dnstap

Introduction

dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.

Currently dnstap can only encode wire-format DNS messages. It is planned to support additional types of DNS log information.

Support for dnstap is included in several DNS servers, including:

• Knot DNS as of version 1.5.0

• Unbound as of version 1.5.0

• BIND as of version 9.11

• Knot Resolver as of version 1.2.5

• CoreDNS as of version 1.5.0

• NSD as of version 4.1.26

• Dnsdist as of version 1.3.0

• PowerDNS recursor as of version 4.3.0

A standalone command-line tool for receiving and decoding dnstap log messages is also being worked on. Check out this example output from the dnstap command to get an idea of the kind of information that dnstap can encode.

The current development trees can be found on the Source page.

Presentations

dnstap-whoami: one-legged exfiltration of resolver queries. Slides. Presented in October 2015 at the OARC 2015 Fall Workshop by Robert Edmonds in Montréal.

Passive DNS Collection and Analysis: The 'dnstap' (& fstrm) Approach. Slides. Presented in December 2014 at Verisign Labs by Paul Vixie and Robert Edmonds in Reston, VA.

dnstap: brief intro and update. Slides. Presented in June 2014 at NANOG 61 by Merike Kaeo in Bellevue, WA.

dnstap: introduction and status update. Slides. Presented in May 2014 at the OARC 2014 Spring Workshop by Robert Edmonds in Warsaw.

dnstap: high speed DNS logging without packet capture. Presented in April 2014 at FIRST TC by Jeroen Massar in Amsterdam.

dnstap: high speed DNS logging without packet capture. Slides. Presented in April 2014 at APWG eCrime Researchers Sync-Up IV by Jeroen Massar in Oberammergau, Germany.

dnstap: high speed DNS logging without packet capture. Slides. Video. Tutorial. Presented in February 2014 at NANOG 60 by Robert Edmonds in Atlanta.

Passive DNS Collection and Analysis: The 'dnstap' Approach. Slides. Presented in January 2014 at FloCon 2014 by Paul Vixie in Charleston, SC.

dnstap: high speed DNS server event replication without packet capture. Slides. Presented in June 2013 by Robert Edmonds.

Community

There is a mailing list for everyone interested in discussing dnstap.

Source code, website code, and presentation material is being hosted on GitHub.