dnstap: introduction and status update - Robert Edmonds - PowerPoint PPT Presentation

SLIDE 1

dnstap: introduction and status update

Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

SLIDE 2

dnstap Slide 2 of 18

URL

• http://dnstap.info
– Documentation
– Presentations
– Tutorials
– Mailing list
– Downloads
– Code repositories

SLIDE 3

Introduction

• It's Protocol Buffers logging for DNS software.
• Schema file located here:

https://github.com/dnstap/dnstap.pb/blob/master/dnstap.proto

SLIDE 4

Protocol Buffers

• Natural fit for DNS data.
– Binary clean: a DNS wire-format message is carried verbatim as a bytes field.
– Efficient encoding.
– Extendable: new fields can be added without breaking existing consumers.

• Implementations available for many programming languages.
– C, C++, Java, Python, Go, etc.

SLIDE 5

Schema

• Top-level Dnstap container message with fields:
– identity: “NSID” analog.
– version: “version.bind” analog.
– extra: arbitrary annotation.
– type: type of the contained message.
– One of the following:
  • message: wire-format DNS message + metadata.
  • More possibilities to come.

SLIDE 6

Schema

• Message type encapsulates DNS wire-format messages.
– type: AUTH_QUERY, AUTH_RESPONSE, RESOLVER_QUERY, RESOLVER_RESPONSE, ..., TOOL_QUERY, TOOL_RESPONSE
– socket_family: INET, INET6
– socket_protocol: UDP, TCP
– query_address, query_port
– response_address, response_port
– query_time_sec, query_time_nsec
– query_message
– query_zone
– response_time_sec, response_time_nsec
– response_message
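As an added example (not code from the dnstap project or from this deck), here is the container and Message above encoded by hand with the Protocol Buffers wire format, so the schema can be read and written without protoc or generated code. The field numbers, wire types and enum values are recalled from dnstap.proto and should be checked against the schema file before being relied on; the query bytes, addresses and timestamps are constructed sample data.

```python
"""Hand-rolled Protocol Buffers encoding and decoding of dnstap's Dnstap and Message."""
import struct

# Field numbers and wire types as recalled from dnstap.proto (verify against the schema).
# "bytes" covers bytes fields and the embedded Message alike: both are length-delimited.
DNSTAP_FIELDS = {
    "identity": (1, "bytes"), "version": (2, "bytes"), "extra": (3, "bytes"),
    "message": (14, "bytes"), "type": (15, "varint"),
}
MESSAGE_FIELDS = {
    "type": (1, "varint"), "socket_family": (2, "varint"), "socket_protocol": (3, "varint"),
    "query_address": (4, "bytes"), "response_address": (5, "bytes"),
    "query_port": (6, "varint"), "response_port": (7, "varint"),
    "query_time_sec": (8, "varint"), "query_time_nsec": (9, "fixed32"),
    "query_message": (10, "bytes"), "query_zone": (11, "bytes"),
    "response_time_sec": (12, "varint"), "response_time_nsec": (13, "fixed32"),
    "response_message": (14, "bytes"),
}
DNSTAP_TYPE_MESSAGE = 1                   # Dnstap.Type.MESSAGE
RESOLVER_QUERY, RESOLVER_RESPONSE = 3, 4  # Message.Type values (assumed numbering)
INET, INET6, UDP, TCP = 1, 2, 1, 2        # SocketFamily / SocketProtocol values
WIRE = {"varint": 0, "bytes": 2, "fixed32": 5}


def _varint(n):
    """Base-128 varint, least significant group first."""
    if n < 0:
        raise ValueError("negative varint")
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def _read_varint(buf, pos):
    shift = result = 0
    while True:
        if shift > 63:
            raise ValueError("varint too long")
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, pos


def encode(fields, values):
    """Encode a dict of field name -> value using the given field map."""
    out = bytearray()
    for name, value in values.items():
        num, kind = fields[name]
        out += _varint(num << 3 | WIRE[kind])
        if kind == "varint":
            out += _varint(value)
        elif kind == "fixed32":
            out += struct.pack("<I", value)  # protobuf fixed32 is little-endian
        else:
            out += _varint(len(value)) + value
    return bytes(out)


def decode(fields, buf):
    """Decode buf into a dict, skipping unknown field numbers (that is what keeps the schema extendable)."""
    by_num = {num: (name, kind) for name, (num, kind) in fields.items()}
    pos, values = 0, {}
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        num, wt = key >> 3, key & 7
        if wt == 0:
            value, pos = _read_varint(buf, pos)
        elif wt == 5:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            (value,) = struct.unpack_from("<I", buf, pos)
            pos += 4
        elif wt == 2:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError("unsupported wire type %d" % wt)
        if num in by_num:
            name, kind = by_num[num]
            if WIRE[kind] != wt:
                raise ValueError("wire type mismatch for %s" % name)
            values[name] = value
    return values


def encode_dnstap(message_values, identity=b"", version=b""):
    inner = encode(MESSAGE_FIELDS, message_values)
    return encode(DNSTAP_FIELDS, {"identity": identity, "version": version,
                                  "type": DNSTAP_TYPE_MESSAGE, "message": inner})


def decode_dnstap(buf):
    outer = decode(DNSTAP_FIELDS, buf)
    if outer.get("type") != DNSTAP_TYPE_MESSAGE or "message" not in outer:
        raise ValueError("not a dnstap Message payload")
    outer["message"] = decode(MESSAGE_FIELDS, outer["message"])
    return outer


# Constructed sample (not captured traffic): a resolver's outbound query for www.example.com.
SAMPLE_QUERY = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # header, qdcount=1
                b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")    # www.example.com A IN
SAMPLE_MESSAGE = {
    "type": RESOLVER_QUERY, "socket_family": INET, "socket_protocol": UDP,
    "query_address": bytes([192, 0, 2, 1]),          # resolver, raw octets (RFC 5737 range)
    "response_address": bytes([198, 51, 100, 53]),   # authoritative server
    "query_port": 40000, "response_port": 53,
    "query_time_sec": 1400000000, "query_time_nsec": 123456789,
    "query_message": SAMPLE_QUERY,
    "query_zone": b"\x07example\x03com\x00",          # bailiwick, in wire format
}
```

A consumer built this way keeps working when a newer producer adds fields it does not know, and rejects truncated or mis-typed input with an exception instead of reading past the buffer.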

SLIDE 7

Framing

• Protobuf packs one payload at a time.
• How to pack a stream of many payloads?
• Solution: “Frame Streams”.
– Write the payload length (32-bit integer, network byte order).
– Write the actual payload (variable length).
– Repeat.
– A length of zero is reserved as an escape for control frames (START/STOP, which carry the stream's content type), so a data frame is never empty.

SLIDE 8

“Frame Streams”

• Lightweight protocol for streaming data frames.
– Stream over a socket.
– Or, read/write a file.
• Doesn't need to know how the data frames are encoded.
• Reference libfstrm implementation in C.
• Easy to parse. Python decoder is ~50 lines, no external dependencies.
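The framing described on the two slides above, as an added example that is not libfstrm's code: a Python writer and reader for a unidirectional (file-style) Frame Streams stream. The control frame layout (a zero length as escape, then the control frame length, a 32-bit control type and optional type/length/value fields, all big-endian, with START=2, STOP=3 and CONTENT_TYPE=1) is taken from libfstrm as I recall it and should be checked against the library; MAX_FRAME is an assumed sanity bound, and the payloads are constructed sample bytes rather than real dnstap messages.

```python
"""Frame Streams (libfstrm framing) writer and reader for a unidirectional stream."""
import struct

# Control frame types and the content-type field, as recalled from libfstrm's
# fstrm/control.h (verify against the library).
CONTROL_ACCEPT, CONTROL_START, CONTROL_STOP, CONTROL_READY, CONTROL_FINISH = 1, 2, 3, 4, 5
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
MAX_FRAME = 256 * 1024  # assumed sanity bound: a corrupt length must not demand gigabytes


def _control_frame(ctype, content_type=None):
    """Escape (zero data length) + control frame length + control type + optional fields."""
    body = struct.pack(">I", ctype)
    if content_type is not None:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    return struct.pack(">II", 0, len(body)) + body


def write_stream(payloads, content_type=DNSTAP_CONTENT_TYPE):
    """Serialize payloads as START, length-prefixed data frames, STOP."""
    out = bytearray(_control_frame(CONTROL_START, content_type))
    for p in payloads:
        if len(p) == 0:
            raise ValueError("an empty data frame would be read as a control escape")
        out += struct.pack(">I", len(p)) + p
    out += _control_frame(CONTROL_STOP)
    return bytes(out)


def read_stream(data, expected_content_type=DNSTAP_CONTENT_TYPE):
    """Return (content_type, data_frames); raise ValueError on malformed or truncated input."""
    pos, content_type, frames, started, stopped = 0, None, [], False, False

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated stream")
        chunk = bytes(data[pos:pos + n])
        pos += n
        return chunk

    while pos < len(data):
        (length,) = struct.unpack(">I", take(4))
        if length == 0:  # a control frame follows the escape
            (clen,) = struct.unpack(">I", take(4))
            if clen < 4 or clen > MAX_FRAME:
                raise ValueError("bad control frame length")
            body = take(clen)
            (ctype,) = struct.unpack_from(">I", body, 0)
            fpos = 4
            while fpos < len(body):  # type/length/value control fields
                if fpos + 8 > len(body):
                    raise ValueError("truncated control field")
                ftype, flen = struct.unpack_from(">II", body, fpos)
                fpos += 8
                if fpos + flen > len(body):
                    raise ValueError("truncated control field")
                if ftype == FIELD_CONTENT_TYPE:
                    content_type = body[fpos:fpos + flen]
                fpos += flen
            if ctype == CONTROL_START:
                if started:
                    raise ValueError("duplicate START")
                if expected_content_type is not None and content_type != expected_content_type:
                    raise ValueError("unexpected content type %r" % content_type)
                started = True
            elif ctype == CONTROL_STOP:
                stopped = True
                break
            else:
                raise ValueError("control type %d not valid in a unidirectional stream" % ctype)
            continue
        if not started:
            raise ValueError("data frame before START")
        if length > MAX_FRAME:
            raise ValueError("data frame too large")
        frames.append(take(length))
    if not stopped:
        raise ValueError("stream ended without STOP")
    return content_type, frames
```

The reader checks the content type before accepting data frames, so a file of some other protobuf type is refused rather than mis-decoded; a bidirectional socket session additionally exchanges READY/ACCEPT before START and FINISH after STOP, which this file-oriented reader deliberately rejects.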

SLIDE 9

Use cases

• These can all be accomplished with the dnstap/Message schema:
– Interchange format for tools.
– Passive DNS replication.
– Query logging.

SLIDE 10

Interchange format

• Many tools send/receive DNS messages.
– dig/delv(e), drill, kdig
– looking glasses
• Immediately converted from DNS wire format to some other format.
– Traditional “dig style”
– JSON
– ???

SLIDE 11

Interchange format

• Save a copy of the original DNS messages.
– Display the message trace now or later.
– Be able to refer to the original verbatim wire message, instead of whatever the tool printed to stdout.
• Looking glasses can communicate the exact response as received, rather than transcoding into, e.g., JSON.

SLIDE 12

Passive DNS replication

• Usually done by logging authoritative responses to resolver-initiated queries.
• Actually, instead of capturing the responses, the packets containing the responses are captured, so the capture records what was on the wire rather than what the resolver accepted.
– UDP responses may be spoofed.
– IP fragments, TCP segments, UDP checksums...

SLIDE 13

Passive DNS replication

• Because packet capture occurs outside of the DNS server, a critical piece of information is missing: the bailiwick of the transaction.
– Must be laboriously reconstructed in order to avoid poisoning: “passive DNS bailiwick algorithm”.
• dnstap alternative: the DNS server can just log the needed information (the Message schema has a query_zone field for it).
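To show what “just log the needed information” buys the consumer, here is an added example (not part of the deck or of any dnstap tool) that applies a logged query_zone as the bailiwick and keeps only records at or below it, discarding the authority and additional records that an out-of-bailiwick response would otherwise plant in a passive DNS database. The response message and zone are constructed sample data; the rule used (owner name at or below the zone) is a simplification of full passive DNS bailiwick handling.

```python
"""Bailiwick filtering of a logged DNS response using the query_zone that dnstap records."""
import struct


def wire_name(dotted):
    """Encode a dotted name in DNS wire format ("." gives the root name b"\\x00")."""
    labels = [l for l in dotted.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def read_name(msg, pos, depth=0):
    """Decode a possibly compressed name at pos; return (lower-cased labels, next offset)."""
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        if n == 0:
            return labels, pos + 1
        if n & 0xC0 == 0xC0:                        # compression pointer
            if pos + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack_from(">H", msg, pos)[0] & 0x3FFF
            if ptr >= pos or depth > 16:            # must point backwards; bound pointer chains
                raise ValueError("bad compression pointer")
            tail, _ = read_name(msg, ptr, depth + 1)
            return labels + tail, pos + 2
        if n > 63 or pos + 1 + n > len(msg):
            raise ValueError("bad label")
        labels.append(bytes(msg[pos + 1:pos + 1 + n]).lower())
        pos += 1 + n


def parse_response(msg):
    """Return (section, owner_labels, rtype, rdata) for every RR in a response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    pos = 12
    for _ in range(qd):
        _, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise ValueError("truncated question")
        pos += 4                                    # QTYPE, QCLASS
    rrs = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, pos = read_name(msg, pos)
            if pos + 10 > len(msg):
                raise ValueError("truncated RR")
            rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
            pos += 10
            if pos + rdlen > len(msg):
                raise ValueError("truncated RDATA")
            rrs.append((section, owner, rtype, bytes(msg[pos:pos + rdlen])))
            pos += rdlen
    return rrs


def in_bailiwick(owner, zone):
    """True if owner is at or below zone (both as label lists; the root zone covers everything)."""
    if not zone:
        return True
    return len(owner) >= len(zone) and owner[-len(zone):] == zone


def filter_bailiwick(response_message, query_zone):
    """Split a response's RRs into those inside the logged query_zone and those outside it."""
    zone, _ = read_name(query_zone, 0)
    kept, dropped = [], []
    for rr in parse_response(response_message):
        (kept if in_bailiwick(rr[1], zone) else dropped).append(rr)
    return kept, dropped


def _rr(owner, rtype, rdata, ttl=300):
    return owner + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample (not captured traffic): an answer from example.com's server that also
# carries an NS record and glue for an unrelated zone, which a naive consumer would store.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)
    + wire_name("www.example.com") + struct.pack(">HH", 1, 1)       # question: A IN
    + _rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10]))                   # answer, compressed owner
    + _rr(wire_name("victim.test"), 2, wire_name("ns1.evil.test"))  # authority: out of bailiwick
    + _rr(wire_name("ns1.evil.test"), 1, bytes([203, 0, 113, 66]))  # additional: out of bailiwick
)
SAMPLE_QUERY_ZONE = wire_name("example.com")   # what dnstap's query_zone would carry
```

With the zone logged by the server, the consumer needs no reconstruction step: the answer for www.example.com is kept, and both records for victim.test and ns1.evil.test are dropped. The name parser also refuses forward or looping compression pointers and truncated records, since the response bytes are attacker-influenced input.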

SLIDE 14

Query logging

• Log the queries the server receives.
• Metadata that would be nice to have:
– Recursive case: whether the query hit a cache.
– Authoritative case: which zone a query was served from.

SLIDE 15

SLIDE 16

dnstap components

• Flexible, structured log format for DNS software.
– dnstap.pb
• Helper libraries for adding support to DNS software.
– libfstrm, libprotobuf-c
• Patch sets that integrate dnstap support into existing DNS software.
– Unbound, Knot
• Capture tools for receiving dnstap messages from dnstap-enabled software.

SLIDE 17

Status update

• fstrm library under heavy development.
• protobuf-c 1.0.0 release candidate.
• Unbound patchset rebased against 1.4.22, almost complete.
• Work on Knot/kdig patchset begun.

SLIDE 18

URL

• http://dnstap.info
– Documentation
– Presentations
– Tutorials
– Mailing list
– Downloads
– Code repositories