
Configuring DNS Logging

Aug 31, 2016
You can configure the NetScaler appliance to log the DNS requests and responses that it handles. The appliance logs the DNS requests and responses in SYSLOG format. You can choose to log either DNS requests or DNS responses, or both, and send the syslog messages to a remote log server. The log messages can be used to:
  • Audit the DNS responses to the client
  • Audit DNS clients
  • Detect and prevent DNS attacks
  • Troubleshoot
A NetScaler appliance can log the following sections in the DNS request or response, on the basis of your configuration:
  • Header Section
  • Questions Section
  • Answer Section
  • Authority Section
  • Additional Section

DNS Profiles

You can use a DNS profile to configure various DNS parameters that you want the DNS endpoint to apply to the DNS traffic. In the profile, you can enable logging, caching and negative caching.

Important: Starting with NetScaler release 11.0, enabling DNS caching through the global DNS parameters is deprecated. You enable or disable DNS caching through DNS profiles instead. To enable DNS caching for an individual virtual server, enable caching in a DNS profile and set that profile on the virtual server.
DNS profiles support the following types of DNS logging:
  • DNS Query Logging
  • DNS Answer Section Logging
  • DNS Extended Logging
  • DNS Error Logging

DNS Query Logging

You can configure a NetScaler appliance to log only the DNS queries that are received by the DNS endpoints on the appliance.

Note: If errors occur during processing of a query, they are logged if this option is set in the DNS profile.

Following is an example of a query log message:

DNS DNS_QUERY 143 0 :  U:10.102.27.70#61297:10.102.27.73#53/22142/Q/(RD)/NO/1/0/0/0#test.com./1#

DNS Answer Section Logging

You can configure a NetScaler appliance to log all the Answer sections in the DNS responses that the appliance sends to the client. DNS Answer Section logging is very useful when NetScaler is configured as a DNS resolver, or in GSLB use cases.

Following is an example of a DNS answer section log:

DNS DNS_RESPONSE 6678 0 :  U:100.100.100.210#32776:100.100.100.10#53/61373/Q/(RD,AA,RA,R)/NO/1/1/2/4#n1.citrix.com1./28#ANS#AAAA/120/1111:2345:6789:ffab:abcd:effa:1234:3212##
DNS Extended Logging

To configure a NetScaler appliance to log Authority and Additional sections in the DNS responses, enable Extended logging with Answer Section logging.

Note: If errors occur during processing of either queries or responses, the errors are logged if this option is set in the DNS profile.

Following is an example of a message logged when the cache lookup is completed and the response is embedded in the packet:

DNS DNS_RESPONSE 2252 0 :  T:100.100.100.118#21411:100.100.100.10#53/48537/Q/(RD,AA,CD,RA,R)/NO/1/1/2/6#a1.citrix.com1./1#ANS#A/120/1.1.1.1##AUTH#citrix.com1/NS/120/n2.citrix.com1#n1.citrix.com1##ADD#n1.citrix.com1/A/120/1.1.1.1#1.1.1.2##n1.citrix.com1/AAAA/120/1111:2345:6789:ffab:abcd:effa:1234:3212##n2.citrix.com1/A/120/2.1.1.2##n2.citrix.com1/AAAA/120/2222:faff:3212:8976:123:1241:64:ff9b##OPT/0/1280/DO##

DNS Error Logging

You can configure a NetScaler appliance to log the errors or failures that occur when it processes a DNS query or response. For these errors, the appliance logs the DNS header, Question sections and OPT records.

Following is an example of a message logged when an error occurs during processing of a DNS request or response:

DNS DNS_ERROR 149 0 :  U:10.102.27.70#27832:10.102.27.73#53/61153/Q/(RD)/NO/1/0/0/0#test.com./1140#Packet Dropped

Policy Based Logging

You can configure custom logging based on DNS expressions by configuring the logAction on DNS policies, Rewrite, or Responder policies. You can specify that logging occurs only when a particular DNS policy evaluates to true. For more information, see Configuring Policy Based Logging for DNS.

Understanding the NetScaler Syslog Log Message Format

A NetScaler appliance logs DNS requests and responses in the following Syslog format (the field separators match the examples above):

<transport>:<client IP>#<client ephemeral port>:<DNS endpoint IP>#<port>/<query id>/<opcode>/<header flags>/<rcode>/<question section count>/<answer section count>/<auth section count>/<additional section count>#<queried domain name>/<queried type>#...

The following table describes the fields in the Syslog message format:

Field: <transport>
Values:
  • T = TCP
  • U = UDP

Field: <client IP>#<client ephemeral port>
Values: DNS client IP address and port number

Field: <DNS endpoint IP>#<port>
Values: NetScaler DNS endpoint IP address and port number

Field: <query id>
Values: Query ID

Field: <opcode>
Values: Operation code. Supported values:
  • Q : query
  • I : inverse query
  • S : status
  • X0 : unassigned
  • N : notify
  • U : update
  • X1-10 : unassigned values

Field: <header flags>
Values: Flags. Supported values:
  • RD : recursion desired
  • TC : truncated
  • AA : authoritative response
  • CD : check disabled
  • AD : authenticated data
  • Z : unassigned
  • RA : recursion available
  • R : response

Field: <rcode>
Values: Response code. Supported values:
  • NO : no error
  • F : format error
  • S : server failure
  • NX : non-existent domain
  • NI : not implemented
  • R : query refused
  • YX : name exists when it should not
  • YXR : RR set exists when it should not
  • NXR : RR set that should exist does not
  • NAS : server not authoritative for zone
  • NA : not authorized
  • NZ : name not contained in zone
  • X1-5 : unassigned

Field: <question section count>/<answer section count>/<auth section count>/<additional section count>
Values: Question section count, Answer section count, Authority section count, and Additional section count in the DNS request or response

Field: <queried domain name>/<queried type>
Values: Queried domain and queried type in the DNS request

Field: #ANS#<record type>/<ttl>/.. #AUTH#<domain name>/<record type>/<ttl>.. #ADD#<domain name>/<record type>/<ttl>…
Values: In case of DNS responses:
  • Answer Section is logged if answer section logging is enabled in the DNS profile.
  • Authority and Additional sections are logged if extended logging is enabled in the DNS profile.

The log format differs depending on the type of record. For more information, see Understanding the Record Logging Format.
  • ANS: answer section
  • AUTH: authority section
  • ADD: additional section

Field: OPT/<edns version>/<UDP max payload size>/DO
Values: OPT record format in the DNS log:
OPT/<EDNS version>/<UDP payload size>/<"DO" or empty, depending on whether the DNSSEC OK bit is set>/<value of RDLEN>/ECS/<Q/R>/<option length>/<Family>/<Source Prefix-Length>/<Scope Prefix-Length>/<ECS Address>

If the DNS query or response includes the EDNS Client Subnet (ECS) option, then that is also logged in the OPT record format in the DNS log file.

When a DNS query with ECS option that includes either IPv4 or IPv6 address is sent, the ECS option is logged with either "ECS/Q" indicating that the values in the log are from the query or "ECS/R" indicating that the values in the log are from the response.

The value of Scope Prefix-Length is also set appropriately: for a DNS query it is set to zero, and for a response it is set to the calculated value.

The logged details in the various scenarios are as follows. In every scenario the DNS query carries an ECS option; each entry states whether the DNS response carries one as well:

  • Both query logging and extended logging enabled; ECS option set in the response: ECS option is logged with the string "ECS/R/" and the Scope Prefix-Length is set to the calculated value.
  • Both query logging and extended logging enabled; no ECS option in the response: ECS option is logged with the string "ECS/Q/" and the Scope Prefix-Length is set to zero.
  • Query logging enabled, extended logging not enabled; ECS option set in the response: ECS option is logged with the string "ECS/Q/" and the Scope Prefix-Length is set to zero.
  • Query logging enabled, extended logging not enabled; no ECS option in the response: ECS option is logged with the string "ECS/Q/" and the Scope Prefix-Length is set to zero.
  • Query logging not enabled, extended logging enabled; ECS option set in the response: ECS option is logged with the string "ECS/R/" and the Scope Prefix-Length is set to the calculated value.
  • Query logging not enabled, extended logging enabled; no ECS option in the response: ECS option is not logged.
  • Neither query logging nor extended logging enabled; ECS option set in the response: ECS option is not logged.

Understanding the Record Logging Format

Following is the general record logging format in a Syslog message:

<domainname>/<record type>/<record ttl>/<resource record data>#<resource record data>#......##

The sample format and the resource record data for each record type are as follows:

Record type: Address (A) record
  Sample format: A/5/1.1.1.1#1.1.1.2#1.1.1.3##
  Resource record data: IPv4 address

Record type: AAAA record
  Sample format: AAAA/5/1::1#1::2#1::3##
  Resource record data: IPv6 address

Record type: SOA record
  Sample format: SOA/3600/ns1.dnslogging.test./root.dnslogging.test./100/3600/3/3600/5##
  Resource record data: Origin server, contact, and other details. Resource record format: <originServer>/<contact>/<serial number>/<refresh rate>/<retry>/<expire>/<minimum>##

Record type: NS record
  Sample format: NS/5/ns1.dnslogging.test
  Resource record data: Host name of the name server

Record type: MX record
  Sample format: #MX/5/10/host1.dnslogging.test.#11/host2.dnslogging.test.##
  Resource record data: Preference followed by mail exchange server host name

Record type: CNAME record
  Sample format: CNAME/5/host1.dnslogging.test.##
  Resource record data: Canonical name

Record type: SRV record
  Sample format: SRV/5/1/2/3/host1.dnslogging.test.#4/5/6/host2.dnslogging.test.##
  Resource record format: <priority>/<weight>/<port>/<target>#

Record type: TXT record
  Sample format: TXT/5/dns+logging##
  Resource record data: All the text strings of the record

Record type: NAPTR record
  Sample format: NAPTR/5/10/11////dnslogging#20/21/R/SIP//sip.dnslogging.test##
  Resource record format: <order>/<preference>/<flags>/<services>/<regular expression>/<replacement string>#

Record type: DNSKEY record
  Sample format: DNSKEY/5/1/3/5/AwEAAanP0K+i5bfv5SU478L760EjDjnPqI2Ccx6JZgiDBZhSONP29GfO2bkP056xp7+9Wz8X2oo5sANaDwSzUVR0YtZdPw23gAaktH6pFvnwcIHa/PTFw5VcXyiUaDc+AnaOhNNYOPp7iQ6uTdT9cyuGWJ1OfZ0JRt+8EyX6iwRsLk7WSpz8KidvKs2ij9IXZ3OzaVEEMGY4SMfHIlLhqIho1fyADlbAoSsLEbr/7eqKv1/PLXSuVV9elwkH0pqWALUaSEBbmp49/jbCbc8cZKxzaON9p2jp2j4iodfC8cnEHAS2/4W1FEPpRTyYtcdBq6Uc2orBaaxjhsZELvRcWMr+pDc=#1/3/5/AwEAAbJhKdI21LP0pPxv0k1pFBNClZW97TB4FlCW4e4Fuyq7rY7+aiYdDVxV8N9ZXt4RT3MdNznMVMl/R1ldWLjbCf5bFu9khaM1ME8I25HPTS3J2wK5rjj4HMFRMycUKZCK0UOgyUzd6Fm5b3G04wMIAoqkDHeqlwe7yWGaw94NbZuL##
  Resource record format: <flags>/<protocol>/<algorithm>/<public key in base64 encoding>#

Record type: PTR record
  Sample format: PTR/3600/test.com.#test4.com.##
  Resource record data: Domain name
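The message layout and the per-record layout described above can be checked against real log lines with a parser. The following Python module is an added example, not Citrix code: it splits a message into its header fields, the question, the ANS/AUTH/ADD records and the OPT/ECS values. The dict keys are my own naming, and the embedded sample is the page's extended-logging response with a constructed ECS option appended in the documented OPT layout.

```python
import re

# Outer syslog body "DNS <event> <n> <n> :  <payload>", as in the page's examples
_HDR = re.compile(r"^DNS (DNS_\w+) \d+ \d+ :\s*(.*)$")
# Payload up to the question section; field order follows the documented format
_PAYLOAD = re.compile(
    r"^(?P<transport>[TU]):(?P<client_ip>[^#]+)#(?P<client_port>\d+)"
    r":(?P<endpoint_ip>[^#]+)#(?P<endpoint_port>\d+)/(?P<query_id>\d+)"
    r"/(?P<opcode>\w+)/\((?P<flags>[^)]*)\)/(?P<rcode>\w+)"
    r"/(?P<qdcount>\d+)/(?P<ancount>\d+)/(?P<nscount>\d+)/(?P<arcount>\d+)"
    r"#(?P<qname>[^/]+)/(?P<qtype>\d+)#(?P<rest>.*)$")
_INTS = ("client_port", "endpoint_port", "query_id", "qdcount", "ancount", "nscount", "arcount", "qtype")

def _record(section, text):
    # ANS records carry no owner name; AUTH and ADD records do (see record logging format)
    if section == "ANS":
        name, (rtype, ttl, rdata) = None, text.split("/", 2)
    else:
        name, rtype, ttl, rdata = text.split("/", 3)
    return {"name": name, "type": rtype, "ttl": int(ttl), "rdata": rdata.split("#")}

def _opt(text):
    # OPT/<edns ver>/<udp payload>/<DO or empty>[/<rdlen>/ECS/<Q|R>/<len>/<family>/<src>/<scope>/<addr>]
    p = text.split("/")
    opt = {"edns_version": int(p[1]), "udp_payload": int(p[2]), "dnssec_ok": p[3] == "DO"}
    if "ECS" in p:
        i = p.index("ECS")
        opt["ecs"] = {"from": p[i + 1], "family": int(p[i + 3]), "source_prefix": int(p[i + 4]),
                      "scope_prefix": int(p[i + 5]), "address": p[i + 6]}
    return opt

def parse_dns_log(line):
    """Return a dict with header fields, question, ANS/AUTH/ADD records, OPT and error text."""
    m = _HDR.match(line.strip())
    pm = _PAYLOAD.match(m.group(2)) if m else None
    if not pm:
        raise ValueError("not a NetScaler DNS log message: %r" % line)
    msg = pm.groupdict()
    msg.update({k: int(msg[k]) for k in _INTS})
    msg["flags"] = msg["flags"].split(",") if msg["flags"] else []
    msg.update(event=m.group(1), sections={"ANS": [], "AUTH": [], "ADD": []}, opt=None, error=None)
    rest, section = msg.pop("rest"), None
    if msg["event"] == "DNS_ERROR":          # errors end in free text, e.g. "Packet Dropped"
        msg["error"], rest = rest, ""
    for tok in filter(None, rest.split("##")):   # each record and the OPT record end in "##"
        if tok.startswith("OPT/"):
            msg["opt"] = _opt(tok)
            continue
        head, sep, body = tok.partition("#")
        if sep and head in msg["sections"]:  # "ANS#", "AUTH#", "ADD#" open a new section
            section, tok = head, body
        if section is None:
            raise ValueError("record outside any section: %r" % tok)
        msg["sections"][section].append(_record(section, tok))
    return msg

# Constructed sample: the page's extended-logging response plus an ECS option in the documented layout
SAMPLE = ("DNS DNS_RESPONSE 2252 0 :  T:100.100.100.118#21411:100.100.100.10#53/48537/Q/(RD,AA,CD,RA,R)"
          "/NO/1/1/2/6#a1.citrix.com1./1#ANS#A/120/1.1.1.1##AUTH#citrix.com1/NS/120/n2.citrix.com1#"
          "n1.citrix.com1##ADD#n1.citrix.com1/A/120/1.1.1.1#1.1.1.2##OPT/0/1280/DO/11/ECS/R/7/1/24/24/198.51.100.0##")
```

Feeding the page's four example messages to parse_dns_log yields the header counts, flags and rcode as separate fields, which is what a SIEM rule needs to alert on, for example, a burst of NX responses from one client IP.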

Limitations of DNS Logging

DNS Logging has the following limitations:
  • If response logging is enabled, only the following record types are logged:
    • Address (A) record
    • AAAA record
    • SOA record
    • NS record
    • MX record
    • CNAME record
    • SRV record
    • TXT record
    • NAPTR record
    • DNSKEY record
    • PTR record

    For all other record types, only L3/L4 parameters, DNS Header, and Question section are logged.

  • RRSIG records are not logged even if response logging is enabled.
  • DNS64 is not supported.
  • DNS proactive update requests or responses are logged according to the settings in the default profile.
  • On the virtual server, if the sessionless option and response logging are both enabled, the L3/L4 parameters, DNS header, and DNS Question section are logged instead of the response.
  • The maximum size of the syslog message is 1024 bytes.
  • If you have set a DNS profile on a DNS policy with the action type Rewrite Response, the NetScaler appliance does not log the query or the manipulated responses. To log the required information, use an audit message action in the DNS policy.
  • DNS transactions that are due to DNS monitoring traffic are not logged.

Configuring DNS Logging

Following is an overview of configuring DNS logging:
  1. Create a Syslog action and enable DNS in the action.
  2. Create a Syslog policy and specify the Syslog action in the policy.
  3. Globally bind the Syslog policy to enable logging of all NetScaler system events. Or, bind the Syslog policy to a specific load balancing virtual server.
  4. Create a DNS profile and enable any of the following types of logging that you want to use:
    • DNS Query Logging
    • DNS Answer Section Logging
    • DNS Extended Logging
    • DNS Error Logging
  5. Configure any of the following, based on your requirement:
    • DNS service and virtual server for DNS
    • ADNS service
    • NetScaler as a forwarder
    • NetScaler as a resolver
  6. Set the created DNS profile to one of the DNS entities.

To configure DNS logging for a NetScaler appliance configured as a DNS proxy by using the command line interface
  1. Add a syslog action and enable DNS in the action. At the command prompt, type:

    add audit syslogAction <name> (<serverIP> | -lbVserverName <string>) [-serverPort <port>] -logLevel <logLevel> ... [-dateFormat <dateFormat>] [-logFacility <logFacility>] [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )] [-timeZone ( GMT_TIME | LOCAL_TIME )] [-userDefinedAuditlog ( YES | NO )] [-appflowExport ( ENABLED |DISABLED )] [-lsn ( ENABLED | DISABLED )] [-alg ( ENABLED | DISABLED )] [-transport ( TCP | UDP )] [-tcpProfileName <string>] [-maxLogDataSizeToHold <positive_integer>] [-dns ( ENABLED | DISABLED)]

    Example:

    add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED

  2. Create a syslog policy and specify the created syslog action in the policy. At the command prompt, type:

    add audit syslogPolicy <name> <rule> <action>

    Example:

    add audit syslogPolicy syslogpol1 ns_true nssyslogact1

  3. Bind the syslog policy globally. At the command prompt, type:

    bind system global [<policyName> [-priority <positive_integer>]]

    Example:

    bind system global syslogpol1

  4. Create a DNS profile and enable any of the following types of logging that you want to configure:
    • DNS Query Logging
    • DNS Answer Section Logging
    • DNS Extended Logging
    • DNS Error Logging

    At the command prompt, type:

    add dns profile <dnsProfileName> [-dnsQueryLogging ( ENABLED | DISABLED )] [-dnsAnswerSecLogging ( ENABLED | DISABLED )] [-dnsExtendedLogging (ENABLED | DISABLED )] [-dnsErrorLogging ( ENABLED | DISABLED )] [-cacheRecords ( ENABLED | DISABLED )] [-cacheNegativeResponses ( ENABLED | DISABLED )]

    Example:

    add dns profile dnsprofile1 -dnsQueryLogging ENABLED

  5. Configure service of type DNS. At the command prompt, type:

    add service <name> <serverName> <serviceType> <port>

    Example:

    add service svc1 10.102.84.140 dns 53

  6. Configure a load balancing virtual server of service type DNS.

    add lb vserver <name> <serviceType> <ip> <port>

    Example:

    add lb vserver lb1 dns 100.100.100.10 53

  7. Bind the service to the virtual server. At the command prompt, type:

    bind lb vserver <name> <serviceName>

    Example:

    bind lb vserver lb1 svc1

  8. Set the created DNS profile to the virtual server. At the command prompt, type:

    set lb vserver <name> [-dnsProfileName <string>]

    Example:

    set lb vserver lb1 -dnsProfileName dnsprofile1

Sample DNS Logging Configuration for NetScaler Appliance Configured as DNS Proxy

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsQueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 -dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done

Sample DNS Logging Configuration for NetScaler Appliance Configured as ADNS

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsQueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 -dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done

Sample DNS Logging Configuration for NetScaler Appliance Configured as a Forwarder

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsQueryLogging ENABLED
Done
> add dns nameserver 8.8.8.8 -dnsProfileName dnsprofile1
Done

Sample DNS Logging Configuration for NetScaler Appliance Configured as a Resolver

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsQueryLogging ENABLED
Done
> set dns parameter -recursion ENABLED
Done
> add dns nameserver 1.1.1.100 -local -dnsProfileName dnsprofile1
Done

Configuring Policy Based Logging for DNS

Policy based logging enables you to specify a format for log messages. The contents of a log message are defined by using a default syntax expression. When the message action specified in the policy is performed, the NetScaler appliance constructs the log message from the expression and writes the message to the log file. You can configure the appliance to log only when a particular DNS policy evaluates to True.

Note: If you have set a DNS policy with a DNS profile for the request side, NetScaler appliance logs only the query.

To configure policy based logging for a DNS policy, you must first configure an audit message action. For more information about configuring an audit message action, see Configuring Policy-Based Logging. After configuring the audit message action, specify the message action in a DNS policy.

To configure policy based logging for a DNS policy by using the command line interface

At the command prompt, type the following commands to configure policy based logging for a DNS policy and verify the configuration:
  • add dns action <actionName> <actionType> [-IPAddress <ip_addr|ipv6_addr> ... | -viewName <string> | -preferredLocList <string> ...] [-TTL <secs>] [-dnsProfileName <string>]
  • set dns policy <name> [<rule>] [-actionName <string>] [-logAction <string>]
  • show dns policy [<name>]

Example 1:

In a GSLB deployment, if you want to respond to client requests coming from a particular subnet (such as the subnet of your internal users) with IP addresses that differ from the ones used for general purposes, you can configure a DNS policy with the action type DNS view. In that case, you can configure DNS logging on the specified DNS action so that only those specific responses are logged.

For example:
> add dns profile dns_prof1 -dnsQueryLogging ENABLED -dnsAnswerSecLogging ENABLED
Done
> add dns view dns_view1
Done
> add dns action dns_act1 viewName -viewName dns_view1 -dnsProfileName dns_prof1
Done
> add dns policy dns_pol1 "CLIENT.IP.SRC.APPLY_MASK(255.255.255.0).EQ(100.100.100.0)" dns_act1
Done
> bind dns global dns_pol1 100 -gotoPriorityExpression END -type REQ_DEFAULT
Done
> bind gslb service site_1_svc -viewName dns_view1 123.1.1.1
Done
> bind gslb service site_5_svc -viewName dns_view1 132.1.1.1
Done
Note: In the above configuration, if you query for the domain configured on a GSLB virtual server, for example, sampletest.com, all the internal users of subnet 100.100.100.0/24 are served with the DNS view IP addresses, and the responses are logged. Client requests for other subnets are not logged.

Example 2:

If you want to log only the queries for the domain example.com, you can create a DNS profile with query logging enabled and set the DNS profile to a DNS action with the action type NOOP, and then create a DNS policy and set the DNS action. For example:
> add dns profile query_logging -dnsQueryLogging ENABLED
Done
> add dns action dns_act1 NOOP -dnsProfileName query_logging
Done
> add dns policy dns_pol1 DNS.REQ.QUESTION.DOMAIN.EQ("example.com") dns_act1
Done