | The maximum number of items stored in  |
   |                  |   |   | any of the arrays in a "Block" item    |
   |                  |   |   | (Q/R, Address/Event Count, or          |
   |                  |   |   | Malformed Message data items).  An     |
   |                  |   |   | indication to a decoder of the         |
   |                  |   |   | resources needed to process the file.  |
   |                  |   |   |                                        |
   | storage-hints    | X | M | Collection of hints as to which fields |
   |                  |   |   | are omitted in the arrays that have    |
   |                  |   |   | optional fields.  Map of type          |
   |                  |   |   | "StorageHints".  See Section           |
   |                  |   |   | 7.3.1.1.1.1.                           |
   |                  |   |   |                                        |
   | opcodes          | X | A | Array of OPCODES [opcodes] (unsigned   |
   |                  |   |   | integers, each in the range 0 to 15    |
   |                  |   |   | inclusive) recorded by the collecting  |
   |                  |   |   | implementation.  See Section 6.2.2.    |
   |                  |   |   |                                        |
   | rr-types         | X | A | Array of RR TYPEs [rrtypes] (unsigned  |
   |                  |   |   | integers, each in the range 0 to 65535 |
   |                  |   |   | inclusive) recorded by the collecting  |
   |                  |   |   | implementation.  See Section 6.2.2.    |
   |                  |   |   |                                        |
   | storage-flags    |   | U | Bit flags indicating attributes of     |
   |                  |   |   | stored data.                           |
   |                  |   |   | Bit 0.  1 if the data has been         |
   |                  |   |   | anonymized.                            |
   |                  |   |   | Bit 1.  1 if the data is sampled data. |
   |                  |   |   | Bit 2.  1 if the names have been       |
   |                  |   |   | normalized (converted to uniform       |
   |                  |   |   | case).                                 |
   |                  |   |   |                                        |
   | client-address   |   | U | IPv4 client address prefix length, in  |
   | -prefix-ipv4     |   |   | the range 1 to 32 inclusive.  If       |
   |                  |   |   | specified, only the address prefix     |
   |                  |   |   | bits are stored.                       |
   |                  |   |   |                                        |
   | client-address   |   | U | IPv6 client address prefix length, in  |
   | -prefix-ipv6     |   |   | the range 1 to 128 inclusive.  If      |
   |                  |   |   | specified, only the address prefix     |
   |                  |   |   | bits are stored.                       |
   |                  |   |   |                                        |
   | server-address   |   | U | IPv4 server address prefix length, in  |
   | -prefix-ipv4     |   |   | the range 1 to 32 inclusive.  If       |
   |                  |   |   | specified, only the address prefix     |
   |                  |   |   | bits are stored.                       |
   |                  |   |   |                                        |
   | server-address   |   | U | IPv6 server address prefix length, in  |
   | -prefix-ipv6     |   |   | the range 1 to 128 inclusive.  If      |
   |                  |   |   | specified, only the address prefix     |
   |                  |   |   | bits are stored.                       |
   |                  |   |   |                                        |
   | sampling-method  |   | T | Information on the sampling method     |
   |                  |   |   | used.  See Section 6.2.3.              |
   |                  |   |   |                                        |
   | anonymization    |   | T | Information on the anonymization       |
   | -method          |   |   | method used.  See Section 6.2.3.       |
   +------------------+---+---+----------------------------------------+

7.3.1.1.1.1.  "StorageHints"

   An indicator of which fields the collecting implementation omits in
   the maps with optional fields.  Note that hints have a top-down
   precedence.  In other words, where a map contains another map, the
   hint on the containing map overrides any hints in the contained map
   and the contained map is omitted.  A map containing the following:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | query-response   | X | U | Hints indicating which "QueryResponse" |
   | -hints           |   |   | fields are omitted; see Section        |
   |                  |   |   | 7.3.2.4.  If a bit is unset, the field |
   |                  |   |   | is omitted from the capture.           |
   |                  |   |   | Bit 0.  time-offset                    |
   |                  |   |   | Bit 1.  client-address-index           |
   |                  |   |   | Bit 2.  client-port                    |
   |                  |   |   | Bit 3.  transaction-id                 |
   |                  |   |   | Bit 4.  qr-signature-index             |
   |                  |   |   | Bit 5.  client-hoplimit                |
   |                  |   |   | Bit 6.  response-delay                 |
   |                  |   |   | Bit 7.  query-name-index               |
   |                  |   |   | Bit 8.  query-size                     |
   |                  |   |   | Bit 9.  response-size                  |
   |                  |   |   | Bit 10.  response-processing-data      |
   |                  |   |   | Bit 11.  query-question-sections       |
   |                  |   |   | Bit 12.  query-answer-sections         |
   |                  |   |   | Bit 13.  query-authority-sections      |
   |                  |   |   | Bit 14.  query-additional-sections     |
   |                  |   |   | Bit 15.  response-answer-sections      |
   |                  |   |   | Bit 16.  response-authority-sections   |
   |                  |   |   | Bit 17.  response-additional-sections  |
   |                  |   |   |                                        |
   | query-response   | X | U | Hints indicating which                 |
   | -signature-hints |   |   | "QueryResponseSignature" fields are    |
   |                  |   |   | omitted; see Section 7.3.2.3.2.  If a  |
   |                  |   |   | bit is unset, the field is omitted     |
   |                  |   |   | from the capture.                      |
   |                  |   |   | Bit 0.  server-address-index           |
   |                  |   |   | Bit 1.  server-port                    |
   |                  |   |   | Bit 2.  qr-transport-flags             |
   |                  |   |   | Bit 3.  qr-type                        |
   |                  |   |   | Bit 4.  qr-sig-flags                   |
   |                  |   |   | Bit 5.  query-opcode                   |
   |                  |   |   | Bit 6.  qr-dns-flags                   |
   |                  |   |   | Bit 7.  query-rcode                    |
   |                  |   |   | Bit 8.  query-classtype-index          |
   |                  |   |   | Bit 9.  query-qdcount                  |
   |                  |   |   | Bit 10.  query-ancount                 |
   |                  |   |   | Bit 11.  query-nscount                 |
   |                  |   |   | Bit 12.  query-arcount                 |
   |                  |   |   | Bit 13.  query-edns-version            |
   |                  |   |   | Bit 14.  query-udp-size                |
   |                  |   |   | Bit 15.  query-opt-rdata-index         |
   |                  |   |   | Bit 16.  response-rcode                |
   |                  |   |   |                                        |
   | rr-hints         | X | U | Hints indicating which optional "RR"   |
   |                  |   |   | fields are omitted; see Section        |
   |                  |   |   | 7.3.2.3.4.  If a bit is unset, the     |
   |                  |   |   | field is omitted from the capture.     |
   |                  |   |   | Bit 0.  ttl                            |
   |                  |   |   | Bit 1.  rdata-index                    |
   | other-data-hints | X | U | Hints indicating which other datatypes |
   |                  |   |   | are omitted.  If a bit is unset, the   |
   |                  |   |   | datatype is omitted from the capture.  |
   |                  |   |   | Bit 0.  malformed-messages             |
   |                  |   |   | Bit 1.  address-event-counts           |
   +------------------+---+---+----------------------------------------+
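
The bit-flag rule of Section 7.2 applied to the "storage-flags" and "StorageHints" quantities above, together with the range checks Section 7.3.1.1.1 states, as an added Python example that is not part of RFC 8618 or of any C-DNS implementation. It assumes the "StorageParameters" map has already been decoded from CBOR into a dict keyed by the CDDL field names; real files use the integer keys of Appendix A, which this page does not show, and the sample values are constructed.

```python
# Added example; not code from RFC 8618 or any C-DNS implementation.
# Assumes a "StorageParameters" map already decoded from CBOR and keyed by
# the CDDL field names of the tables above (real files use Appendix A keys).

# Bit positions from the Section 7.3.1.1.1.1 tables; list index == bit number.
QUERY_RESPONSE_HINT_BITS = [
    "time-offset", "client-address-index", "client-port", "transaction-id",
    "qr-signature-index", "client-hoplimit", "response-delay",
    "query-name-index", "query-size", "response-size",
    "response-processing-data", "query-question-sections",
    "query-answer-sections", "query-authority-sections",
    "query-additional-sections", "response-answer-sections",
    "response-authority-sections", "response-additional-sections",
]
QUERY_RESPONSE_SIGNATURE_HINT_BITS = [
    "server-address-index", "server-port", "qr-transport-flags", "qr-type",
    "qr-sig-flags", "query-opcode", "qr-dns-flags", "query-rcode",
    "query-classtype-index", "query-qdcount", "query-ancount",
    "query-nscount", "query-arcount", "query-edns-version",
    "query-udp-size", "query-opt-rdata-index", "response-rcode",
]
RR_HINT_BITS = ["ttl", "rdata-index"]
OTHER_DATA_HINT_BITS = ["malformed-messages", "address-event-counts"]
HINT_TABLES = {
    "query-response-hints": QUERY_RESPONSE_HINT_BITS,
    "query-response-signature-hints": QUERY_RESPONSE_SIGNATURE_HINT_BITS,
    "rr-hints": RR_HINT_BITS,
    "other-data-hints": OTHER_DATA_HINT_BITS,
}
# "storage-flags" bits from Section 7.3.1.1.1.
STORAGE_FLAG_BITS = ["anonymized", "sampled", "normalized"]


def bit_is_set(q, n):
    """Section 7.2 rule: flag n in quantity q is on if (q & (1 << n)) != 0."""
    return (q & (1 << n)) != 0


def set_bits(q, names):
    """Names whose bit is set in q.  For hints, an unset bit means the field
    was omitted from the capture, so the result is the set of fields kept."""
    return {name for n, name in enumerate(names) if bit_is_set(q, n)}


def decode_storage_hints(storage_hints):
    """Per hint quantity, the set of fields the collector stored."""
    return {key: set_bits(storage_hints[key], names)
            for key, names in HINT_TABLES.items()}


def decode_storage_flags(storage_flags):
    return set_bits(storage_flags, STORAGE_FLAG_BITS)


def validate_storage_parameters(sp):
    """Violations of the constraints stated in Section 7.3.1.1.1; an empty
    list means the map passes."""
    problems = []
    for key in ("ticks-per-second", "max-block-items", "storage-hints",
                "opcodes", "rr-types"):
        if key not in sp:
            problems.append(f"mandatory field {key!r} missing")
    if not problems:
        # Not a stated rule, but a zero tick rate makes every sub-second
        # time in the file undefined (division by zero on conversion).
        if sp["ticks-per-second"] == 0:
            problems.append("ticks-per-second is 0")
        for key in HINT_TABLES:
            if key not in sp["storage-hints"]:
                problems.append(f"storage-hints lacks mandatory {key!r}")
        bad = [v for v in sp["opcodes"] if not 0 <= v <= 15]
        if bad:
            problems.append(f"opcodes outside 0..15: {bad}")
        bad = [v for v in sp["rr-types"] if not 0 <= v <= 65535]
        if bad:
            problems.append(f"rr-types outside 0..65535: {bad}")
    # Optional prefix lengths: 1..32 for IPv4, 1..128 for IPv6.
    for key, upper in (("client-address-prefix-ipv4", 32), ("server-address-prefix-ipv4", 32),
                       ("client-address-prefix-ipv6", 128), ("server-address-prefix-ipv6", 128)):
        if key in sp and not 1 <= sp[key] <= upper:
            problems.append(f"{key} = {sp[key]} outside 1..{upper}")
    return problems


# Constructed sample: a collector keeping only core Q/R fields, storing
# anonymized client addresses truncated to /24, and recording no RR data.
SAMPLE_STORAGE_PARAMETERS = {
    "ticks-per-second": 1_000_000,
    "max-block-items": 10_000,
    "storage-hints": {
        "query-response-hints": 0b11_1101_1111,                     # bits 0-4, 6-9
        "query-response-signature-hints": 0b1_0000_0001_1111_1111,  # bits 0-8, 16
        "rr-hints": 0,
        "other-data-hints": 0b10,                                   # address-event-counts
    },
    "opcodes": [0],
    "rr-types": [1, 2, 28],
    "storage-flags": 0b101,                                         # anonymized, normalized
    "client-address-prefix-ipv4": 24,
}
```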

7.3.1.1.2. "CollectionParameters"

   Parameters providing information regarding how data in the file was
   collected (applicable for some, but not all, collection
   environments).  The values are informational only and serve as
   metadata to downstream analyzers as to the configuration of a
   collecting implementation.  They can provide context when
   interpreting what data is present/absent from the capture but cannot
   necessarily be validated against the data captured.

   These parameters have no default.  If they do not appear, nothing
   can be inferred about their value.

   A map containing the following items:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | query-timeout    |   | U | To be matched with a Query, a Response |
   |                  |   |   | must arrive within this number of      |
   |                  |   |   | milliseconds.                          |
   |                  |   |   |                                        |
   | skew-timeout     |   | U | The network stack may report a         |
   |                  |   |   | Response before the corresponding      |
   |                  |   |   | Query.  A Response is not considered   |
   |                  |   |   | to be missing a Query until after this |
   |                  |   |   | many microseconds.                     |
   |                  |   |   |                                        |
   | snaplen          |   | U | Collect up to this many bytes per      |
   |                  |   |   | packet.                                |
   |                  |   |   |                                        |
   | promisc          |   | B | "true" if promiscuous mode             |
   |                  |   |   | [pcap-options] was enabled on the      |
   |                  |   |   | interface, "false" otherwise.          |
   |                  |   |   |                                        |
   | interfaces       |   | A | Array of identifiers (of type text     |
   |                  |   |   | string) of the interfaces used for     |
   |                  |   |   | collection.                            |
   |                  |   |   |                                        |
   | server-addresses |   | A | Array of server collection IP          |
   |                  |   |   | addresses (of type byte string).       |
   |                  |   |   | Metadata for downstream analyzers;     |
   |                  |   |   | does not affect collection.            |
   |                  |   |   |                                        |
   | vlan-ids         |   | A | Array of identifiers (of type unsigned |
   |                  |   |   | integer, each in the range 1 to 4094   |
   |                  |   |   | inclusive) of VLANs [IEEE802.1Q]       |
   |                  |   |   | selected for collection.  VLAN IDs are |
   |                  |   |   | unique only within an administrative   |
   |                  |   |   | domain.                                |
   |                  |   |   |                                        |
   | filter           |   | T | Filter for input, in "tcpdump"         |
   |                  |   |   | [pcap-filter] style.                   |
   |                  |   |   |                                        |
   | generator-id     |   | T | Implementation-specific human-readable |
   |                  |   |   | string identifying the collection      |
   |                  |   |   | method.                                |
   |                  |   |   |                                        |
   | host-id          |   | T | String identifying the collecting      |
   |                  |   |   | host.                                  |
   +------------------+---+---+----------------------------------------+

7.3.2. "Block"

   Container for data with common collection and storage parameters.
   A map containing the following:

   +--------------------+---+---+--------------------------------------+
   | Field              | M | T | Description                          |
   +--------------------+---+---+--------------------------------------+
   | block-preamble     | X | M | Overall information for the "Block"  |
   |                    |   |   | item.  Map of type "BlockPreamble";  |
   |                    |   |   | see Section 7.3.2.1.                 |
   |                    |   |   |                                      |
   | block-statistics   |   | M | Statistics about the "Block" item.   |
   |                    |   |   | Map of type "BlockStatistics"; see   |
   |                    |   |   | Section 7.3.2.2.                     |
   |                    |   |   |                                      |
   | block-tables       |   | M | The arrays containing data           |
   |                    |   |   | referenced by individual             |
   |                    |   |   | "QueryResponse" or                   |
   |                    |   |   | "MalformedMessage" items.  Map of    |
   |                    |   |   | type "BlockTables"; see Section      |
   |                    |   |   | 7.3.2.3.                             |
   |                    |   |   |                                      |
   | query-responses    |   | A | Details of individual C-DNS Q/R data |
   |                    |   |   | items.  Array of items of type       |
   |                    |   |   | "QueryResponse"; see Section         |
   |                    |   |   | 7.3.2.4.  If present, the array must |
   |                    |   |   | not be empty.                        |
   |                    |   |   |                                      |
   | address-event      |   | A | Per-client counts of ICMP messages   |
   | -counts            |   |   | and TCP resets.  Array of items of   |
   |                    |   |   | type "AddressEventCount"; see        |
   |                    |   |   | Section 7.3.2.5.  If present, the    |
   |                    |   |   | array must not be empty.             |
   |                    |   |   |                                      |
   | malformed-messages |   | A | Details of malformed DNS messages.   |
   |                    |   |   | Array of items of type               |
   |                    |   |   | "MalformedMessage"; see Section      |
   |                    |   |   | 7.3.2.6.  If present, the array must |
   |                    |   |   | not be empty.                        |
   +--------------------+---+---+--------------------------------------+

7.3.2.1. "BlockPreamble"

   Overall information for a "Block" item.  A map containing the
   following:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | earliest-time    | C | A | A timestamp (two unsigned integers, of |
   |                  |   |   | type "Timestamp") for the earliest     |
   |                  |   |   | record in the "Block" item.  The first |
   |                  |   |   | integer is the number of seconds since |
   |                  |   |   | the POSIX epoch [posix-time]           |
   |                  |   |   | ("time_t"), excluding leap seconds.    |
   |                  |   |   | The second integer is the number of    |
   |                  |   |   | ticks (see Section 7.3.1.1.1) since    |
   |                  |   |   | the start of the second.  This field   |
   |                  |   |   | is mandatory unless all block items    |
   |                  |   |   | containing a time offset from the      |
   |                  |   |   | start of the Block also omit that time |
   |                  |   |   | offset.                                |
   |                  |   |   |                                        |
   | block-parameters |   | U | The index of the item in the           |
   | -index           |   |   | "block-parameters" array (in the       |
   |                  |   |   | "file-preamble" item) applicable to    |
   |                  |   |   | this block.  If not present, index 0   |
   |                  |   |   | is used.  See Section 7.3.1.           |
   +------------------+---+---+----------------------------------------+

7.3.2.2. "BlockStatistics"

   Basic statistical information about a "Block" item.  A map
   containing the following:

   +---------------------+---+---+-------------------------------------+
   | Field               | M | T | Description                         |
   +---------------------+---+---+-------------------------------------+
   | processed-messages  |   | U | Total number of well-formed DNS     |
   |                     |   |   | messages processed from the input   |
   |                     |   |   | traffic stream during collection of |
   |                     |   |   | data in this "Block" item.          |
   |                     |   |   |                                     |
   | qr-data-items       |   | U | Total number of Q/R data items in   |
   |                     |   |   | this "Block" item.                  |
   |                     |   |   |                                     |
   | unmatched-queries   |   | U | Number of unmatched Queries in this |
   |                     |   |   | "Block" item.                       |
   |                     |   |   |                                     |
   | unmatched-responses |   | U | Number of unmatched Responses in    |
   |                     |   |   | this "Block" item.                  |
   |                     |   |   |                                     |
   | discarded-opcode    |   | U | Number of DNS messages processed    |
   |                     |   |   | from the input traffic stream       |
   |                     |   |   | during collection of data in this   |
   |                     |   |   | "Block" item but not recorded       |
   |                     |   |   | because their OPCODE is not in the  |
   |                     |   |   | list to be collected.               |
   |                     |   |   |                                     |
   | malformed-items     |   | U | Number of malformed messages        |
   |                     |   |   | processed from the input traffic    |
   |                     |   |   | stream during collection of data in |
   |                     |   |   | this "Block" item.                  |
   +---------------------+---+---+-------------------------------------+

7.3.2.3. "BlockTables"

   Map of arrays containing data referenced by individual
   "QueryResponse" or "MalformedMessage" items in this "Block".  Each
   element is an array that, if present, must not be empty.

   An item in the "qlist" array contains indexes to values in the "qrr"
   array.  Therefore, if "qlist" is present, "qrr" must also be
   present.  Similarly, if "rrlist" is present, "rr" must also be
   present.

   The map contains the following items:

   +-------------------+---+---+---------------------------------------+
   | Field             | M | T | Description                           |
   +-------------------+---+---+---------------------------------------+
   | ip-address        |   | A | Array of IP addresses, in network     |
   |                   |   |   | byte order (of type byte string).  If |
   |                   |   |   | client or server address prefixes are |
   |                   |   |   | set, only the address prefix bits are |
   |                   |   |   | stored.  Each string is therefore up  |
   |                   |   |   | to 4 bytes long for an IPv4 address,  |
   |                   |   |   | or up to 16 bytes long for an IPv6    |
   |                   |   |   | address.  See Section 7.3.1.1.1.      |
   |                   |   |   |                                       |
   | classtype         |   | A | Array of RR CLASS and TYPE            |
   |                   |   |   | information.  Type is "ClassType".    |
   |                   |   |   | See Section 7.3.2.3.1.                |
   |                   |   |   |                                       |
   | name-rdata        |   | A | Array where each entry is the         |
   |                   |   |   | contents of a single NAME or RDATA in |
   |                   |   |   | wire format (of type byte string).    |
   |                   |   |   | Note that NAMEs, and labels within    |
   |                   |   |   | RDATA contents, are full domain names |
   |                   |   |   | or labels; no name compression (per   |
   |                   |   |   | [RFC1035]) is used on the individual  |
   |                   |   |   | names/labels within the format.       |
   |                   |   |   |                                       |
   | qr-sig            |   | A | Array of Q/R data item signatures.    |
   |                   |   |   | Type is "QueryResponseSignature".     |
   |                   |   |   | See Section 7.3.2.3.2.                |
   |                   |   |   |                                       |
   | qlist             |   | A | Array of type "QuestionList".  A      |
   |                   |   |   | "QuestionList" is an array of         |
   |                   |   |   | unsigned integers, indexes to         |
   |                   |   |   | "Question" items in the "qrr" array.  |
   |                   |   |   |                                       |
   | qrr               |   | A | Array of type "Question".  Each entry |
   |                   |   |   | is the contents of a single Question, |
   |                   |   |   | where a Question is the second or     |
   |                   |   |   | subsequent Question in a Query.  See  |
   |                   |   |   | Section 7.3.2.3.3.                    |
   |                   |   |   |                                       |
   | rrlist            |   | A | Array of type "RRList".  An "RRList"  |
   |                   |   |   | is an array of unsigned integers,     |
   |                   |   |   | indexes to "RR" items in the "rr"     |
   |                   |   |   | array.                                |
   |                   |   |   |                                       |
   | rr                |   | A | Array of type "RR".  Each entry is    |
   |                   |   |   | the contents of a single RR.  See     |
   |                   |   |   | Section 7.3.2.3.4.                    |
   |                   |   |   |                                       |
   | malformed-message |   | A | Array of the contents of malformed    |
   | -data             |   |   | messages.  Array of type              |
   |                   |   |   | "MalformedMessageData".  See Section  |
   |                   |   |   | 7.3.2.3.5.                            |
   +-------------------+---+---+---------------------------------------+
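
A check of the cross-references inside a "BlockTables" map (present-but-empty arrays, "qlist" without "qrr", "rrlist" without "rr", and out-of-range or negative indexes), as an added Python example rather than code from RFC 8618 or any implementation. It assumes the map has been decoded from CBOR into a dict keyed by the CDDL field names; the "Question" and "RR" entries in the constructed sample are placeholders because their layouts (Sections 7.3.2.3.3 and 7.3.2.3.4) are not on this page.

```python
# Added example; not code from RFC 8618 or any C-DNS implementation.
# Assumes a "BlockTables" map already decoded from CBOR and keyed by the
# CDDL field names of the table above (real files use the integer keys of
# Appendix A).  Indexes are 0-based per Section 7.1.

BLOCK_TABLE_ARRAYS = ("ip-address", "classtype", "name-rdata", "qr-sig",
                      "qlist", "qrr", "rrlist", "rr", "malformed-message-data")
# (list array, item array): each entry of the first is a list of indexes
# into the second, so the second must exist when the first does.
INDEX_LISTS = (("qlist", "qrr"), ("rrlist", "rr"))


def validate_block_tables(tables):
    """Problems with a "BlockTables" map; an empty list means every array is
    non-empty and every "qlist"/"rrlist" index resolves."""
    problems = []
    for name in BLOCK_TABLE_ARRAYS:
        if name in tables and len(tables[name]) == 0:
            problems.append(f"{name!r} is present but empty")
    for num, addr in enumerate(tables.get("ip-address", [])):
        # Up to 4 bytes (IPv4) or 16 bytes (IPv6); the smallest prefix
        # length allowed in Section 7.3.1.1.1 is 1, so at least one byte.
        if not isinstance(addr, (bytes, bytearray)) or not 1 <= len(addr) <= 16:
            problems.append(f"ip-address[{num}] is not a 1..16 byte string")
    for list_name, item_name in INDEX_LISTS:
        if list_name not in tables:
            continue
        if item_name not in tables:
            problems.append(f"{list_name!r} present without {item_name!r}")
            continue
        limit = len(tables[item_name])
        for num, index_list in enumerate(tables[list_name]):
            for idx in index_list:
                # A negative CBOR integer decodes to a negative int; Python
                # list indexing would silently wrap it, so reject it here.
                if not isinstance(idx, int) or not 0 <= idx < limit:
                    problems.append(f"{list_name}[{num}] index {idx} "
                                    f"outside {item_name}[0..{limit - 1}]")
    return problems


def resolve_question_list(tables, qlist_index):
    """The "Question" items named by entry qlist_index of "qlist".  Raises
    IndexError on any index that does not resolve (negative ones included)."""
    qrr = tables["qrr"]
    items = []
    for idx in tables["qlist"][qlist_index]:
        if not 0 <= idx < len(qrr):
            raise IndexError(f"qlist[{qlist_index}] refers to qrr[{idx}]")
        items.append(qrr[idx])
    return items


# Constructed sample.  The "Question" and "RR" entries are placeholders
# (their real layouts, Sections 7.3.2.3.3 and 7.3.2.3.4, are not shown on
# this page); the "classtype" entries follow Section 7.3.2.3.1.
SAMPLE_TABLES = {
    "ip-address": [bytes([192, 0, 2]),                        # IPv4 /24 prefix
                   bytes.fromhex("20010db8000000000000000000000001")],
    "classtype": [{"type": 1, "class": 1}, {"type": 28, "class": 1}],
    "name-rdata": [b"\x07example\x03com\x00", bytes([192, 0, 2, 1])],
    "qrr": [{"placeholder-question": 0}],
    "qlist": [[0], [0, 0]],
    "rr": [{"placeholder-rr": 0}],
    "rrlist": [[0]],
}
```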

7.3.2.3.1. "ClassType"

   RR CLASS and TYPE information.  A map containing the following:

   +-------+---+---+--------------------------+
   | Field | M | T | Description              |
   +-------+---+---+--------------------------+
   | type  | X | U | TYPE value [rrtypes].    |
   |       |   |   |                          |
   | class | X | U | CLASS value [rrclasses]. |
   +-------+---+---+--------------------------+

7.3.2.3.2. "QueryResponseSignature"

   Elements of a Q/R data item that are often common between multiple
   individual Q/R data items.  A map containing the following:

   +--------------------+---+---+--------------------------------------+
   | Field              | M | T | Description                          |
   +--------------------+---+---+--------------------------------------+
   | server-address     |   | U | The index in the "ip-address" array  |
   | -index             |   |   | of the server IP address.  See       |
   |                    |   |   | Section 7.3.2.3.                     |
   |                    |   |   |                                      |
   | server-port        |   | U | The server port.                     |
   |                    |   |   |                                      |
   | qr-transport-flags | C | U | Bit flags describing the transport   |
   |                    |   |   | used to service the Query.  Same     |
   |                    |   |   | definition as "mm-transport-flags"   |
   |                    |   |   | in Section 7.3.2.3.5, with an        |
   |                    |   |   | additional indicator for trailing    |
   |                    |   |   | bytes.  See Appendix A.              |
   |                    |   |   | Bit 0.  IP version.  0 if IPv4, 1 if |
   |                    |   |   | IPv6.  See Section 6.2.4.            |
   |                    |   |   | Bits 1-4.  Transport.  4-bit         |
   |                    |   |   | unsigned value where                 |
   |                    |   |   | 0 = UDP [RFC1035]                    |
   |                    |   |   | 1 = TCP [RFC1035]                    |
   |                    |   |   | 2 = TLS [RFC7858]                    |
   |                    |   |   | 3 = DTLS [RFC8094]                   |
   |                    |   |   | 4 = HTTPS [RFC8484]                  |
   |                    |   |   | 15 = Non-standard transport (see     |
   |                    |   |   | below)                               |
   |                    |   |   | Values 5-14 are reserved for future  |
   |                    |   |   | use.                                 |
   |                    |   |   | Bit 5.  1 if trailing bytes in Query |
   |                    |   |   | packet.  See Section 11.2.           |
   |                    |   |   |                                      |
   | qr-type            |   | U | Type of Query/Response transaction   |
   |                    |   |   | based on the definitions in the      |
   |                    |   |   | dnstap schema [dnstap-schema].       |
   |                    |   |   | 0 = Stub.  A transaction between a   |
   |                    |   |   | stub resolver and a DNS server from  |
   |                    |   |   | the perspective of the stub          |
   |                    |   |   | resolver.                            |
   |                    |   |   | 1 = Client.  A transaction between a |
   |                    |   |   | client and a DNS server (a proxy or  |
   |                    |   |   | full recursive resolver) from the    |
   |                    |   |   | perspective of the DNS server.       |
   |                    |   |   | 2 = Resolver.  A transaction between |
   |                    |   |   | a recursive resolver and an          |
   |                    |   |   | authoritative server from the        |
   |                    |   |   | perspective of the recursive         |
   |                    |   |   | resolver.                            |
   |                    |   |   | 3 = Authoritative.  A transaction    |
   |                    |   |   | between a recursive resolver and an  |
   |                    |   |   | authoritative server from the        |
   |                    |   |   | perspective of the authoritative     |
   |                    |   |   | server.                              |
   |                    |   |   | 4 = Forwarder.  A transaction        |
   |                    |   |   | between a downstream forwarder and   |
   |                    |   |   | an upstream DNS server (a recursive  |
   |                    |   |   | resolver) from the perspective of    |
   |                    |   |   | the downstream forwarder.            |
   |                    |   |   | 5 = Tool.  A transaction between a   |
   |                    |   |   | DNS software tool and a DNS server,  |
   |                    |   |   | from the perspective of the tool.    |
   |                    |   |   |                                      |
   | qr-sig-flags       |   | U | Bit flags explicitly indicating      |
   |                    |   |   | attributes of the message pair       |
   |                    |   |   | represented by this Q/R data item    |
   |                    |   |   | (not all attributes may be recorded  |
   |                    |   |   | or deducible).                       |
   |                    |   |   | Bit 0.  1 if a Query was present.    |
   |                    |   |   | Bit 1.  1 if a Response was present. |
   |                    |   |   | Bit 2.  1 if a Query was present and |
   |                    |   |   | it had an OPT RR.                    |
   |                    |   |   | Bit 3.  1 if a Response was present  |
   |                    |   |   | and it had an OPT RR.                |
   |                    |   |   | Bit 4.  1 if a Query was present but |
   |                    |   |   | had no Question.                     |
   |                    |   |   | Bit 5.  1 if a Response was present  |
   |                    |   |   | but had no Question (only one        |
   |                    |   |   | query-name-index is stored per Q/R   |
   |                    |   |   | data item).                          |
   |                    |   |   |                                      |
   | query-opcode       |   | U | Query OPCODE.                        |
   |                    |   |   |                                      |
   | qr-dns-flags       |   | U | Bit flags with values from the Query |
   |                    |   |   | and Response DNS flags.  Flag values |
   |                    |   |   | are 0 if the Query or Response is    |
   |                    |   |   | not present.                         |
   |                    |   |   | Bit 0.  Query Checking Disabled      |
   |                    |   |   | (CD).                                |
   |                    |   |   | Bit 1.  Query Authenticated Data     |
   |                    |   |   | (AD).                                |
   |                    |   |   | Bit 2.  Query reserved (Z).          |
   |                    |   |   | Bit 3.  Query Recursion Available    |
   |                    |   |   | (RA).                                |
   |                    |   |   | Bit 4.  Query Recursion Desired      |
   |                    |   |   | (RD).                                |
   |                    |   |   | Bit 5.  Query TrunCation (TC).       |
   |                    |   |   | Bit 6.  Query Authoritative Answer   |
   |                    |   |   | (AA).                                |
   |                    |   |   | Bit 7.  Query DNSSEC answer OK (DO). |
   |                    |   |   | Bit 8.  Response Checking Disabled   |
   |                    |   |   | (CD).                                |
   |                    |   |   | Bit 9.  Response Authenticated Data  |
   |                    |   |   | (AD).                                |
   |                    |   |   | Bit 10.  Response reserved (Z).      |
   |                    |   |   | Bit 11.  Response Recursion          |
   |                    |   |   | Available (RA).                      |
   |                    |   |   | Bit 12.  Response Recursion Desired  |
   |                    |   |   | (RD).                                |
   |                    |   |   | Bit 13.  Response TrunCation (TC).   |
   |                    |   |   | Bit 14.  Response Authoritative      |
   |                    |   |   | Answer (AA).                         |
   |                    |   |   |                                      |
   | query-rcode        |   | U | Query RCODE.  If the Query contains  |
   |                    |   |   | an OPT RR [RFC6891], this value      |
   |                    |   |   | incorporates any EXTENDED-RCODE      |
   |                    |   |   | value [rcodes].                      |
   |                    |   |   |                                      |
   | query-classtype    |   | U | The index in the "classtype" array   |
   | -index             |   |   | of the CLASS and TYPE of the first   |
   |                    |   |   | Question.  See Section 7.3.2.3.      |
   |                    |   |   |                                      |
   | query-qdcount      |   | U | The QDCOUNT in the Query, or         |
   |                    |   |   | Response if no Query present.        |
   |                    |   |   |                                      |
   | query-ancount      |   | U | Query ANCOUNT.                       |
   |                    |   |   |                                      |
   | query-nscount      |   | U | Query NSCOUNT.                       |
   |                    |   |   |                                      |
   | query-arcount      |   | U | Query ARCOUNT.                       |
   |                    |   |   |                                      |
   | query-edns-version |   | U | The Query EDNS version.  ("EDNS"     |
   |                    |   |   | stands for Extension Mechanisms for  |
   |                    |   |   | DNS.)                                |
   |                    |   |   |                                      |
   | query-udp-size     |   | U | The Query EDNS sender's UDP payload  |
   |                    |   |   | size.                                |
   |                    |   |   |                                      |
   | query-opt-rdata    |   | U | The index in the "name-rdata" array  |
   | -index             |   |   | of the OPT RDATA.  See Section       |
   |                    |   |   | 7.3.2.3.                             |
   |                    |   |   |                                      |
   | response-rcode     |   | U | Response RCODE.  If the Response     |
   |                    |   |   | contains an OPT RR [RFC6891], this   |
   |                    |   |   | value incorporates any EXTENDED-     |
   |                    |   |   | RCODE value [rcodes].                |
   +--------------------+---+---+--------------------------------------+

   Version 1.0 of C-DNS supports transport values corresponding to DNS
   transports defined in IETF Standards Track documents at the time of
   writing.  There are numerous non-standard methods of sending DNS
   messages over various transports using a variety of protocols, but
   they are out of scope for this document.  With the current
   specification, these can be generically stored using value 15
   (Non-standard transport), or implementations are free to use the
   negative integer map keys to define their own mappings.  Such
   non-standard transports may also be the subject of a future extension
   to the specification.
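The bit-flag quantities in the table above ("qr-dns-flags") and the transport-flags layout given later on this page (bit 0 = IP version, bits 1-4 = transport code, as tabulated for "ae-transport-flags") are both read with the rule from Section 7.2: flag n of quantity q is on if "(q & (1 << n)) != 0". The following encoder/decoder is an added example, not code from RFC 8618 or any C-DNS implementation. It assumes bit 0 of "qr-dns-flags" is the Query CD flag (that row precedes this excerpt of the table) and that bit 0 of "mm-transport-flags" carries the same IP-version meaning as in "ae-transport-flags"; the page lists only bits 1-4 for it.

```python
# Added example (not from RFC 8618 or any C-DNS implementation): encode and
# decode the bit-flag quantities tabulated on this page, using the RFC's rule
# that flag n of quantity q is set iff (q & (1 << n)) != 0.

# "qr-dns-flags": bit 0 is the Query CD flag (assumption: that row sits in the
# part of the table preceding this excerpt); bits 1-14 are as listed above.
QR_DNS_FLAG_NAMES = [
    "query-cd", "query-ad", "query-z", "query-ra", "query-rd", "query-tc",
    "query-aa", "query-do",
    "response-cd", "response-ad", "response-z", "response-ra",
    "response-rd", "response-tc", "response-aa",
]

# 4-bit transport codes carried in bits 1-4 of "mm-transport-flags" and
# "ae-transport-flags"; values 5-14 are reserved.
TRANSPORT_CODES = {0: "UDP", 1: "TCP", 2: "TLS", 3: "DTLS", 4: "HTTPS",
                   15: "Non-standard transport"}


def flag_set(q: int, n: int) -> bool:
    """The RFC's definition of 'flag n of quantity q is on'."""
    return (q & (1 << n)) != 0


def decode_qr_dns_flags(q: int) -> dict:
    """Map each named DNS flag to whether it is set in a qr-dns-flags value."""
    if q < 0 or q >= (1 << len(QR_DNS_FLAG_NAMES)):
        raise ValueError("qr-dns-flags uses only bits 0-14")
    return {name: flag_set(q, n) for n, name in enumerate(QR_DNS_FLAG_NAMES)}


def encode_qr_dns_flags(set_flags) -> int:
    """Build a qr-dns-flags value from a collection of flag names."""
    q = 0
    for name in set_flags:
        q |= 1 << QR_DNS_FLAG_NAMES.index(name)   # ValueError on an unknown name
    return q


def decode_transport_flags(q: int) -> dict:
    """Split a transport-flags value into IP version and transport."""
    code = (q >> 1) & 0xF                          # bits 1-4
    transport = TRANSPORT_CODES.get(code, "reserved (5-14)")
    return {"ip-version": 6 if flag_set(q, 0) else 4,   # bit 0
            "transport-code": code,
            "transport": transport}


def encode_transport_flags(ip_version: int, transport: str) -> int:
    """Build a transport-flags value from an IP version and a transport name."""
    if ip_version not in (4, 6):
        raise ValueError("ip-version must be 4 or 6")
    code = {v: k for k, v in TRANSPORT_CODES.items()}[transport]   # KeyError if unknown
    return (1 if ip_version == 6 else 0) | (code << 1)


if __name__ == "__main__":
    # Constructed value: RD set on the Query, RA and RD set on the Response.
    flags = encode_qr_dns_flags(["query-rd", "response-ra", "response-rd"])
    print(hex(flags), sorted(k for k, v in decode_qr_dns_flags(flags).items() if v))
    print(decode_transport_flags(encode_transport_flags(6, "TLS")))
```

Reserved transport codes are reported rather than rejected, since a reader of a file written by a newer implementation should not fail on a value it does not know; an implementation that wants to refuse them can test "transport-code" directly.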

7.3.2.3.3. "Question"

   Details on individual Questions in a Question section.

   A map containing the following:

   +-----------------+---+---+-----------------------------------------+
   | Field           | M | T | Description                             |
   +-----------------+---+---+-----------------------------------------+
   | name-index      | X | U | The index in the "name-rdata" array of  |
   |                 |   |   | the QNAME.  See Section 7.3.2.3.        |
   |                 |   |   |                                         |
   | classtype-index | X | U | The index in the "classtype" array of   |
   |                 |   |   | the CLASS and TYPE of the Question.     |
   |                 |   |   | See Section 7.3.2.3.                    |
   +-----------------+---+---+-----------------------------------------+

7.3.2.3.4. "RR"

   Details on individual RRs in RR sections.

   A map containing the following:

   +-----------------+---+---+-----------------------------------------+
   | Field           | M | T | Description                             |
   +-----------------+---+---+-----------------------------------------+
   | name-index      | X | U | The index in the "name-rdata" array of  |
   |                 |   |   | the NAME.  See Section 7.3.2.3.         |
   |                 |   |   |                                         |
   | classtype-index | X | U | The index in the "classtype" array of   |
   |                 |   |   | the CLASS and TYPE of the RR.  See      |
   |                 |   |   | Section 7.3.2.3.                        |
   |                 |   |   |                                         |
   | ttl             |   | U | The RR Time to Live.                    |
   |                 |   |   |                                         |
   | rdata-index     |   | U | The index in the "name-rdata" array of  |
   |                 |   |   | the RR RDATA.  See Section 7.3.2.3.     |
   +-----------------+---+---+-----------------------------------------+

7.3.2.3.5. "MalformedMessageData"

   Details on malformed DNS messages stored in this "Block" item.

   A map containing the following:

   +--------------------+---+---+--------------------------------------+
   | Field              | M | T | Description                          |
   +--------------------+---+---+--------------------------------------+
   | server-address     |   | U | The index in the "ip-address" array  |
   | -index             |   |   | of the server IP address.  See       |
   |                    |   |   | Section 7.3.2.3.                     |
   |                    |   |   |                                      |
   | server-port        |   | U | The server port.                     |
   |                    |   |   |                                      |
   | mm-transport-flags | C | U | Bit flags describing the transport   |
   |                    |   |   | used to service the Query.  See      |
   |                    |   |   | Section 6.2.4.                       |
   |                    |   |   | Bits 1-4.  Transport.  4-bit         |
   |                    |   |   | unsigned value where                 |
   |                    |   |   | 0 = UDP [RFC1035]                    |
   |                    |   |   | 1 = TCP [RFC1035]                    |
   |                    |   |   | 2 = TLS [RFC7858]                    |
   |                    |   |   | 3 = DTLS [RFC8094]                   |
   |                    |   |   | 4 = HTTPS [RFC8484]                  |
   |                    |   |   | 15 = Non-standard transport          |
   |                    |   |   | Values 5-14 are reserved for future  |
   |                    |   |   | use.                                 |
   |                    |   |   |                                      |
   | mm-payload         |   | S | The payload (raw bytes) of the DNS   |
   |                    |   |   | message.                             |
   +--------------------+---+---+--------------------------------------+

7.3.2.4. "QueryResponse"

   Details on individual Q/R data items.

   Note that there is no requirement that the elements of the
   "query-responses" array are presented in strict chronological order.

   A map containing the following items:

   +----------------------+---+---+------------------------------------+
   | Field                | M | T | Description                        |
   +----------------------+---+---+------------------------------------+
   | time-offset          |   | U | Q/R timestamp as an offset in      |
   |                      |   |   | ticks (see Section 7.3.1.1.1) from |
   |                      |   |   | "earliest-time".  The timestamp is |
   |                      |   |   | the timestamp of the Query, or the |
   |                      |   |   | Response if there is no Query.     |
   |                      |   |   |                                    |
   | client-address-index |   | U | The index in the "ip-address"      |
   |                      |   |   | array of the client IP address.    |
   |                      |   |   | See Section 7.3.2.3.               |
   |                      |   |   |                                    |
   | client-port          |   | U | The client port.                   |
   |                      |   |   |                                    |
   | transaction-id       |   | U | DNS transaction identifier.        |
   |                      |   |   |                                    |
   | qr-signature-index   |   | U | The index in the "qr-sig" array of |
   |                      |   |   | the "QueryResponseSignature" item. |
   |                      |   |   | See Section 7.3.2.3.               |
   |                      |   |   |                                    |
   | client-hoplimit      |   | U | The IPv4 TTL or IPv6 Hoplimit from |
   |                      |   |   | the Query packet.                  |
   |                      |   |   |                                    |
   | response-delay       |   | I | The time difference between Query  |
   |                      |   |   | and Response, in ticks.  See       |
   |                      |   |   | Section 7.3.1.1.1.  Only present   |
   |                      |   |   | if there is a Query and a          |
   |                      |   |   | Response.  The delay can be        |
   |                      |   |   | negative if the network            |
   |                      |   |   | stack/capture library returns      |
   |                      |   |   | packets out of order.              |
   |                      |   |   |                                    |
   | query-name-index     |   | U | The index in the "name-rdata"      |
   |                      |   |   | array of the item containing the   |
   |                      |   |   | QNAME for the first Question.  See |
   |                      |   |   | Section 7.3.2.3.                   |
   |                      |   |   |                                    |
   | query-size           |   | U | DNS Query message size (see        |
   |                      |   |   | below).                            |
   |                      |   |   |                                    |
   | response-size        |   | U | DNS Response message size (see     |
   |                      |   |   | below).                            |
   |                      |   |   |                                    |
   | response-processing  |   | M | Data on Response processing.  Map  |
   | -data                |   |   | of type "ResponseProcessingData".  |
   |                      |   |   | See Section 7.3.2.4.1.             |
   |                      |   |   |                                    |
   | query-extended       |   | M | Extended Query data.  Map of type  |
   |                      |   |   | "QueryResponseExtended".  See      |
   |                      |   |   | Section 7.3.2.4.2.                 |
   |                      |   |   |                                    |
   | response-extended    |   | M | Extended Response data.  Map of    |
   |                      |   |   | type "QueryResponseExtended".  See |
   |                      |   |   | Section 7.3.2.4.2.                 |
   +----------------------+---+---+------------------------------------+

   The "query-size" and "response-size" fields hold the DNS message
   size.  For UDP, this is the size of the UDP payload that contained
   the DNS message.  For TCP, it is the size of the DNS message as
   specified in the two-byte message length header.  Trailing bytes in
   UDP Queries are routinely observed in traffic to authoritative
   servers, and this value allows a calculation of how many trailing
   bytes were present.
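The trailing-byte calculation the paragraph above refers to needs the length the DNS message actually occupies, which the wire format does not state anywhere: it has to be recovered by walking the header counts, the Question section and every RR (including any OPT RR), honouring compression pointers. The following is an added example, not code from RFC 8618 or any C-DNS implementation; the sample query, UDP payload and response are constructed inline (192.0.2.1 is a TEST-NET-1 address chosen for the example), and "query-size" is taken to be the recorded UDP payload size as the text defines it.

```python
import struct

# Constructed sample traffic (not captured data): a query for example.com/A
# over UDP carrying three bytes after the DNS message, and a response whose
# Answer RR uses a compression pointer back to the QNAME at offset 12.
_QUESTION = b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"   # QNAME, QTYPE=A, QCLASS=IN
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _QUESTION
SAMPLE_QUERY_UDP_PAYLOAD = SAMPLE_QUERY + b"\x00\x00\x00"            # 3 trailing bytes
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                   + b"\xc0\x0c"                                     # NAME: pointer to offset 12
                   + struct.pack("!HHIH", 1, 1, 3600, 4)             # TYPE, CLASS, TTL, RDLENGTH
                   + bytes([192, 0, 2, 1]))                          # RDATA: 192.0.2.1 (TEST-NET-1)


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the wire-format name starting at pos."""
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length == 0:                 # root label terminates the name
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length & 0xC0:
            raise ValueError("unsupported label type 0x%02x" % (length >> 6))
        pos += 1 + length


def dns_message_length(msg: bytes) -> int:
    """Number of bytes the DNS message at the start of msg actually occupies.

    Walks the header counts, the Question section and all RR sections without
    interpreting RDATA, so it handles queries, responses and OPT RRs alike.
    """
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4              # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = _skip_name(msg, pos)
        if pos + 10 > len(msg):
            raise ValueError("truncated RR fixed fields")
        (rdlength,) = struct.unpack("!H", msg[pos + 8:pos + 10])
        pos += 10 + rdlength                        # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if pos > len(msg):
        raise ValueError("truncated message")
    return pos


def is_well_formed(msg: bytes) -> bool:
    """True if the section counts and lengths are self-consistent (the kind of
    check a collector applies before deciding a message is malformed)."""
    try:
        dns_message_length(msg)
        return True
    except ValueError:
        return False


def trailing_bytes(query_size: int, message: bytes) -> int:
    """Trailing bytes implied by a C-DNS "query-size" (the UDP payload size)
    and the DNS message that payload carried."""
    consumed = dns_message_length(message)
    if query_size < consumed:
        raise ValueError("query-size smaller than the parsed message")
    return query_size - consumed


if __name__ == "__main__":
    size = len(SAMPLE_QUERY_UDP_PAYLOAD)            # what a collector records as query-size
    print("query-size", size, "message", dns_message_length(SAMPLE_QUERY_UDP_PAYLOAD),
          "trailing", trailing_bytes(size, SAMPLE_QUERY_UDP_PAYLOAD))
    print("response bytes", dns_message_length(SAMPLE_RESPONSE))
```

For TCP the recorded size is the two-byte length prefix rather than a payload size, so the same subtraction tells you whether the sender's length header overstated the message it framed.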

7.3.2.4.1. "ResponseProcessingData"
   Information on the server processing that produced the Response.

   A map containing the following:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | bailiwick-index  |   | U | The index in the "name-rdata" array of |
   |                  |   |   | the owner name for the Response        |
   |                  |   |   | bailiwick.  See Section 7.3.2.3.       |
   |                  |   |   |                                        |
   | processing-flags |   | U | Flags relating to Response processing. |
   |                  |   |   | Bit 0.  1 if the Response came from    |
   |                  |   |   | cache.                                 |
   +------------------+---+---+----------------------------------------+

7.3.2.4.2. "QueryResponseExtended"
   Extended data on the Q/R data item.

   Each item in the map is present only if collection of the relevant
   details is configured.

   A map containing the following items:

   +------------------+---+---+----------------------------------------+
   | Field            | M | T | Description                            |
   +------------------+---+---+----------------------------------------+
   | question-index   |   | U | The index in the "qlist" array of the  |
   |                  |   |   | entry listing any second and           |
   |                  |   |   | subsequent Questions in the Question   |
   |                  |   |   | section for the Query or Response.     |
   |                  |   |   | See Section 7.3.2.3.                   |
   |                  |   |   |                                        |
   | answer-index     |   | U | The index in the "rrlist" array of the |
   |                  |   |   | entry listing the Answer RR sections   |
   |                  |   |   | for the Query or Response.  See        |
   |                  |   |   | Section 7.3.2.3.                       |
   |                  |   |   |                                        |
   | authority-index  |   | U | The index in the "rrlist" array of the |
   |                  |   |   | entry listing the Authority RR         |
   |                  |   |   | sections for the Query or Response.    |
   |                  |   |   | See Section 7.3.2.3.                   |
   |                  |   |   |                                        |
   | additional-index |   | U | The index in the "rrlist" array of the |
   |                  |   |   | entry listing the Additional RR        |
   |                  |   |   | sections for the Query or Response.    |
   |                  |   |   | See Section 7.3.2.3.  Note that Query  |
   |                  |   |   | OPT RR data can optionally be stored   |
   |                  |   |   | in the QuerySignature.                 |
   +------------------+---+---+----------------------------------------+

7.3.2.5. "AddressEventCount"
   Counts of various IP-related events relating to traffic with
   individual client addresses.

   A map containing the following:

   +--------------------+---+---+--------------------------------------+
   | Field              | M | T | Description                          |
   +--------------------+---+---+--------------------------------------+
   | ae-type            | X | U | The type of event.  The following    |
   |                    |   |   | event types are currently defined:   |
   |                    |   |   | 0.  TCP reset.                       |
   |                    |   |   | 1.  ICMP time exceeded.              |
   |                    |   |   | 2.  ICMP destination unreachable.    |
   |                    |   |   | 3.  ICMPv6 time exceeded.            |
   |                    |   |   | 4.  ICMPv6 destination unreachable.  |
   |                    |   |   | 5.  ICMPv6 packet too big.           |
   |                    |   |   |                                      |
   | ae-code            |   | U | A code relating to the event.  For   |
   |                    |   |   | ICMP or ICMPv6 events, this MUST be  |
   |                    |   |   | the ICMP [RFC792] or ICMPv6          |
   |                    |   |   | [RFC4443] code.  For other events,   |
   |                    |   |   | the contents are undefined.          |
   |                    |   |   |                                      |
   | ae-transport-flags | C | U | Bit flags describing the transport   |
   |                    |   |   | used to service the event.  See      |
   |                    |   |   | Section 6.2.4.                       |
   |                    |   |   | Bit 0.  IP version.  0 if IPv4, 1 if |
   |                    |   |   | IPv6.                                |
   |                    |   |   | Bits 1-4.  Transport.  4-bit         |
   |                    |   |   | unsigned value where                 |
   |                    |   |   | 0 = UDP [RFC1035]                    |
   |                    |   |   | 1 = TCP [RFC1035]                    |
   |                    |   |   | 2 = TLS [RFC7858]                    |
   |                    |   |   | 3 = DTLS [RFC8094]                   |
   |                    |   |   | 4 = HTTPS [RFC8484]                  |
   |                    |   |   | 15 = Non-standard transport          |
   |                    |   |   | Values 5-14 are reserved for future  |
   |                    |   |   | use.                                 |
   |                    |   |   |                                      |
   | ae-address-index   | X | U | The index in the "ip-address" array  |
   |                    |   |   | of the client address.  See Section  |
   |                    |   |   | 7.3.2.3.                             |
   |                    |   |   |                                      |
   | ae-count           | X | U | The number of occurrences of this    |
   |                    |   |   | event during the Block collection    |
   |                    |   |   | period.                              |
   +--------------------+---+---+--------------------------------------+

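How a collector turns individual TCP reset and ICMP/ICMPv6 observations into "AddressEventCount" items, and how the "ae-address-index" indirection into the "ip-address" array works, is shown by the following added example. It is not code from RFC 8618 or any C-DNS implementation; the observations are constructed inline, entries are keyed by field name rather than by the CDDL integer keys (which are in Appendix A, not on this page), and "ae-code" is simply omitted for non-ICMP events, where the RFC leaves its contents undefined.

```python
from collections import Counter

# Event types exactly as listed in the "ae-type" row above.
AE_TYPES = {
    0: "TCP reset",
    1: "ICMP time exceeded",
    2: "ICMP destination unreachable",
    3: "ICMPv6 time exceeded",
    4: "ICMPv6 destination unreachable",
    5: "ICMPv6 packet too big",
}
ICMP_TYPES = {1, 2, 3, 4, 5}   # events whose ae-code MUST carry the ICMP/ICMPv6 code

# Constructed observations for one Block (not captured data), as tuples of
# (client address, ae-type, ICMP/ICMPv6 code or None, IP version, transport code).
SAMPLE_EVENTS = [
    ("192.0.2.10", 2, 3, 4, 0),      # ICMP destination unreachable, code 3, over UDP
    ("192.0.2.10", 2, 3, 4, 0),      # the same event again
    ("192.0.2.10", 0, None, 4, 1),   # TCP reset on a TCP transport
    ("2001:db8::5", 5, 0, 6, 0),     # ICMPv6 packet too big, code 0, UDP over IPv6
]


def transport_flags(ip_version: int, transport_code: int) -> int:
    """ae-transport-flags: bit 0 = IP version (1 for IPv6), bits 1-4 = transport code."""
    if ip_version not in (4, 6) or not 0 <= transport_code <= 15:
        raise ValueError("bad ip-version or transport code")
    return (1 if ip_version == 6 else 0) | (transport_code << 1)


def build_address_event_counts(events):
    """Aggregate observations into (ip-address table, list of AddressEventCount items).

    Client addresses are interned into a table and referenced by index, as the
    "ae-address-index" row requires; each distinct (type, code, transport flags,
    address) combination becomes one item whose "ae-count" is its number of
    occurrences in the Block.  Items are keyed by field name (assumption: a real
    file uses the CDDL integer keys from Appendix A).
    """
    ip_table, index_of, counts = [], {}, Counter()
    for address, ae_type, ae_code, ip_version, transport_code in events:
        if ae_type not in AE_TYPES:
            raise ValueError("unknown ae-type %r" % ae_type)
        if ae_type in ICMP_TYPES and ae_code is None:
            raise ValueError("ICMP/ICMPv6 events must carry their code")
        if ae_type not in ICMP_TYPES:
            ae_code = None                    # undefined for other events; leave it out
        if address not in index_of:           # intern into the ip-address table
            index_of[address] = len(ip_table)
            ip_table.append(address)
        key = (ae_type, ae_code, transport_flags(ip_version, transport_code), index_of[address])
        counts[key] += 1

    items = []
    for (ae_type, ae_code, flags, addr_index), n in sorted(counts.items()):
        item = {"ae-type": ae_type, "ae-transport-flags": flags,
                "ae-address-index": addr_index, "ae-count": n}
        if ae_code is not None:
            item["ae-code"] = ae_code
        items.append(item)
    return ip_table, items


if __name__ == "__main__":
    table, items = build_address_event_counts(SAMPLE_EVENTS)
    for item in items:
        print(table[item["ae-address-index"]], AE_TYPES[item["ae-type"]], item)
```

Keeping "ae-code" in the aggregation key matters for analysis: an ICMP destination unreachable with code 3 (port unreachable) and one with code 1 (host unreachable) from the same client are different signals and must not be merged into one count.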
7.3.2.6. "MalformedMessage"
   Details on Malformed Message data items.

   A map containing the following:

   +----------------------+---+---+------------------------------------+
   | Field                | M | T | Description                        |
   +----------------------+---+---+------------------------------------+
   | time-offset          |   | U | Message timestamp as an offset in  |
   |                      |   |   | ticks (see Section 7.3.1.1.1) from |
   |                      |   |   | "earliest-time".                   |
   |                      |   |   |                                    |
   | client-address-index |   | U | The index in the "ip-address"      |
   |                      |   |   | array of the client IP address.    |
   |                      |   |   | See Section 7.3.2.3.               |
   |                      |   |   |                                    |
   | client-port          |   | U | The client port.                   |
   |                      |   |   |                                    |
   | message-data-index   |   | U | The index in the "malformed-       |
   |                      |   |   | message-data" array of the message |
   |                      |   |   | data for this message.  See        |
   |                      |   |   | Section 7.3.2.3.                   |
   +----------------------+---+---+------------------------------------+

