IP addresses, ports, ids, and query types are given in hexadecimal format. [u|t] denotes UDP or TCP transmission.
dnscache needs some records and found them in the cache. It may have needed the records because the client requested them, or it may have needed the addresses of a name server in order to look up some other records. The actual cached data is not recorded with this log entry. The cached data may include several records, but dnscache makes only one log entry.
Field Meaning
type The type of records needed.
name The domain name for which records were needed.
dnscache found the answer to a client query in its cache, and the answer was a CNAME record. In this case, dnscache starts over, looking for the same record type but with the "canonical name".
Field Meaning
name The domain name for which the client wants records.
cname The "canonical name" for name.
(Meaning: That name should be treated as an alias for cname.)
dnscache needed to know the authoritative nameservers for some domain, and found a set of nameservers for the domain, or some ancestor of it, in the cache. dnscache creates one log entry for each nameserver in the set. The actual name for which dnscache needed to find nameservers is on the query log entry preceding the set of cached ns log entries. For example:
u.query 673 7f000001:09b6:7c48 1 www.windows.com.
cached ns com. a.root-servers.net.
cached ns com. e.gtld-servers.net.
cached ns com. f.gtld-servers.net.
cached ns com. j.gtld-servers.net.
cached ns com. k.gtld-servers.net.
cached ns com. a.gtld-servers.net.
cached ns com. m.gtld-servers.net.
cached ns com. g.gtld-servers.net.
cached ns com. c.gtld-servers.net.
cached ns com. i.gtld-servers.net.
cached ns com. b.gtld-servers.net.
cached ns com. d.gtld-servers.net.
dnscache needed to know the authoritative nameservers for www.windows.com, and the nearest set of nameservers in its cache was the set of nameservers that are authoritative for com.
Field Meaning
control The domain name for which server is authoritative.
server The name of a server that is authoritative for control.
dnscache needs to find records for name and found a cached nxdomain entry in the cache.
Field Meaning
name The domain name for which records were requested.
dnscache decided not to try to respond to a client query.
Field Meaning
serial The serial number of the client request.
(See query for an explanation of client request serial numbers.)
error The reason dnscache dropped the request: timed out
dnscache had MAXUDP (400) active UDP queries and received another UDP query. It dropped the oldest active query.
dnscache received an AXFR request.
dnscache could not allocate memory for parsing a query packet or building a response.
dnscache was instructed to omitt name server with '% serverip' or to use a standard query for '- serverip'.
dnscache found a lame delegation. This means that the server is supposed to be authoritative for some domain, but isn't.
Field Meaning
serverip The IP address of the lame server.
name The domain name for which records were requested.
control The domain for which the server is supposed to be authoritative, but isn't.
dnscache received a "no data" response. This means that the server has records for the requested name, but no records of the requested type.
Field Meaning
serverip The IP address of the responding server.
ttl The time-to-live of the SOA record in the response.
(This is how long dnscache is allowed to cache the negative response.
dnscache will not cache a negative response for more than one hour in any case.)
type The requested record type.
name The domain name for which records were requested.
dnscache received a "Name Error" response. This means that the server has no records of any type for the requested name.
Field Meaning
serverip The IP address of the responding server.
ttl The time-to-live of the SOA record in the response.
(This is how long dnscache is allowed to cache the negative response.
dnscache will not cache a negative response for more than one hour in any case.)
name The domain name for which records were requested.
dnscache received a packet containing a query and intends to try to answer it.
Field Meaning
serial The number of queries dnscache received prior to this query since starting, plus one.
(In other words, serial number 1 is assigned to the first query received,
serial number 2 is assigned to the second query received, and so on.
The counter is stored using 64 bits, so chances of it wrapping are unlikely.)
clientip The source IP address of the packet.
(Presumably this is the IP address from which the packet was sent,
though it could have been spoofed.)
clientport The source UDP port of the packet.
id The id from the packet.
(The id is chosen by the client, and the server will include it in the response.)
type The type of records the client wants.
name The domain name for which the client wants records.
dnscache finished constructing a response to a query. If the query came over UDP [u], then dnscache also sent the response. If the query came over TCP [t], then dnscache did not send the response before making this log entry. (Sending over TCP may block so dnscache trickles the data out as part of its main loop.)
Field Meaning
serial The serial number of the client request to which dnscache responded.
(See query for an explanation of client request serial numbers.)
length The number of bytes in the response.
dnscache sent a packet with rcode 2, "Server failure", because it encountered an error. Some of the errors that can make dnscache do this:
failure to create a UDP socket
failure to set the O_NONBLOCK flag on the UDP socket
failure to bind the UDP socket to a port
failure to transmit a packet to any of up to 16 nameservers and receive a response packet with an rcode of 0 (no error) or 3 (NXDOMAIN), with four attempts per nameserver
failure to create a TCP socket
failure to set the O_NONBLOCK flag on the TCP socket
failure to bind the TCP socket to a port
failure to connect the TCP socket to any of up to 16 nameservers (one attempt per nameserver), transmit a query to the nameserver, and receive a response packet with an rcode of 0 (no error) or 3 (NXDOMAIN)
Field Meaning
name The domain name for which the dnscache was trying to find records.
error Error message will always be "input/output error".
dnscache logs this entry when it starts up and providing information on it's binding and the default UDP maximum message size it uses.
This entry contains statistics about dnscache's behavior, both since startup and at the moment the entry was logged.
Field Meaning
query-count Total number of queries received by dnscache since startup.
cache-motion Total number of bytes dnscache has stored in its cache since startup.
(This says nothing about the maximum size of the cache
or how much data has been evicted from the cache.
See djb's explanation of cache motion for more information.)
udp-active Number of queries that dnscache has received via UDP but not yet responded to or dropped.
edn-active Number of queries that dnscache has received via EDNS(0) but not yet responded to or dropped.
tcp-active Number of queries that dnscache has received via TCP but not yet responded to or dropped.
This line indicates that dnscache transmitted the query to the responsible name server.
Field Meaning
gluelessness The amount of gluelessness that generated this query.
(Read djb's explanation of gluelessness.)
type The requested record type.
name The domain name for which records are being requested.
control The authoritative anchestor domain.
[!|~|-|+|*] Field indicating the server qualification.
(Currently, '-' means none, and '+' says DNSCurve qualification.)
serverips List of IP addresses referencing authoritive servers
for control used for random name lookup.
The root server will give dnscache a list of servers that are authoritative for the com domain. dnscache will ask one of the com servers for the A records for example.com, and the log entry will have com. in the control field.
Suppose the com server says that ns.example.net is authoritative for example.com. Then when dnscache asks ns.example.net for AAAA and A records for example.com, the log entry will have example.com in the control field.