Required fields are in bold.
Zeek DNS activity. Reference: https://docs.zeek.org/en/current/scripts/base/protocols/dns/main.zeek.html#type-DNS::Info
| Column | Type | Description |
|---|---|---|
| | | The earliest time at which a DNS protocol message over the associated connection is observed. |
| | | A unique identifier of the connection over which DNS messages are being transferred. |
| | | The originator's IP address. |
| | | The originator's port number. |
| | | The responder's IP address. |
| | | The responder's port number. |
| | | The transport layer protocol of the connection. |
| | | A 16-bit identifier assigned by the program that generated the DNS query. Also used in responses to match up replies to outstanding queries. |
| | | The domain name that is the subject of the DNS query. |
| | | The QCLASS value specifying the class of the query. |
| | | A descriptive name for the class of the query. |
| | | A QTYPE value specifying the type of the query. |
| | | A descriptive name for the type of the query. |
| | | The response code value in DNS response messages. |
| | | A descriptive name for the response code value. |
| | | The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section. |
| | | The Truncation bit specifies that the message was truncated. |
| | | The Recursion Desired bit in a request message indicates that the client wants recursive service for this query. |
| | | The Recursion Available bit in a response message indicates that the name server supports recursive queries. |
| | | A reserved field that is usually zero in queries and responses. |
| | | The set of resource descriptions in the query answer. |
| | | The caching intervals (measured in seconds) of the associated RRs described by the answers field. |
| | | Whether the DNS query was rejected by the server. |
| | | Panther-added field with the type of log. |
| | | Panther-added field with a unique id (within the table). |
| | | Panther-added standardized event time (UTC). |
| | | Panther-added standardized log parse time (UTC). |
| | | Panther-added field with the source id. |
| | | Panther-added field with the source label. |
| | | Panther-added field with the collection of IP addresses associated with the row. |
| | | Panther-added field with the collection of domain names associated with the row. |
| | | Panther-added field with the collection of SHA1 hashes associated with the row. |
| | | Panther-added field with the collection of MD5 hashes associated with the row. |
| | | Panther-added field with the collection of SHA256 hashes of any algorithm associated with the row. |
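As an added example (not Panther's or Zeek's own code), here is a Panther-style Python rule that consumes the fields in this table from Zeek dns.log events and alerts on TXT/NULL lookups whose names are far longer than ordinary. It assumes the events are exposed under Zeek's documented DNS::Info field names (uid, query, qtype_name, rcode_name); the length thresholds and the sample events are constructed assumptions.

```python
# Added example: a Panther-style detection rule over Zeek dns.log events.
# Assumes event keys follow Zeek's documented DNS::Info field names
# (uid, query, qtype_name, rcode_name); the thresholds below are assumptions.
from typing import Any, Dict, List

SUSPECT_QTYPES = {"TXT", "NULL"}  # record types that carry arbitrary data
MAX_LABEL_LEN = 40                # longest single label treated as ordinary
MAX_QUERY_LEN = 120               # longest whole name treated as ordinary


def longest_label(query: str) -> int:
    """Length of the longest dot-separated label in a query name."""
    return max((len(label) for label in query.split(".")), default=0)


def rule(event: Dict[str, Any]) -> bool:
    """Alert on TXT/NULL lookups whose names are far longer than normal."""
    if event.get("qtype_name") not in SUSPECT_QTYPES:
        return False
    query = event.get("query") or ""
    return longest_label(query) > MAX_LABEL_LEN or len(query) > MAX_QUERY_LEN


def severity(event: Dict[str, Any]) -> str:
    """Raise severity when the oversized name did not resolve at all."""
    return "HIGH" if event.get("rcode_name") == "NXDOMAIN" else "MEDIUM"


def title(event: Dict[str, Any]) -> str:
    return f"Oversized {event.get('qtype_name')} DNS query: {event.get('query')}"


def dedup(event: Dict[str, Any]) -> str:
    """Group alerts per Zeek connection uid."""
    return str(event.get("uid", ""))


def matching_uids(events: List[Dict[str, Any]]) -> List[str]:
    """Local-testing helper: uids of the events the rule would alert on."""
    return [dedup(e) for e in events if rule(e)]


# Constructed sample events (not real traffic), keyed by Zeek field names.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"uid": "C1", "query": "www.example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
    {"uid": "C2", "query": "a" * 60 + ".data.example", "qtype_name": "TXT", "rcode_name": "NXDOMAIN"},
    {"uid": "C3", "query": "_dmarc.example.com", "qtype_name": "TXT", "rcode_name": "NOERROR"},
    {"uid": "C4", "query": "a" * 60 + ".example.com", "qtype_name": "A", "rcode_name": "NOERROR"},
]

if __name__ == "__main__":
    print(matching_uids(SAMPLE_EVENTS))  # ['C2']
```

Only C2 fires: C3 is a legitimate short TXT lookup and C4 is oversized but an A query, which the rule deliberately ignores.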