[dnstap] dnstap fanout and replay

Jerry Lundström jerry at dns-oarc.net
Tue Apr 24 08:14:24 UTC 2018


On Fri, 2018-04-13 at 17:43 -0400, Matthew Pounsett wrote:
> On 13 April 2018 at 13:59, Tony Finch <dot at dotat.at> wrote:
> 
> > The dnstap implementation in BIND only supports one output stream, so if
> > we are going to satisfy these consumers, we would need to split the dnstap
> > feed downstream of BIND before feeding the distributaries onwards.
> > 
> Maybe have a look at Jerry's luadns (somewhere on the dns-oarc.net web
> site, which isn't responding to me at the moment).  I had a chat with him
> after the last OARC meeting about a problem I had been trying to solve in a
> past life where we had three or four different things all attached to the
> same bpf on our measurement machines.  He seemed to think his tool would be
> well suited to taking a single feed of DNS packet info and branching out
> into processing it in multiple ways.

dnsjit is something new I am developing, which basically is parts from dsc,
dnscap and drool that are glued together with Lua (kinda like snabb).

  https://github.com/DNS-OARC/dnsjit

> I don't recall how pcap-specific his sample code is, and can't go check
> right now, but I'm hoping it'd be pretty easily adapted to dnstap messages.

This is the good thing with breaking up the components: it's very easy to
add new ones, so it's not dependent on just one format or library.

I would gladly see dnstap move towards CBOR; it's basically the same thing
as msgpack/protobuf, so the transition should be easy.

Cheers,
Jerry

