1// dnstap: flexible, structured event replication format for DNS software 2// 3// This file contains the protobuf schemas for the "dnstap" structured event 4// replication format for DNS software. 5 6// Written in 2013-2014 by Farsight Security, Inc. 7// 8// To the extent possible under law, the author(s) have dedicated all 9// copyright and related and neighboring rights to this file to the public 10// domain worldwide. This file is distributed without any warranty. 11// 12// You should have received a copy of the CC0 Public Domain Dedication along 13// with this file. If not, see: 14// 15// <http://creativecommons.org/publicdomain/zero/1.0/>. 16 17package dnstap; 18 19// "Dnstap": this is the top-level dnstap type, which is a "union" type that 20// contains other kinds of dnstap payloads, although currently only one type 21// of dnstap payload is defined. 22// See: https://developers.google.com/protocol-buffers/docs/techniques#union 23message Dnstap { 24 // DNS server identity. 25 // If enabled, this is the identity string of the DNS server which generated 26 // this message. Typically this would be the same string as returned by an 27 // "NSID" (RFC 5001) query. 28 optional bytes identity = 1; 29 30 // DNS server version. 31 // If enabled, this is the version string of the DNS server which generated 32 // this message. Typically this would be the same string as returned by a 33 // "version.bind" query. 34 optional bytes version = 2; 35 36 // Extra data for this payload. 37 // This field can be used for adding an arbitrary byte-string annotation to 38 // the payload. No encoding or interpretation is applied or enforced. 39 optional bytes extra = 3; 40 41 // Identifies which field below is filled in. 42 enum Type { 43 MESSAGE = 1; 44 } 45 required Type type = 15; 46 47 // One of the following will be filled in. 48 optional Message message = 14; 49} 50 51// SocketFamily: the network protocol family of a socket. This specifies how 52// to interpret "network address" fields. 53enum SocketFamily { 54 INET = 1; // IPv4 (RFC 791) 55 INET6 = 2; // IPv6 (RFC 2460) 56} 57 58// SocketProtocol: the transport protocol of a socket. This specifies how to 59// interpret "transport port" fields. 60enum SocketProtocol { 61 UDP = 1; // User Datagram Protocol (RFC 768) 62 TCP = 2; // Transmission Control Protocol (RFC 793) 63} 64 65// Message: a wire-format (RFC 1035 section 4) DNS message and associated 66// metadata. Applications generating "Message" payloads should follow 67// certain requirements based on the MessageType, see below. 68message Message { 69 70 // There are eight types of "Message" defined that correspond to the 71 // four arrows in the following diagram, slightly modified from RFC 1035 72 // section 2: 73 74 // +---------+ +----------+ +--------+ 75 // | | query | | query | | 76 // | Stub |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth. | 77 // | Resolver| | Server | | Name | 78 // | |<-SR--------CR-| |<-RR----AR-| Server | 79 // +---------+ response | | response | | 80 // +----------+ +--------+ 81 82 // Each arrow has two Type values each, one for each "end" of each arrow, 83 // because these are considered to be distinct events. Each end of each 84 // arrow on the diagram above has been marked with a two-letter Type 85 // mnemonic. Clockwise from upper left, these mnemonic values are: 86 // 87 // SQ: STUB_QUERY 88 // CQ: CLIENT_QUERY 89 // RQ: RESOLVER_QUERY 90 // AQ: AUTH_QUERY 91 // AR: AUTH_RESPONSE 92 // RR: RESOLVER_RESPONSE 93 // CR: CLIENT_RESPONSE 94 // SR: STUB_RESPONSE 95 96 // Two additional types of "Message" have been defined for the 97 // "forwarding" case where an upstream DNS server is responsible for 98 // further recursion. These are not shown on the diagram above, but have 99 // the following mnemonic values: 100 101 // FQ: FORWARDER_QUERY 102 // FR: FORWARDER_RESPONSE 103 104 // The "Message" Type values are defined below. 105 106 enum Type { 107 // AUTH_QUERY is a DNS query message received from a resolver by an 108 // authoritative name server, from the perspective of the authorative 109 // name server. 110 AUTH_QUERY = 1; 111 112 // AUTH_RESPONSE is a DNS response message sent from an authoritative 113 // name server to a resolver, from the perspective of the authoritative 114 // name server. 115 AUTH_RESPONSE = 2; 116 117 // RESOLVER_QUERY is a DNS query message sent from a resolver to an 118 // authoritative name server, from the perspective of the resolver. 119 // Resolvers typically clear the RD (recursion desired) bit when 120 // sending queries. 121 RESOLVER_QUERY = 3; 122 123 // RESOLVER_RESPONSE is a DNS response message received from an 124 // authoritative name server by a resolver, from the perspective of 125 // the resolver. 126 RESOLVER_RESPONSE = 4; 127 128 // CLIENT_QUERY is a DNS query message sent from a client to a DNS 129 // server which is expected to perform further recursion, from the 130 // perspective of the DNS server. The client may be a stub resolver or 131 // forwarder or some other type of software which typically sets the RD 132 // (recursion desired) bit when querying the DNS server. The DNS server 133 // may be a simple forwarding proxy or it may be a full recursive 134 // resolver. 135 CLIENT_QUERY = 5; 136 137 // CLIENT_RESPONSE is a DNS response message sent from a DNS server to 138 // a client, from the perspective of the DNS server. The DNS server 139 // typically sets the RA (recursion available) bit when responding. 140 CLIENT_RESPONSE = 6; 141 142 // FORWARDER_QUERY is a DNS query message sent from a downstream DNS 143 // server to an upstream DNS server which is expected to perform 144 // further recursion, from the perspective of the downstream DNS 145 // server. 146 FORWARDER_QUERY = 7; 147 148 // FORWARDER_RESPONSE is a DNS response message sent from an upstream 149 // DNS server performing recursion to a downstream DNS server, from the 150 // perspective of the downstream DNS server. 151 FORWARDER_RESPONSE = 8; 152 153 // STUB_QUERY is a DNS query message sent from a stub resolver to a DNS 154 // server, from the perspective of the stub resolver. 155 STUB_QUERY = 9; 156 157 // STUB_RESPONSE is a DNS response message sent from a DNS server to a 158 // stub resolver, from the perspective of the stub resolver. 159 STUB_RESPONSE = 10; 160 } 161 162 // One of the Type values described above. 163 required Type type = 1; 164 165 // One of the SocketFamily values described above. 166 optional SocketFamily socket_family = 2; 167 168 // One of the SocketProtocol values described above. 169 optional SocketProtocol socket_protocol = 3; 170 171 // The network address of the message initiator. 172 // For SocketFamily INET, this field is 4 octets (IPv4 address). 173 // For SocketFamily INET6, this field is 16 octets (IPv6 address). 174 optional bytes query_address = 4; 175 176 // The network address of the message responder. 177 // For SocketFamily INET, this field is 4 octets (IPv4 address). 178 // For SocketFamily INET6, this field is 16 octets (IPv6 address). 179 optional bytes response_address = 5; 180 181 // The transport port of the message initiator. 182 // This is a 16-bit UDP or TCP port number, depending on SocketProtocol. 183 optional uint32 query_port = 6; 184 185 // The transport port of the message responder. 186 // This is a 16-bit UDP or TCP port number, depending on SocketProtocol. 187 optional uint32 response_port = 7; 188 189 // The time at which the DNS query message was sent or received, depending 190 // on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY. 191 // This is the number of seconds since the UNIX epoch. 192 optional uint64 query_time_sec = 8; 193 194 // The time at which the DNS query message was sent or received. 195 // This is the seconds fraction, expressed as a count of nanoseconds. 196 optional fixed32 query_time_nsec = 9; 197 198 // The initiator's original wire-format DNS query message, verbatim. 199 optional bytes query_message = 10; 200 201 // The "zone" or "bailiwick" pertaining to the DNS query message. 202 // This is a wire-format DNS domain name. 203 optional bytes query_zone = 11; 204 205 // The time at which the DNS response message was sent or received, 206 // depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or 207 // CLIENT_RESPONSE. 208 // This is the number of seconds since the UNIX epoch. 209 optional uint64 response_time_sec = 12; 210 211 // The time at which the DNS response message was sent or received. 212 // This is the seconds fraction, expressed as a count of nanoseconds. 213 optional fixed32 response_time_nsec = 13; 214 215 // The responder's original wire-format DNS response message, verbatim. 216 optional bytes response_message = 14; 217} 218 219// All fields except for 'type' in the Message schema are optional. 220// It is recommended that at least the following fields be filled in for 221// particular types of Messages. 222 223// AUTH_QUERY: 224// socket_family, socket_protocol 225// query_address, query_port 226// query_message 227// query_time_sec, query_time_nsec 228 229// AUTH_RESPONSE: 230// socket_family, socket_protocol 231// query_address, query_port 232// query_time_sec, query_time_nsec 233// response_message 234// response_time_sec, response_time_nsec 235 236// RESOLVER_QUERY: 237// socket_family, socket_protocol 238// query_name, query_type, query_class 239// query_message 240// query_time_sec, query_time_nsec 241// query_zone 242// response_address, response_port 243 244// RESOLVER_RESPONSE: 245// socket_family, socket_protocol 246// query_name, query_type, query_class 247// query_time_sec, query_time_nsec 248// query_zone 249// response_address, response_port 250// response_message 251// response_time_sec, response_time_nsec 252 253// CLIENT_QUERY: 254// socket_family, socket_protocol 255// query_message 256// query_time_sec, query_time_nsec 257 258// CLIENT_RESPONSE: 259// socket_family, socket_protocol 260// query_time_sec, query_time_nsec 261// response_message 262// response_time_sec, response_time_nsec 263