Network DNS Traffic
Passive DNS transaction logs — query/response pairs for A, AAAA, CNAME, MX, TXT, PTR, SRV, SOA, NS, and DNSKEY records. Mixed internal/external resolvers with NXDOMAIN, SERVFAIL, and REFUSED errors.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-dns/generator.yml \
  --id dns \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| A | IPv4 address lookup | ~60% | network |
| AAAA | IPv6 address lookup | ~16% | network |
| PTR | Reverse DNS lookup | ~8% | network |
| CNAME | Alias resolution with CDN chains | ~4% | network |
| HTTPS | SVCB/HTTPS service binding | ~3% | network |
| TXT | SPF/DKIM/DMARC records | ~3% | network |
| MX | Mail exchange lookup | ~2% | network |
| SRV | Service location (AD, SIP) | ~2% | network |
| NS | Nameserver delegation | ~1% | network |
| SOA | Zone authority info | ~0.6% | network |
Realism Features
- Weighted query type distribution matching typical enterprise DNS traffic
- Mixed internal/external domains per template (e.g. 35% internal for A records, 90% for SRV)
- Response code distribution — ~86% NOERROR, ~10% NXDOMAIN, ~3% SERVFAIL, ~1% REFUSED
- Realistic answer data — CNAME chains, MX priorities, SRV records for Active Directory services
- 40 real-world external domains and 30 internal service hostnames
- Transport variation — UDP (~97%) vs TCP (~3%), higher TCP for TXT and SOA queries
Sample Output
```json
{
  "@timestamp": "2026-02-21T12:00:01.234567+00:00",
  "dns": {
    "answers": [{ "data": "142.250.80.4", "name": "www.google.com", "type": "A" }],
    "question": { "name": "www.google.com", "type": "A" },
    "response_code": "NOERROR",
    "type": "answer"
  },
  "event": {
    "category": ["network"],
    "dataset": "network_traffic.dns",
    "kind": "event"
  },
  "network": { "protocol": "dns", "transport": "udp" }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | SENSOR01 | Packetbeat sensor hostname |
| dns_server_ip | 10.0.0.10 | Monitored DNS server IP |
| internal_domain | contoso.local | Internal domain suffix |
| agent_id | b59c76de-... | Packetbeat agent ID |
| agent_version | 8.17.0 | Packetbeat version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.