[dnstap] Windows DNS ETW to dnstap interoperability
Stephen Vickers
stephen.vickers at telemity.com
Wed May 27 13:12:40 UTC 2026
Initially, DnsStream forwarded DNS data as ISC BIND-style querylog messages over Syslog (with a similar response format created - https://telemity.com/dnsstream/docs/administration/event-and-output-formats.html#client-response-event) or newline-delimited JSON. The aim is high-fidelity data and operational safety - no detection, no analytics, etc., just accessing and moving the data without demanding huge amounts of CPU, memory or any disk IO.
The next component in the suite of tools is going to process dnstap data over TCP/TLS (at least that's the plan) which is why I added dnstap - it was remarkably easy to add dnstap over fstrm. This allows for receiving data to all the DNS servers which support dnstap, and for Windows DNS, DnsStream covers that off.
I've experienced the BIND UNIX file only dnstap issue myself, used socat to get it to a TCP destination. 🙂 I am looking to implement Linux support with UNIX file based dnstap in a very near release for this exact reason, not sure if you would be interested in taking a look at this when it's available?
So, the main consumer of this dnstap implementation was the next tool, which I don't want to talk about here, yet (things change and it may never materialize 🙂), and the side-effect of this allows data from Windows DNS servers to feed directly into an existing dnstap based system.
Many thanks
Steve
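For readers who have not looked at the wire format Steve refers to, the following is an added illustration of Frame Streams (fstrm) framing as used to carry dnstap; it is not code from the thread or from DnsStream. It builds a unidirectional stream (START control frame carrying the content type "protobuf:dnstap.Dnstap", length-prefixed data frames, STOP), parses it back, and shows the checks a receiver should make before trusting a peer: the negotiated content type must match, and a frame length must be bounded so a single bogus length prefix cannot force a huge allocation. The payload bytes are constructed stand-ins; a real sender would put serialized Dnstap protobuf messages there, and the 256 KiB limit is an assumed local policy, not an fstrm constant.

```python
import struct

# Frame Streams control frame types and the CONTENT_TYPE field type.
FSTRM_CONTROL_ACCEPT = 0x01
FSTRM_CONTROL_START = 0x02
FSTRM_CONTROL_STOP = 0x03
FSTRM_CONTROL_READY = 0x04
FSTRM_CONTROL_FINISH = 0x05
FSTRM_CONTROL_FIELD_CONTENT_TYPE = 0x01

DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_FRAME_SIZE = 256 * 1024  # assumed local receiver policy, not part of fstrm


def encode_control_frame(ctrl_type, content_types=()):
    """Escape word (4 zero bytes), control frame length, control type, fields."""
    body = struct.pack("!I", ctrl_type)
    for ct in content_types:
        body += struct.pack("!II", FSTRM_CONTROL_FIELD_CONTENT_TYPE, len(ct)) + ct
    return struct.pack("!II", 0, len(body)) + body


def encode_data_frame(payload):
    """Data frame: 32-bit big-endian length followed by the payload."""
    return struct.pack("!I", len(payload)) + payload


def build_unidirectional_stream(payloads, content_type=DNSTAP_CONTENT_TYPE):
    """START (with content type), one data frame per payload, then STOP."""
    out = encode_control_frame(FSTRM_CONTROL_START, [content_type])
    for p in payloads:
        out += encode_data_frame(p)
    return out + encode_control_frame(FSTRM_CONTROL_STOP)


def decode_frames(buf, max_frame=MAX_FRAME_SIZE):
    """Return a list of ('control', type, [content types]) / ('data', payload).

    Raises ValueError on truncation or on a frame larger than max_frame, which
    is the check that keeps a misbehaving peer from driving memory use.
    """
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from("!I", buf, pos)
        pos += 4
        if length == 0:  # escape word: a control frame follows
            if len(buf) - pos < 4:
                raise ValueError("truncated control frame length")
            (clen,) = struct.unpack_from("!I", buf, pos)
            pos += 4
            if clen < 4 or clen > max_frame or len(buf) - pos < clen:
                raise ValueError("bad control frame length %d" % clen)
            cbody = buf[pos:pos + clen]
            pos += clen
            (ctype,) = struct.unpack_from("!I", cbody, 0)
            fields, fpos = [], 4
            while fpos < clen:
                if clen - fpos < 8:
                    raise ValueError("truncated control field header")
                ftype, flen = struct.unpack_from("!II", cbody, fpos)
                fpos += 8
                if clen - fpos < flen:
                    raise ValueError("truncated control field value")
                if ftype == FSTRM_CONTROL_FIELD_CONTENT_TYPE:
                    fields.append(bytes(cbody[fpos:fpos + flen]))
                fpos += flen
            frames.append(("control", ctype, fields))
        else:
            if length > max_frame or len(buf) - pos < length:
                raise ValueError("bad data frame length %d" % length)
            frames.append(("data", bytes(buf[pos:pos + length])))
            pos += length
    return frames


def extract_dnstap_payloads(buf, accepted=DNSTAP_CONTENT_TYPE):
    """Receiver side: insist on START advertising the accepted content type,
    collect data frames, and stop at STOP. Returns the list of payloads."""
    frames = decode_frames(buf)
    if not frames or frames[0][0] != "control" or frames[0][1] != FSTRM_CONTROL_START:
        raise ValueError("stream does not begin with START")
    if accepted not in frames[0][2]:
        raise ValueError("peer offered content types %r, not %r" % (frames[0][2], accepted))
    payloads = []
    for frame in frames[1:]:
        if frame[0] == "control" and frame[1] == FSTRM_CONTROL_STOP:
            break
        if frame[0] == "data":
            payloads.append(frame[1])
    return payloads


if __name__ == "__main__":
    # Constructed stand-in payloads; real ones are serialized Dnstap protobufs.
    stream = build_unidirectional_stream([b"dnstap-msg-1", b"dnstap-msg-2"])
    print(extract_dnstap_payloads(stream))
```

The bidirectional variant used over TCP adds a READY/ACCEPT exchange before START and a FINISH after STOP; the same per-frame length bound and content-type check apply there.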
________________________________
From: Fred Morris <m3047 at m3047.net>
Sent: Monday, May 25, 2026 21:01
To: Stephen Vickers <stephen.vickers at telemity.com>
Cc: dnstap at lists.redbarn.org <dnstap at lists.redbarn.org>
Subject: Re: [dnstap] Windows DNS ETW to dnstap interoperability
I'd love to know more! "I don't do windows", and what I personally use is
BIND, and it only writes to a file or a unix socket. That's a problem for
containerization, especially microkernels which only run one image. I've
wished since the beginning that it supported TCP. I don't view this as a
replacement, what I'm interested in is who / what are the consumers for
this (already built to consume fstrm over TLS)? I am familiar with SIE.
;-)
I don't know why you put fstrm in front of it. I seem to extract what I
need and then send that as multicast datagrams (JSONified in what I give
away publicly).
Feel free to contact me offlist (I'll give you a Trualias) or to hunt me
down on LinkedIn.
--
Fred Morris, internet plumber
On Mon, 25 May 2026, Stephen Vickers via dnstap wrote:
>
> Hi all,
> I’ve been working on a Windows DNS telemetry collector called DnsStream which captures DNS telemetry directly from the native
> Windows DNS server ETW provider and now emits standards-compatible dnstap over TCP/TLS using fstrm.
> [...]