1
// dnstap: flexible, structured event replication format for DNS software
3
// This file contains the protobuf schemas for the "dnstap" structured event
4
// replication format for DNS software.
6
// Written in 2013-2014 by Farsight Security, Inc.
8
// To the extent possible under law, the author(s) have dedicated all
9
// copyright and related and neighboring rights to this file to the public
10
// domain worldwide. This file is distributed without any warranty.
12
// You should have received a copy of the CC0 Public Domain Dedication along
13
// with this file. If not, see:
15
// <http://creativecommons.org/publicdomain/zero/1.0/>.
19
// "Dnstap": this is the top-level dnstap type, which is a "union" type that
20
// contains other kinds of dnstap payloads, although currently only one type
21
// of dnstap payload is defined.
22
// See: https://developers.google.com/protocol-buffers/docs/techniques#union
24
// DNS server identity.
25
// If enabled, this is the identity string of the DNS server which generated
26
// this message. Typically this would be the same string as returned by an
27
// "NSID" (RFC 5001) query.
28
optional bytes identity = 1;
30
// DNS server version.
31
// If enabled, this is the version string of the DNS server which generated
32
// this message. Typically this would be the same string as returned by a
33
// "version.bind" query.
34
optional bytes version = 2;
36
// Extra data for this payload.
37
// This field can be used for adding an arbitrary byte-string annotation to
38
// the payload. No encoding or interpretation is applied or enforced.
39
optional bytes extra = 3;
41
// Identifies which field below is filled in.
45
required Type type = 15;
47
// One of the following will be filled in.
48
optional Message message = 14;
51
// SocketFamily: the network protocol family of a socket. This specifies how
52
// to interpret "network address" fields.
54
INET = 1; // IPv4 (RFC 791)
55
INET6 = 2; // IPv6 (RFC 2460)
58
// SocketProtocol: the transport protocol of a socket. This specifies how to
59
// interpret "transport port" fields.
61
UDP = 1; // User Datagram Protocol (RFC 768)
62
TCP = 2; // Transmission Control Protocol (RFC 793)
65
// Message: a wire-format (RFC 1035 section 4) DNS message and associated
66
// metadata. Applications generating "Message" payloads should follow
67
// certain requirements based on the MessageType, see below.
70
// There are eight types of "Message" defined that correspond to the
71
// four arrows in the following diagram, slightly modified from RFC 1035
74
// +---------+ +----------+ +--------+
75
// | | query | | query | |
76
// | Stub |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth. |
77
// | Resolver| | Server | | Name |
78
// | |<-SR--------CR-| |<-RR----AR-| Server |
79
// +---------+ response | | response | |
80
// +----------+ +--------+
82
// Each arrow has two Type values each, one for each "end" of each arrow,
83
// because these are considered to be distinct events. Each end of each
84
// arrow on the diagram above has been marked with a two-letter Type
85
// mnemonic. Clockwise from upper left, these mnemonic values are:
92
// RR: RESOLVER_RESPONSE
93
// CR: CLIENT_RESPONSE
96
// Two additional types of "Message" have been defined for the
97
// "forwarding" case where an upstream DNS server is responsible for
98
// further recursion. These are not shown on the diagram above, but have
99
// the following mnemonic values:
101
// FQ: FORWARDER_QUERY
102
// FR: FORWARDER_RESPONSE
104
// The "Message" Type values are defined below.
107
// AUTH_QUERY is a DNS query message received from a resolver by an
108
// authoritative name server, from the perspective of the authorative
112
// AUTH_RESPONSE is a DNS response message sent from an authoritative
113
// name server to a resolver, from the perspective of the authoritative
117
// RESOLVER_QUERY is a DNS query message sent from a resolver to an
118
// authoritative name server, from the perspective of the resolver.
119
// Resolvers typically clear the RD (recursion desired) bit when
123
// RESOLVER_RESPONSE is a DNS response message received from an
124
// authoritative name server by a resolver, from the perspective of
126
RESOLVER_RESPONSE = 4;
128
// CLIENT_QUERY is a DNS query message sent from a client to a DNS
129
// server which is expected to perform further recursion, from the
130
// perspective of the DNS server. The client may be a stub resolver or
131
// forwarder or some other type of software which typically sets the RD
132
// (recursion desired) bit when querying the DNS server. The DNS server
133
// may be a simple forwarding proxy or it may be a full recursive
137
// CLIENT_RESPONSE is a DNS response message sent from a DNS server to
138
// a client, from the perspective of the DNS server. The DNS server
139
// typically sets the RA (recursion available) bit when responding.
142
// FORWARDER_QUERY is a DNS query message sent from a downstream DNS
143
// server to an upstream DNS server which is expected to perform
144
// further recursion, from the perspective of the downstream DNS
148
// FORWARDER_RESPONSE is a DNS response message sent from an upstream
149
// DNS server performing recursion to a downstream DNS server, from the
150
// perspective of the downstream DNS server.
151
FORWARDER_RESPONSE = 8;
153
// STUB_QUERY is a DNS query message sent from a stub resolver to a DNS
154
// server, from the perspective of the stub resolver.
157
// STUB_RESPONSE is a DNS response message sent from a DNS server to a
158
// stub resolver, from the perspective of the stub resolver.
161
// TOOL_QUERY is a DNS query message sent from a DNS software tool to a
162
// DNS server, from the perspective of the tool.
165
// TOOL_RESPONSE is a DNS response message received by a DNS software
166
// tool from a DNS server, from the perspective of the tool.
170
// One of the Type values described above.
171
required Type type = 1;
173
// One of the SocketFamily values described above.
174
optional SocketFamily socket_family = 2;
176
// One of the SocketProtocol values described above.
177
optional SocketProtocol socket_protocol = 3;
179
// The network address of the message initiator.
180
// For SocketFamily INET, this field is 4 octets (IPv4 address).
181
// For SocketFamily INET6, this field is 16 octets (IPv6 address).
182
optional bytes query_address = 4;
184
// The network address of the message responder.
185
// For SocketFamily INET, this field is 4 octets (IPv4 address).
186
// For SocketFamily INET6, this field is 16 octets (IPv6 address).
187
optional bytes response_address = 5;
189
// The transport port of the message initiator.
190
// This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
191
optional uint32 query_port = 6;
193
// The transport port of the message responder.
194
// This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
195
optional uint32 response_port = 7;
197
// The time at which the DNS query message was sent or received, depending
198
// on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY.
199
// This is the number of seconds since the UNIX epoch.
200
optional uint64 query_time_sec = 8;
202
// The time at which the DNS query message was sent or received.
203
// This is the seconds fraction, expressed as a count of nanoseconds.
204
optional fixed32 query_time_nsec = 9;
206
// The initiator's original wire-format DNS query message, verbatim.
207
optional bytes query_message = 10;
209
// The "zone" or "bailiwick" pertaining to the DNS query message.
210
// This is a wire-format DNS domain name.
211
optional bytes query_zone = 11;
213
// The time at which the DNS response message was sent or received,
214
// depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or
216
// This is the number of seconds since the UNIX epoch.
217
optional uint64 response_time_sec = 12;
219
// The time at which the DNS response message was sent or received.
220
// This is the seconds fraction, expressed as a count of nanoseconds.
221
optional fixed32 response_time_nsec = 13;
223
// The responder's original wire-format DNS response message, verbatim.
224
optional bytes response_message = 14;
227
// All fields except for 'type' in the Message schema are optional.
228
// It is recommended that at least the following fields be filled in for
229
// particular types of Messages.
232
// socket_family, socket_protocol
233
// query_address, query_port
235
// query_time_sec, query_time_nsec
238
// socket_family, socket_protocol
239
// query_address, query_port
240
// query_time_sec, query_time_nsec
242
// response_time_sec, response_time_nsec
245
// socket_family, socket_protocol
247
// query_time_sec, query_time_nsec
249
// response_address, response_port
251
// RESOLVER_RESPONSE:
252
// socket_family, socket_protocol
253
// query_time_sec, query_time_nsec
255
// response_address, response_port
257
// response_time_sec, response_time_nsec
260
// socket_family, socket_protocol
262
// query_time_sec, query_time_nsec
265
// socket_family, socket_protocol
266
// query_time_sec, query_time_nsec
268
// response_time_sec, response_time_nsec