[dns-operations] 'dnstap' (Re: Prevalence of query/response logging?)

Robert Edmonds edmonds at mycre.ws
Sat Jul 5 17:30:50 UTC 2014


Roland Dobbins wrote:
> On Jul 5, 2014, at 5:04 AM, Paul Vixie <paul at redbarn.org> wrote:
> 
> > dnstap is completely open source, with a BSD-style license (Apache 2.0). it is sponsored by farsight because we need a uniform DNS telemetry
> > format for our business purposes. 
> 
> I read the dnstap preso with great interest when it was posted, and this appears to be the way to go, moving forward - one hopes we can get the option for dnstap telemetry natively exported over IPFIX, as this would make it easier to perform combinatorial analytics with flow telemetry generated via network infrastructure, as well as speed up the implementation of operationally useful collection/analytical systems.

dnstap payloads are protobufs; they can be embedded in any binary clean
transport.  For instance, our fstrm I/O library [0] was designed with
dnstap/protobuf payloads in mind, but this does not prevent dnstap
payloads from being carried over other transports, such as HTTP, or even
pcap.  (However, for pcap one would need to have a new linktype value
assigned, and very large DNS messages (~64K) would not be representable
due to pcap's 64K frame size limit.)

We have no plans to replace the current protobuf encoding used in dnstap
with any other serialization format.  Of course, this does not prevent
re-encoding dnstap payloads into other formats, or implementing dnstap
input plugins in existing systems, etc.

See [1] for the protobuf definition file used in dnstap.

[0] https://github.com/farsightsec/fstrm

[1] https://github.com/dnstap/dnstap.pb

-- 
Robert Edmonds
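
Added example (not part of the message above, and not code from fstrm or dnstap): a minimal Python writer and reader for a one-way Frame Streams byte stream, showing opaque payloads carried binary-clean behind a 32-bit length prefix, including one larger than 64K, with a reader-side cap on the untrusted length. The frame layout and constants (big-endian 32-bit lengths, a zero length word as the control-frame escape, START/STOP types, content type "protobuf:dnstap.Dnstap", 512-byte control frame limit) are written here as assumptions about the Frame Streams design; MAX_FRAME and the payloads are constructed, not real dnstap protobufs.

```python
import io
import struct

# Frame Streams constants as described in the lead-in (hand-written, not fstrm's code).
CONTROL_START, CONTROL_STOP, FIELD_CONTENT_TYPE = 0x02, 0x03, 0x01
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_FRAME = 1 << 20  # reader-side cap on one data frame (assumed policy value)

def control_frame(ctype, content_type=None):
    body = struct.pack("!I", ctype)
    if content_type is not None:
        body += struct.pack("!II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    return struct.pack("!II", 0, len(body)) + body  # zero length word = escape

def write_stream(payloads):
    out = control_frame(CONTROL_START, DNSTAP_CONTENT_TYPE)
    for p in payloads:
        if not p:
            raise ValueError("empty payload would be read as the escape")
        out += struct.pack("!I", len(p)) + p
    return out + control_frame(CONTROL_STOP)

def _read(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated stream")
    return data

def read_stream(data, max_frame=MAX_FRAME):
    """Return (content_type, payloads); reject oversized or malformed frames."""
    stream, content_type, payloads = io.BytesIO(data), None, []
    while True:
        (length,) = struct.unpack("!I", _read(stream, 4))
        if length:  # data frame: check the untrusted length before allocating
            if length > max_frame:
                raise ValueError("data frame of %d bytes exceeds cap" % length)
            payloads.append(_read(stream, length))
            continue
        (clen,) = struct.unpack("!I", _read(stream, 4))
        if not 4 <= clen <= 512:
            raise ValueError("bad control frame length")
        body = _read(stream, clen)
        (ctype,) = struct.unpack("!I", body[:4])
        if ctype == CONTROL_STOP:
            return content_type, payloads
        if ctype == CONTROL_START and len(body) >= 12:
            ftype, flen = struct.unpack("!II", body[4:12])
            if ftype == FIELD_CONTENT_TYPE and flen == len(body) - 12:
                content_type = body[12:]
```

Calling read_stream with max_frame=65535 on a stream holding a 70000-byte payload raises ValueError, which is the same size ceiling the message describes for a pcap-based carrier.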


