Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 15:18:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/doc/scripts/base/protocols/dns/consts.zeek.rst
Tim Wojtulewicz ded98cd373 Copy docs into Zeek repo directly 
This is based on commit 2731def9159247e6da8a3191783c89683363689c from the
zeek-docs repo.
2025-09-26 02:58:29 +00:00

325 lines
9.8 KiB
ReStructuredText
Raw Permalink Blame History

:tocdepth: 3
base/protocols/dns/consts.zeek
==============================
.. zeek:namespace:: DNS
Types, errors, and fields for analyzing DNS data. A helper file
for DNS analysis scripts.
:Namespace: DNS
Summary
~~~~~~~
Constants
#########
=============================================================================================== ======================================================================
:zeek:id:`DNS::ANY`: :zeek:type:`count` A QTYPE value describing a request for all records.
:zeek:id:`DNS::EDNS`: :zeek:type:`count` An OPT RR TYPE value described by EDNS.
:zeek:id:`DNS::PTR`: :zeek:type:`count` RR TYPE value for a domain name pointer.
:zeek:id:`DNS::algorithms`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the algorithms used in DNSKEY, DS and RRSIG records
:zeek:id:`DNS::base_errors`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Errors used for non-TSIG/EDNS types.
:zeek:id:`DNS::classes`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible values of the CLASS field in resource records or QCLASS
field in query messages.
:zeek:id:`DNS::digests`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Possible digest types used in DNSSEC.
:zeek:id:`DNS::edns_zfield`: :zeek:type:`table` :zeek:attr:`&default` = ``"?"`` This deciphers EDNS Z field values.
:zeek:id:`DNS::query_types`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` Mapping of DNS query type codes to human readable string
representation.
:zeek:id:`DNS::svcparam_keys`: :zeek:type:`table` :zeek:attr:`&default` = :zeek:type:`function` SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
=============================================================================================== ======================================================================
Detailed Interface
~~~~~~~~~~~~~~~~~~
Constants
#########
.. zeek:id:: DNS::ANY
:source-code: base/protocols/dns/consts.zeek 9 9
:Type: :zeek:type:`count`
:Default: ``255``
A QTYPE value describing a request for all records.
.. zeek:id:: DNS::EDNS
:source-code: base/protocols/dns/consts.zeek 8 8
:Type: :zeek:type:`count`
:Default: ``41``
An OPT RR TYPE value described by EDNS.
.. zeek:id:: DNS::PTR
:source-code: base/protocols/dns/consts.zeek 7 7
:Type: :zeek:type:`count`
:Default: ``12``
RR TYPE value for a domain name pointer.
.. zeek:id:: DNS::algorithms
:source-code: base/protocols/dns/consts.zeek 154 154
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "PrivateOID",
[2] = "Diffie_Hellman",
[15] = "Ed25519",
[6] = "DSA_NSEC3_SHA1",
[14] = "ECDSA_curveP384withSHA384",
[16] = "Ed448",
[255] = "reserved255",
[8] = "RSA_SHA256",
[252] = "Indirect",
[253] = "PrivateDNS",
[1] = "RSA_MD5",
[5] = "RSA_SHA1",
[7] = "RSA_SHA1_NSEC3_SHA1",
[10] = "RSA_SHA512",
[4] = "Elliptic_Curve",
[12] = "GOST_R_34_10_2001",
[13] = "ECDSA_curveP256withSHA256",
[3] = "DSA_SHA1",
[0] = "reserved0"
}
Possible values of the algorithms used in DNSKEY, DS and RRSIG records
.. zeek:id:: DNS::base_errors
:source-code: base/protocols/dns/consts.zeek 107 107
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "BADMODE",
[3842] = "BADSIG",
[20] = "BADNAME",
[2] = "SERVFAIL",
[14] = "unassigned-14",
[15] = "unassigned-15",
[6] = "YXDOMAIN",
[16] = "BADVERS",
[8] = "NXRRSet",
[23] = "BADCOOKIE",
[9] = "NOTAUTH",
[1] = "FORMERR",
[11] = "unassigned-11",
[7] = "YXRRSET",
[5] = "REFUSED",
[10] = "NOTZONE",
[21] = "BADALG",
[4] = "NOTIMP",
[22] = "BADTRUNC",
[13] = "unassigned-13",
[12] = "unassigned-12",
[18] = "BADTIME",
[17] = "BADKEY",
[3] = "NXDOMAIN",
[0] = "NOERROR"
}
Errors used for non-TSIG/EDNS types.
.. zeek:id:: DNS::classes
:source-code: base/protocols/dns/consts.zeek 144 144
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[254] = "C_NONE",
[2] = "C_CSNET",
[3] = "C_CHAOS",
[255] = "C_ANY",
[4] = "C_HESIOD",
[1] = "C_INTERNET"
}
Possible values of the CLASS field in resource records or QCLASS
field in query messages.
.. zeek:id:: DNS::digests
:source-code: base/protocols/dns/consts.zeek 177 177
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[0] = "reserved0",
[2] = "SHA256",
[4] = "SHA384",
[1] = "SHA1",
[3] = "GOST_R_34_11_94"
}
Possible digest types used in DNSSEC.
.. zeek:id:: DNS::edns_zfield
:source-code: base/protocols/dns/consts.zeek 137 137
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = ``"?"``
:Default:
::
{
[0] = "NOVALUE",
[32768] = "DNS_SEC_OK"
}
This deciphers EDNS Z field values.
.. zeek:id:: DNS::query_types
:source-code: base/protocols/dns/consts.zeek 13 13
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[19] = "X25",
[20] = "ISDN",
[33] = "SRV",
[39] = "DNAME",
[30] = "NXT",
[46] = "RRSIG",
[15] = "MX",
[65422] = "XPF",
[28] = "AAAA",
[64] = "SVCB",
[106] = "L64",
[9] = "MR",
[253] = "MAILB",
[107] = "LP",
[53] = "SMIMEA",
[55] = "HIP",
[52] = "TLSA",
[251] = "IXFR",
[21] = "RT",
[4] = "MF",
[12] = "PTR",
[41] = "OPT",
[58] = "TALINK",
[17] = "RP",
[105] = "L32",
[254] = "MAILA",
[32768] = "TA",
[25] = "KEY",
[32769] = "DLV",
[65281] = "WINS",
[29] = "LOC",
[16] = "TXT",
[255] = "*",
[59] = "CDS",
[38] = "A6",
[252] = "AXFR",
[63] = "ZONEMD",
[42] = "APL",
[57] = "RKEY",
[1] = "A",
[11] = "WKS",
[35] = "NAPTR",
[108] = "EUI48",
[22] = "NSAP",
[256] = "URI",
[43] = "DS",
[102] = "GID",
[257] = "CAA",
[65521] = "INTEGRITY",
[3] = "MD",
[44] = "SSHFP",
[34] = "ATMA",
[45] = "IPSECKEY",
[40] = "SINK",
[36] = "KX",
[250] = "TSIG",
[14] = "MINFO",
[6] = "SOA",
[31] = "EID",
[23] = "NSAP-PTR",
[8] = "MG",
[27] = "GPOS",
[56] = "NINFO",
[7] = "MB",
[10] = "NULL",
[32] = "NIMLOC",
[13] = "HINFO",
[26] = "PX",
[65] = "HTTPS",
[62] = "CSYNC",
[101] = "UID",
[47] = "NSEC",
[50] = "NSEC3",
[2] = "NS",
[65282] = "WINS-R",
[48] = "DNSKEY",
[24] = "SIG",
[99] = "SPF",
[49] = "DHCID",
[109] = "EUI64",
[249] = "TKEY",
[103] = "UNSPEC",
[5] = "CNAME",
[104] = "NID",
[61] = "OPENPGPKEY",
[60] = "CDNSKEY",
[100] = "UINFO",
[51] = "NSEC3PARAM",
[37] = "CERT",
[18] = "AFSDB"
}
Mapping of DNS query type codes to human readable string
representation.
.. zeek:id:: DNS::svcparam_keys
:source-code: base/protocols/dns/consts.zeek 188 188
:Type: :zeek:type:`table` [:zeek:type:`count`] of :zeek:type:`string`
:Attributes: :zeek:attr:`&default` = :zeek:type:`function`
:Default:
::
{
[2] = "no-default-alpn",
[3] = "port",
[5] = "ech",
[0] = "mandatory",
[6] = "ipv6hint",
[4] = "ipv4hint",
[1] = "alpn"
}
SVCB/HTTPS SvcParam keys as defined in
https://datatracker.ietf.org/doc/html/rfc9460#name-initial-contents
Keep in sync with src/analyzer/protocol/dns/DNS.h SVCPARAM_Key.
Reference in a new issue View git blame Copy permalink