@2xyo
Created July 5, 2013 12:23
DNS Draft for Cybox

According to RFC 1035, a DNS query or response carries several header fields that are not yet defined in CybOX. It would therefore be relevant to add the following identifiers to DNSQueryObjectType:

  • ID : A 16 bit identifier assigned by the program that generates any kind of query. This identifier is copied into the corresponding reply and can be used by the requester to match up replies to outstanding queries.
<xs:element minOccurs="0" name="Identifier" type="cyboxCommon:HexBinaryObjectPropertyType">
    <xs:annotation>
        <xs:documentation> The Identifier field specifies the ID field of the DNS Query.</xs:documentation>
    </xs:annotation>
</xs:element>
  • QR : A one bit field that specifies whether this message is a query (0), or a response (1).
<xs:element minOccurs="0" name="Response" type="xs:boolean">
    <xs:annotation>
        <xs:documentation> The Response field specifies whether this message is a query (0), or a response (1)</xs:documentation>
    </xs:annotation>
</xs:element>
  • OPCODE : A four bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response. The values are:
    • 0 : a standard query (QUERY)
    • 1 : an inverse query (IQUERY)
    • 2 : a server status request (STATUS)
    • 3-15 : reserved for future
<xs:element minOccurs="0" name="Opcode">
    <xs:annotation>
        <xs:documentation> The Opcode field specifies the kind of the DNS Query. The values are 0 for a standard query (QUERY), 1 for an inverse query (IQUERY) and 2 for a server status request (STATUS)</xs:documentation>
    </xs:annotation>
    <!-- OPCODE is a 4-bit field (0-15). A facet must sit inside an xs:simpleType, an element
         cannot carry both a type attribute and an inline type, and xs:hexBinary has no ordering
         facets, so the range is expressed on xs:unsignedByte instead. -->
    <xs:simpleType>
        <xs:restriction base="xs:unsignedByte">
            <xs:maxInclusive value="15"/>
        </xs:restriction>
    </xs:simpleType>
</xs:element>
  • AA : Authoritative Answer - this bit is valid in responses, and specifies that the responding name server is an authority for the domain name in the question section. Note that the contents of the answer section may have multiple owner names because of aliases. The AA bit corresponds to the name which matches the query name, or the first owner name in the answer section.
<xs:element minOccurs="0" name="Authoritative" type="xs:boolean">
    <xs:annotation>
        <xs:documentation> The Authoritative field specifies if the responding name server is an authority (1) for the domain name in the question section</xs:documentation>
    </xs:annotation>
</xs:element>
  • TC : TrunCation - specifies that this message was truncated due to length greater than that permitted on the transmission channel.
<xs:element minOccurs="0" name="Truncation" type="xs:boolean">
    <xs:annotation>
        <xs:documentation> The Truncation field specifies if the DNS query was truncated due to length greater than that permitted on the transmission channel</xs:documentation>
    </xs:annotation>
</xs:element>
  • RD : Recursion Desired - this bit may be set in a query and is copied into the response. If RD is set, it directs the name server to pursue the query recursively. Recursive query support is optional.
<xs:element minOccurs="0" name="RecursionDesired" type="xs:boolean">
    <xs:annotation>
        <xs:documentation> The Recursion Desired field specifies if the recursion is desired in the DNS query.</xs:documentation>
    </xs:annotation>
</xs:element>

  • RA : Recursion Available - this bit is set or cleared in a response, and denotes whether recursive query support is available in the name server.
<xs:element minOccurs="0" name="RecursionAvailable" type="xs:boolean">
    <xs:annotation>
        <xs:documentation> The Recursion Available field specifies in the DNS response if the support of recursive query is available in the name server.</xs:documentation>
    </xs:annotation>
</xs:element>
  • Z : Reserved for future use. Must be zero in all queries and responses.
<xs:element minOccurs="0" name="Z" type="cyboxCommon:HexBinaryObjectPropertyType">
    <xs:annotation>
        <xs:documentation> The Z field is reserved for future use and must be zero in all DNS queries and responses.</xs:documentation>
    </xs:annotation>
</xs:element>
  • RCODE : Response code - this 4 bit field is set as part of responses. The values have the following interpretation:
    • 0 : No error condition
    • 1 : Format error - The name server was unable to interpret the query.
    • 2 : Server failure - The name server was unable to process this query due to a problem with the name server.
    • 3 : Name Error - Meaningful only for responses from an authoritative name server, this code signifies that the domain name referenced in the query does not exist.
    • 4 : Not Implemented - The name server does not support the requested kind of query.
    • 5 : Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.
    • 6-15 : Reserved for future use.
<xs:element minOccurs="0" name="ResponseCode">
    <xs:annotation>
        <xs:documentation> The Response code field specifies the status of the response of the DNS Server. The values are 0 for a successful query, 1 - Format Error - if the name server was unable to interpret the query, 2 - Server failure - if the name server was unable to process this query due to a problem with the name server, 3 - Name Error - the domain name referenced in the query does not exist, 4 - Not Implemented - the name server does not support the requested kind of query, 5 - Refused - the name server refuses to perform the specified operation.</xs:documentation>
    </xs:annotation>
    <!-- RCODE is a 4-bit field (0-15). As for Opcode, the facet must live in an xs:simpleType
         on an ordered base type, so the range is expressed on xs:unsignedByte. -->
    <xs:simpleType>
        <xs:restriction base="xs:unsignedByte">
            <xs:maxInclusive value="15"/>
        </xs:restriction>
    </xs:simpleType>
</xs:element>

The addition of these fields makes the following existing fields redundant:

  • DNSQueryObjectType:successful duplicates ResponseCode and does not convey the reason for the failure of the request.
  • DNSRecordObjectType:Flags is a duplicate of previous fields defined in the header.
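As an added example (not part of this gist nor of the CybOX schemas), the following Python decodes the RFC 1035 header fields listed above from the first 12 bytes of a DNS message, labels them with the proposed element names, and shows the redundancy noted above: the existing "successful" field is exactly "ResponseCode == 0", and the individual flag bits are what DNSRecordObjectType:Flags packs together. It also reports values RFC 1035 reserves or forbids (a non-zero Z field, reserved OPCODE or RCODE values), which is a useful sanity check when the fields are populated from captured traffic. The sample messages are constructed inline, and all class and function names are this example's own.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, asdict

# Mnemonics from RFC 1035 section 4.1.1; values outside these maps are reserved.
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "Name Error", 4: "Not Implemented", 5: "Refused"}


@dataclass
class DnsHeader:
    """Header fields named after the elements proposed for DNSQueryObjectType."""
    Identifier: int
    Response: bool
    Opcode: int
    Authoritative: bool
    Truncation: bool
    RecursionDesired: bool
    RecursionAvailable: bool
    Z: int
    ResponseCode: int

    @property
    def successful(self) -> bool:
        # The existing DNSQueryObjectType:successful field carries no more
        # information than "ResponseCode == 0".
        return self.ResponseCode == 0


def parse_dns_header(message: bytes) -> DnsHeader:
    """Decode the 12-byte header at the start of a DNS message (RFC 1035 section 4.1.1).

    Bit layout of the 16-bit flags word, most significant bit first:
    QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)
    """
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    # Six big-endian 16-bit words: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    ident, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return DnsHeader(
        Identifier=ident,
        Response=bool((flags >> 15) & 0x1),
        Opcode=(flags >> 11) & 0xF,
        Authoritative=bool((flags >> 10) & 0x1),
        Truncation=bool((flags >> 9) & 0x1),
        RecursionDesired=bool((flags >> 8) & 0x1),
        RecursionAvailable=bool((flags >> 7) & 0x1),
        Z=(flags >> 4) & 0x7,
        ResponseCode=flags & 0xF,
    )


def header_anomalies(hdr: DnsHeader) -> list[str]:
    """Report header values RFC 1035 reserves or forbids (a sanity check for parsed traffic)."""
    findings = []
    if hdr.Z != 0:
        findings.append(f"Z field is {hdr.Z} but must be zero")
    if hdr.Opcode not in OPCODE_NAMES:
        findings.append(f"Opcode {hdr.Opcode} is reserved (3-15)")
    if hdr.ResponseCode not in RCODE_NAMES:
        findings.append(f"ResponseCode {hdr.ResponseCode} is reserved (6-15)")
    if not hdr.Response and hdr.ResponseCode != 0:
        findings.append("ResponseCode is set in a query")
    return findings


def as_proposed_fields(hdr: DnsHeader) -> dict:
    """Render the header as the proposed element values; hexBinary-typed fields become hex strings."""
    fields = asdict(hdr)
    for name, width in (("Identifier", 4), ("Opcode", 1), ("Z", 1), ("ResponseCode", 1)):
        fields[name] = f"{fields[name]:0{width}X}"
    return fields


# Constructed sample headers (not captured traffic); only the 12 header bytes matter here.
SAMPLE_QUERY = bytes.fromhex("1a2b01000001000000000000")     # ID 0x1a2b, RD set
SAMPLE_RESPONSE = bytes.fromhex("1a2b85830001000000010000")  # QR, AA, RD, RA set, RCODE 3
SAMPLE_BAD_Z = bytes.fromhex("1a2c01700001000000000000")     # RD set, Z bits = 111

if __name__ == "__main__":
    for label, raw in (("query", SAMPLE_QUERY), ("response", SAMPLE_RESPONSE), ("bad Z", SAMPLE_BAD_Z)):
        hdr = parse_dns_header(raw)
        print(label, as_proposed_fields(hdr), "successful:", hdr.successful,
              "anomalies:", header_anomalies(hdr))
```

The response sample decodes to Response, Authoritative, RecursionDesired and RecursionAvailable set with ResponseCode 3 (Name Error), so "successful" is false and the reason is visible, which is exactly what the proposed ResponseCode element gives that the boolean cannot.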