DATAGRAM::dns

Description

This iRules command returns DNS header information.

Note: L4 protocol of the packet must be either TCP or UDP for this command to work. Also, the L4 port must be equal to the dns port (typically port 53).

Syntax

DATAGRAM::dns <id | qr | opcode | qdcount | ancount | nscount | arcount>

DATAGRAM::dns id

  • Returns DNS header 16-bit ‘identification’ field as an integer value.

DATAGRAM::dns qr

  • Returns DNS header ‘query/response’ as a boolean value. 0 indicates a ‘query’ and 1 indicates a ‘response’.

DATAGRAM::dns opcode

  • Returns DNS header ‘opcode’ as a string. Values include ‘Query’, ‘IQuery’, ‘Status’, ‘Notify’, ‘Update’ and ‘Unassigned’.

DATAGRAM::dns qdcount

  • Returns DNS header field ‘question count’ as an integer value.

DATAGRAM::dns ancount

  • Returns DNS header field ‘answer count’ as an integer value.

DATAGRAM::dns nscount

  • Returns DNS header field ‘authority record count’ as an integer value.

DATAGRAM::dns qdcount

  • Returns DNS header field ‘additional record count’ as an integer value.

Examples

when FLOW_INIT {
  if { [IP::protocol] == 6 } {
    log local0. "TCP Payload Length = [DATAGRAM::tcp payload_length] Payload: [DATAGRAM::tcp payload 100]"
    log local0. "DNS Header fields ID: [DATAGRAM::dns id] QR: [DATAGRAM::dns qr] OPCODE: [DATAGRAM::dns opcode] QDCOUNT: [DATAGRAM::dns qdcount]"
  }
  if { [IP::protocol] == 17 } {
    log local0. "UDP Payload Length = [DATAGRAM::udp payload_length] Payload: [DATAGRAM::udp payload 100]"
    log local0. "DNS Header fields ID: [DATAGRAM::dns id] QR: [DATAGRAM::dns qr] OPCODE: [DATAGRAM::dns opcode] QDCOUNT: [DATAGRAM::dns qdcount]"
  }
}