tinydns Log File Format

by Rob Mayoff

tinydns is part of the djbdns package, written by Daniel J. Bernstein, aka djb. I couldn't find any documentation on its log file format. These are my notes on what the log entries mean. If there are any errors here, they are mine and not djb's.

tinydns logs IP addresses as 8 digit hexadecimal strings. For example, 127.0.0.1 is logged as 7f000001.

tinydns logs port numbers, query ids, and query types as 4 digit hexadecimal strings. Common query types:
Hex Symbol
0001 A
0002 NS
0005 CNAME
0006 SOA
000c PTR
000f MX
0010 TXT
001c AAAA
0026 A6
00fb IXFR
00fc AXFR
00ff wildcard

See this file for a possibly canonical list of query types.

Log entry types:

Descriptions

starting tinydns

tinydns logs this entry immediately before entering its receive/process/respond loop.

ip:port:id + type name

tinydns attempted to respond to a request. The attempt may have failed due to a network error, but such errors are not logged.

Field Meaning
ip The IP address from which the request was received, and to which the response was sent.
port The port number from which the request was received, and to which the response was sent.
id The request id, which the client picks and the server includes in the response.
type The type of records requested.
name The domain name for which records were requested.

ip:port:id - type name

tinydns dropped a request because it did not have the authority to answer. It only has the authority to answer if it has an SOA record for name or a suffix of name. Note that if it is unable to open the data.cdb file, it will have no authority for any domain.

The fields have the same meanings as in the + log entry.

ip:port:id I type name

tinydns received a request that it does not implement, or that had invalid bits set in the header, so it responded with an RCODE of 4 (NOTIMP). For example, if the client asks tinydns to perform a recursive query, or any type of query except a standard query, then tinydns creates this type of log entry and responds with a NOTIMP answer.

The fields have the same meanings as in the + log entry.

ip:port:id C type name

tinydns received a query for a class other than IN (Internet) or 255, so it responded with an RCODE of 1 (FORMERR). Class 255 means "any class".

The fields have the same meanings as in the + log entry. Note that the actual class in the query is not logged, so there is no reliable way to decode the meaning of the type field.

ip:port:0000 / 0000 .

tinydns received a request packet that either contained no query, contained more than one query, or otherwise could not be parsed. tinydns dropped the request.

The ip and port fields have the same meanings as in the + log entry. The other field values are hardcoded.

Thanks to Daniel Biddle for class 255 and dns-parameters.
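
A parser for the log entries described above, added here as an example; it is not part of the original notes or of djbdns. The function names are illustrative, the sample lines are constructed, and it assumes each line is the bare entry with anything a logger prepends already removed.

```python
import ipaddress
import re
from collections import Counter

# Query types from the table above (hex string -> symbol).
QTYPES = {"0001": "A", "0002": "NS", "0005": "CNAME", "0006": "SOA",
          "000c": "PTR", "000f": "MX", "0010": "TXT", "001c": "AAAA",
          "0026": "A6", "00fb": "IXFR", "00fc": "AXFR", "00ff": "wildcard"}
# Result characters from the entry descriptions above.
RESULTS = {"+": "answered", "-": "dropped, no authority", "I": "NOTIMP",
           "C": "FORMERR (class)", "/": "dropped, unparseable"}
ENTRY = re.compile(
    r"^([0-9a-f]{8}):([0-9a-f]{4}):([0-9a-f]{4}) ([-+IC/]) ([0-9a-f]{4}) (\S+)$")

def parse_entry(line):
    """Decode one tinydns log entry; return None for any other line."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None  # for example "starting tinydns"
    ip, port, qid, code, qtype, name = m.groups()
    entry = {"ip": str(ipaddress.IPv4Address(int(ip, 16))),
             "port": int(port, 16), "id": int(qid, 16),
             "code": code, "result": RESULTS[code],
             "type": QTYPES.get(qtype, qtype), "name": name}
    if code == "/":
        entry["type"] = entry["name"] = None  # id, type and name are hardcoded
    elif code == "C":
        entry["type"] = qtype  # class is not logged, so leave the type undecoded
    return entry

def rejected_by_client(lines):
    """Count entries other than '+' per client IP address."""
    counts = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["code"] != "+":
            counts[entry["ip"]] += 1
    return counts

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "starting tinydns",
    "7f000001:d3a1:1c2f + 0001 www.example.com",
    "c0000205:8f21:0a0b - 000f example.net",
    "c0000205:8f22:0a0c I 0001 example.com",
    "c0000205:8f23:0000 / 0000 .",
    "cb007107:0035:beef C 0010 version.bind",
]
```

Calling rejected_by_client(SAMPLE) tallies the -, I, C and / entries per source address, which makes a client that sends many unanswerable or malformed requests easy to pick out.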