[dnstap] dnstap fanout and replay

Matthew Pounsett matt at conundrum.com
Fri Apr 13 21:43:08 UTC 2018


On 13 April 2018 at 13:59, Tony Finch <dot at dotat.at> wrote:

>
> The dnstap implementation in BIND only supports one output stream, so if
> we are going to satisfy these consumers, we would need to split the dnstap
> feed downstream of BIND before feeding the distributaries onwards.
>

Maybe have a look at Jerry's luadns (somewhere on the dns-oarc.net web
site, which isn't responding to me at the moment).  I had a chat with him
after the last OARC meeting about a problem I had been trying to solve in a
past life where we had three or four different things all attached to the
same bpf on our measurement machines.  He seemed to think his tool would be
well suited to taking a single feed of DNS packet info and branching out
into processing it in multiple ways.

I don't recall how pcap-specific his sample code is, and can't go check
right now, but I'm hoping it'd be pretty easily adapted to dnstap messages.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.redbarn.org/pipermail/dnstap/attachments/20180413/30a8142c/attachment.html>


More information about the dnstap mailing list