[dnstap] reading DNSTAP from a remote machine

Robert Edmonds edmonds at mycre.ws
Fri Feb 27 23:14:27 UTC 2015


Joseph Gersch wrote:
>    Is there already a way to have a DNSTAP reader on a remote machine read the framestream from a network socket (IP, port)?  It looks like unbound writes to a LINUX socket, so maybe there is a way to just specify the IP and port # instead of a file path.  On the other hand maybe a reader process has to read the Linux socket and write to a network socket or use TLS.  Has anyone done this yet?  

Hi, Joe:

The technical term is usually "Unix domain socket" (or AF_UNIX /
AF_LOCAL, to be really technical, and the SOCK_STREAM variant of AF_UNIX
in particular); it's not Linux-specific.  The nice thing about Unix
sockets is that they can be both plaintext and secure, as long as you
trust Unix permissions, because the socket can only be connected by
processes running on the same machine.

Being able to collect dnstap payload data from multiple remote machines
over a TCP or TLS connection was definitely envisaged in the original
dnstap design, and that was part of the reason for preferring a byte
stream over a message stream; it makes it really easy to mirror the byte
stream into a network connection.  (Since IP datagrams are limited to
64K, and a dnstap payload is potentially >64K, it would have been hard
to use a message-based design over the network without adding our own
custom fragmentation scheme.)

Unfortunately, this mirroring capability doesn't exist quite yet, but
it's definitely planned, and the design accommodates it.  So the answer
is, not yet.

BTW, the reason for using Unix sockets in the first place and using a
helper utility to mirror data into a TLS connection is that it avoids
the risk of directly exposing the DNS server implementation to an SSL
implementation, which we originally concluded DNS server implementers
would be averse to.  (Actually, I think Unbound uses SSL for its remote
control socket, but I believe a patch implementing Unix sockets for the
daemon's control socket was merged recently.)

-- 
Robert Edmonds
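The helper utility the post anticipates, a byte-stream mirror from a local Unix socket into a TLS connection, as an added Python sketch of my own (not fstrm or dnstap project code): it copies bytes without parsing frames, so a payload larger than one IP datagram passes through unchanged, and it restricts the socket path with file permissions, which are the only access control a Unix socket has. The collector host, port and CA file are assumptions, and the socketpair self-check is constructed for illustration.

```python
import os
import socket
import ssl
import threading

CHUNK = 65536  # read size only; the relay never needs to know frame boundaries

def mirror_stream(src, dst):
    """Copy the raw byte stream from src into dst until src reports EOF; no frames
    are parsed, so a payload larger than one IP datagram passes through untouched."""
    while True:
        data = src.recv(CHUNK)
        if not data:
            break
        dst.sendall(data)
    dst.shutdown(socket.SHUT_WR)  # propagate EOF to the remote reader

def make_unix_listener(path, mode=0o660):
    """Local AF_UNIX SOCK_STREAM listener; file permissions are its only access control."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # restrict to the intended user/group before listening
    srv.listen(8)
    return srv

def tls_upstream(host, port, cafile):
    """TLS link to the remote collector; host, port and cafile are assumptions."""
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)

def mirror_roundtrip(payload):
    """Constructed self-check: socketpairs stand in for the Unix socket and TLS link."""
    src_w, src_r = socket.socketpair()
    dst_w, dst_r = socket.socketpair()
    workers = [
        threading.Thread(target=mirror_stream, args=(src_r, dst_w)),
        threading.Thread(target=lambda: (src_w.sendall(payload), src_w.shutdown(socket.SHUT_WR))),
    ]
    for w in workers:
        w.start()
    out = bytearray()
    while chunk := dst_r.recv(CHUNK):
        out += chunk
    for w in workers:
        w.join()
    for s in (src_w, src_r, dst_w, dst_r):
        s.close()
    return bytes(out)
```

In production the accept loop would call mirror_stream(conn, tls_upstream(...)) per local connection; a UDP transport could not carry the 76,800-byte test payload below without a fragmentation scheme.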

