Query DNS logs
Calico Cloud pushes DNS activity logs to Elasticsearch, for DNS information that is obtained from trusted DNS servers. The following table details the key/value pairs in the JSON blob, including their Elasticsearch datatype. This information should assist you in constructing queries.
| Name | Datatype | Description |
|---|---|---|
start_time | date | When the collection of the log began in UNIX timestamp format. |
end_time | date | When the collection of the log concluded in UNIX timestamp format. |
type | keyword | This field contains one of the following values: ● LOG: Indicates that this is a normal DNS activity log.● UNLOGGED: Indicates that this log is reporting DNS activity that could not be logged in detail because of DNSLogsFilePerNodeLimit. |
count | long | When type is:● LOG: How many DNS lookups there were, during the log collection interval, with details matching this log.● UNLOGGED: The number of DNS responses that could not be logged in detail because of DNSLogsFilePerNodeLimit. In this case none of the following fields are provided. |
client_ip | ip | The IP address of the client pod. A null value indicates aggregation. |
client_name | keyword | This field contains one of the following values: |
client_name_aggr | keyword | The aggregated name of the client pod. |
client_namespace | keyword | Namespace of the client pod. |
client_labels | array of keywords | Labels applied to the client pod. With aggregation, the label name/value pairs that are common to all aggregated clients. |
qname | keyword | The domain name that was looked up. |
qtype | keyword | The type of the DNS query (e.g. A, AAAA). |
qclass | keyword | The class of the DNS query (e.g. IN). |
rcode | keyword | The result code of the DNS query response (e.g. NoError, NXDomain). |
rrsets | nested | Detailed DNS query response data - see below. |
servers | nested | Details of the DNS servers that provided this response. |
latency_count | long | The number of lookups for which latency was measured. (The same as count above, unless some DNS requests were missed, or latency reporting is disabled - see dnsLogsLatency in the FelixConfiguration resource.) |
latency_mean | long | Mean latency, in nanoseconds. |
latency_max | long | Max latency, in nanoseconds. |
Each nested rrsets object contains response data for a particular name and a particular type and
class of response information. Its key/value pairs are as follows.
| Name | Datatype | Description |
|---|---|---|
name | keyword | The domain name that this information is for. |
type | keyword | The type of the information (e.g. A, AAAA). |
class | keyword | The class of the information (e.g. IN). |
rdata | array of keywords | Array of data, for the name, of that type and class. For example, when type is A, this is an array of IPs for name. |
Each nested servers object provides details of a DNS server that provided the information in the
containing log. Its key/value pairs are as follows.
| Name | Datatype | Description |
|---|---|---|
ip | ip | The IP address of the DNS server. |
name | keyword | This field contains one of the following values: |
name_aggr | keyword | This field contains one of the following values: |
namespace | keyword | Namespace of the DNS server pod, or - if the DNS server is not a pod. |
labels | array of keywords | Labels applied to the DNS server pod or host endpoint; empty if there are no labels or the DNS server is not a pod or host endpoint. |
The latency_* fields provide information about the latency of the DNS lookups that contributed to
this log. For each successful DNS lookup Calico Cloud measures the time between when the DNS
request was sent and when the corresponding DNS response was received.
Query DNS log fields
After a set of DNS logs has accumulated in Elasticsearch, you can perform many interesting queries. For example, if you query on:
-
qname, you can find all of the DNS response information that was provided to clients trying to resolve a particular domain name -
rrsets.rdata, you can find all of the DNS lookups that included a particular IP address in their response data.