Development Update #2003

Here are some DNS-OARC development highlights from the past couple of months. These updates are usually bi-monthly and previous ones are available on our Medium blog.

DNSTAP coming to dsc!

A long long time ago (2019) an ancient software survey concluded that DNSTAP was quite an interesting piece of technology and now, finally, it has come to dsc!

Okay, maybe not that long ago but it feels like I’ve talked about this for quite some time. Anyway, it’s here(!) with the support of the two new libraries — dnswire and tinyframe (more below).

The next release of dsc, v2.9.0, will include DNSTAP support and it should be rolling out as this development update is posted.

You will be able to receive DNS messages over DNSTAP instead of capturing them on an interface. These messages come directly from the DNS server / daemon / software itself, and because of that you can get statistics even on encrypted DNS transmissions.

Currently you can choose to capture on interfaces or get it over DNSTAP. If you go with DNSTAP there are 4 different ways: file, UNIX socket, TCP or UDP (see config options dnstap_file, dnstap_unixsock, dnstap_tcp and dnstap_udp).

As per the design of DNSTAP, some types of DNSTAP message might not include all the information dsc needs, so you might have to fill it in to be able to produce statistics. This is done via dnstap_network. Check the man-page for more information.

NOTE: the DNSTAP support is currently Work in Progress (WIP), but has been tested to work with bind9 and unbound. Please reach out to me if you have any issues and I would love to hear if anyone will be testing this!

Psst, DNSTAP input for dnscap also planned :)

dnswire released

A new library for encoding and decoding DNS encapsulated formats, with helper functions for reading and writing. Its main focus is to be as lightweight as possible, to use few memory allocations, and to be usable on its own or hooked into any event engine.

To this end, it does not open files or connections but instead it can read and write against buffers or file descriptors.

Right now it uses Frame Streams as its protocol, which is well suited for the task and can support multiple content types. The only content type currently supported is DNSTAP using Google’s Protocol Buffers, but more can easily be added.

It is currently WIP, so documentation is missing, but I’ve made a bunch of examples you can look at that hopefully give a good idea of how it works:

It’s also not restricted to one direction of communication like other Frame Streams implementations, where the consumer listens for connections from the producer; see daemon_sender_uv and client_receiver_uv for an example of how it can work the other way around.

tinyframe released

Another new, very lightweight and allocation-free library for encoding and decoding Frame Streams.

Currently also WIP, thus missing examples and documentation.
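The Frame Streams framing that dnswire and tinyframe encode and decode, as an added Python example (not code from dsc, dnswire or tinyframe): control frames are escaped with a zero length and carry the content type that identifies DNSTAP, data frames carry the protobuf payloads, and a uni-directional stream such as a dnstap file is START, data frames, STOP. The frame layout and the `protobuf:dnstap.Dnstap` content type follow the fstrm specification; the sample stream and its payloads are constructed and stand in for real DNSTAP protobuf messages.

```python
import struct
# Frame Streams constants from the fstrm spec: START/STOP control types and the CONTENT_TYPE field.
CONTROL_START, CONTROL_STOP, FIELD_CONTENT_TYPE = 2, 3, 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"

def encode_control(ctype, content_types=()):
    # Control frame: 4-byte zero escape, 4-byte control length, type, then (type, len, value) fields.
    body = struct.pack(">I", ctype)
    for ct in content_types:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(ct)) + ct
    return struct.pack(">II", 0, len(body)) + body

def encode_data(payload):
    # Data frame: 4-byte big-endian length, then payload. A zero length is reserved as the escape.
    return struct.pack(">I", len(payload)) + payload

def decode_frames(buf):
    # Yields ("data", payload) or ("control", (type, [content types])); truncated input raises.
    pos = 0
    while pos < len(buf):
        length, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4
        if length:  # data frame
            if pos + length > len(buf):
                raise ValueError("truncated data frame")
            yield "data", buf[pos:pos + length]
            pos += length
            continue
        clen, pos = struct.unpack_from(">I", buf, pos)[0], pos + 4  # escape seen: control frame
        if clen < 4 or pos + clen > len(buf):
            raise ValueError("bad control frame length")
        control, pos = buf[pos:pos + clen], pos + clen
        cts, fpos = [], 4
        while fpos < len(control):
            ftype, flen = struct.unpack_from(">II", control, fpos)
            if ftype == FIELD_CONTENT_TYPE:
                cts.append(control[fpos + 8:fpos + 8 + flen])
            fpos += 8 + flen
        yield "control", (struct.unpack_from(">I", control)[0], cts)

def dnstap_file_payloads(buf):
    # A dnstap file is uni-directional: START carrying the content type, data frames, then STOP.
    frames = list(decode_frames(buf))
    if (not frames or frames[0] != ("control", (CONTROL_START, [DNSTAP_CONTENT_TYPE]))
            or frames[-1] != ("control", (CONTROL_STOP, []))):
        raise ValueError("not a dnstap START ... STOP stream")
    return [f[1] for f in frames[1:-1] if f[0] == "data"]

# Constructed sample stream; the payloads stand in for serialized dnstap.Dnstap protobuf messages.
SAMPLE_STREAM = (encode_control(CONTROL_START, [DNSTAP_CONTENT_TYPE]) + encode_data(b"dnstap-msg-1")
                 + encode_data(b"dnstap-msg-2") + encode_control(CONTROL_STOP))
```

Each payload returned by dnstap_file_payloads would then be handed to a protobuf decoder for the dnstap.Dnstap message, which is the layer dsc's statistics are built from.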

dnscap v1.10.4 released

Upgrading to this release is *highly recommended* if you depend on the privilege-dropping features, as it fixes a bug where dnscap did not drop privileges when no interface was specified (which is equivalent to capturing on all interfaces).

It also adds the ability to set the supplemental groups when dropping privileges and changing user, or to clear them if that is not supported, thanks to a patch from the community.

Other changes include a corrected man-page entry for -w and an update to the documentation.

PacketQ v1.4.2 released

This release updates the list of DNS resource types, thanks to Simon Vikström for the patch(!), and includes some work on CI and packaging.

Check My DNS — RPKI origin validation for resolvers!

A quick reminder of my previous blog post about RPKI origin validation between DNS resolvers and authoritative servers in Check My DNS:

Stay safe & cheers,

Domain Name System Operations Analysis and Research Center