Ping a Specific Port

Question

KyleMit

Asked: 2015-04-23 11:12:32 +0800 CST2015-04-23 11:12:32 +0800 CST 2015-04-23 11:12:32 +0800 CST

What's in the DNS Debug Log Message Fields

772

I've enable debug logging options on the DNS server, and I'm trying to parse through the output in dns.log. Here's a guide from technet on how to use server debug logging options, but I can't find anything authoritative as to what the standard format for each field would be, let alone when details are included.

Here's a sample log line from the question What Do the Numbers In Parentheses Mean In My Windows DNS Debug Log?:

6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP Rcv 10.161.60.71    5b47   Q [0001   D   NOERROR] A      (12)somecomputer(6)domain(3)com(0)

Unfortunately, that answer didn't go into what any of the other fields mean.

Technet's How DNS Works gives a good review of some of the fields, but nothing specific to the debug log formatting.

What are all the fields?

Bonus points for a powershell script that parses the info.

1 Answers

Voted

KyleMit · Answer 1 · 2015-04-23T11:14:00+08:00

Note: This answer is potentially incomplete as is. I've tried to add as much information as I could find to help carry the torch as far as possible, but I've added it as a community Wiki in hopes that other users will update incomplete or incorrect information.

According to the question DNS debug log dns.log Format Review, the fields map as follows

Date and Time             Type                     Prot Dir Request IP           R/Q             Flag     Record Domain
6/5/2013 10:00:32 AM 0E70 PACKET  00000000033397A0 UDP  Rcv 10.161.60.71    5b47   Q [0001   D   NOERROR] A      (12)somecomputer(6)domain(3)com(0)

Here's a list of the field level info:

Date and Time - Date and time of DNS traffic
Type - The type of DNS traffic
Prot - The Protocol being used [TCP|UDP]
Dir - The Direction - [Receiving|Sending]
Request IP - The IP address of the requesting client
R/Q - Response / Request
Flag - DNS Update Message Flags
Record Type - The Type of DNS Record
Domain - The domain that was originally requested

Lookups

Here's a list of potential lookup values for each of the categories:

Flag Lookup:

NOERROR - 0 - No error; successful update.
FORMERR - 1 - Format error; DNS server did not understand the update request.
SERVFAIL - 0x2 - DNS server encountered an internal error, such as a forwarding timeout
NXDOMAIN - 0x3 - A name that should exist does not exist.
NOTIMP - 0x4 - DNS server does not support the specified Operation code.
REFUSED - 0x5 - DNS server refuses to perform the update because
YXDOMAIN - 0x6 - A name that should not exist does exist.
YXRRSET - 0x7 - A resource record set that should not exist does exist.
NXRRSET - 0x8 - A resource record set that should exist does not exist.
NOTAUTH - 0x9 - DNS server is not authoritative for the zone named in the Zone section.
NOTZONE - 0xA - A name used in the Prerequisite or Update sections is not within the zone specified by the Zone section.

Record Type Lookup:

A - 0x01 - Host record
NS - 0x02 - Name server record
CNAME - 0x05 - Alias record
PTR - 0x0C - Reverse-lookup record
MX - 0x0F - Mail exchange record
SRV - 0x21 - Service record
IXFR - 0xFB - Incremental zone transfer record
AXFR - 0xFC - Standard zone transfer record
All - 0xFF - All records Domain

Parsing Script

Here's a cmdlet from Arun Sabale on Read DNS debug log and generate output in readable CSV format.

After running the cmdlet, you can call it like this:

Get-DNSDebugLog -DNSLog ".\DnsDebug.log" | Export-Csv .\ProperlyFormatedLog.csv

Script:

###########################################################################
# NAME: read DNS debug logs
# AUTHOR:  Arun Sabale
# COMMENT: 
# VERSION HISTORY:
# 1.0  - Initial release
###########################################################################

function Get-DNSDebugLog
{
    <#
    .SYNOPSIS
    This cmdlet parses a Windows DNS Debug log.

    .DESCRIPTION
    When a DNS log is converted with this cmdlet it will be turned into objects for further parsing.

    .EXAMPLE
    Get-DNSDebugLog -DNSLog ".\Something.log" | Format-Table

    Outputs the contents of the dns debug file "Something.log" as a table.

    .EXAMPLE
    Get-DNSDebugLog -DNSLog ".\Something.log" | Export-Csv .\ProperlyFormatedLog.csv

    Turns the debug file into a csv-file.

    .PARAMETER DNSLog
    Path to the DNS log or DNS log data. Allows pipelining from for example Get-ChildItem for files, and supports pipelining DNS log data.

    #>

    [CmdletBinding()]
    param(
      [Parameter(Mandatory=$false, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
      [Alias('Fullname')]
      [string] $DNSLog = "StringMode")


    BEGIN { }

    PROCESS {

        $TheReverseRegExString="\(\d\)in-addr\(\d\)arpa\(\d\)"

        ReturnDNSLogLines -DNSLog $DNSLog | % {
            if ( $_ -match "^\d\d" -AND $_ -notlike "*EVENT*") {
                $Date=$null
                $Time=$null
                $DateTime=$null
                $Protocol=$null
                $Client=$null
                $SendReceive=$null
                $QueryType=$null
                $RecordType=$null
                $Query=$null
                $Result=$null

                $Date=($_ -split " ")[0]

                # Check log time format and set properties
                if ($_ -match ":\d\d AM|:\d\d  PM") {
                    $Time=($_ -split " ")[1,2] -join " "
                    $Protocol=($_ -split " ")[7]
                    $Client=($_ -split " ")[9]
                    $SendReceive=($_ -split " ")[8]
                    $RecordType=(($_ -split "]")[1] -split " ")[1]
                    $Query=($_.ToString().Substring(110)) -replace "\s" -replace "\(\d?\d\)","." -replace "^\." -replace "\.$"
                    $Result=(((($_ -split "\[")[1]).ToString().Substring(9)) -split "]")[0] -replace " "
                }
                elseif ($_ -match "^\d\d\d\d\d\d\d\d \d\d:") {
                    $Date=$Date.Substring(0,4) + "-" + $Date.Substring(4,2) + "-" + $Date.Substring(6,2)
                    $Time=($_ -split " ")[1] -join " "
                    $Protocol=($_ -split " ")[6]
                    $Client=($_ -split " ")[8]
                    $SendReceive=($_ -split " ")[7]
                    $RecordType=(($_ -split "]")[1] -split " ")[1]
                    $Query=($_.ToString().Substring(110)) -replace "\s" -replace "\(\d?\d\)","." -replace "^\." -replace "\.$"
                    $Result=(((($_ -split "\[")[1]).ToString().Substring(9)) -split "]")[0] -replace " "
                }
                else {
                    $Time=($_ -split " ")[1]
                    $Protocol=($_ -split " ")[6]
                    $Client=($_ -split " ")[8]
                    $SendReceive=($_ -split " ")[7]
                    $RecordType=(($_ -split "]")[1] -split " ")[1]
                    $Query=($_.ToString().Substring(110)) -replace "\s" -replace "\(\d?\d\)","." -replace "^\." -replace "\.$"
                    $Result=(((($_ -split "\[")[1]).ToString().Substring(9)) -split "]")[0] -replace " "
                }

                $DateTime=Get-Date("$Date $Time") -Format "yyyy-MM-dd HH:mm:ss"


                if ($_ -match $TheReverseRegExString) {
                    $QueryType="Reverse"
                }
                else {
                    $QueryType="Forward"
                }

                $returnObj = New-Object System.Object
                $returnObj | Add-Member -Type NoteProperty -Name Date -Value $DateTime
                $returnObj | Add-Member -Type NoteProperty -Name QueryType -Value $QueryType
                $returnObj | Add-Member -Type NoteProperty -Name Client -Value $Client
                $returnObj | Add-Member -Type NoteProperty -Name SendReceive -Value $SendReceive
                $returnObj | Add-Member -Type NoteProperty -Name Protocol -Value $Protocol
                $returnObj | Add-Member -Type NoteProperty -Name RecordType -Value $RecordType
                $returnObj | Add-Member -Type NoteProperty -Name Query -Value $Query
                $returnObj | Add-Member -Type NoteProperty -Name Results -Value $Result

                if ($returnObj.Query -ne $null) {
                    Write-Output $returnObj
                }
            }
        }

    }

    END { }
}



function ReturnDNSLogLines
{
param(
$DNSLog)

$PathCorrect=try { Test-Path $DNSLog -ErrorAction Stop } catch { $false }

    if ($DNSLog -match "^\d\d" -AND $DNSLog -notlike "*EVENT*" -AND $PathCorrect -ne $true) {
        $DNSLog
    }
    elseif ($PathCorrect -eq $true) {
        Get-Content $DNSLog | % { $_ }
    }
}

What's in the DNS Debug Log Message Fields

Lookups

Parsing Script

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?