malhuda/AdGuardDNS
1
0
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardDNS.git synced 2025-02-20 11:23:36 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
AdGuardDNS/doc/querylog.md
Andrey Meshkov 5de1a253fc Sync v2.1.1
2022-11-07 10:21:24 +03:00

8.3 KiB
Raw Permalink Blame History

AdGuard DNS Query Log Format

The query log is written in the JSONL (JSON Lines) format. The log entries are designed to be concise and easily compressable. An example of the log output:

{"u":"ABCD","b":"prof1234","i":"dev1234","c":"RU","d":"US","n":"example.com.","l":"cdef5678","m":"||example.com^","t":1628590394000,"a":1234,"e":5,"q":1,"f":2,"s":0,"p":8,"r":0}
{"u":"DEFG","b":"prof1234","i":"dev1234","c":"RU","d":"JP","n":"example.org.","l":"hijk9012","m":"||example.org^","t":1628590394100,"a":6789,"e":6,"q":1,"f":2,"s":0,"p":8,"r":0}

AdGuard DNS opens and closes the log file on each write to prevent issues with external log rotation.

Properties

Property names have been chosen to be single-letter but still have mnemonic rules to remember, which property means what. The properties are:

  • u: The unique ID of the request. The short name u stands for “unique”.

    Example: "ABCD1234"

  • b: The detected profile ID (also known as DNS ID and DNS Server ID), if any. The short name b stands for “buyer”.

    Example: "prof1234"

  • i: The detected device ID, if any. The short name i stands for “ID”.

    Example: "dev1234"

  • c: The detected country of the client's IP address as an ISO 3166-1 alpha-2 country code, if any. If none could be detected, this property is absent. The short name c stands for “client country”.

    NOTE: AdGuard DNS uses the common user-assigned ISO 3166-1 alpha-2 code XK for the partially-recognized state of the Republic of Kosovo.

    Example: "AU"

  • d: The detected country of the first IP address in the response sent to the client, as an ISO 3166-1 alpha-2 country code, if any. If none could be detected, this property is absent. The short name d stands for “destination”.

    NOTE: AdGuard DNS uses the common user-assigned ISO 3166-1 alpha-2 code XK for the partially-recognized state of the Republic of Kosovo.

    Example: "US"

  • n: The requested resource name. The short name n stands for “name”.

    Example: "example.com."

  • l: The ID of the first filter the rules of which matched this query. If no rules matched, this property is omitted. The short name l stands for “list of filter rules”.

    Example: "adguard_dns_filter"

    The special reserved values are:

    • blocked_service: the request was blocked by the service blocker. The property m contains the ID of that blocked service.

    • custom: the request was filtered by a custom profile rule.

    • adult_blocking: the request was filtered by the adult content blocking filter.

    • safe_browsing: the request was filtered by the safe browsing filter.

    • general_safe_search: the request was modified by the general safe search filter.

    • youtube_safe_search: the request was modified by the YouTube safe search filter.

  • m: The text of the first rule that matched this query or the ID of the blocked service, if the ID of the filtering rule list is blocked_service. If no rules matched, this property is omitted. The short name m stands for “match”.

    Object examples:

    {
  "l": "adguard_dns_filter",
  "m": "||example.com^",
  "...": "..."
}

    {
  "l": "blocked_service",
  "m": "example",
  "...": "..."
}

  • t: The Unix time at which the request was received, in milliseconds. The short name t stands for “time”.

    Example: 1629974298000

  • a: The detected autonomous system number (aka ASN) of the client's IP address, if any. If none could be detected, this property is absent. The short name a stands for “ASN”.

    Example: 1234

  • e: The time passed since the beginning of the request processing, in milliseconds. The short name e stands for “elapsed”.

    Example: 3

  • q: The type of the resource record of the query. The short name q stands for “question”.

    Example: 1

    See this Wikipedia list for numeric values and their meanings.

  • f: The action taken with this request. The short name f stands for “filtering”. The possible values are:

    0
    Invalid or unknown action. Typically, this value is never used.
    1
    No filtering.
    2
    The request (question) is blocked.
    3
    The response (answer) is blocked.
    4
    The request (question) is allowed by an allowlist rule.
    5
    The response (answer) is allowed by an allowlist rule.
    6
    The request (question) or response (answer) was modified or rewritten by a safety filter or a DNS rewrite rule.

    Example: 2

  • s: The status of whether the response was validated with DNSSEC. 0 means no, 1 means yes. The short name s stands for “secure”.

    Example: 1

  • p: The DNS protocol used to process this request. The short name p stands for “protocol”. The possible values are:

    0
    Invalid or unknown protocol. Typically, this value is never used.
    3
    DNS-over-HTTPS.
    4
    DNS-over-QUIC.
    5
    DNS-over-TLS.
    8
    Plain DNS.
    9
    DNSCrypt.

    Example: 3

  • r: The response code (aka RCODE) sent to the client. The short name r stands for “response”.

    Example: 0

    See this IANA list for numeric values and their meanings.

See also file internal/querylog/entry.go for an explanation of the properties, their names, and mnemonics.