DNS Log Formats

DNS logs show traffic that has reached our DNS resolvers.

Examples

Example of DNS Log for Allowed Action:

"2024-09-11 18:46:00","Active Directory User ([email protected])","Active Directory User ([email protected]),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,SaaS and B2B,Application","AD Users","AD Users,Anyconnect Roaming Client","","506165","","8234970"

The example entry is 480 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Example of DNS Log for Blocked Action with Blocked Categories:

"2024-09-11 18:46:00","Active Directory User ([email protected])","Active Directory User ([email protected]),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"

Order of Fields in the DNS Log

<timestamp><most granular identity><identities><internal ip><external ip><action><query type><response code><domain><categories><most granular identity type><identity types><blocked categories><rule id><destination countries><organization id>

  • Timestamp—When this request was made, in UTC. This differs from the Umbrella dashboard, which converts the time to your specified time zone.
  • Most Granular Identity—The first identity matched with this request in order of granularity.
  • Identities—All identities associated with this request.
  • Internal IP—The internal IP address that made the request.
  • External IP—The external IP address that made the request.
  • Action—Whether the request was allowed or blocked.
  • Query Type—The type of DNS request that was made. For more information, see Common DNS Request Types.
  • Response Code—The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
  • Domain—The domain that was requested.
  • Categories—The security or content categories that the destination matches. For category definitions, see Understanding Security Categories and Understanding Content Categories.
  • Most Granular Identity Type—The first identity type matched with this request in order of granularity. Available in version 3 and above.
  • Identity Types—The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
  • Blocked Categories—The categories that resulted in the destination being blocked. Available in version 4 and above.
  • Rule ID—The ID of the access rule when the DNS request is matched by a policy.
  • Destination Countries—The two-character country identifier of the domain that was requested.
  • Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID.
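A parser for the 16-field layout listed above, added here as an example and not part of the original documentation. The names `parse_dns_log` and `blocked_events` are hypothetical, splitting the multi-value fields on commas is an assumption, and the sample lines are constructed from the two examples on this page with `user@example.com` as a placeholder address.

```python
import csv
import io
from datetime import datetime, timezone

# Field order as listed on this page (16 fields).
FIELDS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain",
    "categories", "most_granular_identity_type", "identity_types",
    "blocked_categories", "rule_id", "destination_countries", "organization_id",
]
# Assumption: these fields hold comma-separated lists inside one quoted value.
MULTI = {"identities", "categories", "identity_types", "blocked_categories",
         "destination_countries"}

def parse_dns_log(text):
    """Yield one dict per log line; raise ValueError on an unexpected field count."""
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        rec = dict(zip(FIELDS, row))
        # Log timestamps are UTC, unlike the dashboard's converted display time.
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["domain"] = rec["domain"].rstrip(".").lower()  # drop the trailing root dot
        for name in MULTI:
            rec[name] = [v for v in rec[name].split(",") if v]
        yield rec

def blocked_events(records):
    """Return (timestamp, identity, domain, blocked categories) for blocked requests."""
    return [(r["timestamp"], r["most_granular_identity"], r["domain"],
             r["blocked_categories"]) for r in records if r["action"] == "Blocked"]

# Constructed sample based on the page's two examples; the e-mail address is a placeholder.
SAMPLE = '''"2024-09-11 18:46:00","Active Directory User (user@example.com)","Active Directory User (user@example.com),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,SaaS and B2B,Application","AD Users","AD Users,Anyconnect Roaming Client","","506165","","8234970"
"2024-09-11 18:46:00","Active Directory User (user@example.com)","Active Directory User (user@example.com),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"
'''
```

The field-count check makes a log exported in a different format version fail loudly instead of silently shifting columns.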
