You know the Spiel: you’re looking at a logfile containing BIND’s querylog output, and you think: what do those flags really mean? Here’s a sample logfile entry:

    client view authoritative: query: IN NS -EDC (

As usual, the best documentation is the source code. I extracted this snippet from bin/named/query.c for your pleasure. :-)

      level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf,
      classname, typename, WANTRECURSION(client) ? "+" : "-",
      (client->signer != NULL) ? "S": "",
      (client->opt != NULL) ? "E" : "",
      ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
    		 "T" : "",
      ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",

Non capiche? Ok, I’ll translate. It starts off with the client’s IP address and port number. Then comes “query” and the name that was queried, the class (IN) and type (NS). The flags indicate whether recursion was requested (+) or not (-), if the request was signed (S), whether EDNS0 was enabled (E), DNSSEC was requested (D) or if the CD (checking disabled) flag was in use (C). And finally, if the connection arrived over TCP, a T is indicated. The default is UDP which is not otherwise mentioned. [Flags missing means they weren’t set.] And last, in parenthesis, the client’s destination address (i.e. the address of the name server).

Flattr this
DNS, BIND, and named :: 22 Feb 2011 :: e-mail


blog comments powered by Disqus