ADC

Configure DNS logging

You can configure the NetScaler appliance to log the DNS requests and responses that it handles. The appliance logs the DNS requests and responses in SYSLOG format. You can choose to log either DNS requests or DNS responses, or both, and send the syslog messages to a remote log server. The log messages can be used to:

  • Audit the DNS responses to the client
  • Audit DNS clients
  • Detect and prevent DNS attacks
  • Troubleshoot

A NetScaler appliance can log the following sections in the DNS request or response, based on your configuration:

  • Header Section
  • Questions Section
  • Answer Section
  • Authority Section
  • Additional Section

DNS profiles

You can use a DNS profile to configure the various DNS parameters that you want the DNS endpoint to apply to the DNS traffic. In the profile, you can enable logging, caching, and negative caching.

Important: From the NetScaler 11.0 release, enabling DNS caching using global DNS parameters have been deprecated. You can enable or disable DNS caching using DNS profiles. You can now enable DNS caching for an individual virtual server by enabling DNS caching in a DNS profile and setting the DNS profile to the individual virtual server.

DNS profiles support the following types of DNS logging:

  • DNS Query Logging
  • DNS Answer Section Logging
  • DNS Extended Logging
  • DNS Error Logging

DNS query logging

You can configure a NetScaler appliance to log only the DNS queries that are received by the DNS endpoints on the appliance.

Note: If errors occur during processing of a query, they are logged if this option is set in the DNS profile.

Following is an example of a query log message:

DNS DNS_QUERY 143 0 :  U:10.102.27.70#61297:10.102.27.73#53/22142/Q/
(RD)/NO/1/0/0/0#test.com./1#
<!--NeedCopy-->

DNS answer section logging

You can configure a NetScaler appliance to log all the Answer sections in the DNS responses that the appliance sends to the client. DNS Answer Section logging is useful when the NetScaler is configured as a DNS resolver, or in GLSB use cases.

Following is an example of a DNS answer section log:

DNS DNS_RESPONSE 6678 0 :  U:100.100.100.210#32776:100.100.100.10#
53/61373/Q/(RD,AA,RA,R)/NO/1/1/2/4#n1.citrix.com1./
28#ANS#AAAA/120/1111:2345:6789:ffab:abcd:effa:1234:3212##
<!--NeedCopy-->

DNS extended logging

To configure a NetScaler appliance to log Authority and Additional sections in the DNS responses, enable Extended logging with Answer Section logging.

Note: If errors occur during processing of either queries or responses, the errors are logged if this option is set in the DNS profile.

Following is an example of a message logged when the cache lookup is completed and the response is embedded in the packet:

DNS DNS_RESPONSE 2252 0 :  T:100.100.100.118#21411:100.100.100.10
#53/48537/Q/(RD,AA,CD,RA,R)/NO/1/1/2/6#a1.citrix.com1./1#ANS#A/
120/1.1.1.1##AUTH#citrix.com1/NS/120/n2.citrix.com1#n1.citrix.com1##ADD#n1.citrix.com1
/A/120/1.1.1.1#1.1.1.2##n1.citrix.com1/AAAA/120/
1111:2345:6789:ffab:abcd:effa:1234:3212##n2.citrix.com1/A/120/2.1.1.2
##n2.citrix.com1/AAAA/120/2222:faff:3212:8976:123:1241:64:ff9b##OPT/0/1280/DO##
<!--NeedCopy-->

DNS error logging

You can configure a NetScaler appliance to log the errors or failures that occur when it processes a DNS query or response. For these errors, the appliance logs the DNS header, Question sections and OPT records.

Following is an example of a message logged when an error occurs during processing of a DNS request or response:

DNS DNS_ERROR 149 0 :  U:10.102.27.70#27832:10.102.27.73#53/61153/Q/
(RD)/NO/1/0/0/0#test.com./1140#Packet Dropped
<!--NeedCopy-->

Policy based logging

You can configure custom logging based on DNS expressions by configuring the logAction on DNS policies, Rewrite, or Responder policies. You can specify that logging occurs only when a particular DNS policy evaluates to true. For more information, see Configure policy based logging for DNS.

Understand the NetScaler syslog log message format

NetScaler appliance log DNS requests and responses in the following Syslog format:

<transport> :<client IP>#<client ephemeral port>:<DNS endpoint IP>#<port>
 : <query id> /opcode/header flags/rcode/question section count/answer section count
/ auth section count / additional section count #<queried domain name>
/<queried type>#...
<!--NeedCopy-->
  • <transport>:
    • T = TCP
    • U = UDP
  • <client IP>#< client ephemeral port >: DNS client IP address and port number

  • <DNS endpoint IP>#<port>: NetScaler DNS endpoint IP address and port number

  • <query id>: Query ID

  • <opcode>: Operation code. Supported Values:

    • Q: query
    • I: inverse query
    • S: status
    • X0: unassigned
    • N: notify
    • U: update
    • X1-10: unassigned values
  • <header flags>: Flags. Supported Values:

    • RD: recursion desired
    • TC: truncated
    • AA: authoritative response
    • CD: check disabled
    • AD: authenticated data
    • Z: unassigned
    • RA: recursion available
    • R: response
  • <rcode>: Response Code. Supported Values:

    • NO: no error
    • F format error
    • S: server failure
    • NX: non-existent domain
    • NI: not implemented
    • R: query refused
    • YX: Name Exists when it must not
    • YXR: RR Set Exists when it must not
    • NXR: RR Set that must exist does not
    • NAS: Server Not Authoritative for zone
    • NA: Not Authorized
    • NZ: Name not contained in zone
    • X1-5: unassigned
  • /question section count/answer section count/auth section count/additional section count: Question section, Authority section count, and Additional section count in the DNS request

  • <queried domain name>/<queried type>: Queried domain and queried type in the DNS request

  • #ANS#<record type>/<ttl>/.. #AUTH#<domain name>/<record type>/<ttl>.. #ADD#<domain name>/<record type>/<ttl>…:

    In DNS responses:

    Answer Section is logged if answer section logging is enabled in the DNS profile. Authority and Additional sections are logged if extended logging is enabled in the DNS profile. The log format would differ depending on the type of record. For more information see Understanding the Record Logging Format.

    • ANS: answer section
    • AUTH: authority
    • ADD: Additional section
  • OPT/<edns version>/UDP max payload size/DO: OPT record format in the DNS log

  • OPT/<EDNS version>/<UDP payload size>/<“DO”or empty based on whether DNSSEC OK bit is set or not>/<value of RDLEN>/ECS/<Q/R>/<option length>/<Family>/<Source Prefix-Length>/<Scope Prefix-Length>/<ECS Address>:

    If the DNS query or response includes the EDNS Client Subnet (ECS) option, then that is also logged in the OPT record format in the DNS log file.

    When a DNS query with an ECS option that includes either an IPv4 or IPv6 address is sent, the ECS option is logged with either of the following options;

    • “ECS/Q” indicating that the values in the log are from the query
    • “ECS/R” indicating that the values in the log are from the response.

    The value of Scope Prefix-Length is also set appropriately. In the DNS Query, it is set to zero, and for response, it is set to the calculated value.

    The following table describes the logged details in various scenarios:

Scenario ECS option set in the DNS Query ECS option set in the DNS Response Logged Details
Both query logging and extended logging enabled Yes Yes ECS option is logged with the string “ECS/R/” and the Scope Prefix-Length is set to the calculated value.
Both query logging and extended logging enabled Yes No ECS option is logged with the string “ECS/Q” and the Scope Prefix-Length is set to zero.
Query logging is enabled, but extended logging is not enabled Yes Yes ECS option is logged with the string “ECS/Q/” and the Scope Prefix-Length is set to zero.
Query logging & extended logging are not enabled Yes Yes ECS option is not logged.
Query logging is enabled, but extended logging is not enabled Yes No ECS option is logged with the string “ECS/Q/” and the Scope Prefix-Length is set to zero.
Query logging is not enabled, but extended logging is enabled Yes Yes ECS option is logged with the string “ECS/R/” and the Scope Prefix-Length is set to the calculated value.
Query logging is not enabled, but extended logging is enabled Yes No ECS option is not logged.

Understand the record logging format

Following is an example of the record logging format in a Syslog message:

<domainname>/<record type>/ <record ttl> / <resource record data>#<resource record data>#......##
<!--NeedCopy-->

Where:

Record Type Sample Format Resource Record Data / Format
Address (A) record A/5/1.1.1.1#1.1.1.2#1.1.1.3## IPv4 address
AAAA record AAAA/5/1::1#1::2#1::3## IPv6 address
SOA record SOA/3600/ns1.dnslogging.test./root.dnslogging.test./100/3600/3/3600/5## Origin server, contact, and other details. Resource record format is: //////##
NS record NS/5/ns1.dnslogging.test Host name of the nameserver.
MX record #MX/5/10/host1.dnslogging.test.#11/host2.dnslogging.test.## Preference followed by mail exchange server host name
CNAME record logging CNAME/5/host1.dnslogging.test.## Canonical name
SRV record SRV/5/1/2/3/host1.dnslogging.test.#4/5/6/host2.dnslogging.test.## Resource record format: ///#
TXT record TXT/5/dns+logging## Data comprises all the texts.
NAPTR record NAPTR/5/10/11////dnslogging#20/21/R/SIP//sip.dnslogging.test## Resource record format: /////#
DNSKEY record DNSKEY/5/1/3/5/AwEAAanP0K+i5bfv5SU478L760EjDjnPqI2Ccx6JZgiDBZhSONP29GfO2bkP056xp7+9Wz8X2oo5sANaDwSzUVR0YtZdPw23gAaktH6pFvnwcIHa/PTFw5VcXyiUaDc+AnaOhNNYOPp7iQ6uTdT9cyuGWJ1OfZ0JRt+8EyX6iwRsLk7WSpz8KidvKs2ij9IXZ3OzaVEEMGY4SMfHIlLhqIho1fyADlbAoSsLEbr/7eqKv1/PLXSuVV9elwkH0pqWALUaSEBbmp49/jbCbc8cZKxzaON9p2jp2j4iodfC8cnEHAS2/4W1FEPpRTyYtcdBq6Uc2orBaaxjhsZELvRcWMr+pDc=#1/3/5/AwEAAbJhKdI21LP0pPxv0k1pFBNClZW97TB4FlCW4e4Fuyq7rY7+aiYdDVxV8N9ZXt4RT3MdNznMVMl/R1ldWLjbCf5bFu9khaM1ME8I25HPTS3J2wK5rjj4HMFRMycUKZCK0UOgyUzd6Fm5b3G04wMIAoqkDHeqlwe7yWGaw94NbZuL## Resource record format: ///#
PTR record PTR/3600/test.com.#test4.com.## Domain name

Limitations of DNS logging

DNS logging has the following limitations:

  • If response logging is enabled, only the following record types are logged:

    • Address (A) record
    • AAAA record
    • SOA record
    • NS record
    • MX record
    • CNAME record
    • SRV record
    • TXT record
    • NAPTR record
    • DNSKEY record
    • PTR record

    For all other record types, only L3/L4 parameters, DNS Header, and Question section are logged.

  • RRSIG records are not logged even if response logging is enabled.

  • DNS64 is not supported.

  • DNS proactive update requests or responses are logged according to the settings in the default profile.

  • On the virtual server, if sessionless option and response logging is enabled, L3/L4 parameters, DNS Header, and DNS Question section are logged instead of the response.

  • The maximum size of the syslog message is 1024 bytes.

  • If you have set a DNS profile for a DNS policy with action type Rewrite Response, the NetScaler appliance does not log the query or the manipulated responses. To log the required information you must use an audit message action in the DNS policy.

  • DNS transactions that are due to DNS monitoring traffic are not logged.

Configuring DNS logging

Following is an overview of configuring DNS logging:

  1. Create a Syslog action and enable DNS in the action.
  2. Create a Syslog policy and specify the Syslog action in the policy.
  3. Globally bind the Syslog policy to enable logging of all NetScaler system events. Or, bind the Syslog policy to a specific load balancing virtual server.
  4. Create a DNS profile and define any of the following types of logging that you want to enable:
    • DNS Query Logging
    • DNS Answer Section Logging
    • DNS Extended Logging
    • DNS Error Logging
  5. Configure any of the following, based on your requirement:
    • DNS service and virtual server for DNS
    • ADNS service
    • NetScaler as a forwarder
    • NetScaler as a resolver
  6. Set the created DNS profile to one of the DNS entities.

Configure DNS logging for NetScaler configured as DNS Proxy by using the CLI

  1. Add a syslog action and enable DNS in the action. At the command prompt, type:

    add audit syslogAction <name> (<serverIP> | -lbVserverName <string>) [-serverPort <port>] -logLevel <logLevel> ... [-dateFormat <dateFormat>] [-logFacility <logFacility>] [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )] [-timeZone ( GMT_TIME | LOCAL_TIME )] [-userDefinedAuditlog ( YES | NO )] [-appflowExport ( ENABLED |DISABLED )] [-lsn ( ENABLED | DISABLED )] [-alg ( ENABLED | DISABLED )] [-transport ( TCP | UDP )] [-tcpProfileName <string>] [-maxLogDataSizeToHold <positive_integer>] [-dns ( ENABLED | DISABLED)]
    <!--NeedCopy-->
    

    Example:

    add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME -dns ENABLED

  2. Create a syslog policy and specify the created syslog action in the policy. At the command prompt, type:

    add audit syslogPolicy <name> <rule> <action>

    Example:

    add audit syslogPolicy syslogpol1 ns_true nssyslogact1

  3. Bind the syslog policy globally. At the command prompt, type:

    bind system global [<policyName> [-priority <positive_integer>]]

    Example:

    bind system global syslogpol1

  4. Create a DNS profile and enable any of the following type of logs that you want to configure:

    • DNS Query Logging
    • DNS Answer Section Logging
    • DNS Extended Logging
    • DNS Error Logging

    At the command prompt, type:

    add dns profile <dnsProfileName> [-dnsQueryLogging ( ENABLED | DISABLED )] [-dnsAnswerSecLogging ( ENABLED | DISABLED )] [-dnsExtendedLogging (ENABLED | DISABLED )] [-dnsErrorLogging ( ENABLED | DISABLED )] [-cacheRecords ( ENABLED | DISABLED )] [-cacheNegativeResponses ( ENABLED | DISABLED )]

    Example:

    add dns profile dnsprofile1 -dnsQueryLogging ENABLED

  5. Configure service of type DNS. At the command prompt, type:

    add service <name> <serverName> <serviceType> <port>

    Example:

    add service svc1 10.102.84.140 dns 53

  6. Configure a load balancing virtual server of service type DNS.

    add lb vserver <name> <serviceType> <ip> <port>

    Example:

    add lb vserver lb1 dns 100.100.100.10 53

  7. Bind the service to the virtual server. At the command prompt, type:

    bind lb vserver <name> <serviceName>

    Example:

    bind lb vserver lb1 svc1

  8. Set the created DNS profile to the virtual server. At the command prompt, type:

    set lb vserver <name> [ - dnsProfileName <string>]

    Example:

    set lb vserver lb1 –dnsProfileName dnsprofile1

Sample DNS logging configuration for NetScaler appliance configured as DNS proxy

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel
CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone
LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 –dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done
<!--NeedCopy-->

Sample DNS logging configuration for NetScaler appliance configured as ADNS

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL
ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME
-dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add lb vserver lb1 dns 100.100.100.10 53 –dnsProfileName dnsprofile1
Done
> add service svc1 10.102.84.140 dns 53
Done
> bind lb vserver lb1 svc1
Done
<!--NeedCopy-->

Sample DNS logging configuration for NetScaler appliance configured as a forwarder

> add audit syslogAction nssyslogact1 10.102.151.136 -logLevel CRITICAL
ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4 -timeZone LOCAL_TIME
-dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> add dns nameserver 8.8.8.8 –dnsProfileName dnsprofile1
Done
<!--NeedCopy-->

Sample DNS logging configuration for a NetScaler appliance configured as a resolver

> add audit syslogAction nssyslogact1 10.102.151.136
-logLevel CRITICAL ERROR WARNING NOTICE INFORMATIONAL DEBUG -logFacility LOCAL4
-timeZone LOCAL_TIME -dns ENABLED
Done
> add audit syslogPolicy syslogpol1 ns_true nssyslogact1
Done
> bind system global syslogpol1
Done
> add dns profile dnsprofile1 -dnsqueryLogging ENABLED
Done
> set dns parameter -recursion enABLED
Done
> add nameserver 1.1.1.100 -local dnsProfileName dnsprofile1
Done
<!--NeedCopy-->

Configure policy based logging for DNS

Policy based logging enables you to specify a format for log messages. The contents of a log message are defined by using an Advanced policy expression. When the message action specified in the policy is performed, the NetScaler appliance constructs the log message from the expression and writes the message to the log file. You can configure the appliance to log only when a particular DNS policy evaluates to True.

Note

If you have set a DNS policy with a DNS profile for the request side, the NetScaler appliance logs only the query.

To configure policy based logging for a DNS policy, you must first configure an audit message action. For more information about configuring an audit message action, see Configure the NetScaler appliance for audit logging. After configuring the audit message action, specify the message action in a DNS policy.

Configure policy based logging for a DNS policy by using the CLI

At the command prompt, type the following commands to configure policy based logging for a DNS policy and verify the configuration:

-  add dns action <actionName> <actionType> [-IPAddress <ip_addr|ipv6_addr> ... | -viewName <string> | -preferredLocList <string> ...] [-TTL <secs>] [-dnsProfileName <string>]
-  set dns policy <name> [<rule>] [-actionName <string>] [-logAction <string>]
-  show dns policy [<name>]
<!--NeedCopy-->

Example 1:

In a GSLB deployment, if you want to respond with different IP addresses to the client requests coming from a particular subnet, instead of responding with IP addresses used for general purposes (such as the IP addresses of internal users), you can configure a DNS policy with the action type as DNS view. In this case, you can configure DNS logging on the specified DNS action such that you can log the specific responses.

> add dns profile dns_prof1 -dnsqueryLogging enABLED -dnsanswerSecLogging enABLED
 Done
> add dns view dns_view1
 Done
> add dns action dns_act1 viewName -view dns_view1 –dnsprofilename dns_prof1
 Done
> add dns policy dns_pol1 "CLIENT.IP.SRC.APPLY_MASK(255.255.255.0).EQ(100.100.100.0)”
dns_act1
 Done
> bind dns global dns_pol1 100 -gotoPriorityExpression END -type REQ_DEFAULT
 Done
> bind gslb service site_1_svc -viewName dns_view1 123.1.1.1
 Done
> bind gslb service site_5_svc -view dns_view1 132.1.1.1
 Done
<!--NeedCopy-->

Note: In the preceding configuration, if you query for the domain configured on a GSLB virtual server, for example, sampletest.com, all the internal users of subnet 100.100.100.0/24 are served with the DNS view IP addresses, and the responses are logged. Client requests for other subnets are not logged.

Example 2:

If you want to log only the queries for the domain example.com, you can create a DNS profile with query logging enabled and set the DNS profile to a DNS action with the action type NOOP, and then create a DNS policy and set the DNS action. For example:

>add dns profile query_logging -dnsqueryLogging ENABLED
Done
>add dns action dns_act1 NOOP -dnsprofileName query_logging
Done
>add dns policy dns_pol1 DNS.REQ.QUESTION.DOMAIN.EQ("example.com")  dns_act1
Done
<!--NeedCopy-->

Configure log action for the DNS policy to log client IP address

Logging action can be used to log the source IPs for the DNS queries using the following expression and use it as part of the log action in the DNS policy.

> add audit messageaction log_act_custom INFORMATIONAL "\"ClientIP:\"CLIENT.IP.SRC\" ECS IP:\"+((DNS.REQ.OPT.ECS.IP).typecast_text_t ALT \"NONE\")"
Done
<!--NeedCopy-->

The earlier expression captures both the source IP as in the IP header and the ECS IP from the DNS ECS option, and either of it can be excluded as required.

Sample DNS logging configuration for a NetScaler appliance to log client IP address

If you want to sample the logging of the DNS queries, it can be done using the following expression. This will log one out of 10 queries.

> add audit messageaction log_action_srcip_1of10 INFORMATIONAL "\"OneOf10: Source IP : \"+client.ip.src"
Done
> add responder policy logsrcip_1of10 "sys.random.mul(10).lt(1)" NOOP -logAction log_action_srcip_1of10
Done
<!--NeedCopy-->