dnstap source

Configuration

Example configurations

{
  "sources": {
    "my_source_id": {
      "type": "dnstap",
      "address": "0.0.0.0:9000",
      "mode": "tcp"
    }
  }
}

[sources.my_source_id]
type = "dnstap"
address = "0.0.0.0:9000"
mode = "tcp"

sources:
  my_source_id:
    type: dnstap
    address: 0.0.0.0:9000
    mode: tcp

{
  "sources": {
    "my_source_id": {
      "type": "dnstap",
      "address": "0.0.0.0:9000",
      "max_frame_length": 102400,
      "mode": "tcp",
      "permit_origin": [
        "192.168.0.0/16"
      ],
      "port_key": "port",
      "shutdown_timeout_secs": 30,
      "socket_file_mode": 511
    }
  }
}

[sources.my_source_id]
type = "dnstap"
address = "0.0.0.0:9000"
max_frame_length = 102_400
mode = "tcp"
permit_origin = [ "192.168.0.0/16" ]
port_key = "port"
shutdown_timeout_secs = 30
socket_file_mode = 511

sources:
  my_source_id:
    type: dnstap
    address: 0.0.0.0:9000
    max_frame_length: 102400
    mode: tcp
    permit_origin:
      - 192.168.0.0/16
    port_key: port
    shutdown_timeout_secs: 30
    socket_file_mode: 511

connection_limit

optional uint

The maximum number of TCP connections that are allowed at any given time.

Relevant when: mode = "tcp"

host_key

optional string literal

Overrides the name of the log field used to add the source path to each event.

The value is the socket path itself.

By default, the global log_schema.host_key option is used.

keepalive

optional object

TCP keepalive settings for socket-based components.

keepalive.time_secs

optional uint

The time to wait before starting to send TCP keepalive probes on an idle connection.

Relevant when: mode = "tcp"

lowercase_hostnames

optional bool

Whether to downcase all DNSTAP hostnames received for consistency

default: false

max_connection_duration_secs

optional uint

Maximum duration to keep each connection open. Connections open for longer than this duration are closed.

This is helpful for load balancing long-lived connections.

Relevant when: mode = "tcp"

max_frame_handling_tasks

optional uint

Maximum number of frames that can be processed concurrently.

max_frame_length

optional uint

Maximum DNSTAP frame length that the source accepts.

If any frame is longer than this, it is discarded.

default: 102400 (bytes)

mode

required string literal enum

The type of dnstap socket to use.

Examples

"tcp"

"unix"

Enum options string literal

Option	Description
`tcp`	Listen on TCP.
`unix`	Listen on a Unix domain socket

multithreaded

optional bool

Whether or not to concurrently process DNSTAP frames.

port_key

optional string literal

Overrides the name of the log field used to add the peer host’s port to each event.

The value will be the peer host’s port i.e. 9000.

By default, "port" is used.

Set to "" to suppress this key.

default: port

Relevant when: mode = "tcp"

raw_data_only

optional bool

Whether or not to skip parsing or decoding of DNSTAP frames.

If set to true, frames are not parsed or decoded. The raw frame data is set as a field on the event (called rawData) and encoded as a base64 string.

receive_buffer_bytes

optional uint

The size of the receive buffer used for each connection.

Relevant when: mode = "tcp"

shutdown_timeout_secs

optional uint

The timeout before a connection is forcefully closed during shutdown.

default: 30 (seconds)

Relevant when: mode = "tcp"

socket_file_mode

optional uint

Unix file mode bits to be applied to the unix socket file as its designated file permissions.

Note: The file mode value can be specified in any numeric format supported by your configuration language, but it is most intuitive to use an octal number.

Examples

Relevant when: mode = "unix"

socket_path

required string literal

Absolute path to the socket file to read DNSTAP data from.

The DNS server must be configured to send its DNSTAP data to this socket file. The socket file is created if it doesn’t already exist when the source first starts.

Relevant when: mode = "unix"

socket_receive_buffer_size

optional uint

The size, in bytes, of the receive buffer used for the socket.

This should not typically needed to be changed.

Warning

System-wide setting of maximum socket send buffer size (i.e. value of ‘/proc/sys/net/core/wmem_max’ on Linux) may need adjustment accordingly.

Relevant when: mode = "unix"

socket_send_buffer_size

optional uint

The size, in bytes, of the send buffer used for the socket.

This should not typically needed to be changed.

Warning

System-wide setting of maximum socket send buffer size (i.e. value of ‘/proc/sys/net/core/wmem_max’ on Linux) may need adjustment accordingly.

Relevant when: mode = "unix"

Enables certificate verification. For components that create a server, this requires that the client connections have a valid client certificate. For components that initiate requests, this validates that the upstream has a valid certificate.

If enabled, certificates must not be expired and must be issued by a trusted issuer. This verification operates in a hierarchical manner, checking that the leaf certificate (the certificate presented by the client/server) is not only valid, but that the issuer of that certificate is also valid, and so on until the verification process reaches a root certificate.

Do NOT set this to false unless you understand the risks of not verifying the validity of certificates.

tls.verify_hostname

optional bool

Enables hostname verification.

If enabled, the hostname used to connect to the remote host must be present in the TLS certificate presented by the remote host, either as the Common Name or as an entry in the Subject Alternative Name extension.

Only relevant for outgoing connections.

Do NOT set this to false unless you understand the risks of not verifying the remote hostname.

Relevant when: mode = "tcp"

Outputs

<component_id>

Default output stream of the component. Use this component’s ID as an input to downstream transforms and sinks.

Output Data

Logs

Warning

The fields shown below will be different if log namespacing is enabled. See Log Namespacing for more details

Event

A single dnstap event.

Fields

dataType optional string literal

Dnstap event data type. Currently only ‘Message’ type is defined.

dataTypeId required uint

Numeric ID of dnstap event data type.

Examples

error optional string literal

Error message upon failure while parsing dnstap data.

Examples

Encountered error : Unexpected number of records in update section: 0

extraInfo optional string literal

Extra data for this event.

Examples

an arbitrary byte-string annotation

messageType optional string literal

Dnstap message type.

messageTypeId required uint

Numeric ID of dnstap message type.

Examples

rawData optional string literal

Raw dnstap binary data encoded in Base64. Presents only upon failures or option ‘raw_data_only’ is enabled.

Examples

ChBqYW1lcy11YnVudHUtZGV2EgtCSU5EIDkuMTYuNXKdAQgCEAEYASIEfwAAASoEfwAAATDRyAM4AFoNB2V4YW1wbGUDY29tAGCTvf76BW3evGImcmlihYQAAAEAAAABAAACaDIHZXhhbXBsZQNjb20AAAYAAcAPAAYAAQAADhAAPQtiZGRzLWRuc3RhcAAKcG9zdG1hc3RlcgJubwVlbWFpbAZwbGVhc2UAJADGPgAADhAAAAJYACeNAAAADhB4AQ==

requestData optional object

Request message data for DNS query/update.

responseAddress required string literal

The network address of the message responder.

Examples

192.0.2.18

fc00::200

responseData optional object

Response message data for DNS query/update.

responsePort optional uint

The transport port of the message responder.

Examples

serverId optional string literal

DNS server identity.

Examples

ns1.example.com

serverVersion optional string literal

DNS server version.

Examples

BIND 9.16.8

socketFamily required string literal

The network protocol family of a socket. This specifies how to interpret ‘sourceAddress’/‘responseAddress’ fields.

Examples

INET

INET6

socketProtocol required string literal

The transport protocol of a socket. This specifies how to interpret ‘sourcePort’/‘responsePort’ fields.

Examples

UDP

TCP

sourceAddress required string literal

The network address of the message initiator.

Examples

192.0.2.8

fc00::100

sourcePort optional uint

The transport port of the message initiator.

Examples

time required uint

The time at which the DNS message was sent or received. This is the number of time units (determined by ’timePrecision’) since the UNIX epoch. For a DNS query/update request event, it’s same as request time. For a DNS query/update response event, it’s same as response time.

Examples

1614781642516276700

timePrecision required string literal

The time precision used by field ’time'.

Examples

ms

us

ns

timestamp required string literal

The same time as of field “time”, but represented as an ISO 8601 date and time string (in UTC time zone).

Examples

2021-04-09T15:08:32.767098Z

Telemetry

Metrics

link

component_discarded_events_total

counter

The number of events dropped by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

intentional

True if the events were discarded intentionally, like a filter transform, or false if due to an error.

pid optional

The process ID of the Vector instance.

component_errors_total

counter

The total number of errors encountered by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

error_type

The type of the error

host optional

The hostname of the system Vector is running on.

pid optional

The process ID of the Vector instance.

stage

The stage within the component at which the error occurred.

component_received_bytes_total

counter

The number of raw bytes accepted by this component from source origins.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_received_event_bytes_total

counter

The number of event bytes accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_received_events_count

histogram

A histogram of the number of events passed in each internal batch in Vector’s internal topology.

Note that this is separate than sink-level batching. It is mostly useful for low level debugging performance issues in Vector due to small internal batches.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_received_events_total

counter

The number of events accepted by this component either from tagged origins like file and uri, or cumulatively from other origins.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

container_name optional

The name of the container from which the data originated.

file optional

The file from which the data originated.

host optional

The hostname of the system Vector is running on.

mode optional

The connection mode used by the component.

peer_addr optional

The IP from which the data originated.

peer_path optional

The pathname from which the data originated.

pid optional

The process ID of the Vector instance.

pod_name optional

The name of the pod from which the data originated.

uri optional

The sanitized URI from which the data originated.

component_sent_event_bytes_total

counter

The total number of event bytes emitted by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

output optional

The specific output of the component.

pid optional

The process ID of the Vector instance.

component_sent_events_total

counter

The total number of events emitted by this component.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

output optional

The specific output of the component.

pid optional

The process ID of the Vector instance.

source_lag_time_seconds

histogram

The difference between the timestamp recorded in each event and the time when it was ingested, expressed as fractional seconds.

component_id

The Vector component ID.

component_kind

The Vector component kind.

component_type

The Vector component type.

host optional

The hostname of the system Vector is running on.

pid optional

The process ID of the Vector instance.

Examples

Dnstap events for a pair of regular DNS query and response.

Given this event...

Send a query to an authoritative BIND DNS server locally with following command:

```bash
	nslookup host.example.com localhost
```

...and this configuration...

sources:
  my_source_id:
    type: dnstap
    mode: unix
    max_frame_length: 102400
    socket_file_mode: 508
    socket_path: /run/bind/dnstap.sock
    max_frame_handling_tasks: 10000

[sources.my_source_id]
type = "dnstap"
mode = "unix"
max_frame_length = 102_400
socket_file_mode = 508
socket_path = "/run/bind/dnstap.sock"
max_frame_handling_tasks = 10_000

{
  "sources": {
    "my_source_id": {
      "type": "dnstap",
      "mode": "unix",
      "max_frame_length": 102400,
      "socket_file_mode": 508,
      "socket_path": "/run/bind/dnstap.sock",
      "max_frame_handling_tasks": 10000
    }
  }
}

...this Vector event is produced:

[{"log":{"dataType":"Message","dataTypeId":1,"messageType":"ClientQuery","messageTypeId":5,"requestData":{"fullRcode":0,"header":{"aa":false,"ad":false,"anCount":0,"arCount":0,"cd":false,"id":49653,"nsCount":0,"opcode":0,"qdCount":1,"qr":0,"ra":false,"rcode":0,"rd":true,"tc":false},"question":[{"class":"IN","domainName":"host.example.com.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError","time":1614781642516276700,"timePrecision":"ns"},"responseAddress":"127.0.0.1","responsePort":0,"serverId":"ns1.example.com","serverVersion":"BIND 9.16.8","socketFamily":"INET","socketProtocol":"UDP","sourceAddress":"127.0.0.1","sourcePort":52398,"time":1614781642516276700,"timePrecision":"ns"}},{"log":{"dataType":"Message","dataTypeId":1,"messageType":"ClientResponse","messageTypeId":6,"responseAddress":"127.0.0.1","responseData":{"answers":[{"class":"IN","domainName":"host.example.com.","rData":"192.0.2.100","recordType":"A","recordTypeId":1,"ttl":3600}],"authority":[{"class":"IN","domainName":"example.com.","rData":"ns1.example.com.","recordType":"NS","recordTypeId":2,"ttl":86400}],"fullRcode":0,"header":{"aa":true,"ad":false,"anCount":1,"arCount":0,"cd":false,"id":49653,"nsCount":1,"opcode":0,"qdCount":1,"qr":1,"ra":true,"rcode":0,"rd":true,"tc":false},"question":[{"class":"IN","domainName":"host.example.com.","questionType":"A","questionTypeId":1}],"rcodeName":"NoError","time":1614781642516276700,"timePrecision":"ns"},"responsePort":0,"serverId":"ns1.example.com","serverVersion":"BIND 9.16.8","socketFamily":"INET","socketProtocol":"UDP","sourceAddress":"127.0.0.1","sourceId":"421bce7d-b4e6-b705-6057-7039628a9847","sourcePort":52398,"time":1614781642516276700,"timePrecision":"ns"}}]

Dnstap events for a pair of DNS update request and response.

Given this event...

Send a dynamic update to an authoritative BIND DNS server locally with following command:

```bash
	nsupdate <<EOF
	server localhost
	update add h1.example.com 3600 a 192.0.2.110
	send
	EOF
```

...and this configuration...

sources:
  my_source_id:
    type: dnstap
    mode: unix
    socket_file_mode: 508
    socket_path: /run/bind/dnstap.sock
    socket_receive_buffer_size: 10485760
    socket_send_buffer_size: 10485760

[sources.my_source_id]
type = "dnstap"
mode = "unix"
socket_file_mode = 508
socket_path = "/run/bind/dnstap.sock"
socket_receive_buffer_size = 10_485_760
socket_send_buffer_size = 10_485_760

{
  "sources": {
    "my_source_id": {
      "type": "dnstap",
      "mode": "unix",
      "socket_file_mode": 508,
      "socket_path": "/run/bind/dnstap.sock",
      "socket_receive_buffer_size": 10485760,
      "socket_send_buffer_size": 10485760
    }
  }
}

...this Vector event is produced:

[{"log":{"dataType":"Message","dataTypeId":1,"messageType":"UpdateQuery","messageTypeId":13,"requestData":{"fullRcode":0,"header":{"adCount":0,"id":47320,"opcode":5,"prCount":0,"qr":0,"rcode":0,"upCount":1,"zoCount":1},"rcodeName":"NoError","time":1599832089886768400,"timePrecision":"ns","update":[{"class":"IN","domainName":"h1.example.com.","rData":"192.0.2.110","recordType":"A","recordTypeId":1,"ttl":3600}],"zone":{"zClass":"IN","zName":"example.com.","zType":"SOA","zTypeId":6}},"responseAddress":"127.0.0.1","responsePort":0,"serverId":"ns1.example.com","serverVersion":"BIND 9.16.8","socketFamily":"INET","socketProtocol":"UDP","sourceAddress":"127.0.0.1","sourcePort":53141,"time":1599832089886768400,"timePrecision":"ns"}},{"log":{"dataType":"Message","dataTypeId":1,"messageType":"UpdateResponse","messageTypeId":14,"responseAddress":"127.0.0.1","responseData":{"fullRcode":0,"header":{"adCount":0,"id":47320,"opcode":5,"prCount":0,"qr":1,"rcode":0,"upCount":0,"zoCount":1},"rcodeName":"NoError","time":1599832089890768400,"timePrecision":"ns","zone":{"zClass":"IN","zName":"example.com.","zType":"SOA","zTypeId":6}},"responsePort":0,"serverId":"ns1.example.com","serverVersion":"BIND 9.16.8","socketFamily":"INET","socketProtocol":"UDP","sourceAddress":"127.0.0.1","sourcePort":53141,"time":1599832089890768400,"timePrecision":"ns"}}]

How it works

Context

By default, the dnstap source augments events with helpful context keys.

Manipulate UDS Buffer Size

The dnstap source supports configuring the UDS buffer for both receiving and sending, which may be helpful for handling DNS traffic spikes more smoothly in high-usage scenarios in which performance is of paramount concern.

To configure the send/receive buffer size for the server UDS, set the socket_receive_buffer_size and socket_send_buffer_size parameters in the component’s configuration. Here’s an example:

[sources.my_dnstap_source]
type = "dnstap"
mode = "unix"
socket_receive_buffer_size = 10_485_760
socket_send_buffer_size = 10_485_760
# Other configs

For the buffer size settings to take effect, you need to ensure that the system-wide settings for send/receive buffer sizes (i.e. the values of /proc/sys/net/core/rmem_max and /proc/sys/net/core/wmem_max on Linux) are large enough.

Server Unix Domain Socket (UDS)

The dnstap source can receive dnstap data through a Unix Domain Socket (aka UDS). The path of the UDS must be explicitly specified in the source’s configuration.

Upon startup, the dnstap source creates a new server UDS at the specified path. If the path of UDS is already in use, Vector automatically deletes it before creating a new path.

The default permissions of the UDS are determined by the current umask value. To customize it to allow the local BIND server to send dnstap data to the UDS, you can specify the desired UDS permissions (for example the file mode) explicitly in the dnstap source configuration. To set its permissions to 0774, for example, add the socket_file_mode option:

[sources.my_dnstap_source]
type = "dnstap"
mode = "unix"
socket_file_mode: 0o774
# Other configs

Using a remote BIND server

While the dnstap source can create server UDS paths only on the local machine, you can also use it with remote BIND servers by forwarding the server UDS from the machine Vector is running on to the remote BIND server (for example via SSH) once Vector starts. Make sure that the Unix domain sockets on both the local and remote machines have appropriate permissions set.

State

This component is stateless, meaning its behavior is consistent across each input.

Transport Layer Security (TLS)

Vector uses OpenSSL for TLS protocols due to OpenSSL’s maturity. You can enable and adjust TLS behavior via the tls.* options and/or via an OpenSSL configuration file. The file location defaults to /usr/local/ssl/openssl.cnf or can be specified with the OPENSSL_CONF environment variable.