log enables query logging to standard output.


By just using log you dump all queries (and parts for the reply) on standard output. Options exist to tweak the output a little. The date/time prefix on log lines is RFC3339 formatted with milliseconds.

Note that for busy servers logging will incur a performance hit.


  • With no arguments, a query log entry is written to stdout in the common log format for all requests

Or if you want/need slightly more control:

  • NAME is the name to match in order to be logged
  • FORMAT is the log format to use (default is Common Log Format)

You can further specify the classes of responses that get logged:

log [NAME] [FORMAT] {
    class CLASSES...
  • CLASSES is a space-separated list of classes of responses that should be logged

The classes of responses have the following meaning:

  • success: successful response
  • denial: either NXDOMAIN or NODATA (name exists, type does not)
  • error: SERVFAIL, NOTIMP, REFUSED, etc. Anything that indicates the remote server is not willing to resolve the request.
  • all: the default - nothing is specified. Using of this class means that all messages will be logged whatever we mix together with “all”.

If no class is specified, it defaults to all.

Log Format

You can specify a custom log format with any placeholder values. Log supports both request and response placeholders.

The following place holders are supported:

  • {type}: qtype of the request
  • {name}: qname of the request
  • {class}: qclass of the request
  • {proto}: protocol used (tcp or udp)
  • {remote}: client’s IP address, for IPv6 addresses these are enclosed in brackets: [::1]
  • {local}: server’s IP address, for IPv6 addresses these are enclosed in brackets: [::1]
  • {size}: request size in bytes
  • {port}: client’s port
  • {duration}: response duration
  • {rcode}: response RCODE
  • {rsize}: raw (uncompressed), response size (a client may receive a smaller response)
  • {>rflags}: response flags, each set flag will be displayed, e.g. “aa, tc”. This includes the qr bit as well
  • {>bufsize}: the EDNS0 buffer size advertised in the query
  • {>do}: is the EDNS0 DO (DNSSEC OK) bit set in the query
  • {>id}: query ID
  • {>opcode}: query OPCODE
  • {/[LABEL]}: any metadata label is accepted as a place holder if it is enclosed between {/ and }. the place holder will be replaced by the corresponding metadata value or the default value - if label is not defined.

The default Common Log Format is:

`{remote}:{port} - {>id} "{type} {class} {name} {proto} {size} {>do} {>bufsize}" {rcode} {>rflags} {rsize} {duration}`

Each of these logs will be outputted with log.Infof, so a typical example looks like this:

2018-10-30T19:10:07.547Z [INFO] [::1]:50759 - 29008 "A IN example.org. udp 41 false 4096" NOERROR qr,rd,ra,ad 68 0.037990251s

## Examples

Log all requests to stdout

~~~ corefile
. {

Custom log format, for all zones (.)

. {
    log . "{proto} Request: {name} {type} {>id}"

Only log denials for example.org (and below to a file)

. {
    log example.org {
        class denial

Log all queries which were not resolved successfully

. {
    log . {
        class denial error

Log all queries on which we did not get errors

. {
    log . {
        class denial success

Also the multiple statements can be OR-ed, for example, we can rewrite the above case as following:

. {
    log . {
        class denial
        class success