DNS tap

About

Installation

Setting up DNStap on Bind

Enable DNStap in Bind

For DNStap to be available, Bind must have been built with the --enable-dnstap option passed to ./configure. Distributions such as Debian appear to include this flag by default. To check, run named -V to show all the build options and look for --enable-dnstap.

If it isn't there, you will need to build Bind from source with the fstrm and protobuf libraries available at compile time.

Install DNStap requirements

DNStap requires fstrm and protobuf. Install them with the following command:

sudo apt install fstrm-bin protobuf-compiler protobuf-c-compiler

Configuration

Capturing the DNS queries

Add a dnstap section to named.conf.options with the following contents, which write the capture to a file (change the destination path to suit):

dnstap {
  auth;
  resolver query;
  client response;
};
dnstap-output file "/var/tmp/example.dnstap";

I don't know why, but I couldn't get dnstap to log to the file until I fully restarted the system. That shouldn't be necessary and perhaps doing a full systemctl stop command followed by starting Bind would have kicked it into gear, but I didn't try that.

Reviewing the DNS query logs

Bind ships with a tool called dnstap-read that extracts plaintext records from the dnstap capture file. Point it at the file named by the dnstap-output file option configured in the previous step.
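As an added example (not part of the original page), a small POSIX shell script for triaging what dnstap-read prints from the capture configured above: which names are being queried most, and which clients are receiving the most responses. It assumes dnstap-read's one-line text format, which the constructed sample below reproduces, and IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed dnstap-read line format:
#   <date> <time> <TYPE> <addr:port> -> <addr:port> <proto> <N>b <qname>/<class>/<rtype>
# TYPE is two letters (first: C=client, R=resolver, A=auth; second: Q=query, R=response);
# responses use "<-" instead of "->". Constructed sample using documentation address ranges,
# matching the "resolver query; client response;" capture configured above.
SAMPLE='01-Mar-2024 10:00:00.001 RQ 198.51.100.1:53 -> 203.0.113.5:53 UDP 30b example.com/IN/A
01-Mar-2024 10:00:00.041 CR 192.0.2.10:41234 <- 198.51.100.1:53 UDP 80b example.com/IN/A
01-Mar-2024 10:00:01.000 RQ 198.51.100.1:53 -> 203.0.113.5:53 UDP 34b www.example.com/IN/AAAA
01-Mar-2024 10:00:01.050 CR 192.0.2.10:41235 <- 198.51.100.1:53 UDP 90b www.example.com/IN/AAAA
01-Mar-2024 10:00:02.000 RQ 198.51.100.1:53 -> 203.0.113.5:53 UDP 30b example.com/IN/A
01-Mar-2024 10:00:02.030 CR 192.0.2.11:50001 <- 198.51.100.1:53 UDP 80b example.com/IN/A
01-Mar-2024 10:00:03.000 RQ 198.51.100.1:53 -> 203.0.113.5:53 TCP 30b example.com/IN/TXT'

# Count outgoing queries per name (any line whose type ends in Q, e.g. RQ or AQ).
# Reads dnstap-read output on stdin; prints "count qname", most queried first.
top_qnames() {
  awk '$3 ~ /Q$/ { split($9, f, "/"); n[f[1]]++ }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Count responses delivered to each client (CR lines: client addr <- server addr).
# Strips the ":port" suffix, so IPv4 only; prints "count client_ip", busiest first.
per_client() {
  awk '$3 == "CR" { ip = $4; sub(/:[0-9]+$/, "", ip); n[ip]++ }
       END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# On a real capture: dnstap-read /var/tmp/example.dnstap | top_qnames
printf '%s\n' "$SAMPLE" | top_qnames
printf '%s\n' "$SAMPLE" | per_client
```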

References

The following is a list of resources I used to set up DNStap. It's a combination of other blog posts and documentation. The list is loosely in order from most helpful to least. I did not include resources that were not helpful (and there were many of those!).