Note: This answer is potentially incomplete as it stands. I've tried to add as much information as I could find to carry the torch as far as possible, and I've made it a community wiki in the hope that other users will update incomplete or incorrect information.
According to the question *DNS debug log dns.log Format Review*, the fields map as follows:
Date and Time Type Prot Dir Request IP R/Q Flag Record Domain
6/5/2013 10:00:32 AM 0E70 PACKET 00000000033397A0 UDP Rcv 10.161.60.71 5b47 Q [0001 D NOERROR] A (12)somecomputer(6)domain(3)com(0)
Here's a list of the field level info:
- Date and Time - Date and time of DNS traffic
- Type - The type of DNS traffic
- Prot - The Protocol being used [TCP|UDP]
- Dir - The Direction - [Receiving|Sending]
- Request IP - The IP address of the requesting client
- R/Q - Response (R) / Request (Q)
- Flag - DNS Update Message Flags
- Record Type - The Type of DNS Record
- Domain - The domain that was originally requested
Lookups
Here's a list of potential lookup values for each of the categories:
Flag Lookup:
- NOERROR (0) - No error; successful update.
- FORMERR (1) - Format error; DNS server did not understand the update request.
- SERVFAIL (0x2) - DNS server encountered an internal error, such as a forwarding timeout.
- NXDOMAIN (0x3) - A name that should exist does not exist.
- NOTIMP (0x4) - DNS server does not support the specified Operation code.
- REFUSED (0x5) - DNS server refuses to perform the update because of policy or security reasons.
- YXDOMAIN (0x6) - A name that should not exist does exist.
- YXRRSET (0x7) - A resource record set that should not exist does exist.
- NXRRSET (0x8) - A resource record set that should exist does not exist.
- NOTAUTH (0x9) - DNS server is not authoritative for the zone named in the Zone section.
- NOTZONE (0xA) - A name used in the Prerequisite or Update sections is not within the zone specified by the Zone section.
Record Type Lookup:
- A (0x01) - Host record
- NS (0x02) - Name server record
- CNAME (0x05) - Alias record
- PTR (0x0C) - Reverse-lookup record
- MX (0x0F) - Mail exchange record
- SRV (0x21) - Service record
- IXFR (0xFB) - Incremental zone transfer record
- AXFR (0xFC) - Standard zone transfer record
- All (0xFF) - All records
Parsing Script
Here's a cmdlet by Arun Sabale from the post *Read DNS debug log and generate output in readable CSV format*.
After loading the script that defines the cmdlet, you can call it like this:
Get-DNSDebugLog -DNSLog ".\DnsDebug.log" | Export-Csv .\ProperlyFormatedLog.csv
Script:
###########################################################################
# NAME: read DNS debug logs
# AUTHOR: Arun Sabale
# COMMENT:
# VERSION HISTORY:
# 1.0 - Initial release
###########################################################################
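function Get-DNSDebugLog
{
<#
.SYNOPSIS
This cmdlet parses a Windows DNS Debug log.
.DESCRIPTION
When a DNS log is converted with this cmdlet it will be turned into objects for further parsing.
Every packet line (a line that starts with a date and does not contain "EVENT") becomes one object
with the properties Date, QueryType, Client, SendReceive, Protocol, RecordType, Query and Results.
Client and Query are copied from the log exactly as the DNS client sent them, so treat them as
untrusted input when the objects are exported to a spreadsheet or handed to another tool.
Lines that do not have the expected fixed-width layout are skipped with a warning instead of
terminating the whole pipeline.
.EXAMPLE
Get-DNSDebugLog -DNSLog ".\Something.log" | Format-Table
Outputs the contents of the dns debug file "Something.log" as a table.
.EXAMPLE
Get-DNSDebugLog -DNSLog ".\Something.log" | Export-Csv .\ProperlyFormatedLog.csv
Turns the debug file into a csv-file.
.PARAMETER DNSLog
Path to the DNS log or DNS log data. Allows pipelining from for example Get-ChildItem for files, and supports pipelining DNS log data.
.OUTPUTS
System.Object with the NoteProperties Date, QueryType, Client, SendReceive, Protocol, RecordType, Query and Results.
#>
[CmdletBinding()]
param(
[Parameter(Mandatory=$false, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[Alias('Fullname')]
[string] $DNSLog = "StringMode")
BEGIN {
  # Reverse lookups target the in-addr.arpa zone; the log writes every label with its length in parentheses.
  $TheReverseRegExString = "\(\d\)in-addr\(\d\)arpa\(\d\)"
  # Column at which the queried name starts in a packet line; the columns before it are fixed-width.
  $QueryOffset = 110
  # Number of characters after the opening "[" that precede the response code inside the flags block.
  $ResultOffset = 9
}
PROCESS {
  ReturnDNSLogLines -DNSLog $DNSLog | ForEach-Object {
    $line = [string]$_
    # Only packet lines are parsed; EVENT lines use a different layout.
    if ($line -notmatch "^\d\d" -or $line -like "*EVENT*") { return }
    # Segment between the first "[" and the next "[" (or end of line): the flags block and what follows it.
    $flagBlock = ($line -split "\[")[1]
    # Substring() on a line shorter than the fixed layout would throw and abort the whole pipeline;
    # skip such lines instead and tell the operator about it.
    if ($line.Length -lt $QueryOffset -or -not $flagBlock -or $flagBlock.Length -lt $ResultOffset) {
      Write-Warning "Skipping DNS log line with unexpected layout: $line"
      return
    }
    try {
      $fields = $line -split " "
      $Date = $fields[0]
      # Three date/time layouts occur; the 12-hour one carries an extra AM/PM token that shifts the later columns by one.
      if ($line -match ":\d\d AM|:\d\d PM") {
        $Time = $fields[1,2] -join " "
        $Protocol = $fields[7]
        $SendReceive = $fields[8]
        $Client = $fields[9]
      }
      elseif ($line -match "^\d\d\d\d\d\d\d\d \d\d:") {
        # yyyyMMdd -> yyyy-MM-dd so Get-Date can parse it below.
        $Date = $Date.Substring(0,4) + "-" + $Date.Substring(4,2) + "-" + $Date.Substring(6,2)
        $Time = $fields[1]
        $Protocol = $fields[6]
        $SendReceive = $fields[7]
        $Client = $fields[8]
      }
      else {
        $Time = $fields[1]
        $Protocol = $fields[6]
        $SendReceive = $fields[7]
        $Client = $fields[8]
      }
      # Record type is the first token after the closing "]" of the flags block.
      $RecordType = (($line -split "]")[1] -split " ")[1]
      # The name is logged as (len)label(len)label(0); turn it into dotted form and drop the leading/trailing dots.
      $Query = $line.Substring($QueryOffset) -replace "\s" -replace "\(\d?\d\)","." -replace "^\." -replace "\.$"
      # Response code is the last word inside the "[...]" flags block.
      $Result = ($flagBlock.Substring($ResultOffset) -split "]")[0] -replace " "
      $DateTime = Get-Date -Date "$Date $Time" -Format "yyyy-MM-dd HH:mm:ss"
    }
    catch {
      Write-Warning "Skipping DNS log line that could not be parsed ($($_.Exception.Message)): $line"
      return
    }
    if ($line -match $TheReverseRegExString) {
      $QueryType = "Reverse"
    }
    else {
      $QueryType = "Forward"
    }
    # Properties are added one at a time so the column order of Export-Csv output stays stable.
    $returnObj = New-Object System.Object
    $returnObj | Add-Member -Type NoteProperty -Name Date -Value $DateTime
    $returnObj | Add-Member -Type NoteProperty -Name QueryType -Value $QueryType
    $returnObj | Add-Member -Type NoteProperty -Name Client -Value $Client
    $returnObj | Add-Member -Type NoteProperty -Name SendReceive -Value $SendReceive
    $returnObj | Add-Member -Type NoteProperty -Name Protocol -Value $Protocol
    $returnObj | Add-Member -Type NoteProperty -Name RecordType -Value $RecordType
    $returnObj | Add-Member -Type NoteProperty -Name Query -Value $Query
    $returnObj | Add-Member -Type NoteProperty -Name Results -Value $Result
    # -replace always yields a string, so a $null test would never filter anything; test for an empty name instead.
    if (-not [string]::IsNullOrEmpty($Query)) {
      Write-Output $returnObj
    }
  }
}
END { }
}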
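function ReturnDNSLogLines
{
<#
.SYNOPSIS
Yields DNS debug log lines from either a log file or a single raw log line.
.PARAMETER DNSLog
Either the path of an existing DNS debug log file, or one line of DNS debug log text
(a line that starts with a date and does not contain "EVENT").
.OUTPUTS
System.String - the lines of the file, or the line that was passed in. Nothing when the
input is neither an existing file nor a log line.
#>
param(
$DNSLog)
# -LiteralPath so a path containing wildcard characters such as "[" or "]" is not treated as a pattern
# (Test-Path would otherwise report $false for a real file and the input would be dropped silently).
$PathCorrect = try { Test-Path -LiteralPath $DNSLog -ErrorAction Stop } catch { $false }
if ($PathCorrect -eq $true) {
  Get-Content -LiteralPath $DNSLog
}
elseif ($DNSLog -match "^\d\d" -AND $DNSLog -notlike "*EVENT*") {
  # Raw log line passed directly (string mode).
  $DNSLog
}
else {
  Write-Verbose "DNSLog is neither an existing file nor a DNS debug log line; nothing to parse."
}
}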