NAME
dnscache-log -- Format of the dnscache log
LOG ENTRIES
During operation, dnscache writes the following log entry types:
o cached type name
o cached cname name cname
o cached ns control server
o cached nxdomain name
o [u|t].drop serial error
o servflagged [%|-] serverip
o lame serverip name control
o nodata serverip ttl type name
o nxdomain serverip ttl name
o [u|t].query serial clientip:clientport:id type name
o rr serverip ttl type name data
o rr serverip ttl cname name cname
o rr serverip ttl mx name preference exchanger
o rr serverip ttl ns name server
o rr serverip ttl ptr name pname
o rr serverip ttl soa server email serial refresh retry expire
minimum
o [u|t].sent serial length
o servfail name error
o starting dnscache listening on ip ... sending queries from ip ....
udp maxsize =
o stats query-count cache-motion udp-active edn-active tcp-active
o tcpopen clientip:clientport
o tcpclose clientip:clientport error
o tx gluelessness type name control [!|~|-|+|*] serverips...
IP addresses, ports, ids, and query types are given in hexadecimal
format. [u|t] denotes UDP or TCP transmission.
DESCRIPTION
-> cached type name
dnscache needs some records and found them in the cache. It may have
needed the records because the client requested them, or it may have
needed the addresses of a name server in order to look up some other
records. The actual cached data is not recorded with this log entry.
The cached data may include several records, but dnscache makes only
one log entry.
Field Meaning
type The type of records needed.
name The domain name for which records were needed.
-> cached cname name cname
dnscache found the answer to a client query in its cache, and the
answer was a CNAME record. In this case, dnscache starts over, looking
for the same record type but with the "canonical name".
Field Meaning
name The domain name for which the client wants records.
cname The "canonical name" for name.
(Meaning: That name should be treated as an alias for cname.)
-> cached ns control server
dnscache needed to know the authoritative nameservers for some domain,
and found a set of nameservers for the domain, or some ancestor of it, in the cache.
dnscache creates one log entry for each nameserver in the set.
The actual name for which dnscache needed to find nameservers is
on the query log entry preceding the set of cached ns log entries.
For example:
u.query 673 7f000001:09b6:7c48 1 www.windows.com.
cached ns com. a.root-servers.net.
cached ns com. e.gtld-servers.net.
cached ns com. f.gtld-servers.net.
cached ns com. j.gtld-servers.net.
cached ns com. k.gtld-servers.net.
cached ns com. a.gtld-servers.net.
cached ns com. m.gtld-servers.net.
cached ns com. g.gtld-servers.net.
cached ns com. c.gtld-servers.net.
cached ns com. i.gtld-servers.net.
cached ns com. b.gtld-servers.net.
cached ns com. d.gtld-servers.net.
dnscache needed to know the authoritative nameservers for
www.windows.com, and the nearest set of nameservers in its cache was
the set of nameservers that are authoritative for com.
Field Meaning
control The domain name for which server is authoritative.
server The name of a server that is authoritative for control.
-> cached nxdomain name
dnscache needs to find records for name and found a cached nxdomain
entry in the cache.
Field Meaning
name The domain name for which records were requested.
dnscache received an AXFR request.
-> out of memory
dnscache could not allocate memory for parsing a query packet or
building a response.
-> servflagged [%|-] serverip
dnscache was instructed to omitt name server with '% serverip' or to
use a standard query for '- serverip'.
-> lame serverip name control
dnscache found a lame delegation. This means that the server is
supposed to be authoritative for some domain, but isn't.
Field Meaning
serverip The IP address of the lame server.
name The domain name for which records were requested.
control The domain for which the server is supposed to be authoritative, but isn't.
-> nodata serverip ttl type name
dnscache received a "no data" response. This means that the server has
records for the requested name, but no records of the requested type.
Field Meaning
serverip The IP address of the responding server.
ttl The time-to-live of the SOA record in the response.
(This is how long dnscache is allowed to cache the negative response.
dnscache will not cache a negative response for more than one hour in any case.)
type The requested record type.
name The domain name for which records were requested.
-> nxdomain serverip ttl name
dnscache received a "Name Error" response. This means that the server
has no records of any type for the requested name.
Field Meaning
serverip The IP address of the responding server.
ttl The time-to-live of the SOA record in the response.
(This is how long dnscache is allowed to cache the negative response.
dnscache will not cache a negative response for more than one hour in any case.)
name The domain name for which records were requested.
-> [u|t].query serial clientip:clientport:id type name
dnscache received a packet containing a query and intends to try to
answer it.
-> [u|t].sent serial length
dnscache finished constructing a response to a query. If the query came
over UDP [u], then dnscache also sent the response. If the query came over
TCP [t], then dnscache did not send the response before making this log
entry. (Sending over TCP may block so dnscache trickles the data out as
part of its main loop.)
Field Meaning
serial The serial number of the client request to which dnscache responded.
(See query for an explanation of client request serial numbers.)
length The number of bytes in the response.
-> servfail name error
dnscache sent a packet with rcode 2, "Server failure", because it
encountered an error. Some of the errors that can make dnscache do
this:
failure to allocate storage for a received DNS packet
failure to create a UDP socket
failure to set the O_NONBLOCK flag on the UDP socket
failure to bind the UDP socket to a port
failure to transmit a packet to any of up to 16 nameservers and
receive a response packet with an rcode of 0 (no error) or 3
(NXDOMAIN), with four attempts per nameserver
failure to create a TCP socket
failure to set the O_NONBLOCK flag on the TCP socket
failure to bind the TCP socket to a port
failure to connect the TCP socket to any of up to 16 nameservers
(one attempt per nameserver), transmit a query to the nameserver,
and receive a response packet with an rcode of 0 (no error) or 3
(NXDOMAIN)
Field Meaning
name The domain name for which the dnscache was trying to find records.
error Error message will always be "input/output error".
-> starting dnscache listening on IP ... sending queries from ... udp
maxsize
dnscache logs this entry when it starts up and providing information on
it's binding and the default UDP maximum message size it uses.
tcp-active Number of queries that dnscache has received via TCP but not yet responded to or dropped.
-> tx gluelessness type name control [!|~|-|+|*] serverips...
This line indicates that dnscache transmitted a query.
Field Meaning
gluelessness The amount of gluelessness that generated this query.
(Read djb's explanation of gluelessness.)
type The requested record type.
name The domain name for which records are being requested.
control The authoritative anchestor domain.
[!|~|-|+|*] Field indicating the server qualification.
(Currently, '-' means none, and '+' says CurveDNS qualification.)
serverips List of IP addresses referencing authoritive servers
for control used for random name lookup.
EXAMPLE FOR NAME RESOLUTION
Suppose the cache is empty, and you ask dnscache for the A records for
example.com. First, dnscache will send a query to a root server,
because the root server is authoritative for the root domain (written
"."). So the tx line for the query will have "." in the control field.
The root server will give dnscache a list of servers that are
authoritative for the com domain. dnscache will ask one of the com
servers for the A records for example.com, and the log entry will have
com. in the control field.
Suppose the com server says that ns.example.net is authoritative for
example.com. Then when dnscache asks ns.example.net for A records for
example.com, the log entry will have example.com in the control field.
EXAMPLE FOR GLUELESSNESS
For the case of www.monty.de, the queries dnscache sent for
www.monty.de have gluelessness 0. The query sent for ns.norplex.net
has gluelessness 1. The query for vserver.neptun11.de has gluelessness
2. The query sent for ns.germany.net has gluelessness 3. And so on.
SEE ALSO
dnscache (8), dnscache-conf (8)
REFERENCE
http://www.dqd.com/~mayoff/notes/djbdns/dnscache-log.html (used by
permission)
Man(1) output converted with
man2html