[dnstap] dnstap use case assistance
Robert Edmonds
edmonds at mycre.ws
Sat May 13 04:19:20 UTC 2017
Kyle Fiducia wrote:
> But the logs I am seeing coming out of DNS tap reference the
> responding authoritative server. So it mentions "evil-host.tld" but
> gives the authoritative nameserver IP address that responded with the
> A record, not the contents of the A record, so 1.2.3.4 is not present
> in my logs.
Hi, Kyle:
The data you're looking for is going to be included in the DNS answer
section of the DNS response message payload. And there might be more
than one A record for "evil-host.tld" in the response, of course.
What tool are you using to decode your dnstap logs? The three dedicated
tools that I'm aware of (the standalone dnstap-ldns and golang-dnstap
tools, and the dnstap-read tool included with BIND) default to using a
compact one line per message representation that resembles what you
described above, but they also have a more verbose format that can be
enabled with the '-y' parameter which includes a full decode of the DNS
response sections.
BTW, at one point I was working on adding support for decoding Frame
Streams files with dnstap-encoded payloads to Wireshark. I started it
but didn't finish it; the hardest part looked like it was going to be
integrating a protobuf decoder and code generator into the build system
(and making it work on the platforms supported by Wireshark), rather
than actually implementing the dnstap dissector.
--
Robert Edmonds
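The reply above points out that the address Kyle wants is in the answer section of the DNS response payload, and that a response may carry several A records. The following is an added example, not code from the dnstap project or from either poster: a stdlib-only Python parser that pulls the A records out of a raw DNS response message, which is the same work the verbose decoders do when they print the response sections. The sample response for "evil-host.tld" is constructed inline (two A records, compression pointers back to the question name); the record names, IDs and TTLs in it are made up for the demonstration.

```python
import socket
import struct

TYPE_A = 1
CLASS_IN = 1
HEADER_LEN = 12


def read_name(msg, offset):
    """Decode a possibly compressed domain name starting at offset.

    Returns (name, offset_just_past_the_name_in_the_original_stream).
    Compression pointers (RFC 1035 section 4.1.4) are followed, with a hop
    limit so a looping pointer cannot spin the parser forever.
    """
    labels = []
    end = None          # where the caller should resume reading
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_rr(msg, offset):
    """Parse one resource record; returns (dict, offset after the record)."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset += 10
    rdata = msg[offset:offset + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass,
            "ttl": ttl, "rdata": rdata}, offset + rdlen


def answer_a_records(msg):
    """Return [(owner, ttl, dotted_ip), ...] for every IN A record in the
    answer section of a DNS response message. Other sections are ignored."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than DNS header")
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if not flags & 0x8000:                      # QR bit: must be a response
        raise ValueError("not a response message")
    offset = HEADER_LEN
    for _ in range(qdcount):                    # skip QNAME, QTYPE, QCLASS
        _, offset = read_name(msg, offset)
        offset += 4
    found = []
    for _ in range(ancount):
        rr, offset = parse_rr(msg, offset)
        if rr["type"] == TYPE_A and rr["class"] == CLASS_IN and len(rr["rdata"]) == 4:
            found.append((rr["name"], rr["ttl"], socket.inet_ntoa(rr["rdata"])))
    return found


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_sample_response():
    """Constructed sample: a response to 'evil-host.tld A' with two A records.
    Flags 0x8180 = QR, RD, RA; both answers point (0xC00C) at the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("evil-host.tld") + struct.pack("!HH", TYPE_A, CLASS_IN)
    rrs = b""
    for ip in ("1.2.3.4", "1.2.3.5"):
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + socket.inet_aton(ip)
    return header + question + rrs


SAMPLE_RESPONSE = build_sample_response()

if __name__ == "__main__":
    for owner, ttl, ip in answer_a_records(SAMPLE_RESPONSE):
        print(f"{owner}\t{ttl}\tIN\tA\t{ip}")
```

On a real dnstap stream the bytes handed to `answer_a_records` would be the `response_message` field of the dnstap protobuf; this example stops at the DNS wire format itself so it runs without the Frame Streams or protobuf layers.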