dnstap

README

dnstap

Name

dnstap - enables logging to dnstap.

Description

dnstap is a flexible, structured binary log format for DNS software; see https://dnstap.info. With this plugin you make CoreDNS output dnstap logging.

Every message is sent to the socket as soon as it comes in, the dnstap plugin has a buffer of 10000 messages, above that number dnstap messages will be dropped (this is logged).

Syntax

dnstap SOCKET [full] {
  [identity IDENTITY]
  [version VERSION]
  [extra EXTRA]
  [skipverify]
}

• SOCKET is the socket (path) supplied to the dnstap command line tool.
• full to include the wire-format DNS message.
• IDENTITY to override the identity of the server. Defaults to the hostname.
• VERSION to override the version field. Defaults to the CoreDNS version.
• EXTRA to define "extra" field in dnstap payload, metadata replacement available here.
• skipverify to skip tls verification during connection. Default to be secure

Examples

Log information about client requests and responses to /tmp/dnstap.sock.

dnstap /tmp/dnstap.sock

Log information including the wire-format DNS message about client requests and responses to /tmp/dnstap.sock.

dnstap unix:///tmp/dnstap.sock full

Log to a remote endpoint.

dnstap tcp://127.0.0.1:6000 full

Log to a remote endpoint by FQDN.

dnstap tcp://example.com:6000 full

Log to a socket, overriding the default identity and version.

dnstap /tmp/dnstap.sock {
  identity my-dns-server1
  version MyDNSServer-1.2.3
}

Log to a socket, customize the "extra" field in dnstap payload. You may use metadata provided by other plugins in the extra field.

forward . 8.8.8.8
metadata
dnstap /tmp/dnstap.sock {
  extra "upstream: {/forward/upstream}"
}

Log to a remote TLS endpoint.

dnstap tls://127.0.0.1:6000 full {
  skipverify
}

You can use dnstap more than once to define multiple taps. The following logs information including the wire-format DNS message about client requests and responses to /tmp/dnstap.sock, and also sends client requests and responses without wire-format DNS messages to a remote FQDN.

dnstap /tmp/dnstap.sock full
dnstap tcp://example.com:6000

Command Line Tool

Dnstap has a command line tool that can be used to inspect the logging. The tool can be found at Github: https://github.com/dnstap/golang-dnstap. It's written in Go.

The following command listens on the given socket and decodes messages to stdout.

$ dnstap -u /tmp/dnstap.sock

The following command listens on the given socket and saves message payloads to a binary dnstap-format log file.

$ dnstap -u /tmp/dnstap.sock -w /tmp/test.dnstap

Listen for dnstap messages on port 6000.

$ dnstap -l 127.0.0.1:6000

Using Dnstap in your plugin

In your setup function, collect and store a list of all dnstap plugins loaded in the config:

x :=  &ExamplePlugin{}

c.OnStartup(func() error {
    if taph := dnsserver.GetConfig(c).Handler("dnstap"); taph != nil {
        for tapPlugin, ok := taph.(*dnstap.Dnstap); ok; tapPlugin, ok = tapPlugin.Next.(*dnstap.Dnstap) {
            x.tapPlugins = append(x.tapPlugins, tapPlugin)
        }
    }
    return nil
})

And then in your plugin:

import (
  "github.com/brankomijuskovic/coredns_custom/plugin/dnstap/msg"
  "github.com/brankomijuskovic/coredns_custom/request"

  tap "github.com/dnstap/golang-dnstap"
)

func (x ExamplePlugin) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
    for _, tapPlugin := range x.tapPlugins {
        q := new(msg.Msg)
        msg.SetQueryTime(q, time.Now())
        msg.SetQueryAddress(q, w.RemoteAddr())
        if tapPlugin.IncludeRawMessage {
            buf, _ := r.Pack() // r has been seen packed/unpacked before, this should not fail
            q.QueryMessage = buf
        }
        msg.SetType(q, tap.Message_CLIENT_QUERY)
        
        // if no metadata interpretation is needed, just send the message
        tapPlugin.TapMessage(q)

        // OR: to interpret the metadata in "extra" field, give more context info
        tapPlugin.TapMessageWithMetadata(ctx, q, request.Request{W: w, Req: query})
    }
    // ...
}

See Also

The website dnstap.info has info on the dnstap protocol. The forward plugin's dnstap.go uses dnstap to tap messages sent to an upstream.

Documentation

Index

• type Dnstap
  • func (h Dnstap) Name() string
  • func (h Dnstap) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)
  • func (h Dnstap) TapMessage(m *tap.Message)
  • func (h Dnstap) TapMessageWithMetadata(ctx context.Context, m *tap.Message, state request.Request)
• type ResponseWriter
  • func (w *ResponseWriter) WriteMsg(resp *dns.Msg) error

Types

type Dnstap

type Dnstap struct {
	Next plugin.Handler

	// IncludeRawMessage will include the raw DNS message into the dnstap messages if true.
	IncludeRawMessage bool
	Identity          []byte
	Version           []byte
	ExtraFormat       string
	// contains filtered or unexported fields
}

Dnstap is the dnstap handler.

func (Dnstap) Name

func (h Dnstap) Name() string

Name implements the plugin.Plugin interface.

func (Dnstap) ServeDNS

func (h Dnstap) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS logs the client query and response to dnstap and passes the dnstap Context.

func (Dnstap) TapMessage

func (h Dnstap) TapMessage(m *tap.Message)

TapMessage sends the message m to the dnstap interface, without populating "Extra" field.

func (Dnstap) TapMessageWithMetadata

func (h Dnstap) TapMessageWithMetadata(ctx context.Context, m *tap.Message, state request.Request)

TapMessageWithMetadata sends the message m to the dnstap interface, with "Extra" field being populated.

type ResponseWriter

type ResponseWriter struct {
	dns.ResponseWriter
	Dnstap
	// contains filtered or unexported fields
}

ResponseWriter captures the client response and logs the query to dnstap.

func (*ResponseWriter) WriteMsg

func (w *ResponseWriter) WriteMsg(resp *dns.Msg) error

WriteMsg writes back the response to the client and THEN works on logging the request and response to dnstap.