Python Dnstap receiver
Project description
Dnstap receiver
This Python module acts as a dnstap receiver: it reads dnstap messages from a DNS server over a unix socket and streams them as JSON, YAML or short text payloads to a remote TCP address or directly to stdout.
Table of contents
- Installation
- Show help usage
- Start dnstap receiver
- Output formats
- Tested DNS servers
- Tested Logs Collectors
- Systemd service file configuration
- About
Installation
Install the dnstap receiver on your DNS server with pip:
pip install dnstap_receiver
Show help usage
dnstap_receiver --help
usage: dnstap_receiver.py [-h] -u U [-v] [-y] [-j] [-d D]
optional arguments:
-h, --help show this help message and exit
-u U read dnstap payloads using framestreams from unix socket
-v verbose mode
-y write YAML-formatted output
-j write JSON-formatted output
-d D send dnstap message to remote tcp/ip address
Start dnstap receiver
The 'dnstap_receiver' binary reads dnstap frames from the unix socket given with -u. With no other options the decoded messages are printed directly to stdout in the short text format:
dnstap_receiver -u /var/run/dnstap.sock
To send the messages as JSON to a remote TCP collector instead, add -j for the format and -d for the collector address:
dnstap_receiver -u /var/run/dnstap.sock -j -d 10.0.0.2:8192
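What travels over that unix socket is Frame Streams (fstrm) framing with dnstap protobuf messages inside the data frames. The following is an added example, not code from the dnstap_receiver project: it implements only the framing layer (data frames, control frames, the READY/ACCEPT/START/STOP handshake that an fstrm-based sender performs on a socket) and leaves the dnstap protobuf payload opaque. The constants follow the fstrm control protocol; the session at the bottom is constructed and its data payloads are placeholders, not real dnstap messages.

```python
"""Frame Streams (fstrm) framing as spoken on the dnstap unix socket.
Added example, not code from the dnstap_receiver project."""
import struct

# Control frame types and the content-type field from the fstrm control protocol.
ACCEPT, START, STOP, READY, FINISH = 1, 2, 3, 4, 5
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_CONTROL_LEN = 512  # upper bound fstrm places on a control frame body


def encode_data(payload: bytes) -> bytes:
    """Data frame: 4-byte big-endian length, then the payload."""
    if not payload:
        raise ValueError("a zero-length frame is the control escape, not data")
    return struct.pack("!I", len(payload)) + payload


def encode_control(ctype: int, content_types=()) -> bytes:
    """Control frame: 0x00000000 escape, 4-byte body length, then the body
    (4-byte control type followed by type/length/value fields)."""
    body = struct.pack("!I", ctype)
    for ct in content_types:
        body += struct.pack("!II", FIELD_CONTENT_TYPE, len(ct)) + ct
    if len(body) > MAX_CONTROL_LEN:
        raise ValueError("control frame body exceeds %d bytes" % MAX_CONTROL_LEN)
    return struct.pack("!II", 0, len(body)) + body


def decode_frames(buf: bytes):
    """Yield ("data", payload) or ("control", ctype, [content types]).
    Every length is bounds-checked before slicing, so a truncated or
    oversized frame raises ValueError instead of being guessed at."""
    off, n = 0, len(buf)
    while off < n:
        if off + 4 > n:
            raise ValueError("truncated frame length at offset %d" % off)
        (length,) = struct.unpack_from("!I", buf, off)
        off += 4
        if length:  # non-zero length: data frame
            if off + length > n:
                raise ValueError("truncated data frame at offset %d" % off)
            yield ("data", bytes(buf[off:off + length]))
            off += length
            continue
        # zero length is the escape: a control frame follows
        if off + 4 > n:
            raise ValueError("truncated control frame length")
        (clen,) = struct.unpack_from("!I", buf, off)
        off += 4
        if clen < 4 or clen > MAX_CONTROL_LEN or off + clen > n:
            raise ValueError("bad control frame length %d" % clen)
        body = buf[off:off + clen]
        off += clen
        (ctype,) = struct.unpack_from("!I", body, 0)
        fields, pos = [], 4
        while pos < clen:
            if pos + 8 > clen:
                raise ValueError("truncated control field header")
            ftype, flen = struct.unpack_from("!II", body, pos)
            pos += 8
            if pos + flen > clen:
                raise ValueError("truncated control field value")
            if ftype == FIELD_CONTENT_TYPE:
                fields.append(bytes(body[pos:pos + flen]))
            pos += flen
        yield ("control", ctype, fields)


def is_wellformed(buf: bytes) -> bool:
    """True if the whole buffer parses as a sequence of complete frames."""
    try:
        for _ in decode_frames(buf):
            pass
        return True
    except ValueError:
        return False


def receiver_accept(ready_frame: bytes) -> bytes:
    """Receiver side of the handshake: the sender's READY must offer the
    dnstap content type; the reply is an ACCEPT echoing that type."""
    frames = list(decode_frames(ready_frame))
    if len(frames) != 1 or frames[0][0] != "control" or frames[0][1] != READY:
        raise ValueError("expected exactly one READY control frame")
    if DNSTAP_CONTENT_TYPE not in frames[0][2]:
        raise ValueError("sender does not offer %r" % DNSTAP_CONTENT_TYPE)
    return encode_control(ACCEPT, [DNSTAP_CONTENT_TYPE])


def demo_session():
    """Constructed sender stream after the handshake: START, two placeholder
    data frames (not real dnstap protobufs), STOP.  Returns the decoded frames."""
    stream = (encode_control(START, [DNSTAP_CONTENT_TYPE])
              + encode_data(b"\x01placeholder-1")
              + encode_data(b"\x02placeholder-2")
              + encode_control(STOP))
    return list(decode_frames(stream))


if __name__ == "__main__":
    print("ACCEPT:", receiver_accept(encode_control(READY, [DNSTAP_CONTENT_TYPE])).hex())
    for frame in demo_session():
        print(frame)
```

The bounds checks are the part worth copying: the socket is writable by the DNS server process, and a receiver that trusts a frame length before checking it against what it has read will mis-parse the rest of the stream.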
Output formats
Several output formats are supported:
- short text output
- JSON
- YAML
Short text
2020-09-12 14:15:00.551 CLIENT_QUERY NOERROR 192.168.1.114 46528 IP4 TCP 43b www.google.com. A
2020-09-12 14:15:00.551 CLIENT_RESPONSE NOERROR 192.168.1.114 46528 IP4 TCP 101b www.google.com. A
JSON-formatted
CLIENT_QUERY / FORWARDER_QUERY / RESOLVER_QUERY
{
"message": "CLIENT_QUERY",
"s_family": "IPv4",
"s_proto": "TCP",
"q_addr": "127.0.0.1",
"q_port": 43935,
"dt_query": "2020-09-12 10:41:36.591",
"q_name": "www.google.com.",
"q_type": "A"
}
CLIENT_RESPONSE / FORWARDER_RESPONSE / RESOLVER_RESPONSE
{
"r_code": "NOERROR",
"port": 52782,
"q_name":"rpc.gandi.net.",
"s_family":"IPv4",
"r_bytes": 47,
"dt_reply": "2020-05-24 03:30:01.411",
"q_addr": "10.0.0.235",
"host": "10.0.0.97",
"message": "CLIENT_RESPONSE",
"q_type": "A",
"s_proto": "UDP",
"dt_query": "2020-05-24 03:30:01.376",
"q_port": 40311,
"q_time": 0.035
}
YAML-formatted
CLIENT_QUERY / FORWARDER_QUERY / RESOLVER_QUERY
code: NOERROR
length: 49
message: RESOLVER_QUERY
protocol: IP4
query-name: dns4.comlaude-dns.eu.
query-type: AAAA
source-ip: '-'
source-port: '-'
timestamp: '2020-09-12 14:13:53.948'
transport: UDP
CLIENT_RESPONSE / FORWARDER_RESPONSE / RESOLVER_RESPONSE
code: NOERROR
length: 198
message: RESOLVER_RESPONSE
protocol: IP4
query-name: dns3.comlaude-dns.co.uk.
query-type: AAAA
source-ip: '-'
source-port: '-'
timestamp: '2020-09-12 14:13:54.000'
transport: UDP
Tested DNS servers
This dnstap receiver has been tested successfully with the following DNS servers:
- PowerDNS - dnsdist
- NLnet Labs - unbound
dnsdist
Add the following lines to /etc/dnsdist/dnsdist.conf so that every query and every response is logged to the unix socket the receiver listens on:
fsul = newFrameStreamUnixLogger("/var/run/dnstap.sock")
addAction(AllRule(), DnstapLogAction(fsul))
addResponseAction(AllRule(), DnstapLogResponseAction(fsul))
unbound
Unbound must be built with dnstap support (./configure --enable-dnstap). Then add the following block to /etc/unbound/unbound.conf. dnstap-socket-path must name the same socket that dnstap_receiver is started with (-u), and the dnstap-log-* options select which of the query and response message types are emitted:
dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-resolver-query-messages: yes
    dnstap-log-resolver-response-messages: yes
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
    dnstap-log-forwarder-query-messages: yes
    dnstap-log-forwarder-response-messages: yes
Tested log collectors
Logstash
Nothing on the receiver side authenticates or encrypts the TCP stream it sends with -d, so bind the tcp input to the address the DNS server is expected to reach (host => "10.0.0.2" with the commands above) and restrict the port with a firewall rule rather than leaving it open on every interface.
vim /etc/logstash/conf.d/00-dnstap.conf
input {
  tcp {
    port => 8192
    codec => json
  }
}
filter {
  date {
    match => [ "dt_query" , "yyyy-MM-dd HH:mm:ss.SSS" ]
    target => "@timestamp"
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "dnstap-lb"
  }
}
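The JSON output shown in the Output formats section is easy to consume without a full Logstash pipeline. The following is an added example, not code from the dnstap_receiver project and not a replacement for the Logstash configuration above: a small TCP collector for the receiver's JSON stream with some detection logic on top (per-client query counts, clients with a high NXDOMAIN share, slow responses). The field names (message, q_addr, q_name, r_code, q_time, dt_query) are those of the JSON samples on this page; that the receiver delivers one JSON object per line over the connection is an assumption of this example (it is what the Logstash tcp input with the json codec consumes). The SAMPLE stream at the bottom is constructed, not a capture.

```python
"""Collector and detection logic for dnstap_receiver's JSON output.
Added example, not code from the dnstap_receiver project."""
import json
import socketserver
from collections import Counter, defaultdict

NXDOMAIN_SHARE = 0.5   # flag a client once this share of its responses is NXDOMAIN
MIN_RESPONSES = 3      # ...and it has produced at least this many responses
SLOW_SECONDS = 0.25    # flag responses whose q_time exceeds this


class Stats:
    def __init__(self):
        self.queries = Counter()            # q_addr -> query count
        self.rcodes = defaultdict(Counter)  # q_addr -> Counter of r_code
        self.slow = []                      # (q_addr, q_name, q_time)
        self.malformed = 0

    def ingest(self, line: str) -> None:
        """Account one JSON-encoded dnstap message; bad input is counted, not fatal."""
        try:
            msg = json.loads(line)
        except ValueError:
            self.malformed += 1
            return
        if not isinstance(msg, dict):
            self.malformed += 1
            return
        addr = str(msg.get("q_addr", "-"))
        kind = str(msg.get("message", ""))
        if kind.endswith("_QUERY"):
            self.queries[addr] += 1
        elif kind.endswith("_RESPONSE"):
            self.rcodes[addr][str(msg.get("r_code", "?"))] += 1
            q_time = msg.get("q_time")
            if isinstance(q_time, (int, float)) and q_time > SLOW_SECONDS:
                self.slow.append((addr, msg.get("q_name"), q_time))

    def suspicious_clients(self):
        """Clients with a high NXDOMAIN share, a crude signal for DGA lookups
        or hostname brute-forcing.  Returns sorted (q_addr, share, responses)."""
        found = []
        for addr, codes in self.rcodes.items():
            total = sum(codes.values())
            share = codes["NXDOMAIN"] / total if total else 0.0
            if total >= MIN_RESPONSES and share >= NXDOMAIN_SHARE:
                found.append((addr, round(share, 2), total))
        return sorted(found)


def analyse(lines) -> Stats:
    """Run the detection over any iterable of JSON lines (file, list, socket)."""
    stats = Stats()
    for line in lines:
        if line.strip():
            stats.ingest(line)
    return stats


class DnstapJsonHandler(socketserver.StreamRequestHandler):
    """One connection from `dnstap_receiver -j -d host:port`; assumes one JSON object per line."""
    def handle(self):
        for raw in self.rfile:
            self.server.stats.ingest(raw.decode("utf-8", "replace"))


def serve(host: str, port: int = 8192):
    """Listen like the Logstash tcp input does.  Bind to the collector's own
    address rather than 0.0.0.0: the stream carries no authentication."""
    server = socketserver.ThreadingTCPServer((host, port), DnstapJsonHandler)
    server.stats = Stats()
    server.serve_forever()


# Constructed sample shaped like the page's JSON output (not a real capture).
SAMPLE = """\
{"message": "CLIENT_QUERY", "q_addr": "192.168.1.114", "q_port": 46528, "q_name": "www.google.com.", "q_type": "A", "dt_query": "2020-09-12 14:15:00.551"}
{"message": "CLIENT_RESPONSE", "q_addr": "192.168.1.114", "q_name": "www.google.com.", "q_type": "A", "r_code": "NOERROR", "q_time": 0.012}
{"message": "CLIENT_QUERY", "q_addr": "10.0.0.235", "q_name": "kq7x2n.example.", "q_type": "A", "dt_query": "2020-09-12 14:15:01.002"}
{"message": "CLIENT_RESPONSE", "q_addr": "10.0.0.235", "q_name": "kq7x2n.example.", "q_type": "A", "r_code": "NXDOMAIN", "q_time": 0.301}
{"message": "CLIENT_QUERY", "q_addr": "10.0.0.235", "q_name": "p9v4ww.example.", "q_type": "A", "dt_query": "2020-09-12 14:15:01.410"}
{"message": "CLIENT_RESPONSE", "q_addr": "10.0.0.235", "q_name": "p9v4ww.example.", "q_type": "A", "r_code": "NXDOMAIN", "q_time": 0.288}
{"message": "CLIENT_QUERY", "q_addr": "10.0.0.235", "q_name": "rpc.gandi.net.", "q_type": "A", "dt_query": "2020-09-12 14:15:02.100"}
{"message": "CLIENT_RESPONSE", "q_addr": "10.0.0.235", "q_name": "rpc.gandi.net.", "q_type": "A", "r_code": "NOERROR", "q_time": 0.035}
this line is not JSON and is counted as malformed
"""

if __name__ == "__main__":
    s = analyse(SAMPLE.splitlines())
    print("queries per client:", dict(s.queries))
    print("suspicious:", s.suspicious_clients())
    print("slow:", s.slow, "malformed:", s.malformed)
    # serve("10.0.0.2", 8192) would run the collector the receiver example points at
```

On the constructed sample the client 10.0.0.235 is flagged with an NXDOMAIN share of 0.67 over three responses, and its two responses above 250 ms are listed as slow; the non-JSON trailer is counted rather than crashing the collector.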
Systemd service file configuration
Systemd unit file for CentOS. The socket path given to -u must be the one your DNS server writes to (the dnsdist example above uses /var/run/dnstap.sock), and the collector address is passed with -d; -j only selects JSON output. The receiver needs nothing more than permission to connect to the dnstap socket, so User= can be a dedicated unprivileged account with access to that socket instead of root:
vim /etc/systemd/system/dnstap_receiver.service
[Unit]
Description=Python DNS tap Service
After=network.target

[Service]
ExecStart=/usr/local/bin/dnstap_receiver -u /etc/dnsdist/dnstap.sock -j -d 10.0.0.2:8192
Restart=on-abort
Type=simple
User=root

[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start dnstap_receiver
systemctl status dnstap_receiver
systemctl enable dnstap_receiver
About
| Author | Denis Machard d.machard@gmail.com |
| License | MIT |
| PyPI | https://pypi.org/project/dnstap_receiver/ |
Download files
File details
Details for the file dnstap_receiver-0.3.0.tar.gz.
File metadata
- Download URL: dnstap_receiver-0.3.0.tar.gz
- Upload date:
- Size: 8.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.49.0 CPython/3.7.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 752cfdec45393e03463684bb411cdcdab54b20faa35cd2a84b5ad6475a9706dc |
| MD5 | ab8ee333ffcb5c02ec1829caf179df0e |
| BLAKE2b-256 | c1a65259dd343d979bc2ebbed8d445b14de5eca01e519fea54722e75ef6f81c7 |
File details
Details for the file dnstap_receiver-0.3.0-py3-none-any.whl.
File metadata
- Download URL: dnstap_receiver-0.3.0-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.49.0 CPython/3.7.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 983699f02f6890f4cab814c77a040be136aabf0a01e2cafbfa3b13c8a8c8b34a |
| MD5 | d7ea8eac36a7e8e17f18424d524a2a41 |
| BLAKE2b-256 | 256be7c23054cd76102568340d2d682a728f13e804292e7b92a121c7daf68b24 |
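The digests above are what lets you pin this release rather than trust whatever the index serves next time. The following is an added example, not part of the project: it verifies a downloaded 0.3.0 artifact against the SHA256 digests listed on this page and builds the hash-pinned line for a requirements file used with pip install --require-hashes. The two digests are copied from the tables above; the path you pass is whatever pip download --no-deps dnstap_receiver==0.3.0 left on disk, and the file used in the demo is constructed.

```python
"""Verify a dnstap_receiver 0.3.0 download against the published SHA256
digests and emit a hash-pinned requirements line.  Added example, not
part of the project."""
import hashlib
import hmac
import os
import tempfile

# SHA256 digests of the 0.3.0 files as listed on this page.
PUBLISHED_SHA256 = {
    "dnstap_receiver-0.3.0.tar.gz":
        "752cfdec45393e03463684bb411cdcdab54b20faa35cd2a84b5ad6475a9706dc",
    "dnstap_receiver-0.3.0-py3-none-any.whl":
        "983699f02f6890f4cab814c77a040be136aabf0a01e2cafbfa3b13c8a8c8b34a",
}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large artifacts are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path: str, expected_sha256: str) -> bool:
    """Constant-time comparison against the expected hex digest.  Only SHA256
    is checked: the MD5 on the page is not collision resistant and adds nothing."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.strip().lower())


def verify_artifact(path: str) -> bool:
    """Look the file up by name in the published table, then verify it."""
    name = os.path.basename(path)
    if name not in PUBLISHED_SHA256:
        raise KeyError("no published SHA256 for %s" % name)
    return verify(path, PUBLISHED_SHA256[name])


def requirements_line(project="dnstap_receiver", version="0.3.0",
                      digests=PUBLISHED_SHA256) -> str:
    """Line for `pip install --require-hashes -r requirements.txt`.  pip accepts
    a file matching any listed --hash, so both the sdist and the wheel are pinned."""
    hashes = " ".join("--hash=sha256:%s" % d for d in sorted(digests.values()))
    return "%s==%s %s" % (project, version, hashes)


def write_temp(name: str, data: bytes) -> str:
    """Helper for the demo: write bytes into a fresh temp dir and return the path."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # No real artifact on disk here, so demonstrate with a constructed file:
    # its digest does not match the published one and verification fails.
    p = write_temp("dnstap_receiver-0.3.0.tar.gz", b"not the real sdist")
    print("verify_artifact ->", verify_artifact(p))
    print(requirements_line())
```

With the real sdist or wheel in place of the constructed file, verify_artifact returns True only when the file's SHA256 equals the published digest; the requirements line it prints makes pip refuse any other file for this version.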