Enabling DNStap logging on most popular DNS servers

This post details how to enable the dnstap feature in main open source dns servers.

dnstap is a flexible, structured binary log format for DNS servers. It uses Protocol Buffers to encode DNS packets in events.

dnstap can encode any DNS messages with network informations like ip and port. It includes client queries and responses.

Introduction

This dnstap feature has been tested with success with the following dns servers:

	RQ/RS	CQ/CR	AQ/AR	FQ/FR	Unix Socket	TCP Stream	TLS support	Extra Field
Bind	x	x	x		x	x
PowerDNS recursor	x				x	x
PowerDNS dnsdist		x			x	x		x
NSD			x		x
Unbound	x	x		x	x	x	x
CoreDNS		x		x	x	x	x	x
Knot Resolver		x			x
Knot DNS			X		x

ISC bind

Dnstap messages supported:

RESOLVER_QUERY
RESOLVER_RESPONSE
CLIENT_QUERY
CLIENT_RESPONSE
AUTH_QUERY
AUTH_RESPONSE

Build with dnstap support

Since 9.16 version, the dnstap feature is enabled before that you need to download latest source and build-it with dnstap support:

./configure --enable-dnstap
make && make install

Unix socket

Update the configuration file /etc/named.conf to activate the dnstap feature:

options {
    dnstap { client; auth; resolver; forwarder; };
    dnstap-output unix "/var/run/named/dnstap.sock";
    dnstap-identity "dns-bind";
    dnstap-version "bind";
}

Execute the dnstap receiver with named user:

su - named -s /bin/bash -c "dnstap_receiver -u "/var/run/named/dnstap.sock""

If you have some troubles take a look to selinux

TCP stream

Not supported on Bind! You can apply the following workaround with the socat or stunnel command.

while true; do socat unix-listen:/var/run/dnsdist/dnstap.sock tcp4-connect:<ip_dnstap_receiver>:<port_dnstap_receiver>,forever,interval=10, fork; sleep 1; done

PowerDNS - pdns-recursor

Dnstap messages supported:

RESOLVER_QUERY
RESOLVER_RESPONSE

Unix socket

Update the configuration file to activate the dnstap feature:

vim /etc/pdns-recursor/recursor.conf
lua-config-file=/etc/pdns-recursor/recursor.lua

vim /etc/pdns-recursor/recursor.lua
dnstapFrameStreamServer("/var/run/pdns-recursor/dnstap.sock")

Execute the dnstap receiver with pdns-recursor user:

su - pdns-recursor -s /bin/bash -c "dnstap_receiver -u "/var/run/pdns-recursor/dnstap.sock""

TCP stream

Update the configuration file to activate the dnstap feature with tcp mode and execute the dnstap receiver in listening tcp socket mode:

vim /etc/pdns-recursor/recursor.conf
lua-config-file=/etc/pdns-recursor/recursor.lua

vim /etc/pdns-recursor/recursor.lua
dnstapFrameStreamServer("10.0.0.100:6000")

Note: TCP stream are only supported with a recent version of libfstrm.

PowerDNS - dnsdist

Dnstap messages supported:

CLIENT_QUERY
CLIENT_RESPONSE

Unix socket

Create the dnsdist folder where the unix socket will be created:

mkdir -p /var/run/dnsdist/
chown dnsdist.dnsdist /var/run/dnsdist/

Update the configuration file /etc/dnsdist/dnsdist.conf to activate the dnstap feature:

fsul = newFrameStreamUnixLogger("/var/run/dnsdist/dnstap.sock")
addAction(AllRule(), DnstapLogAction("dnsdist", fsul))
addResponseAction(AllRule(), DnstapLogResponseAction("dnsdist", fsul))
-- Cache Hits
addCacheHitResponseAction(AllRule(), DnstapLogResponseAction("dnsdist", fsul))

Execute the dnstap receiver with dnsdist user:

su - dnsdist -s /bin/bash -c "dnstap_receiver -u "/var/run/dnsdist/dnstap.sock""

TCP stream

Update the configuration file /etc/dnsdist/dnsdist.conf to activate the dnstap feature with tcp stream and execute the dnstap receiver in listening tcp socket mode:

fsul = newFrameStreamTcpLogger("127.0.0.1:8888")
addAction(AllRule(), DnstapLogAction("dnsdist", fsul))
addResponseAction(AllRule(), DnstapLogResponseAction("dnsdist", fsul))
-- Cache Hits
addCacheHitResponseAction(AllRule(), DnstapLogResponseAction("dnsdist", fsul))

NLnetLabs - nsd

Dnstap messages supported:

AUTH_QUERY
AUTH_RESPONSE

Build with dnstap support

Download latest source and build-it with dnstap support:

./configure --enable-dnstap
make && make install

Unix socket

Update the configuration file /etc/nsd/nsd.conf to activate the dnstap feature:

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/var/run/nsd/dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-auth-query-messages: yes
    dnstap-log-auth-response-messages: yes

Execute the dnstap receiver with nsd user:

su - nsd -s /bin/bash -c "dnstap_receiver -u "/var/run/nsd/dnstap.sock""

NLnetLabs - unbound

Dnstap messages supported:

CLIENT_QUERY
CLIENT_RESPONSE
RESOLVER_QUERY
RESOLVER_RESPONSE

Build with dnstap support

Download latest source and build-it with dnstap support:

./configure --enable-dnstap
make && make install

Unix socket

Update the configuration file /etc/unbound/unbound.conf to activate the dnstap feature:

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-resolver-query-messages: yes
    dnstap-log-resolver-response-messages: yes
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
    dnstap-log-forwarder-query-messages: yes
    dnstap-log-forwarder-response-messages: yes

Execute the dnstap receiver with unbound user:

su - unbound -s /bin/bash -c "dnstap_receiver -u "/usr/local/etc/unbound/dnstap.sock""

TCP stream

Update the configuration file /etc/unbound/unbound.conf to activate the dnstap feature with tcp mode and execute the dnstap receiver in listening tcp socket mode:

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: ""
    dnstap-ip: "10.0.0.100@6000"
    dnstap-tls: no
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes

TLS stream

Update the configuration file /etc/unbound/unbound.conf to activate the dnstap feature with tls mode and execute the dnstap receiver in listening tcp/tls socket mode:

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: ""
    dnstap-ip: "10.0.0.100@6000"
    dnstap-tls: yes
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes

CoreDNS

Dnstap messages supported:

CLIENT_QUERY
CLIENT_RESPONSE
FORWARDER_QUERY
FORWARDER_RESPONSE

Unix socket

corefile example

.:53 {
    dnstap /tmp/dnstap.sock full
    forward . 8.8.8.8:53
}

Then execute CoreDNS with your corefile

 ./coredns -conf corefile

TCP stream

corefile example

.:53 {
        dnstap tcp://10.0.0.51:6000 full
        forward . 8.8.8.8:53
}

Then execute CoreDNS with your corefile

 ./coredns -conf corefile

TLS stream

corefile example

.:53 {
        dnstap tls://10.0.0.51:6000 full {
          skip-verify
        }
        forward . 8.8.8.8:53
}

Then execute CoreDNS with your corefile

 ./coredns -conf corefile

CZ-NIC - Knot Resolver

Unix socket

corefile example

net.listen("0.0.0.0", 5553)

modules.load('nsid')
nsid.name('instance1')

modules = {
    dnstap = {
        socket_path = "/tmp/dnstap.sock",
        identity =  nsid.name() or "",
        version = "knot-resolver" .. package_version(),
        client = {
            log_queries = true,
            log_responses = true,
        },
    }
}

Then execute the Knot Resolver, example with docker

sudo docker run -d -v $PWD/kresd.conf:/etc/knot-resolver/kresd.conf --name=knot --network=host cznic/knot-resolver -n -c /etc/knot-resolver/kresd.conf

Table of Content

Enabling DNStap logging on most popular DNS servers