dnstap introduction and status update
play

dnstap: introduction and status update Robert Edmonds - PowerPoint PPT Presentation

Feb 03, 2023 •141 likes •336 views

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

  1. dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

  2. URL  http://dnstap.info – Documentation – Presentations – Tutorials – Mailing list – Downloads – Code repositories dnstap Slide 2 of 18

  3. Introduction  It's Protocol Buffers logging for DNS software.  Schema file located here: https://github.com/dnstap/dnstap.pb/blob/master/dnstap.proto – dnstap Slide 3 of 18

  4. Protocol Buffers  Natural fit for DNS data. – Binary clean. – Efficient encoding. – Extendable.  Implementations available for many programming languages. – C, C++, Java, Python, Go, etc. dnstap Slide 4 of 18

  5. Schema  Top-level Dnstap container message with fields: – identity : “NSID” analog. – version : “version.bind” analog. – extra : arbitrary annotation. – type : type of the contained message. – One of the following: ● message : wire-format DNS message + metadata. ● More possibilities to come. dnstap Slide 5 of 18

  6. Schema  Message type encapsulates DNS wire-format messages. – type : AUTH_QUERY, AUTH_RESPONSE, RESOLVER_QUERY, RESOLVER_RESPONSE, ..., TOOL_QUERY, TOOL_RESPONSE – socket_family : INET, INET6 – socket_protocol : UDP, TCP – query_address, query_port – response_address, response_port – query_time_sec, query_time_nsec – query_message – query_zone – response_time_sec, response_time_nsec – response_message dnstap Slide 6 of 18

  7. Framing  Protobuf packs one payload at a time.  How to pack a stream of many payloads?  Solution: “Frame Streams”. – Write the payload length (32-bit integer). – Write the actual payload (variable length). – Repeat. dnstap Slide 7 of 18

  8. “Frame Streams”  Lightweight protocol for streaming data frames. – Stream over a socket. – Or, read/write a file.  Doesn't need to know how the data frames are encoded.  Reference libfstrm implementation in C.  Easy to parse. Python decoder is ~50 lines, no external dependencies. dnstap Slide 8 of 18

  9. Use cases  These can all be accomplished with the dnstap/Message schema: – Interchange format for tools. – Passive DNS replication. – Query logging. dnstap Slide 9 of 18

  10. Interchange format  Many tools send/receive DNS messages. – dig/delv(e), drill, kdig – looking glasses  Immediately converted from DNS wire format to some other format. – Traditional “dig style” – JSON – ??? dnstap Slide 10 of 18

  11. Interchange format  Save a copy of the original DNS messages. – Display the message trace now or later. – Be able to refer to the original verbatim wire message, instead of whatever the tool printed to stdout.  Looking glasses can communicate the exact response as received, rather than transcoding into, e.g. JSON. dnstap Slide 11 of 18

  12. Passive DNS replication  Usually done by logging of authoritative responses to resolver initiated queries.  Actually, instead of capturing the responses , the packets containing the responses are captured. – UDP responses may be spoofed. – IP fragments, TCP segments, UDP checksums... dnstap Slide 12 of 18

  13. Passive DNS replication  Because packet capture occurs outside of the DNS server, a critical piece of information is missing: the bailiwick of the transaction. – Must be laboriously reconstructed in order to avoid poisoning: “passive DNS bailiwick algorithm”.  dnstap alternative: the DNS server can just log the needed information. dnstap Slide 13 of 18

  14. Query logging  Log the queries the server receives.  Metadata that would be nice to have: – Recursive case: whether the query hit a cache. – Authoritative case: which zone a query was served from. dnstap Slide 14 of 18

  15. dnstap Slide 15 of 18

  16. dnstap components  Flexible, structured log format for DNS software. – dnstap.pb  Helper libraries for adding support to DNS software. – libfstrm, libprotobuf-c  Patch sets that integrate dnstap support into existing DNS software. – Unbound, Knot  Capture tools for receiving dnstap messages from dnstap-enabled software. dnstap Slide 16 of 18

  17. Status update  fstrm library under heavy development  protobuf-c 1.0.0 release candidate  Unbound patchset rebased against 1.4.22, almost complete  Work on Knot/kdig patchset begun dnstap Slide 17 of 18

  18. URL  http://dnstap.info – Documentation – Presentations – Tutorials – Mailing list – Downloads – Code repositories dnstap Slide 18 of 18

Recommend

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and

Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and

8/12/2016 Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and calibration (Bjorn Van IWT-Tetra project Tilt / Toon Goedem) 14:00h Status update abnormal behaviour detection (Kristof Van

378 views • 16 slides
Programme Update Status Update, Six Month Report & Change Request Status Update Lake

Programme Update Status Update, Six Month Report & Change Request Status Update Lake

Programme Update Status Update, Six Month Report & Change Request Status Update Lake Rotorua Low Nitrogen Land Use Fund Round 2 Recommendations. Incentives Scheme 20T Achieved, 25T in pipeline. Strategic Review for new

149 views • 12 slides
The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC Importance of Measuring DNS High volume low latency datagram protocol sie-xyzzy1 547,128,709,757 bytes,

323 views • 17 slides
Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction

ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction

ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction Construction status Injector commissioning Accelerating modules & Cryogenics Beam transport system Ongoing work Future

911 views • 61 slides
19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6

19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6

EBCC Presentation 19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6 Month Operational Review 4. Focus for 2018/19 5. Security Review 6. Modification Update 7. Project Update 8. Any Other

301 views • 27 slides
MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der

MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der

MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der Helmholtz-Gemeinschaft 10 September 2013 46. PANDA Meeting, Ruhr-University-Bochum 1 Content Introduction to TOFPET/PASTA Status of analogue

606 views • 27 slides
dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers that return custom responses Diagnostics Experimentation Result passed through to the original client Examples: DNS whoami

265 views • 25 slides
WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update

WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update

WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update Updated Modelling Quality Objective & Guidance Document MQO for forecasting Composite Mapping Exceedance Modelling & Fit for

760 views • 42 slides
Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who

Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who

Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who is Using iTwo and how they are using it. Conclusion Previous Page Next Page Introduction and Status Update Previous Page Next Page Business

540 views • 32 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

786 views • 40 slides
CED Status Update Theo Larrieu Outline Software Status Recent Developments Future

CED Status Update Theo Larrieu Outline Software Status Recent Developments Future

CED Status Update Theo Larrieu Outline Software Status Recent Developments Future Developments Contents Status Adding, Updating, Removing data CED / Songsheets relationship Status - HLAPPS All new and many (most?)

513 views • 14 slides
October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period

October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period

October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period Ending September 30, 2009 Category Budget Actual Taxes $105,601,600 $ 6,614,192 License & Permits $ 1,467,031 $ 566,344

314 views • 12 slides
Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model

Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model

Model Status Update July 01, 2015 Agenda Purpose Model Development Update Model Calibration Status Next Steps Schedule Public Input Purpose Inform stakeholders on status of model development Provide more detailed

325 views • 30 slides
Governing Board Meeting October 18, 2012 1 Agenda Introduction OBTS Status

Governing Board Meeting October 18, 2012 1 Agenda Introduction OBTS Status

State of Connecticut Criminal Justice Information System Governing Board Meeting October 18, 2012 1 Agenda Introduction OBTS Status CIDRIS Status CISS Update Program Management Business Technology IV

428 views • 27 slides
1 Milestones Status Update Milestones Status Update #1 Completion of the basic visualization

1 Milestones Status Update Milestones Status Update #1 Completion of the basic visualization

Update Powerset Viewer: A Datamining Application Jordan Lee 1 2 Update Update Completed Tools and Features Completed Tools and Features And relevant GUI widgets And relevant GUI widgets Implemented animation between zoom

197 views • 4 slides
Muon Accelerator Program Monthly Status Review December 14, 2012 Outline Introduction

Muon Accelerator Program Monthly Status Review December 14, 2012 Outline Introduction

Muon Accelerator Program Monthly Status Review December 14, 2012 Outline Introduction MAP Management Update L2 Manager Updates AOB December 14, 2012 MAP Monthly Status Report 2 Introduction Goals for our monthly status

398 views • 23 slides
systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA

systemd in Debian - a status update Michael Biebl July 5, 2016 introduction polish and QA trimming the base OS getting rid of legacy cruft polish and QA stable updates 4 stable point releases in jessie bug fixes and

550 views • 13 slides
Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software

Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software

Descartes - Introduction and Status Update Prof. Samuel Kounev, Uni Wrzburg Chair of Software Engineering University of Wrzburg http://se.informatik.uni-wuerzburg.de/ http://descartes.tools 1 pmw.fortiss.org Munich, November 5th, 2015

304 views • 16 slides
SWRC FALL WORKSHOP MMSW Update for SWRC September 23/25, 2014 Presentation Overview

SWRC FALL WORKSHOP MMSW Update for SWRC September 23/25, 2014 Presentation Overview

SWRC FALL WORKSHOP MMSW Update for SWRC September 23/25, 2014 Presentation Overview Introduction Program Status Update Advisory Committee Status Update Questions and Discussions 2 Who is MMSW? MMSW is a not-for-profit

475 views • 25 slides
Project Update RTWG June 25, 2015 Chuck Jennings, PMO Current Project Status Status

Project Update RTWG June 25, 2015 Chuck Jennings, PMO Current Project Status Status

Z2 Crediting Project Update RTWG June 25, 2015 Chuck Jennings, PMO Current Project Status Status Project Phase: Design Status: Green Changes to requirements/scope: NA In process work: Functional Design sessions

537 views • 11 slides

More recommend