[dsc] Fwd: Juliano - DNSTAP

Juliano Alves Guidini jguidini at usp.br
Fri Mar 27 14:56:39 UTC 2020


Hi All!

I found my mistakes!

From my Bind conf:

# chroot dir = /var/lib/named

        dnstap { all; };
        dnstap-output unix "dnstap.sock";

        directory "/databases";

I was using the wrong path in the DSC conf key dnstap_unixsock:
/var/lib/named/dnstap.sock;
The correct one is from the Bind chroot and directory reference.
The correct entry is: dnstap_unixsock /var/lib/named/databases/dnstap.sock;

But I made another mistake: the owner and permissions of the socket.

Correct is:
0 srwxr-xr-x  1 bind bind    0 Mar 27 10:41 dnstap.sock

Because otherwise Bind cannot write to the socket.

To set things up correctly, DSC has to run as the Bind user (you can have
trouble with pcap if it is not set up correctly), or run DSC as a user that
permits Bind to write to this socket and DSC to read from it.

Best Regards!!

Juliano Alves Guidini
Systems Analyst
USP - STI -  CeTI-SP - SCTIN - SCTS


---------- Forwarded message ---------
From: Juliano Alves Guidini <jguidini at usp.br>
Date: Thu, 26 Mar 2020 at 17:27
Subject: Juliano - DNSTAP
To: <dsc at lists.dns-oarc.net>


Hi!

I'm trying to configure DSC to use DNSTAP, but something is not working, and I
can't discover what it is.

I have a multi-server scenario: one DNS server (Bind 9.16.1 compiled with
dnstap support) running DSC, and another machine running DSP
(apache 2.4+cgid).
The OS on both is Debian 9 amd64.

DSC setup:
- tinyframe commit 13987e6b6a1180390a036dbca3d623d18a848025
- dnswire commit e7b1143b77b76d4b3a567c872a452b3a8ff8babc
- DSC commit d910a84d91b60358fa3af97de46e02a7c293dd85

Parameters to compile DSC: ./configure --enable-threads --enable-dnstap

My dsc.conf (IPs omitted):
## Start conf
local_address 127.0.0.1;
local_address ::1;
run_dir "/usr/local/dsc/run/e_dns";
minfree_bytes 5000000;
pid_file "/run/dsc.pid";

# DNSTAP confs
dnstap_unixsock /var/lib/named/dnstap.sock;
dnstap_network X.X.X.X ::1 53;

dataset qtype dns All:null Qtype:qtype queries-only;
dataset rcode dns All:null Rcode:rcode replies-only;
dataset opcode dns All:null Opcode:opcode queries-only;
dataset rcode_vs_replylen dns Rcode:rcode ReplyLen:msglen replies-only;
dataset client_subnet dns All:null ClientSubnet:client_subnet queries-only
max-cells=200;
dataset qtype_vs_qnamelen dns Qtype:qtype QnameLen:qnamelen queries-only;
dataset qtype_vs_tld dns Qtype:qtype TLD:tld queries-only,popular-qtypes
max-cells=200;
dataset certain_qnames_vs_qtype dns CertainQnames:certain_qnames
Qtype:qtype queries-only;
dataset client_subnet2 dns Class:query_classification
ClientSubnet:client_subnet queries-only max-cells=200;
dataset client_addr_vs_rcode dns Rcode:rcode ClientAddr:client replies-only
max-cells=50;
dataset chaos_types_and_names dns Qtype:qtype Qname:qname
chaos-class,queries-only;
dataset idn_qname dns All:null IDNQname:idn_qname queries-only;
dataset edns_version dns All:null EDNSVersion:edns_version queries-only;
dataset edns_bufsiz dns All:null EDNSBufSiz:edns_bufsiz queries-only;
dataset do_bit dns All:null D0:do_bit queries-only;
dataset rd_bit dns All:null RD:rd_bit queries-only;
dataset idn_vs_tld dns All:null TLD:tld queries-only,idn-only;
dataset ipv6_rsn_abusers dns All:null ClientAddr:client
queries-only,aaaa-or-a6-only,root-servers-net-only max-cells=50;
dataset transport_vs_qtype dns Transport:transport Qtype:qtype queries-only;
dataset client_port_range dns All:null PortRange:dns_sport_range
queries-only;
dataset direction_vs_ipproto ip Direction:ip_direction IPProto:ip_proto any;
## End conf

Bind conf inside the global options section (Bind runs in the chroot path
/var/lib/named/):
 dnstap { all; };
 dnstap-output unix "dnstap.sock";

DSC collects, moves to the upload directory (I'm using upload-ssh.sh with
some modifications) and copies the XMLs to the DSP server.
The DSP server runs refile-and-grok.sh and generates the DAT files.

But my DAT files are without data, e.g.:
cat qtype.dat
...
1585252560
1585252620
1585252680
1585252740
1585252800
1585252860
1585252920
1585252980
1585253040
1585253100
#MD5 e1ae1ba2e962015d1460fb24dfcb713c

Of course, the DNS server is working and has clients querying it.
But my first setup was not using DNSTAP; at first I used the pcap method,
and my data, as well as the graphs, were produced. I tested DNSTAP reading
a file generated by Bind, but DSC read the file, generated the XML and exited.
Is this the expected behavior? If yes, is daemon mode not recommended? Should
it be used from cron?

Am I doing anything wrong here?

Best Regards,

Juliano Alves Guidini
Systems Analyst
USP - STI -  CeTI-SP - SCTIN - SCTS
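The two fixes at the top of this message (the socket path must be the Bind chroot plus the `directory` option plus the relative `dnstap-output` name, and the Bind user must be able to write to the socket DSC creates) can be checked before restarting anything. Added example, not DSC or BIND code: the numeric uid/gid for the bind user are assumptions, and it only inspects mode bits, not the searchability of parent directories.

```python
"""Map BIND's in-chroot dnstap socket path to the host path DSC needs,
and check that the BIND user can connect (write) to that socket."""
import os
import stat


def host_socket_path(chroot: str, directory: str, dnstap_output: str) -> str:
    """BIND resolves a relative `dnstap-output unix "..."` against its
    `directory` option; both live inside the chroot, so DSC, which runs
    outside the chroot, must prefix the chroot to reach the same file."""
    if dnstap_output.startswith("/"):
        inside = dnstap_output
    else:
        inside = os.path.join("/", directory.strip("/"), dnstap_output)
    root = chroot.rstrip("/") or "/"  # empty chroot means "no chroot"
    return os.path.normpath(os.path.join(root, inside.lstrip("/")))


def can_write(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> bool:
    """Unix permission check as the kernel applies it to connect(2) on a
    unix socket: the connecting process needs write permission on the file."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def check_socket(path: str, bind_uid: int, bind_gids) -> list:
    """Return a list of problems (empty list means BIND should be able to
    write dnstap frames to the socket DSC listens on)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist: is DSC running with dnstap_unixsock {path}?"]
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{path} is not a unix socket")
    if not can_write(st.st_mode, st.st_uid, st.st_gid, bind_uid, bind_gids):
        problems.append(f"uid {bind_uid} cannot write to {path} "
                        f"(mode {stat.filemode(st.st_mode)}, owner uid {st.st_uid})")
    return problems


if __name__ == "__main__":
    # Values from the thread: chroot /var/lib/named, directory "/databases",
    # dnstap-output unix "dnstap.sock". 105 is an assumed uid/gid for bind.
    path = host_socket_path("/var/lib/named", "/databases", "dnstap.sock")
    print(path, check_socket(path, 105, [105]) or "OK")
```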

