DNS Query/Response Log Message Mapping

This topic contains information about supported fields in DNS query/response log messages for NIOS, BloxOne Threat Defense, and BloxOne DDI. It also contains corresponding field elements in CEF and LEEF formats via the syslog protocol and Splunk CIM via Splunk forwarder.

CEF and LEEF messages use standard headers, as described below.

CEF message header

CEF:0|Infoblox|Data Connector|1.0.0|dns-query-IN-A|DNS Query IN A|3|

Note

Note: "IN" and "A" are variable in the example above.

LEEF message header

The following table contains supported fields in DNS query/response logs and their corresponding field elements for other supported message formats.

Internal field	Product	CEF	LEEF	Splunk CIM	Description
Timestamp	NIOS, B1TD, B1DDI	Timestamp*	Timestamp*	Timestamp*	UTC timezone
<name server ip> rip	NIOS	dst	dst	dest	IP address of the DNS server
<client IP> qip	NIOS, B1TD, B1DDI	src	src	src	IP address of the client
<port> qport	NIOS	spt	srcPort	src_port	Source port
<dns view>, view	NIOS	InfobloxDNSView	InfobloxDNSView	dns_view	DNS View
<qname>	NIOS, B1TD, B1DDI	destinationDnsDomain	url	query	Requested domain name
<class name> qclass	NIOS, B1TD, B1DDI	InfobloxDNSQClass	InfobloxDNSQClass	record_type	Request class
<type name> qtype	NIOS, B1TD, B1DDI	InfobloxDNSQType	InfobloxDNSQType	query_type	Request record type
<flags> qqr, qaa, qtc, qrd, qra, qad, qcd, qdo,	NIOS, B1TD, B1DDI	InfobloxDNSQFlags	InfobloxDNSQFlags	dns_request_flags	DNS request options
<flags> rqr, raa, rtc, rrd, rra, rad, rcd, rdo	NIOS, B1TD, B1DDI	InfobloxDNSQFlags	InfobloxDNSQFlags	dns_response_flags	DNS response options
protocol	NIOS, B1TD, B1DDI	proto	proto	transport	TCP or UDP
-	NIOS, B1TD, B1DDI	app	app		DNS
-	NIOS, B1TD, B1DDI			query_count	Query count
<rcode>	NIOS, B1TD, B1DDI	InfobloxDNSRCode	InfobloxDNSRCode	reply_code, reply_code_id	Response code
[<RR in text format>] rrr1, rrr2, rrr3	NIOS, B1TD, B1DDI	msg	msg	answer dns_record	Returned resource records
				ttl	RR's TTL
arcount	B1TD, B1DDI	InfobloxArCount	InfobloxArCount	additional_answer_count	Response. Additional RR count
ancount	B1TD, B1DDI	InfobloxAnCount	InfobloxAnCount	answer_count	Response. RR count
nscount	B1TD, B1DDI	InfobloxNsCount	InfobloxNsCount	authority_answer_count	Response. Authoritative RR count
rport	B1TD, B1DDI			dest_port	DNS Server's port
	NIOS, B1TD, B1DDI			message_type	DNS Query or DNS Response
tid	B1TD, B1DDI			transaction_id	Transaction id
-	NIOS, B1TD, B1DDI			vendor_product	For CIM: Infoblox NIOS Infoblox BloxOne TD Infoblox BloxOne DDI
opcode	B1TD, B1DDI			opcode	Operational code
source	B1TD, B1DDI			source_id	Source ID
type	B1TD, B1DDI			dns_packet_type	DNS packet type
pid				policy_id	Policy ID
cid				client_id	Client ID
anonymized				anonymized	Anonymized
DNS Query/Response: Additional Metadata
region	B1TD	InfobloxB1Region	InfobloxB1Region	ib_b1_region	B1 PoP Region
pname	B1TD	InfobloxB1ConnectionType	InfobloxB1ConnectionType	ib_b1_connection_type	Connection type: remote_client, DFP, direct (NAT/Network)
display_name	B1TD	InfobloxB1OPHName	InfobloxB1OPHName	oph_name	On-prem host name
ip_address	B1TD	InfobloxB1OPHIPAddress	InfobloxB1OPHIPAddress	oph_ip_address	On-prem host IP
network	B1TD	InfobloxB1Network	InfobloxB1Network	src_network	Network name (Network, DFP, Client)
user_name	B1TD	suser	usrName	user_name	User name
device_name	B1TD	dvchost	identHostName	src_device_name	User's device name
mac_address or cmac	B1TD	smac	srcMAC	src_mac	User's device MAC
device_ip	B1TD	dvc		src_ip	User's device IP
os_version	B1TD	InfobloxB1SrcOSVersion	InfobloxB1SrcOSVersion	src_os_version	User's device OS
dhcp_fingerprint	B1TD	InfobloxB1DHCPFingerprint	InfobloxB1DHCPFingerprint	src_dhcp_fingerprint	User's device DHCP Fingerprint
all_tags	B1TD	InfobloxB1DNSTags	InfobloxB1DNSTags	ib_dns_tags	DNS request categorization tags

DNS Query/Response Log Message Mapping

CEF message header

LEEF message header

DNS Query/Response: Additional Metadata