You know the Spiel: you’re looking at a logfile containing BIND’s querylog output, and you think: what do those flags really mean? Here are two sample logfile entries, the first from a BIND version in 2011 (when I originally wrote this piece), and the second from a BIND version 9.11.2 server.

client 192.168.117.234#53311: view authoritative: query: example.org IN NS -EDC (192.168.36.217)
client @0x7fa0d607f200 192.168.1.130#63565 (example.org): view internal: query: query: example.org IN NS +E(0)K (192.168.1.130)

Note how the format of the log lines has changed. I pity you if you’re using regular expressions to handle these entries … :)

As usual, the best documentation is the source code. I extracted this snippet from bin/named/query.c for your pleasure. (This is from named 9.11.2.)

ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
              level, "query: %s %s %s %s%s%s%s%s%s%s (%s)", namebuf,
              classname, typename, WANTRECURSION(client) ? "+" : "-",
              (client->signer != NULL) ? "S" : "", ednsbuf,
              TCP(client) ? "T" : "",
              ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
              ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
              HAVECOOKIE(client) ? "V" : WANTCOOKIE(client) ? "K" : "",
              onbuf);

It starts off with a pointer address followed by the client’s IP and port and the name. The view used is shown here ("internal") followed by the string "query". Then come the name that was queried, the class (IN) and type (NS), and some flags which indicate whether recursion was requested (+) or not (-), if the request was signed (S), whether EDNS0 was enabled (E) with its flags, and whether the connection was over TCP (T) or UDP (the default which is not specified).

If DNSSEC was requested we see a (D), and if the CD (checking disabled) flag was in use a (C).

[Flags missing means they weren’t set.] And last, in parenthesis, the client’s destination address (i.e. the address of the name server).