<div dir="ltr">Thanks for your reply. I updated the FreeBSD Port to use fstrm 0.3.0 and sent it to the maintainer <table cellpadding="0" class="gmail-m_1214287080649960940gmail-ajC" style="font-size:12.800000190734863px"><tbody><tr class="gmail-m_1214287080649960940gmail-ajv"><td colspan="2" class="gmail-m_1214287080649960940gmail-gL" style="padding:6px 0px"><span class="gmail-m_1214287080649960940gmail-gI"><span> <a href="mailto:freebsd@dns-lab.com" target="_blank">freebsd@dns-lab.com</a>.<br><br>In addition to the version upgrade, I added a line to let the FreeBSD Ports system understand the way this port runs its test suite, so "make test" from the Ports Collection will build the test binaries and run the test suite shell scripts and output the results.<br><br>Eventually Dtrace helped me understand that I was getting permission denied errors when trying to write to the named pipe. FreeBSD runs unbound as the unbound user, but I was running dnstap as the root user. I've filed bug #1142 with unbound with some thoughts about improving the documentation or code.<br><br></span> <a href="https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1142">https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1142</a><span><br><br>I'm now able to extract this data and create meaningful aggregate statistics and visualizations with R, RProtoBuf, and ggplot2.<br><br>I'm a long-time protobuf user but wasn't previously aware of the CBOR RFC. Thanks for the pointer.<br><br> - Murray</span></span></td></tr></tbody></table><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 25, 2016 at 9:26 AM, Robert Edmonds <span dir="ltr"><<a href="mailto:edmonds@mycre.ws" target="_blank">edmonds@mycre.ws</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Murray Stokely wrote:<br>
> I'm having trouble getting anything out of dnstap with unbound 1.5.10 on<br>
> FreeBSD 11-STABLE with dustup gocode freshly installed.<br>
><br>
> I've run the fstrm 0.2.0 unit tests on this box to verify that<br>
> reading/writing to the unix domain sockets is working properly (has anyone<br>
> evaluated GRPC rather than fstrm now that google has released a transport<br>
> for protocol buffers?)<br>
<br>
</span>Hi, Murray:<br>
<br>
fstrm 0.3.0 was released a while ago which you might want to upgrade<br>
to. There was a bug fix in that release that affected establishing the<br>
Unix socket (<a href="https://github.com/farsightsec/fstrm/issues/17" rel="noreferrer" target="_blank">https://github.com/<wbr>farsightsec/fstrm/issues/17</a>).<br>
<br>
It looks like the FreeBSD ports system still has the older 0.2.0<br>
release.<br>
<br>
gRPC is interesting. I've looked at it a few times but never used it;<br>
like a lot of Google's open source projects, it doesn't have a good C<br>
binding, and with the exception of PowerDNS most DNS servers are<br>
implemented in C, not C++. If you wanted to add gRPC support to the<br>
dnstap ecosystem, it would probably be pretty easy to implement a bridge<br>
that accepts Frame Streams input over a Unix socket and outputs gRPC to<br>
an external endpoint. (This is also how I planned to implement TLS<br>
support. Implementing it as a bridge that speaks the plaintext Frame<br>
Streams protocol on the local host to the dnstap-enabled DNS server<br>
would let us keep the TLS stack out of the DNS server.)<br>
<br>
If I were re-implementing dnstap from scratch today, I would probably<br>
choose to rely on even less Google technology, so I'd probably choose a<br>
standardized format like CBOR over protobuf for the serialization<br>
format. (The dnstap message format uses protobuf 2 and relies on<br>
features in protobuf 2 like optional fields that have been removed from<br>
the protobuf 3 format.)<br>
<span class=""><br>
> The dnstap section of my unbound.conf is:<br>
><br>
> dnstap:<br>
> dnstap-enable: yes<br>
> dnstap-socket-path: "/var/run/unbound/dnstap.sock"<br>
> dnstap-send-identity: yes<br>
> dnstap-send-version: yes<br>
> dnstap-log-resolver-response-<wbr>messages: yes<br>
> dnstap-log-client-query-<wbr>messages: yes<br>
><br>
> I'm running unbound in a chroot, but I can't find the socket either in or<br>
> out of the chroot :<br>
<br>
</span>The dnstap-socket-path in unbound.conf is the path to a Unix socket that<br>
the dnstap client in Unbound will attempt to connect to (and re-connect,<br>
if the connection is broken), *not* a path that Unbound will bind a Unix<br>
socket to. So the dnstap socket won't appear in the filesystem until the<br>
dnstap listener is started.<br>
<br>
The dnstap client/server socket relationship was modeled on syslog,<br>
where the DNS server is a dnstap client (or syslog client). The idea was<br>
that you could have multiple DNS servers running on a single system all<br>
sending dnstap data to a single collector on the system, or (once TCP or<br>
TLS support was implemented, which hasn't happened yet), you could have<br>
a pool of machines running DNS servers sending dnstap data to a<br>
collector over the network.<br>
<span class=""><br>
> server:<br>
> directory: /usr/local/etc/unbound<br>
> chroot: /usr/local/etc/unbound<br>
><br>
> First I run two dustup listeners (as I'm not sure if its supposed to be<br>
> inside the chroot or not):<br>
><br>
> dnstap -u /var/run/unbound/dnstap.sock -w /root/dnstap.1<br>
><br>
> dnstap -u /usr/local/etc/unbound/var/<wbr>run/unbound/dnstap.sock -w<br>
> /root/dnstap.2<br>
<br>
</span>I'm actually not sure about this point without reading the code, but I<br>
think that the dnstap socket needs to be inside the chroot, because the<br>
connection can be broken and re-established during runtime (e.g. if the<br>
collector is restarted).<br>
<span class=""><br>
> Then I start unbound:<br>
><br>
> # sh /usr/local/etc/rc.d/unbound start<br>
><br>
> Obtaining a trust anchor:.<br>
><br>
> Starting unbound.<br>
><br>
> [1477374748] unbound[10467:0] debug: creating udp4 socket 0.0.0.0 53<br>
> [1477374748] unbound[10467:0] debug: creating tcp4 socket 0.0.0.0 53<br>
> [1477374748] unbound[10467:0] debug: switching log to syslog<br>
><br>
> unbound works fine, but I am not seeing anything written out to my<br>
> /root/dnstap files.<br>
<br>
</span>Have you looked in syslog? The dnstap client in Unbound should generate<br>
some log messages, at least.<br>
<span class=""><br>
> I spent a little time playing around with ktrace and dtrace but I haven't<br>
> yet really figured out what is going on or why it is not writing out logs.<br>
><br>
> Any pointers for debugging why messages don't seem to be getting sent to<br>
> the domain socket? Thanks,<br>
<br>
</span>You might also ask on the unbound-users mailing list if we can't get<br>
your problem solved here :-)<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Robert Edmonds<br>
</font></span></blockquote></div><br></div>