[dnstap] dnstap not writing to unix domain sockets with unbound 1.5.10 on FreeBSD 11-STABLE.

Robert Edmonds edmonds at mycre.ws
Tue Oct 25 16:26:16 UTC 2016


Murray Stokely wrote:
> I'm having trouble getting anything out of dnstap with unbound 1.5.10 on
> FreeBSD 11-STABLE with dustup gocode freshly installed.
> 
> I've run the fstrm 0.2.0 unit tests on this box to verify that
> reading/writing to the unix domain sockets is working properly (has anyone
> evaluated GRPC rather than fstrm now that google has released a transport
> for protocol buffers?)

Hi, Murray:

fstrm 0.3.0 was released a while ago which you might want to upgrade
to. There was a bug fix in that release that affected establishing the
Unix socket (https://github.com/farsightsec/fstrm/issues/17).

It looks like the FreeBSD ports system still has the older 0.2.0
release.

gRPC is interesting. I've looked at it a few times but never used it;
like a lot of Google's open source projects, it doesn't have a good C
binding, and with the exception of PowerDNS most DNS servers are
implemented in C, not C++. If you wanted to add gRPC support to the
dnstap ecosystem, it would probably be pretty easy to implement a bridge
that accepts Frame Streams input over a Unix socket and outputs gRPC to
an external endpoint. (This is also how I planned to implement TLS
support. Implementing it as a bridge that speaks the plaintext Frame
Streams protocol on the local host to the dnstap-enabled DNS server
would let us keep the TLS stack out of the DNS server.)

If I were re-implementing dnstap from scratch today, I would probably
choose to rely on even less Google technology, so I'd probably choose a
standardized format like CBOR over protobuf for the serialization
format. (The dnstap message format uses protobuf 2 and relies on
features in protobuf 2 like optional fields that have been removed from
the protobuf 3 format.)

> The dnstap section of my unbound.conf is:
> 
> dnstap:
>   dnstap-enable: yes
>   dnstap-socket-path: "/var/run/unbound/dnstap.sock"
>   dnstap-send-identity: yes
>   dnstap-send-version: yes
>   dnstap-log-resolver-response-messages: yes
>   dnstap-log-client-query-messages: yes
> 
> I'm running unbound in a chroot, but I can't find the socket either in or
> out of the chroot :

The dnstap-socket-path in unbound.conf is the path to a Unix socket that
the dnstap client in Unbound will attempt to connect to (and re-connect,
if the connection is broken), *not* a path that Unbound will bind a Unix
socket to. So the dnstap socket won't appear in the filesystem until the
dnstap listener is started.

The dnstap client/server socket relationship was modeled on syslog,
where the DNS server is a dnstap client (or syslog client). The idea was
that you could have multiple DNS servers running on a single system all
sending dnstap data to a single collector on the system, or (once TCP or
TLS support was implemented, which hasn't happened yet), you could have
a pool of machines running DNS servers sending dnstap data to a
collector over the network.

> server:
>   directory: /usr/local/etc/unbound
>   chroot: /usr/local/etc/unbound
> 
> First I run two dustup listeners (as I'm not sure if its supposed to be
> inside the chroot or not):
> 
> dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1
> 
> dnstap -u /usr/local/etc/unbound/var/run/unbound/dnstap.sock -w
> /root/dnstap.2

I'm actually not sure about this point without reading the code, but I
think that the dnstap socket needs to be inside the chroot, because the
connection can be broken and re-established during runtime (e.g. if the
collector is restarted).

> Then I start unbound:
> 
> # sh /usr/local/etc/rc.d/unbound start
> 
> Obtaining a trust anchor:.
> 
> Starting unbound.
> 
> [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53
> [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53
> [1477374748] unbound[10467:0] debug: switching log to syslog
> 
> unbound works fine, but I am not seeing anything written out to my
> /root/dnstap files.

Have you looked in syslog? The dnstap client in Unbound should generate
some log messages, at least.

> I spent a little time playing around with ktrace and dtrace but I haven't
> yet really figured out what is going on or why it is not writing out logs.
> 
> Any pointers for debugging why messages don't seem to be getting sent to
> the domain socket?  Thanks,

You might also ask on the unbound-users mailing list if we can't get
your problem solved here :-)

-- 
Robert Edmonds


More information about the dnstap mailing list