BIND query log format analysis

Nov 21 12:34:41 dns named[780]: [ID 866145 local0.info] client 1.2.3.4#32773: query: yikes.com IN MX -E

23-Apr-2010 15:21:15.316 queries: client 192.168.146.18#55771: query: 2030m.com IN A +ED (192.168.146.149)
23-Apr-2010 15:21:15.348 queries: client 192.168.146.18#47779: query: 20304050.cn IN A +ED (192.168.146.149)
23-Apr-2010 15:21:15.348 queries: client 192.168.146.18#21651: query: 2032.cc IN A +ED (192.168.146.149)
23-Apr-2010 15:21:15.348 queries: client 192.168.146.30#33151: query: 2mysite.net IN A + (192.168.146.150)
23-Apr-2010 15:21:15.351 queries: client 192.168.146.30#39878: query: 2mysite.net IN A +T (192.168.146.150)

The entries should be clear enough: the date and time the query was received; the source IP address and port number used by the client; and the name, class and qtype. The final field shows whether the query had the rd (recursion desired) bit set (+) or not (-) -- which typically tells you whether the query came from a name server or from a stub resolver -- and whether EDNS0 (E) was used.

All of the text up to the record type (MX in this case) made sense, but I had no idea what the “-E” meant. Being the curious person I am, I dug through the BIND source code to locate the logging code. After a couple of find statements, I was able to locate the logging code in query.c:

ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
              level, "query: %s %s %s %s%s%s", namebuf, classname,
              typename,
              WANTRECURSION(client) ? "+" : "-",   /* rd bit set or not */
              (client->signer != NULL) ? "S" : "", /* query was signed (TSIG/SIG(0)) */
              (client->opt != NULL) ? "E" : "");   /* query carried an EDNS0 OPT record */

So a “+” or “-” in a query log entry indicates that a client requested recursion, and the “E” means that the query requested EDNS0. I would like to thank Knobee for his feedback on this post.
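As an added example (not code from the post, nor from BIND itself), here is a small Python parser for the two log flavours shown above. It decodes the "+"/"-", S and E flags the post explains and, going beyond the text, also the T (TCP) and D (DNSSEC OK) letters that BIND 9.7+ prints in the same position; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Log lines copied from the post above (syslog flavour first, then BIND's own
# "queries:" flavour); used here as offline sample input.
SAMPLE_LINES = [
    "Nov 21 12:34:41 dns named[780]: [ID 866145 local0.info] client 1.2.3.4#32773: query: yikes.com IN MX -E",
    "23-Apr-2010 15:21:15.316 queries: client 192.168.146.18#55771: query: 2030m.com IN A +ED (192.168.146.149)",
    "23-Apr-2010 15:21:15.348 queries: client 192.168.146.18#47779: query: 20304050.cn IN A +ED (192.168.146.149)",
    "23-Apr-2010 15:21:15.348 queries: client 192.168.146.30#33151: query: 2mysite.net IN A + (192.168.146.150)",
    "23-Apr-2010 15:21:15.351 queries: client 192.168.146.30#39878: query: 2mysite.net IN A +T (192.168.146.150)",
]

# The "query:" payload is identical in both flavours, so match on it rather
# than on the timestamp prefix. The trailing "(ip)" is the server address
# that newer BIND versions append; it is optional here.
QUERY_RE = re.compile(
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][A-Z]*)"
    r"(?: \((?P<server>[^)]+)\))?"
)

# Letters printed after the rd sign. S and E come straight from the query.c
# excerpt above; T (TCP) and D (DO bit set) are the extra letters BIND 9.7+
# prints in the same position.
FLAG_NAMES = {"S": "signed", "E": "edns0", "T": "tcp", "D": "dnssec_ok"}

def parse_query_log_line(line):
    """Return a dict of fields for one query log line, or None for other entries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    flags = rec.pop("flags")
    rec["recursion_desired"] = flags[0] == "+"   # "+" rd set, "-" rd clear
    for letter, name in FLAG_NAMES.items():
        rec[name] = letter in flags[1:]
    return rec

def count_by_client(lines):
    """Queries per source IP, skipping lines that are not query entries."""
    recs = (parse_query_log_line(line) for line in lines)
    return Counter(r["client"] for r in recs if r is not None)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_query_log_line(line))
    print(count_by_client(SAMPLE_LINES))
```

Feeding named's query log through `count_by_client` is a quick way to spot a single client issuing an unusual volume of queries, and the per-flag fields make it easy to separate resolver traffic (rd set) from queries that look like they came from another name server.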

This article was edited by flyinweb on 2010-04-23 16:15:25.

This post was published by flyinweb on 2010-04-23 16:09:26; it has been viewed 4086 times and has 0 comments.

Tags added by the author: bind logfile format
