DNSTAP coming to dsc!
You will be able to receive DNS messages over DNSTAP instead of capturing them on an interface. These messages come directly from the DNS server / daemon / software itself, and because of that you can get statistics even on encrypted DNS transmissions.
Currently you can choose to capture on interfaces or get it over DNSTAP. If you go with DNSTAP there are four different ways to receive it: file, UNIX socket, TCP or UDP (see config options
As per the design of DNSTAP, some types of DNSTAP message might not include all the information dsc needs, so you might need to fill it in to be able to produce statistics. This is done via dnstap_network. Check the man page for more information.
NOTE: the DNSTAP support is currently Work in Progress (WIP), but has been tested to work with bind9 and unbound. Please reach out to me if you have any issues and I would love to hear if anyone will be testing this!
A new library for encoding and decoding DNS encapsulated formats, with helper functions for reading and writing. Its main focus is to be as lightweight as possible, to use few memory allocations, and to be usable on its own or hooked into any event engine.
To this end, it does not open files or connections but instead it can read and write against buffers or file descriptors.
Right now it uses Frame Streams as the protocol, which is well suited for the task and can support multiple content types. The only content type currently supported is DNSTAP using Google’s Protocol Buffers, but more can easily be added.
Currently WIP, so documentation is missing, but I’ve made a bunch of examples you can look at that hopefully give a good idea of how it works:
It’s also not restricted in the way of communicating like other Frame Streams implementations, i.e. the consumer listens for connections from the producer; see client_receiver_uv for an example of how it can work the other way around.
Another new, very lightweight and allocation-free library for encoding and decoding Frame Streams.
Currently also WIP, thus missing examples and documentation.
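To make the Frame Streams framing that both libraries above deal with concrete, here is an added example (my own illustration, not code from either library) that encodes and decodes a unidirectional Frame Streams byte stream carrying DNSTAP payloads: a START control frame announcing the content type, length-prefixed data frames, and a STOP control frame. The payload bytes are constructed stand-ins, not real Dnstap protobuf messages; the decoder rejects truncated input instead of reading past the buffer.

```python
import struct

# Frame Streams control frame types and the CONTENT_TYPE control field.
CONTROL_ACCEPT, CONTROL_START, CONTROL_STOP, CONTROL_READY, CONTROL_FINISH = 1, 2, 3, 4, 5
CONTROL_FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"  # content type used by DNSTAP producers


def _u32(buf, off):
    """Read one big-endian uint32 at off, refusing to read past the end of buf."""
    if off + 4 > len(buf):
        raise ValueError("truncated frame at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0]


def encode_control(ctrl_type, content_types=()):
    """Escape (data length 0) + control frame length + control type + CONTENT_TYPE fields."""
    body = struct.pack(">I", ctrl_type)
    for ct in content_types:
        body += struct.pack(">II", CONTROL_FIELD_CONTENT_TYPE, len(ct)) + ct
    return struct.pack(">II", 0, len(body)) + body


def encode_data(payload):
    """A data frame is just a 4-byte big-endian length followed by the payload."""
    return struct.pack(">I", len(payload)) + payload


def encode_stream(payloads, content_type=DNSTAP_CONTENT_TYPE):
    """Unidirectional stream (what a dnstap file holds): START, data frames, STOP."""
    frames = [encode_control(CONTROL_START, [content_type])]
    frames += [encode_data(p) for p in payloads]
    frames.append(encode_control(CONTROL_STOP))
    return b"".join(frames)


def decode_stream(buf):
    """Return a list of ('control', type, [content types]) and ('data', payload) frames."""
    frames, off = [], 0
    while off < len(buf):
        n = _u32(buf, off); off += 4
        if n == 0:  # escape sequence: a control frame follows
            n = _u32(buf, off); off += 4
            ctrl = buf[off:off + n]
            if len(ctrl) != n or n < 4:
                raise ValueError("truncated or malformed control frame")
            ctype, fields, pos = _u32(ctrl, 0), [], 4
            while pos < n:  # walk the control fields; only CONTENT_TYPE is defined
                ftype, flen = _u32(ctrl, pos), _u32(ctrl, pos + 4); pos += 8
                if pos + flen > n:
                    raise ValueError("control field overruns control frame")
                if ftype == CONTROL_FIELD_CONTENT_TYPE:
                    fields.append(ctrl[pos:pos + flen])
                pos += flen
            frames.append(("control", ctype, fields))
        else:
            if off + n > len(buf):
                raise ValueError("truncated data frame")
            frames.append(("data", buf[off:off + n]))
        off += n
    return frames
```

Because a zero data length is the control-frame escape, this framing cannot carry an empty data frame; a consumer should also check that the START frame's content type is the one it expects before handing payloads to a protobuf decoder.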
dnscap v1.10.4 released
This release is *highly recommended* if you depend on the privilege-dropping features, as it fixes a bug that made dnscap not drop privileges when no interface was specified (which is equal to capturing on all interfaces).
Also added functionality to set the supplemental groups when dropping privileges and changing user, or clear them if that is not supported, thanks to a patch from the community.
Other changes include a corrected man page about -w and an update to the documentation.
PacketQ v1.4.2 released
Check My DNS — RPKI origin validation for resolvers!
A quick reminder of my previous blog post about RPKI origin validation between DNS resolvers and authority in Check My DNS:
Stay safe & cheers,