DNS Request Filtering System Logging Error Messages
The message format for system logs related to DNS request filtering differs slightly for the Next Gen Services MX-SPC3 services card versus earlier services cards. This topic describes the differences in the DNS request filtering related system log messages and provides a description of all fields in these messages.
System Logging for DNS Request Filtering Overview
Next Gen Services DNS request filtering system logging generates these events:
- DNS match events (DNS_SR_MATCH_EVENT)
  - A single syslog is generated for each DNS match to the list of filtered domains.
- Per-term statistics (DNS_SR_CUSTOMER_STATS)
  - Each term in the template represents a customer, enabling you to collect per-customer statistics.
  - You can configure the interval in which you want to collect statistics in each template.
- You can report an event each time a DNS disallow-list file is added or updated (DNS_SR_FILE_UPDATE_NOTICE)
- You can collect per-PIC summary report statistics (DNS_SR_REPORT_STATS)
  - Statistics are generated every 5 minutes. This interval value is not configurable.
  - These statistics are generated on a per-PIC basis.
- You can collect per-client IP statistics (DNS_SR_CLIENT_IP_STATS)
  - These statistics are generated per profile.
  - The interval for collecting these statistics is configurable per profile.

Note: To enable these logs, you must configure a syslog for each service-set for which you’ve configured dns-filtering. All system log messages for Next Gen Services are configured at the service-set level using the following statement:

    user@host# edit services service-set service-set-name syslog

To collect DNS request filtering system log messages, include urlf in the local-category statement:

    [edit services service-set ss1 syslog]
    user@host# set local-category urlf
DNS Match-Event Syslog Format
System log messages for Next Gen Services DNS request filtering do not include the FPC slot/PIC slot and UTC time.
Table 1 describes the fields contained in DNS request filtering match events.
| Field Name | Description | Example |
|---|---|---|
| Time Stamp | Time when log entry was generated | Oct 27 10:04:19 |
| Router Name | Host name of the router generating the record | Jnpr-router-01 |
| Log Handle | Log handle to identify the log category | junos-url-filter |
| Match | Indicates a DNS match was detected. | JSERVICES_URLF_MATCH_EVENT: DNS_SR_MATCH_EVENT |
| Tag | Log-prefix configured | Tag=<value> |
| svc-set-name | Service-set name | svc-set-name=<value> |
| ID | ID assigned to the domain name (Size of ID is assumed to be a 32-bit number) | ID=12345 |
| IP_Src | Source IP | IP_Src=10.1.5.72 |
| IP_Dst | Destination IP (DNS resolver) | IP_Dst=10.1.1.10 |
| Src_Prt | Source Port | Src_Prt=37344 |
| Dst_Prt | Destination Port | Dst_Prt=53 |
| Sinkhole_IP | IP of sinkhole server from Domain Name Input List | Sinkhole_IP=10.1.50.64 |
| Sinkhole_IPv6 | IP of IPv6 sinkhole server from Domain Name Input List | Sinkhole_IPv6=2001:db8:1003:1004:1005:1006:1007:1008 |
| Sinkhole_fqdn | Sinkhole FQDN | Sinkhole_fqdn=NA |
| Count | Counter for match events to accommodate identical event records | Count=54 |
| Replaced | Designates replacement of response domain (i.e. sinkholing) | Replaced=Y |
| Reason_Mask | Reason for action (if Replaced=N) [See table below for bit position enumeration] | Reason_Mask=0x0 |
| QType | Query Type of the DNS request (A, AAAA, MX, CNAME, SRV, TXT) | QType=A |
| Profile | Profile Name [The Web filter profile name as configured] | Profile=profile_01 |
| Template | Template Name [The DNS filter template name as configured] | Template=template_01 |
| Term | Term Name [The DNS filter term name as configured] | Term=term_01 |
| Time | UNIX timestamp | Time=Wed Dec 20 12:25:24 2017 |
Here’s an example of MX-SPC3 DNS filtering syslog format:
Feb 20 17:06:36 ce-bras-mx480-o junos-url-filter: JSERVICES_URLF_MATCH_EVENT:
DNS_SR_MATCH_EVENT, Tag=tag, svc-set-name= s1, ID=1235,
IP_SRC=10.2.2.3,
IP_DST=10.101.10.100,
SRC_PRT=34342, DST_PRT=53,
Sinkhole_IP=10.1.1.1,
Sinkhole_IPv6=NA, Sinkhole_fqdn=NA, Count=9, Replaced=Y, Reason_Mask=0x0, QType=A,
Profile=webf-prof-1, Template=dnsf-temp-1, Term=dnsf-term-1, Time=Tue Jan 23 13:45:52
2018
Here’s an example of MS-MPC DNS filtering syslog format:
Jan 23 13:45:52 cliq (FPC Slot 1, PIC Slot 1) 2018-01-23 21:45:52:
{s1}[jservices-urlf]: JSERVICES_URLF_MATCH_EVENT: DNS_SR_MATCH_EVENT ID=1235,
IP_SRC=10.2.2.3,
IP_DST=10.101.10.100,
SRC_PRT=34342, DST_PRT=53,
Sinkhole_IP=10.1.1.1,
Sinkhole_IPv6=NA, Sinkhole_fqdn=NA, Count=9, Replaced=Y, Reason_Mask=0x0, QType=A,
Profile=webf-prof-1, Template=dnsf-temp-1, Term=dnsf-term-1, Time=Tue Jan 23 13:45:52
2018
Reason Mask Values & Interpretations for DNS Filtering
Table 2 describes the reason mask value fields and interpretations for MX Next Gen Services DNS filtering.
| Bit Position | Hex Value | Interpretation | Additional Comments |
|---|---|---|---|
| | 0x0 | Replaced | |
| 0 | 0x1 | Reason Other | Examples: Fragmented packets, malformed packets |
| 1 | 0x2 | Not a supported DNS request type | Examples: SRV, TXT |
| 2 | 0x4 | Indicator action set to “Report-Only” | This is to enable testing of new indicators before putting them into Production. |
| 3 | 0x8 | Replace A/AAAA record error | |
| 4 | 0x10 | Replacement information not available | The domain name entry is marked “replace” but the sinkhole-ip/sinkhole-ipv6/sinkhole-fqdn is not provided. |
Here’s an example of MX Next Gen Services syslog format for DNS filtering showing the reason mask and interpretation:
Feb 20 17:06:36 ce-bras-mx480-o junos-url-filter: JSERVICES_URLF_MATCH_EVENT:
DNS_SR_MATCH_EVENT, Tag=tag, svc-set-name= s1, ID=1235,
IP_SRC=10.2.2.3,
IP_DST=10.101.10.100,
SRC_PRT=34342, DST_PRT=53,
Sinkhole_IP=10.1.1.1,
Sinkhole_IPv6=NA, Sinkhole_fqdn=NA, Count=9, Replaced=Y, Reason_Mask=0x0, QType=A,
Profile=webf-prof-1, Template=dnsf-temp-1, Term=dnsf-term-1, Time=Tue Jan 23 13:45:52 2018
Here’s an example of MS-MPC DNS filtering syslog format:
Jan 23 13:45:52 cliq (FPC Slot 1, PIC Slot 1) 2018-01-23 21:45:52:
{s1}[jservices-urlf]: JSERVICES_URLF_MATCH_EVENT: DNS_SR_MATCH_EVENT ID=1235,
IP_SRC=10.2.2.3,
IP_DST=10.101.10.100,
SRC_PRT=34342, DST_PRT=53,
Sinkhole_IP=10.1.1.1,
Sinkhole_IPv6=NA, Sinkhole_fqdn=NA, Count=9, Replaced=Y, Reason_Mask=0x0, QType=A,
Profile=webf-prof-1, Template=dnsf-temp-1, Term=dnsf-term-1, Time=Tue Jan 23 13:45:52 2018
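The following Python parser is an added example, not Juniper code: it reads a DNS_SR_MATCH_EVENT record in either the MX-SPC3 or the MS-MPC layout described in Table 1 and decodes Reason_Mask using the bit positions in Table 2. The sample record (host name `host1`, Replaced=N, Reason_Mask=0x14) is constructed, and reporting bits above position 4 as "Unknown bits" is an assumption of this example.

```python
import re

# Reason_Mask bit positions from Table 2; a mask of 0x0 means "Replaced".
REASON_BITS = {
    0: "Reason Other",
    1: "Not a supported DNS request type",
    2: "Indicator action set to Report-Only",
    3: "Replace A/AAAA record error",
    4: "Replacement information not available",
}
# MS-MPC records carry "(FPC Slot n, PIC Slot n)" and "{service-set}" up front.
MPC_HEADER = re.compile(r"\(FPC Slot (\d+), PIC Slot (\d+)\).*?\{([^}]*)\}")
# key=value pairs; a value runs to the next comma or the end of the record.
PAIR = re.compile(r"([A-Za-z][\w-]*)=\s*([^,]*)")

def decode_reason_mask(value):
    """Turn a Reason_Mask hex string into the Table 2 interpretations."""
    mask = int(value, 16)
    if mask == 0:
        return ["Replaced"]
    reasons = [text for bit, text in REASON_BITS.items() if mask & (1 << bit)]
    unknown = mask & ~0x1F  # bits Table 2 does not define (assumed handling)
    return reasons + ([f"Unknown bits {unknown:#x}"] if unknown else [])

def parse_match_event(record):
    """Parse one DNS_SR_MATCH_EVENT record; return None for other messages."""
    record = " ".join(record.split())  # undo line wrapping
    head, marker, body = record.partition("DNS_SR_MATCH_EVENT")
    if not marker:
        return None
    # Field-name case differs between Table 1 and the samples, so fold it.
    event = {key.lower(): val.strip() for key, val in PAIR.findall(body)}
    mpc = MPC_HEADER.search(head)
    event["card"] = "MS-MPC" if mpc else "MX-SPC3"
    if mpc:
        event["fpc_slot"], event["pic_slot"] = int(mpc[1]), int(mpc[2])
        event.setdefault("svc-set-name", mpc[3])
    if "reason_mask" in event:
        event["reasons"] = decode_reason_mask(event["reason_mask"])
    return event

# Constructed sample: MS-MPC layout with a non-zero mask (bits 2 and 4 set).
SAMPLE = """Jan 23 13:45:52 host1 (FPC Slot 1, PIC Slot 1) 2018-01-23 21:45:52:
{s1}[jservices-urlf]: JSERVICES_URLF_MATCH_EVENT: DNS_SR_MATCH_EVENT ID=1235,
IP_SRC=10.2.2.3, IP_DST=10.101.10.100, SRC_PRT=34342, DST_PRT=53,
Sinkhole_IP=NA, Sinkhole_IPv6=NA, Sinkhole_fqdn=NA, Count=9, Replaced=N,
Reason_Mask=0x14, QType=A, Profile=webf-prof-1, Template=dnsf-temp-1,
Term=dnsf-term-1, Time=Tue Jan 23 13:45:52 2018"""

if __name__ == "__main__":
    ev = parse_match_event(SAMPLE)
    print(ev["card"], ev["ip_src"], ev["replaced"], ev["reasons"])
```

Keys are lowercased in the returned dictionary, so `IP_SRC` from a log line and `IP_Src` from Table 1 both appear as `ip_src`.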
Per-Term Statistics Syslog Format
Table 3 describes the fields for MX Next Gen Services DNS filtering per-term statistics syslog format.
| Field Name | Description | Example |
|---|---|---|
| Time Stamp | Time when log entry was generated | Oct 27 10:04:17 |
| Router Name | Host name of the router generating the record | Jnpr-router-01 |
| Log Handle | Log handle to identify the log category | junos-url-filter |
| Match | A term (customer) statistics record | JSERVICES_URLF_CUSTOMER_STATS: DNS_SR_CUSTOMER_STATS |
| Tag | Log-prefix configured | Tag=<value> |
| svc-set-name | Service-set name | svc-set-name=<value> |
| Profile | Profile Name [The Web filter profile name as configured] | Profile=profile_01 |
| Template | Template Name [The DNS filter template name as configured] | Template=template_01 |
| Term | Term Name [The DNS filter term name as configured] | Term=term_01 |
| Packets_Processed | Total DNS Requests Processed | Requests_Processed=200 |
| DNS_UDP_Packets_Processed | DNS UDP Requests Processed | DNS_UDP_Requests_Processed=98 |
| DNS_TCP_Packets_Processed | DNS TCP Requests Processed | DNS_TCP_Requests_Processed=35 |
| DNS_UDP_Requests_sinkholed | DNS UDP Requests sink-holed | DNS_UDP_Requests_Sinkholed=50 |
| DNS_TCP_Requests_sinkholed | DNS TCP Requests sink-holed | DNS_TCP_Requests_Sinkholed=50 |
| DNS_UDP_Requests_reported | DNS UDP Requests reported | DNS_UDP_Requests_Reported=50 |
| DNS_TCP_Requests_reported | DNS TCP Requests reported | DNS_TCP_Requests_Reported=50 |
| Time | UNIX timestamp | Time=Wed Dec 20 12:25:24 2017 |
| Count | Counter to accommodate identical event records | Count=10 |
Here’s an example of MX-SPC3 DNS filtering syslog format for per-term statistics:
Feb 25 14:25:45 curve junos-url-filter: JSERVICES_URLF_CUSTOMER_STATS:
DNS_SR_CUSTOMER_STATS, Tag , svc-set-name s1, Profile=DNS_CUSTOMER-A, Template=DNS_CUSTOMER-A,
Term=DNS_CUSTOMER-A, Requests_Processed=0, DNS_UDP_Requests_Processed=0,
DNS_TCP_Requests_Processed=0, DNS_UDP_Requests_Sinkholed=0, DNS_TCP_Requests_Sinkholed=0,
DNS_UDP_Requests_Reported=0, DNS_TCP_Requests_Reported=0, Time=Mon Feb 25 14:25:45 2019,
Count=13
Here’s an example of MS-MPC DNS filtering syslog format:
Mar 8 12:16:05 iphone3gs (FPC Slot 5, PIC Slot 0) 2019-03-08 20:16:04:
{ATT-Zone5}[jservices-urlf]: JSERVICES_URLF_CUSTOMER_STATS: DNS_SR_CUSTOMER_STATS,
Profile=ATT-Profile-5-Zone5, Template=ATT-Profile-5-Zone5-Area1,
Term=ATT-Profile-5-Zone5-Area1-Customer3, Requests_Processed=0, DNS_UDP_Requests_Processed=0,
DNS_TCP_Requests_Processed=0, DNS_UDP_Requests_Sinkholed=0, DNS_TCP_Requests_Sinkholed=0,
DNS_UDP_Requests_Reported=0, DNS_TCP_Requests_Reported=0, Time=Fri Mar 08 12:16:05 2019,
Count=111
DNS Filtering Disallow-List File Add/Change Syslog Format
Table 4 describes the fields for MX Next Gen Services DNS filtering disallow-list file additions and updates syslog format.
| Field Name | Description | Example |
|---|---|---|
| Time Stamp | Time when log entry was generated | Oct 27 10:04:17 |
| Router Name | Host name of the router generating the record | Jnpr-router-01 |
| Log Handle | Log handle to identify the log category | junos-url-filter |
| Match | The domain disallow-list file updated for the template. | JSERVICES_URLF_FILE_UPDATE_NOTICE: DNS_SR_FILE_UPDATE_NOTICE |
| Tag | Log-prefix configured | Tag=<value> |
| svc-set-name | Service-set name | svc-set-name=<value> |
| File Name | Name of the file | File_Name=shdb.txt |
| File Version | Version of the file | File_Version=20170314_01 |
| Updated | File Update Time | Domain_Filter_File_Updated=Fri Oct 27 10:56:42 2017 |
| Profile | Profile Name [The Web filter profile name as configured] | Profile=profile_01 |
| Template | Template Name [The DNS filter template name as configured] | Template=template_01 |
| Domains | Number of Domains in the file | Domains=12 |
| Report-Only-Domains | Number of Report-Only domains in the file | Report_Only_Domains=3 |
Here’s an example of the syslog format for MX-SPC3 DNS filtering disallow-list add/change file updates:
Feb 25 14:36:47 curve junos-url-filter: JSERVICES_URLF_FILE_UPDATE_NOTICE:
DNS_SR_FILE_UPDATE_NOTICE, Tag=, svc-set-name=s1, File_Name=test_dns_sink.txt,
File_Version=20180911 01, Domain_Filter_File_Updated=Mon Feb 25 14:36:47 2019
Profile=DNS_CUSTOMER-A, Template=DNS_CUSTOMER-A, Domains=18, Report_Only_Domains=0
Here’s an example of the syslog format for DNS filtering disallow-list file changes with the MS-MPC services card:
Jan 23 13:34:34 cliq (FPC Slot 1, PIC Slot 1) 2018-01-23 21:34:33:
{s1}[jservices-urlf]: JSERVICES_URLF_FILE_UPDATE_NOTICE: DNS_SR_FILE_UPDATE_NOTICE,
File_Name=dnsf1_hashed.txt, File_Version=20170314_01, Domain_Filter_File_Updated=Tue Jan 23
13:34:34 2018 Profile=webf-prof-1, Template=dnsf-temp-1, Domains=4, Report_Only_Domains=1
DNS Filtering Summary Report Statistics Syslog Format
Summary report statistics are reported in syslog with the following format:
Here’s an example summary report syslog message for MX-SPC3 Next Gen Services DNS filtering:
Feb 25 11:50:39 curve junos-url-filter: JSERVICES_URLF_REPORT_STATS:
DNS_SR_REPORT_STATS, Tag=, svc-set-name=s1, TCP_DNS_Packets=0, TCP_DNS_Non_Segmented=0,
TCP_DNS_Segmented=0, Count=1
Here’s an example summary report syslog message for MS-MPC services card DNS filtering:
Mar 8 12:20:41 iphone3gs (FPC Slot 5, PIC Slot 1) 2019-03-08 20:20:40:
{ATT-Zone1}[jservices-urlf]: JSERVICES_URLF_REPORT_STATS: DNS_SR_REPORT_STATS,
TCP_DNS_Packets=0, TCP_DNS_Non_Segmented=0, TCP_DNS_Segmented=0, Count=169
DNS Filtering Per-Client-IP Statistics Syslog Format
Table 5 describes the syslog fields for MX-SPC3 DNS filtering per-client-IP statistics, which are reported per PIC and per profile for all client IP addresses known to the system.
| Field Name | Description | Example |
|---|---|---|
| Time Stamp | Time when log entry was generated | Oct 27 10:04:17 |
| Router Name | Host name of the router generating the record | Jnpr-router-01 |
| Log Handle | Log handle to identify the log category | junos-url-filter |
| Match | Log for per-Client IP stats | JSERVICES_URLF_CLIENT_IP_STATS: DNS_SR_CLIENT_IP_STATS |
| Tag | Log-prefix configured | Tag=<value> |
| svc-set-name | Service-set name | svc-set-name=<value> |
| Client-IP | IP address of the client | Client-IP=10.1.1.1 |
| Profile | Profile Name [The Web filter profile name as configured] | Profile=profile_01 |
| Template | Template Name [The DNS filter template name as configured] | Template=template_01 |
| Term | Term Name [The DNS filter term name as configured] | Term=term_01 |
| A_Req | DNS A-Record Requests Processed | A_Req=10 |
| AAAA_Req | DNS AAAA-Record Requests Processed | AAAA_Req=10 |
| MX_Req | DNS MX-Record Requests Processed | MX_Req=4 |
| CNAME_Req | DNS CNAME-Record Requests Processed | CNAME_Req=4 |
| SRV_Req | DNS SRV-Record Requests Processed | SRV_Req=4 |
| TXT_Req | DNS TXT-Record Requests Processed | TXT_Req=4 |
| ANY_Req | DNS ANY-Record Requests Processed | ANY_Req=4 |
| A_Req_SH | DNS A-Record Requests sink-holed | A_Req_SH=5 |
| AAAA_Req_SH | DNS AAAA-Record Requests sink-holed | AAAA_Req_SH=5 |
| MX_Req_SH | DNS MX-Record Requests Sink-holed | MX_Req_SH=4 |
| CNAME_Req_SH | DNS CNAME-Record Requests Sink-holed | CNAME_Req_SH=4 |
| SRV_Req_SH | DNS SRV-Record Requests Sink-holed | SRV_Req_SH=4 |
| TXT_Req_SH | DNS TXT-Record Requests Sink-holed | TXT_Req_SH=4 |
| ANY_Req_SH | DNS ANY-Record Requests Sink-holed | ANY_Req_SH=4 |
| Req_Rep | DNS Requests reported | Req_Rep=5 |
Here’s an example of per-client-IP statistics for MX-SPC3 DNS filtering:
Feb 25 11:50:39 curve junos-url-filter: JSERVICES_URLF_CLIENT_IP_STATS:
DNS_SR_CLIENT_IP_STATS, Tag=tag, svc-set-name=s1,
Client-IP=10.2.2.3,
Profile=webf-prof-1, Template=dnsf-temp-1, Term=dnsf-term-1, A_Req=0, AAAA_Req=0, MX_Req=0,
CNAME_Req=0, SRV_Req=0, TXT_Req=0, ANY_Req=2, A_Req_SH=0, AAAA_Req_SH=0, MX_Req_SH=0,
CNAME_Req_SH=0, SRV_Req_SH=0, TXT_Req_SH=0, ANY_Req_SH=0, Req_Rep=2
Here’s an example syslog message for DNS filtering client-IP statistics on MS-MPC services cards:
Mar 7 17:58:54 iphone3gs (FPC Slot 5, PIC Slot 3) 2019-03-08 01:58:54:
{dns}[jservices-urlf]: JSERVICES_URLF_CLIENT_IP_STATS: DNS_SR_CLIENT_IP_STATS,
Client-IP=2008:db8:2228:8001::1,
Profile=dns-profile1, Template=dns1, Term=3, A_Req=19, AAAA_Req=19, MX_Req=0, CNAME_Req=0,
SRV_Req=0, TXT_Req=0, ANY_Req=0, A_Req_SH=19, AAAA_Req_SH=19, MX_Req_SH=0, CNAME_Req_SH=0,
SRV_Req_SH=0, TXT_Req_SH=0, ANY_Req_SH=0, Req_Rep=0