[dsc] Juliano - DNSTAP

Juliano Alves Guidini jguidini at usp.br
Thu Mar 26 20:27:12 UTC 2020


Hi!

I'm trying to configure DSC to use DNSTAP, but something is not working, and I
can't discover what it is.

I have a multi-server scenario: one DNS server (BIND 9.16.1 compiled with
dnstap support) running DSC and another machine running DSP (Apache 2.4 +
cgid). The OS on both is Debian 9 amd64.

DSC setup:
- tinyframe commit 13987e6b6a1180390a036dbca3d623d18a848025
- dnswire commit e7b1143b77b76d4b3a567c872a452b3a8ff8babc
- DSC commit d910a84d91b60358fa3af97de46e02a7c293dd85

Parameters to compile DSC: ./configure --enable-threads --enable-dnstap

My dsc.conf (IPs omitted):
## Start conf
local_address 127.0.0.1;
local_address ::1;
run_dir "/usr/local/dsc/run/e_dns";
minfree_bytes 5000000;
pid_file "/run/dsc.pid";

# DNSTAP confs
dnstap_unixsock /var/lib/named/dnstap.sock;
dnstap_network X.X.X.X ::1 53;

dataset qtype dns All:null Qtype:qtype queries-only;
dataset rcode dns All:null Rcode:rcode replies-only;
dataset opcode dns All:null Opcode:opcode queries-only;
dataset rcode_vs_replylen dns Rcode:rcode ReplyLen:msglen replies-only;
dataset client_subnet dns All:null ClientSubnet:client_subnet queries-only max-cells=200;
dataset qtype_vs_qnamelen dns Qtype:qtype QnameLen:qnamelen queries-only;
dataset qtype_vs_tld dns Qtype:qtype TLD:tld queries-only,popular-qtypes max-cells=200;
dataset certain_qnames_vs_qtype dns CertainQnames:certain_qnames Qtype:qtype queries-only;
dataset client_subnet2 dns Class:query_classification ClientSubnet:client_subnet queries-only max-cells=200;
dataset client_addr_vs_rcode dns Rcode:rcode ClientAddr:client replies-only max-cells=50;
dataset chaos_types_and_names dns Qtype:qtype Qname:qname chaos-class,queries-only;
dataset idn_qname dns All:null IDNQname:idn_qname queries-only;
dataset edns_version dns All:null EDNSVersion:edns_version queries-only;
dataset edns_bufsiz dns All:null EDNSBufSiz:edns_bufsiz queries-only;
dataset do_bit dns All:null D0:do_bit queries-only;
dataset rd_bit dns All:null RD:rd_bit queries-only;
dataset idn_vs_tld dns All:null TLD:tld queries-only,idn-only;
dataset ipv6_rsn_abusers dns All:null ClientAddr:client queries-only,aaaa-or-a6-only,root-servers-net-only max-cells=50;
dataset transport_vs_qtype dns Transport:transport Qtype:qtype queries-only;
dataset client_port_range dns All:null PortRange:dns_sport_range queries-only;
dataset direction_vs_ipproto ip Direction:ip_direction IPProto:ip_proto any;
## End conf

BIND conf inside the global options section (BIND runs in the chroot path
/var/lib/named/):
 dnstap { all; };
 dnstap-output unix "dnstap.sock";

DSC collects, moves the files to the upload directory (I'm using upload-ssh.sh
with some modifications) and copies the XMLs to the DSP server.
The DSP server runs refile-and-grok.sh and generates the DAT files.

But my DAT files have no data, e.g.:
cat qtype.dat
...
1585252560
1585252620
1585252680
1585252740
1585252800
1585252860
1585252920
1585252980
1585253040
1585253100
#MD5 e1ae1ba2e962015d1460fb24dfcb713c

Of course, the DNS server is working and has clients querying it.
My first setup was not using DNSTAP; at first I used the pcap method, and my
data, as well as the graphs, were produced. I tested DNSTAP reading a file
generated by BIND, but DSC read the file, generated the XML and exited. Is
this the expected behavior? If yes, is daemon mode not recommended? Should it
be used in a cron?

Am I doing anything wrong here?

Best Regards,

Juliano Alves Guidini
Analista de Sistemas
USP - STI -  CeTI-SP - SCTIN - SCTS
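As an added example (not code from the original post and not from the DSC or DSP projects), the script below parses a presenter .dat file like the qtype.dat shown above and reports how many intervals carry counters, how many are empty, and whether the timestamp sequence has holes. It assumes, and this is an assumption rather than something the post states, that each data line has the layout `<unix timestamp> [<key> <count>]...` and that the trailing `#MD5 <hex>` line is a checksum trailer, which it skips rather than verifies. Run against the poster's file it reports ten intervals, all empty, which is the "files are produced but carry no counters" condition that distinguishes a collector/parser problem from a missing upload.

```python
"""Report empty intervals in a DSC presenter .dat file.

Added example; not code from the dsc mailing-list post or from the DSC
project.  Format assumption (not stated on the page): one interval per
line, laid out as "<unix timestamp> [<key> <count>]...", and a trailing
"#MD5 <hex>" checksum line that is ignored here, not verified.
"""
import sys
from dataclasses import dataclass, field


@dataclass
class Interval:
    ts: int
    counts: dict = field(default_factory=dict)  # key (e.g. qtype "1") -> count


def parse_dat(text):
    """Parse .dat text into a list of Interval, in file order."""
    intervals = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue  # blank, '#MD5 ...' trailer, or the post's elision marker
        fields = line.split()
        try:
            ts = int(fields[0])
        except ValueError:
            raise ValueError(f"line {lineno}: bad timestamp {fields[0]!r}")
        rest = fields[1:]
        if len(rest) % 2:
            raise ValueError(f"line {lineno}: odd number of key/count fields")
        counts = {}
        for key, val in zip(rest[::2], rest[1::2]):
            counts[key] = counts.get(key, 0) + int(val)
        intervals.append(Interval(ts, counts))
    return intervals


def summarize(intervals, step=60):
    """Count populated vs empty intervals and find holes in the timeline.

    step is the expected spacing between consecutive intervals (DSC's
    default collection period is 60 seconds).
    """
    empty = sum(1 for i in intervals if not i.counts)
    total = sum(sum(i.counts.values()) for i in intervals)
    gaps = [(a.ts, b.ts) for a, b in zip(intervals, intervals[1:])
            if b.ts - a.ts != step]
    return {"intervals": len(intervals), "empty": empty,
            "total": total, "gaps": gaps}


# The poster's qtype.dat excerpt: timestamps only, no counters.
EMPTY_SAMPLE = """\
1585252560
1585252620
1585252680
1585252740
1585252800
1585252860
1585252920
1585252980
1585253040
1585253100
#MD5 e1ae1ba2e962015d1460fb24dfcb713c
"""

# Constructed healthy-looking file (not real data): three populated
# intervals, one empty one, and a 120 s hole before the last line.
HEALTHY_SAMPLE = """\
1585252560 1 120 28 35 15 7
1585252620 1 98 28 40
1585252680
1585252800 1 110 28 31
"""


def report(name, text):
    r = summarize(parse_dat(text))
    print(f"{name}: {r['intervals']} intervals, {r['empty']} empty, "
          f"{r['total']} total counts, gaps={r['gaps']}")
    return r


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(sys.argv[1], fh.read())
    else:
        report("poster's qtype.dat", EMPTY_SAMPLE)
        report("constructed healthy sample", HEALTHY_SAMPLE)
```

Pass a path as the first argument to check a real file; a file whose every interval is empty means the collector ran on schedule and the upload/grok chain worked, so the thing to look at is whether the dnstap socket is actually delivering messages to DSC.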

