tinydns Log File Format

`tinydns` Log File Format

by Rob Mayoff

tinydns is part of the djbdns package, written by Daniel J. Bernstein, aka djb. I couldn't find any documentation on its log file format. These are my notes on what the log entries mean. If there are any errors here, they are mine and not djb's.
tinydns logs IP addresses as 8 digit hexadecimal strings. For example, 127.0.0.1 is logged as 7f000001.
tinydns logs port numbers, query ids, and query types as 4 digit hexadecimal strings. Common query types:

Hex Symbol

0001 A

0002 NS

0005 CNAME

0006 SOA

000c PTR

000f MX

0010 TXT

001c AAAA

0026 A6

00fb IXFR

00fc AXFR

00ff wildcard

See this file for a possibly canonical list of query types.
Log entry types:

starting tinydns
ip:port:id + type name
ip:port:id - type name
ip:port:id I type name
ip:port:id C type name
ip:port:0000 / 0000 .

Hex	Symbol
0001	A
0002	NS
0005	CNAME
0006	SOA
000c	PTR
000f	MX
0010	TXT
001c	AAAA
0026	A6
00fb	IXFR
00fc	AXFR
00ff	wildcard

Descriptions

starting tinydns

tinydns logs this entry immediately before entering its receive/process/respond loop.

ip:port:id + type name

tinydns attempted to respond to a request. The attempt may have failed due to a network error, but such errors are not logged.

Field Meaning

ip The IP address from which the request was received, and to which the response was sent.

port The port number from which the request was received, and to which the response was sent.

id The request id, which the client picks and the server includes in the response.

type The type of records requested.

name The domain name for which records were requested.

ip:port:id - type name

tinydns dropped a request because it did not have the authority to answer. It only has the authority to answer if it has an SOA record for name or a suffix of name. Note that if it is unable to open the data.cdb file, it will have no authority for any domain.
The fields have the same meanings as in the + log entry.

ip:port:id I type name

tinydns received a request that it does not implement, or that had invalid bits set in the header, so it responded with an RCODE of 4 (NOTIMP). For example, if the client asks tinydns to perform a recursive query, or any type of query except a standard query, then tinydns creates this type of log entry and responds with a NOTIMP answer.
The fields have the same meanings as in the + log entry.

ip:port:id C type name

tinydns received a query for a class other than IN (Internet) or 255, so it responded with an RCODE of 1 (FORMERR). Class 255 means "any class".
The fields have the same meanings as in the + log entry. Note that the actual class in the query is not logged, so there is no reliable way to decode the meaning of the type field.

ip:port:0000 / 0000 .

tinydns received a request packet that either contained no query, contained more than one query, or otherwise could not be parsed. tinydns dropped the request.
The ip and port fields have the same meanings as in the + log entry. The other field values are hardcoded.

Field	Meaning
`ip`	The IP address from which the request was received, and to which the response was sent.
`port`	The port number from which the request was received, and to which the response was sent.
`id`	The request id, which the client picks and the server includes in the response.
`type`	The type of records requested.
`name`	The domain name for which records were requested.

(The blank space above allows the last named anchor to appear at the top of your window.)

Thanks to Daniel Biddle for class 255 and dns-parameters.