xref: /freebsd/contrib/unbound/dnstap/dnstap.proto (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1// dnstap: flexible, structured event replication format for DNS software
2//
3// This file contains the protobuf schemas for the "dnstap" structured event
4// replication format for DNS software.
5
6// Written in 2013-2014 by Farsight Security, Inc.
7//
8// To the extent possible under law, the author(s) have dedicated all
9// copyright and related and neighboring rights to this file to the public
10// domain worldwide. This file is distributed without any warranty.
11//
12// You should have received a copy of the CC0 Public Domain Dedication along
13// with this file. If not, see:
14//
15// <http://creativecommons.org/publicdomain/zero/1.0/>.
16
17package dnstap;
18
19// "Dnstap": this is the top-level dnstap type, which is a "union" type that
20// contains other kinds of dnstap payloads, although currently only one type
21// of dnstap payload is defined.
22// See: https://developers.google.com/protocol-buffers/docs/techniques#union
23message Dnstap {
24    // DNS server identity.
25    // If enabled, this is the identity string of the DNS server which generated
26    // this message. Typically this would be the same string as returned by an
27    // "NSID" (RFC 5001) query.
28    optional bytes      identity = 1;
29
30    // DNS server version.
31    // If enabled, this is the version string of the DNS server which generated
32    // this message. Typically this would be the same string as returned by a
33    // "version.bind" query.
34    optional bytes      version = 2;
35
36    // Extra data for this payload.
37    // This field can be used for adding an arbitrary byte-string annotation to
38    // the payload. No encoding or interpretation is applied or enforced.
39    optional bytes      extra = 3;
40
41    // Identifies which field below is filled in.
42    enum Type {
43        MESSAGE = 1;
44    }
45    required Type       type = 15;
46
47    // One of the following will be filled in.
48    optional Message    message = 14;
49}
50
51// SocketFamily: the network protocol family of a socket. This specifies how
52// to interpret "network address" fields.
53enum SocketFamily {
54    INET = 1;   // IPv4 (RFC 791)
55    INET6 = 2;  // IPv6 (RFC 2460)
56}
57
58// SocketProtocol: the transport protocol of a socket. This specifies how to
59// interpret "transport port" fields.
60enum SocketProtocol {
61    UDP = 1;    // User Datagram Protocol (RFC 768)
62    TCP = 2;    // Transmission Control Protocol (RFC 793)
63}
64
65// Message: a wire-format (RFC 1035 section 4) DNS message and associated
66// metadata. Applications generating "Message" payloads should follow
67// certain requirements based on the MessageType, see below.
68message Message {
69
70    // There are eight types of "Message" defined that correspond to the
71    // four arrows in the following diagram, slightly modified from RFC 1035
72    // section 2:
73
74    //    +---------+               +----------+           +--------+
75    //    |         |     query     |          |   query   |        |
76    //    | Stub    |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth.  |
77    //    | Resolver|               | Server   |           | Name   |
78    //    |         |<-SR--------CR-|          |<-RR----AR-| Server |
79    //    +---------+    response   |          |  response |        |
80    //                              +----------+           +--------+
81
82    // Each arrow has two Type values each, one for each "end" of each arrow,
83    // because these are considered to be distinct events. Each end of each
84    // arrow on the diagram above has been marked with a two-letter Type
85    // mnemonic. Clockwise from upper left, these mnemonic values are:
86    //
87    //   SQ:        STUB_QUERY
88    //   CQ:      CLIENT_QUERY
89    //   RQ:    RESOLVER_QUERY
90    //   AQ:        AUTH_QUERY
91    //   AR:        AUTH_RESPONSE
92    //   RR:    RESOLVER_RESPONSE
93    //   CR:      CLIENT_RESPONSE
94    //   SR:        STUB_RESPONSE
95
96    // Two additional types of "Message" have been defined for the
97    // "forwarding" case where an upstream DNS server is responsible for
98    // further recursion. These are not shown on the diagram above, but have
99    // the following mnemonic values:
100
101    //   FQ:   FORWARDER_QUERY
102    //   FR:   FORWARDER_RESPONSE
103
104    // The "Message" Type values are defined below.
105
106    enum Type {
107        // AUTH_QUERY is a DNS query message received from a resolver by an
108        // authoritative name server, from the perspective of the authorative
109        // name server.
110        AUTH_QUERY = 1;
111
112        // AUTH_RESPONSE is a DNS response message sent from an authoritative
113        // name server to a resolver, from the perspective of the authoritative
114        // name server.
115        AUTH_RESPONSE = 2;
116
117        // RESOLVER_QUERY is a DNS query message sent from a resolver to an
118        // authoritative name server, from the perspective of the resolver.
119        // Resolvers typically clear the RD (recursion desired) bit when
120        // sending queries.
121        RESOLVER_QUERY = 3;
122
123        // RESOLVER_RESPONSE is a DNS response message received from an
124        // authoritative name server by a resolver, from the perspective of
125        // the resolver.
126        RESOLVER_RESPONSE = 4;
127
128        // CLIENT_QUERY is a DNS query message sent from a client to a DNS
129        // server which is expected to perform further recursion, from the
130        // perspective of the DNS server. The client may be a stub resolver or
131        // forwarder or some other type of software which typically sets the RD
132        // (recursion desired) bit when querying the DNS server. The DNS server
133        // may be a simple forwarding proxy or it may be a full recursive
134        // resolver.
135        CLIENT_QUERY = 5;
136
137        // CLIENT_RESPONSE is a DNS response message sent from a DNS server to
138        // a client, from the perspective of the DNS server. The DNS server
139        // typically sets the RA (recursion available) bit when responding.
140        CLIENT_RESPONSE = 6;
141
142        // FORWARDER_QUERY is a DNS query message sent from a downstream DNS
143        // server to an upstream DNS server which is expected to perform
144        // further recursion, from the perspective of the downstream DNS
145        // server.
146        FORWARDER_QUERY = 7;
147
148        // FORWARDER_RESPONSE is a DNS response message sent from an upstream
149        // DNS server performing recursion to a downstream DNS server, from the
150        // perspective of the downstream DNS server.
151        FORWARDER_RESPONSE = 8;
152
153        // STUB_QUERY is a DNS query message sent from a stub resolver to a DNS
154        // server, from the perspective of the stub resolver.
155        STUB_QUERY = 9;
156
157        // STUB_RESPONSE is a DNS response message sent from a DNS server to a
158        // stub resolver, from the perspective of the stub resolver.
159        STUB_RESPONSE = 10;
160    }
161
162    // One of the Type values described above.
163    required Type               type = 1;
164
165    // One of the SocketFamily values described above.
166    optional SocketFamily       socket_family = 2;
167
168    // One of the SocketProtocol values described above.
169    optional SocketProtocol     socket_protocol = 3;
170
171    // The network address of the message initiator.
172    // For SocketFamily INET, this field is 4 octets (IPv4 address).
173    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
174    optional bytes              query_address = 4;
175
176    // The network address of the message responder.
177    // For SocketFamily INET, this field is 4 octets (IPv4 address).
178    // For SocketFamily INET6, this field is 16 octets (IPv6 address).
179    optional bytes              response_address = 5;
180
181    // The transport port of the message initiator.
182    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
183    optional uint32             query_port = 6;
184
185    // The transport port of the message responder.
186    // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
187    optional uint32             response_port = 7;
188
189    // The time at which the DNS query message was sent or received, depending
190    // on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY.
191    // This is the number of seconds since the UNIX epoch.
192    optional uint64             query_time_sec = 8;
193
194    // The time at which the DNS query message was sent or received.
195    // This is the seconds fraction, expressed as a count of nanoseconds.
196    optional fixed32            query_time_nsec = 9;
197
198    // The initiator's original wire-format DNS query message, verbatim.
199    optional bytes              query_message = 10;
200
201    // The "zone" or "bailiwick" pertaining to the DNS query message.
202    // This is a wire-format DNS domain name.
203    optional bytes              query_zone = 11;
204
205    // The time at which the DNS response message was sent or received,
206    // depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or
207    // CLIENT_RESPONSE.
208    // This is the number of seconds since the UNIX epoch.
209    optional uint64             response_time_sec = 12;
210
211    // The time at which the DNS response message was sent or received.
212    // This is the seconds fraction, expressed as a count of nanoseconds.
213    optional fixed32            response_time_nsec = 13;
214
215    // The responder's original wire-format DNS response message, verbatim.
216    optional bytes              response_message = 14;
217}
218
219// All fields except for 'type' in the Message schema are optional.
220// It is recommended that at least the following fields be filled in for
221// particular types of Messages.
222
223// AUTH_QUERY:
224//      socket_family, socket_protocol
225//      query_address, query_port
226//      query_message
227//      query_time_sec, query_time_nsec
228
229// AUTH_RESPONSE:
230//      socket_family, socket_protocol
231//      query_address, query_port
232//      query_time_sec, query_time_nsec
233//      response_message
234//      response_time_sec, response_time_nsec
235
236// RESOLVER_QUERY:
237//      socket_family, socket_protocol
238//      query_name, query_type, query_class
239//      query_message
240//      query_time_sec, query_time_nsec
241//      query_zone
242//      response_address, response_port
243
244// RESOLVER_RESPONSE:
245//      socket_family, socket_protocol
246//      query_name, query_type, query_class
247//      query_time_sec, query_time_nsec
248//      query_zone
249//      response_address, response_port
250//      response_message
251//      response_time_sec, response_time_nsec
252
253// CLIENT_QUERY:
254//      socket_family, socket_protocol
255//      query_message
256//      query_time_sec, query_time_nsec
257
258// CLIENT_RESPONSE:
259//      socket_family, socket_protocol
260//      query_time_sec, query_time_nsec
261//      response_message
262//      response_time_sec, response_time_nsec
263