From murray at stokely.org Tue Oct 25 05:56:03 2016 From: murray at stokely.org (Murray Stokely) Date: Mon, 24 Oct 2016 22:56:03 -0700 Subject: [dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE. Message-ID: I'm having trouble getting anything out of dnstap with unbound 1.5.10 on FreeBSD 11-STABLE with dustup gocode freshly installed. I've run the fstrm 0.2.0 unit tests on this box to verify that reading/writing to the unix domain sockets is working properly (has anyone evaluated GRPC rather than fstrm now that google has released a transport for protocol buffers?) The dnstap section of my unbound.conf is: dnstap: dnstap-enable: yes dnstap-socket-path: "/var/run/unbound/dnstap.sock" dnstap-send-identity: yes dnstap-send-version: yes dnstap-log-resolver-response-messages: yes dnstap-log-client-query-messages: yes I'm running unbound in a chroot, but I can't find the socket either in or out of the chroot : server: directory: /usr/local/etc/unbound chroot: /usr/local/etc/unbound First I run two dustup listeners (as I'm not sure if its supposed to be inside the chroot or not): dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1 dnstap -u /usr/local/etc/unbound/var/run/unbound/dnstap.sock -w /root/dnstap.2 Then I start unbound: # sh /usr/local/etc/rc.d/unbound start Obtaining a trust anchor:. Starting unbound. [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53 [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53 [1477374748] unbound[10467:0] debug: switching log to syslog unbound works fine, but I am not seeing anything written out to my /root/dnstap files. I spent a little time playing around with ktrace and dtrace but I haven't yet really figured out what is going on or why it is not writing out logs. Any pointers for debugging why messages don't seem to be getting sent to the domain socket? Thanks, - Murray -------------- next part -------------- An HTML attachment was scrubbed... URL: From maile.halatuituia at tcc.to Tue Oct 25 07:34:50 2016 From: maile.halatuituia at tcc.to (Maile Halatuituia) Date: Tue, 25 Oct 2016 07:34:50 +0000 Subject: [dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE. In-Reply-To: References: Message-ID: ?Can someone give some info if the dnstap-read can be present on Graph like the DSC software . I believe dnstap is much more detail but i just want to know if this is possible ... thanks ________________________________ From: dnstap on behalf of Murray Stokely Sent: Tuesday, October 25, 2016 6:56 PM To: dnstap at lists.redbarn.org Subject: [dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE. I'm having trouble getting anything out of dnstap with unbound 1.5.10 on FreeBSD 11-STABLE with dustup gocode freshly installed. I've run the fstrm 0.2.0 unit tests on this box to verify that reading/writing to the unix domain sockets is working properly (has anyone evaluated GRPC rather than fstrm now that google has released a transport for protocol buffers?) The dnstap section of my unbound.conf is: dnstap: dnstap-enable: yes dnstap-socket-path: "/var/run/unbound/dnstap.sock" dnstap-send-identity: yes dnstap-send-version: yes dnstap-log-resolver-response-messages: yes dnstap-log-client-query-messages: yes I'm running unbound in a chroot, but I can't find the socket either in or out of the chroot : server: directory: /usr/local/etc/unbound chroot: /usr/local/etc/unbound First I run two dustup listeners (as I'm not sure if its supposed to be inside the chroot or not): dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1 dnstap -u /usr/local/etc/unbound/var/run/unbound/dnstap.sock -w /root/dnstap.2 Then I start unbound: # sh /usr/local/etc/rc.d/unbound start Obtaining a trust anchor:. Starting unbound. [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53 [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53 [1477374748] unbound[10467:0] debug: switching log to syslog unbound works fine, but I am not seeing anything written out to my /root/dnstap files. I spent a little time playing around with ktrace and dtrace but I haven't yet really figured out what is going on or why it is not writing out logs. Any pointers for debugging why messages don't seem to be getting sent to the domain socket? Thanks, - Murray Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edmonds at mycre.ws Tue Oct 25 16:26:16 2016 From: edmonds at mycre.ws (Robert Edmonds) Date: Tue, 25 Oct 2016 12:26:16 -0400 Subject: [dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE. In-Reply-To: References: Message-ID: <20161025162616.ejds4e2p2tlkk6qe@mycre.ws> Murray Stokely wrote: > I'm having trouble getting anything out of dnstap with unbound 1.5.10 on > FreeBSD 11-STABLE with dustup gocode freshly installed. > > I've run the fstrm 0.2.0 unit tests on this box to verify that > reading/writing to the unix domain sockets is working properly (has anyone > evaluated GRPC rather than fstrm now that google has released a transport > for protocol buffers?) Hi, Murray: fstrm 0.3.0 was released a while ago which you might want to upgrade to. There was a bug fix in that release that affected establishing the Unix socket (https://github.com/farsightsec/fstrm/issues/17). It looks like the FreeBSD ports system still has the older 0.2.0 release. gRPC is interesting. I've looked at it a few times but never used it; like a lot of Google's open source projects, it doesn't have a good C binding, and with the exception of PowerDNS most DNS servers are implemented in C, not C++. If you wanted to add gRPC support to the dnstap ecosystem, it would probably be pretty easy to implement a bridge that accepts Frame Streams input over a Unix socket and outputs gRPC to an external endpoint. (This is also how I planned to implement TLS support. Implementing it as a bridge that speaks the plaintext Frame Streams protocol on the local host to the dnstap-enabled DNS server would let us keep the TLS stack out of the DNS server.) If I were re-implementing dnstap from scratch today, I would probably choose to rely on even less Google technology, so I'd probably choose a standardized format like CBOR over protobuf for the serialization format. (The dnstap message format uses protobuf 2 and relies on features in protobuf 2 like optional fields that have been removed from the protobuf 3 format.) > The dnstap section of my unbound.conf is: > > dnstap: > dnstap-enable: yes > dnstap-socket-path: "/var/run/unbound/dnstap.sock" > dnstap-send-identity: yes > dnstap-send-version: yes > dnstap-log-resolver-response-messages: yes > dnstap-log-client-query-messages: yes > > I'm running unbound in a chroot, but I can't find the socket either in or > out of the chroot : The dnstap-socket-path in unbound.conf is the path to a Unix socket that the dnstap client in Unbound will attempt to connect to (and re-connect, if the connection is broken), *not* a path that Unbound will bind a Unix socket to. So the dnstap socket won't appear in the filesystem until the dnstap listener is started. The dnstap client/server socket relationship was modeled on syslog, where the DNS server is a dnstap client (or syslog client). The idea was that you could have multiple DNS servers running on a single system all sending dnstap data to a single collector on the system, or (once TCP or TLS support was implemented, which hasn't happened yet), you could have a pool of machines running DNS servers sending dnstap data to a collector over the network. > server: > directory: /usr/local/etc/unbound > chroot: /usr/local/etc/unbound > > First I run two dustup listeners (as I'm not sure if its supposed to be > inside the chroot or not): > > dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1 > > dnstap -u /usr/local/etc/unbound/var/run/unbound/dnstap.sock -w > /root/dnstap.2 I'm actually not sure about this point without reading the code, but I think that the dnstap socket needs to be inside the chroot, because the connection can be broken and re-established during runtime (e.g. if the collector is restarted). > Then I start unbound: > > # sh /usr/local/etc/rc.d/unbound start > > Obtaining a trust anchor:. > > Starting unbound. > > [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53 > [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53 > [1477374748] unbound[10467:0] debug: switching log to syslog > > unbound works fine, but I am not seeing anything written out to my > /root/dnstap files. Have you looked in syslog? The dnstap client in Unbound should generate some log messages, at least. > I spent a little time playing around with ktrace and dtrace but I haven't > yet really figured out what is going on or why it is not writing out logs. > > Any pointers for debugging why messages don't seem to be getting sent to > the domain socket? Thanks, You might also ask on the unbound-users mailing list if we can't get your problem solved here :-) -- Robert Edmonds From murray at stokely.org Wed Oct 26 09:39:44 2016 From: murray at stokely.org (Murray Stokely) Date: Wed, 26 Oct 2016 02:39:44 -0700 Subject: [dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE. In-Reply-To: <20161025162616.ejds4e2p2tlkk6qe@mycre.ws> References: <20161025162616.ejds4e2p2tlkk6qe@mycre.ws> Message-ID: Thanks for your reply. I updated the FreeBSD Port to use fstrm 0.3.0 and sent it to the maintainer freebsd at dns-lab.com. In addition to the version upgrade, I added a line to let the FreeBSD Ports system understand the way this port runs its test suite, so "make test" from the Ports Collection will build the test binaries and run the test suite shell scripts and output the results. Eventually Dtrace helped me understand that I was getting permission denied errors when trying to write to the named pipe. FreeBSD runs unbound as the unbound user, but I was running dnstap as the root user. I've filed bug #1142 with unbound with some thoughts about improving the documentation or code. https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1142 I'm now able to extract this data and create meaningful aggregate statistics and visualizations with R, RProtoBuf, and ggplot2. I'm a long-time protobuf user but wasn't previously aware of the CBOR RFC. Thanks for the pointer. - Murray On Tue, Oct 25, 2016 at 9:26 AM, Robert Edmonds wrote: > Murray Stokely wrote: > > I'm having trouble getting anything out of dnstap with unbound 1.5.10 on > > FreeBSD 11-STABLE with dustup gocode freshly installed. > > > > I've run the fstrm 0.2.0 unit tests on this box to verify that > > reading/writing to the unix domain sockets is working properly (has > anyone > > evaluated GRPC rather than fstrm now that google has released a transport > > for protocol buffers?) > > Hi, Murray: > > fstrm 0.3.0 was released a while ago which you might want to upgrade > to. There was a bug fix in that release that affected establishing the > Unix socket (https://github.com/farsightsec/fstrm/issues/17). > > It looks like the FreeBSD ports system still has the older 0.2.0 > release. > > gRPC is interesting. I've looked at it a few times but never used it; > like a lot of Google's open source projects, it doesn't have a good C > binding, and with the exception of PowerDNS most DNS servers are > implemented in C, not C++. If you wanted to add gRPC support to the > dnstap ecosystem, it would probably be pretty easy to implement a bridge > that accepts Frame Streams input over a Unix socket and outputs gRPC to > an external endpoint. (This is also how I planned to implement TLS > support. Implementing it as a bridge that speaks the plaintext Frame > Streams protocol on the local host to the dnstap-enabled DNS server > would let us keep the TLS stack out of the DNS server.) > > If I were re-implementing dnstap from scratch today, I would probably > choose to rely on even less Google technology, so I'd probably choose a > standardized format like CBOR over protobuf for the serialization > format. (The dnstap message format uses protobuf 2 and relies on > features in protobuf 2 like optional fields that have been removed from > the protobuf 3 format.) > > > The dnstap section of my unbound.conf is: > > > > dnstap: > > dnstap-enable: yes > > dnstap-socket-path: "/var/run/unbound/dnstap.sock" > > dnstap-send-identity: yes > > dnstap-send-version: yes > > dnstap-log-resolver-response-messages: yes > > dnstap-log-client-query-messages: yes > > > > I'm running unbound in a chroot, but I can't find the socket either in or > > out of the chroot : > > The dnstap-socket-path in unbound.conf is the path to a Unix socket that > the dnstap client in Unbound will attempt to connect to (and re-connect, > if the connection is broken), *not* a path that Unbound will bind a Unix > socket to. So the dnstap socket won't appear in the filesystem until the > dnstap listener is started. > > The dnstap client/server socket relationship was modeled on syslog, > where the DNS server is a dnstap client (or syslog client). The idea was > that you could have multiple DNS servers running on a single system all > sending dnstap data to a single collector on the system, or (once TCP or > TLS support was implemented, which hasn't happened yet), you could have > a pool of machines running DNS servers sending dnstap data to a > collector over the network. > > > server: > > directory: /usr/local/etc/unbound > > chroot: /usr/local/etc/unbound > > > > First I run two dustup listeners (as I'm not sure if its supposed to be > > inside the chroot or not): > > > > dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1 > > > > dnstap -u /usr/local/etc/unbound/var/run/unbound/dnstap.sock -w > > /root/dnstap.2 > > I'm actually not sure about this point without reading the code, but I > think that the dnstap socket needs to be inside the chroot, because the > connection can be broken and re-established during runtime (e.g. if the > collector is restarted). > > > Then I start unbound: > > > > # sh /usr/local/etc/rc.d/unbound start > > > > Obtaining a trust anchor:. > > > > Starting unbound. > > > > [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53 > > [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53 > > [1477374748] unbound[10467:0] debug: switching log to syslog > > > > unbound works fine, but I am not seeing anything written out to my > > /root/dnstap files. > > Have you looked in syslog? The dnstap client in Unbound should generate > some log messages, at least. > > > I spent a little time playing around with ktrace and dtrace but I haven't > > yet really figured out what is going on or why it is not writing out > logs. > > > > Any pointers for debugging why messages don't seem to be getting sent to > > the domain socket? Thanks, > > You might also ask on the unbound-users mailing list if we can't get > your problem solved here :-) > > -- > Robert Edmonds > -------------- next part -------------- An HTML attachment was scrubbed... URL: