dnstap
Introduction
dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.
Currently dnstap can only encode wire-format DNS messages. It is planned to support additional types of DNS log information.
Support for dnstap is included in several DNS servers, including:
Knot DNS as of version 1.5.0
Unbound as of version 1.5.0
BIND as of version 9.11
Knot Resolver as of version 1.2.5
CoreDNS as of version 1.5.0
NSD as of version 4.1.26
Dnsdist as of version 1.3.0
A standalone command-line tool for receiving and decoding dnstap log messages is also being worked on. Check out this example output from the dnstap command to get an idea of the kind of information that dnstap can encode.
The current development trees can be found on the Source page.
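To make the description above concrete, here is an added example (not code from the dnstap project) that builds and decodes one dnstap payload by hand: a protobuf Dnstap envelope carrying a Message whose query_message field is the raw wire-format DNS query, which is the one kind of event dnstap currently encodes. It assumes the field numbers and enum values of the published dnstap.proto as listed in the comments, and it leaves out the Frame Streams (fstrm) framing that carries such payloads between a DNS server and a collector.

```python
import socket, struct

# Field numbers and enum values are assumed from the published dnstap.proto (not on this page): Dnstap{identity=1,
# type=15 (MESSAGE=1), message=14}; Message{type=1 (CLIENT_QUERY=5), socket_family=2 (INET=1), socket_protocol=3
# (UDP=1), query_address=4, query_port=6, query_time_sec=8, query_time_nsec=9 (fixed32), query_message=10}.
MSG_TYPES = {3: "RESOLVER_QUERY", 4: "RESOLVER_RESPONSE", 5: "CLIENT_QUERY", 6: "CLIENT_RESPONSE"}

def _varint(n):                                   # protobuf base-128 varint
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80); n >>= 7
    return bytes(out + bytes([n]))
def _read_varint(buf, i):                         # returns (value, next offset)
    n = shift = 0
    while buf[i] & 0x80:
        n, shift, i = n | (buf[i] & 0x7F) << shift, shift + 7, i + 1
    return n | buf[i] << shift, i + 1

def _bytes(num, b): return _varint(num << 3 | 2) + _varint(len(b)) + b        # wire type 2
def _uint(num, v): return _varint(num << 3 | 0) + _varint(v)                  # wire type 0
def _fixed32(num, v): return _varint(num << 3 | 5) + struct.pack("<I", v)     # wire type 5

def parse_fields(buf):                            # {field_number: value}; length-delimited fields stay bytes
    out, i = {}, 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        num, wire = key >> 3, key & 7
        if wire == 0: out[num], i = _read_varint(buf, i)
        elif wire == 5: out[num], i = struct.unpack_from("<I", buf, i)[0], i + 4
        elif wire == 2: n, i = _read_varint(buf, i); out[num], i = bytes(buf[i:i + n]), i + n
        else: raise ValueError("unsupported wire type %d" % wire)
    return out

def qname(dns_msg):                               # first QNAME of a wire-format DNS message (uncompressed)
    labels, i = [], 12                            # skip the 12-byte DNS header
    while dns_msg[i]:
        labels.append(dns_msg[i + 1:i + 1 + dns_msg[i]].decode("ascii")); i += 1 + dns_msg[i]
    return ".".join(labels)

def encode_client_query(identity, qmsg, client_ip, client_port, ts_sec, ts_nsec):
    """Build the Dnstap payload a resolver would log for one CLIENT_QUERY received over UDP/IPv4."""
    msg = (_uint(1, 5) + _uint(2, 1) + _uint(3, 1) + _bytes(4, socket.inet_aton(client_ip))
           + _uint(6, client_port) + _uint(8, ts_sec) + _fixed32(9, ts_nsec) + _bytes(10, qmsg))
    return _bytes(1, identity) + _uint(15, 1) + _bytes(14, msg)
def decode(payload):                              # the fields a log consumer cares about
    top = parse_fields(payload); m = parse_fields(top[14])
    return {"identity": top[1].decode(), "type": MSG_TYPES.get(m[1], m[1]), "time": (m[8], m[9]),
            "client": "%s:%d" % (socket.inet_ntoa(m[4]), m[6]), "qname": qname(m[10])}

# Constructed sample: wire-format A query for example.com (12-byte header + one question).
QUERY = bytes.fromhex("beef01000001000000000000" "076578616d706c6503636f6d00" "00010001")
PAYLOAD = encode_client_query(b"resolver01", QUERY, "192.0.2.10", 53011, 1700000000, 500)
```

Because the envelope is plain protobuf, parse_fields works on any Dnstap payload without generated code, which is handy when checking what a server actually emits before wiring it into a collector.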
Presentations
dnstap-whoami: one-legged exfiltration of resolver queries. Slides. Presented in October 2015 at the OARC 2015 Fall Workshop by Robert Edmonds in Montréal.
Passive DNS Collection and Analysis: The 'dnstap' (& fstrm) Approach. Slides. Presented in December 2014 at Verisign Labs by Paul Vixie and Robert Edmonds in Reston, VA.
dnstap: brief intro and update. Slides. Presented in June 2014 at NANOG 61 by Merike Kaeo in Bellevue, WA.
dnstap: introduction and status update. Slides. Presented in May 2014 at the OARC 2014 Spring Workshop by Robert Edmonds in Warsaw.
dnstap: high speed DNS logging without packet capture. Presented in April 2014 at FIRST TC by Jeroen Massar in Amsterdam.
dnstap: high speed DNS logging without packet capture. Slides. Presented in April 2014 at APWG eCrime Researchers Sync-Up IV by Jeroen Massar in Oberammergau, Germany.
dnstap: high speed DNS logging without packet capture. Slides. Video. Tutorial. Presented in February 2014 at NANOG 60 by Robert Edmonds in Atlanta.
Passive DNS Collection and Analysis: The 'dnstap' Approach. Slides. Presented in January 2014 at FloCon 2014 by Paul Vixie in Charleston, SC.
dnstap: high speed DNS server event replication without packet capture. Slides. Presented in June 2013 by Robert Edmonds.
Community
There is a mailing list for everyone interested in discussing dnstap.
Source code, website code, and presentation material are being hosted on GitHub.