For performance reasons the DNS request and response packets are joined into a single row, to avoid having to do an expensive join operation with large tables. Besides DNS information, each row also contains IP, TCP/UDP and meta information.
The table below lists all available columns. The protocol indicates the network protocol the column data is extracted from. The type can be either request, response or meta. The meta type is used for columns that contain data that is not directly extracted from network packet data. Meta data is descriptive data about the network data, such as the geographical location for an IP address.
column | protocol | type | description |
---|---|---|---|
id | DNS | query | message id |
rcode | DNS | response | rcode (-1 if no matching server response is found) |
opcode | DNS | query | opcode |
query_ts | - | META | packet timestamp in milliseconds UTC |
time | - | META | milliseconds since January 1, 1970, 00:00:00 UTC |
qname | DNS | request | qname from request |
qtype | DNS | request | qtype from request |
domainname | DNS | META | second-level domain name (extracted from qname) |
labels | DNS | META | count of the number of qname labels |
src | IP | request | source IP address |
dst | IP | request | destination IP address |
ttl | IP | request | TTL |
frag | IP | request | fragment count |
ipv | IP | request | IP version, 4 or 6 |
prot | IP | request | protocol, 6(TCP) or 17(UDP) |
srcp | UDP/TCP | request | source port |
dstp | UDP/TCP | request | destination port |
req_len | DNS | response | length of the DNS request message |
res_len | DNS | response | length of the DNS response message |
aa | DNS | response header | Authoritative Answer |
tc | DNS | response header | Truncation |
rd | DNS | request header | Recursion Desired |
ra | DNS | response header | Recursion Available |
z | DNS | request header | Zero |
ad | DNS | response header | Authenticated data (DNSSEC) |
cd | DNS | request header | Checking Disabled (DNSSEC) |
ancount | DNS | response header | Answer Record Count |
arcount | DNS | response header | Additional Record Count |
nscount | DNS | response header | Authority Record Count |
qdcount | DNS | request header | Question Count |
country | IP | META | country location of the source IP address |
asn | IP | META | autonomous system number of the source IP address |
edns_udp | DNS | request | max UDP packet length supported by client |
edns_version | DNS | request | EDNS0 version |
edns_do | DNS | request | DNSSEC do-bit |
edns_ping | DNS | request | EDNS0 ping option of powerdns |
edns_nsid | DNS | request | name server identifier (rfc5001) |
edns_dnssec_dau | DNS | request | DNSSEC Algorithm signalling, DNSSEC Algorithm Understood, (rfc6975) |
edns_dnssec_dhu | DNS | request | DNSSEC Algorithm signalling, DS Hash Understood, (rfc6975) |
edns_dnssec_n3u | DNS | request | DNSSEC Algorithm signalling, NSEC3 Hash Understood, (rfc6975) |
edns_client_subnet | DNS | request | Client subnet option (draft-ietf-dnsop-edns-client-subnet-00) |
edns_client_subnet_asn | - | META | asn of the client subnet |
edns_client_subnet_country | - | META | country location of the client subnet IP address |
edns_other | DNS | request | All other used EDNS0 options (concatenated as string) |
resp_frag | IP | request | the number of IP packet fragments required for the DNS response |
proc_time | - | META | the number of microseconds between the request and the response |
server_location | META | request | location of the anycast node, only if anycast encoding is used for the file input directory |
edns_padding | DNS | request | Is EDNS0 Padding used |
pcap_file | DNS | request | Name of the input pcap file |
edns_keytag_count | DNS | request | number of EDNS0 keytags found |
edns_keytag_list | DNS | request | EDNS0 keytags as comma separated list |
q_tc | DNS | request | TC flag from request header |
q_ra | DNS | request | RA flag from request header |
q_ad | DNS | request | AD flag from request header |
q_rcode | DNS | request | RCODE flag from request header |
pub_resolver | DNS | request | Public resolver used e.g. Google, OpenDNS … |
tcp_hs_rtt | TCP | META | RTT of TCP handshake |
tcp_pk_rtt | TCP | META | RTT of TCP packet |
year | META | request | year part of timestamp |
month | META | query | month part of timestamp |
day | META | request | day part of timestamp |
server | DNS | request | The name server the DNS request was sent to |
The list of public resolver IP addresses is automatically fetched and updated every day.
For more information about the DNS fields see DNS RFC 1035. The table column names match the RFC field names. For more information about possible DNS column values see IANA DNS parameters.
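Because each row carries both the request and the response, per-source statistics can be computed in one pass without a join. The following is an added example, not part of the original documentation: it reports unanswered queries (`rcode = -1`) and the response-to-request size ratio per source over UDP, figures an operator would review when checking whether a name server is being used for reflection. The table name `dns_queries`, the use of SQLite as a stand-in query engine, the thresholds, the NULL `res_len` for unanswered rows and all sample rows are assumptions.

```python
import sqlite3

# Constructed sample rows, not real traffic; columns are a subset of the table.
# Assumption: res_len is NULL when no response was matched (rcode = -1).
SAMPLE_ROWS = [
    # src, prot, qname, qtype, rcode, req_len, res_len
    ("192.0.2.10", 17, "example.nl.", 255, 0, 40, 3200),
    ("192.0.2.10", 17, "example.nl.", 255, 0, 40, 3100),
    ("192.0.2.10", 17, "example.nl.", 48, 0, 42, 1500),
    ("198.51.100.7", 17, "www.example.nl.", 1, 0, 44, 60),
    ("198.51.100.7", 17, "www.example.nl.", 1, -1, 44, None),
    ("198.51.100.7", 6, "example.nl.", 255, 0, 40, 3200),
    ("203.0.113.5", 17, "mail.example.nl.", 1, 3, 45, 110),
]

# Request and response fields sit in the same row, so no join is needed.
SUMMARY_SQL = """
SELECT src,
       COUNT(*) AS queries,
       SUM(CASE WHEN rcode = -1 THEN 1 ELSE 0 END) AS unanswered,
       ROUND(1.0 * SUM(CASE WHEN rcode <> -1 THEN res_len END)
                 / SUM(CASE WHEN rcode <> -1 THEN req_len END), 1) AS size_ratio
FROM dns_queries          -- hypothetical table name
WHERE prot = 17           -- UDP only
GROUP BY src
ORDER BY size_ratio DESC
"""

def load_sample():
    """Build an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dns_queries (src TEXT, prot INTEGER, qname TEXT,"
                 " qtype INTEGER, rcode INTEGER, req_len INTEGER, res_len INTEGER)")
    conn.executemany("INSERT INTO dns_queries VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def summarize(conn):
    """Return (src, queries, unanswered, size_ratio) per source address."""
    return conn.execute(SUMMARY_SQL).fetchall()

def high_ratio_sources(conn, min_ratio=10.0, min_queries=3):
    """Sources whose answered UDP queries draw disproportionately large responses."""
    return [src for src, n, _, ratio in summarize(conn)
            if ratio is not None and n >= min_queries and ratio >= min_ratio]

if __name__ == "__main__":
    for row in summarize(load_sample()):
        print(row)
```

The ratio is computed over answered rows only, so a source whose queries all went unanswered yields a NULL ratio and is skipped by `high_ratio_sources`.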