DNS Keywords

DNS keywords are designed to match on various fields of a DNS request. The buffers are normalized so that content matching can be written against the literal domain name.

dns.query

Sticky buffer to match on the content of a DNS request query.

Example:

alert dns any any -> any any (classtype:misc-attack; \
msg:"content matching in dns query field"; \
dns.query; content:"mail.example.com"; sid:1; rev:1;)

Note

The older dns_query keyword is deprecated and should no longer be used.
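As an added illustration (not code from the Suricata documentation), the following Python parses a constructed DNS query, rebuilds the dotted name the way the normalized dns.query buffer presents it, and runs the same substring match as the rule above; the helper names are my own.

```python
import struct

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A/IN query for qname, built offline.
    The wire format stores the name as length-prefixed labels, not dotted text."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_qname(msg: bytes, offset: int = 12) -> str:
    """Normalization step: decode the question name into 'mail.example.com' form.
    The dots never appear on the wire, so raw-payload content matching would miss them."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)

def dns_query_match(msg: bytes, content: str, nocase: bool = False) -> bool:
    """Emulate `dns.query; content:"..."`: substring match on the normalized name,
    with optional case-insensitivity as the nocase modifier would give."""
    name = parse_qname(msg)
    if nocase:
        return content.lower() in name.lower()
    return content in name

# Constructed query for the domain used in the rule above.
SAMPLE = build_query("mail.example.com")

if __name__ == "__main__":
    print("raw payload contains dotted name:", b"mail.example.com" in SAMPLE)  # False
    print("normalized buffer:", parse_qname(SAMPLE))
    print("rule would alert:", dns_query_match(SAMPLE, "mail.example.com"))  # True
```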