<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="utf-8" />
<title>dnstap</title>
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<link rel="stylesheet" href="bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="local.css" type="text/css" />
</head>
<body>
<div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a class="brand" href="">dnstap</a>
<ul class="nav">
<li ><a href="./Source/">Source</a></li>
<li ><a href="./Examples/">Examples</a></li>
<li ><a href="./Tutorials/">Tutorials</a></li>
<li ><a href="./Architecture/">Architecture</a></li>
</ul>
<ul class="nav pull-right">
<li ><a href="./About/">About</a></li>
<li ><a href="./recentchanges/">RecentChanges</a></li>
</ul>
</div>
</div>
</div>
<div class="container">
<div class="content">
<header class="page-header">
<h1>dnstap</h1>
</header>
<h3>Introduction</h3>
<p><code>dnstap</code> is a flexible, structured binary log format for DNS software. It uses <a href="https://developers.google.com/protocol-buffers/">Protocol Buffers</a> to encode events that occur inside DNS software in an implementation-neutral format.</p>
<p>Currently <code>dnstap</code> can only encode wire-format DNS messages. Support for additional types of DNS log information is planned.</p>
<p>Support for <code>dnstap</code> is included in several DNS servers, including:</p>
<ul>
<li><p><a href="https://www.knot-dns.cz/">Knot DNS</a> as of <a href="https://lists.nic.cz/pipermail/knot-dns-users/2014-July/000477.html">version 1.5.0</a></p></li>
<li><p><a href="http://unbound.net/">Unbound</a> as of <a href="http://www.unbound.net/pipermail/unbound-users/2014-November/003620.html">version 1.5.0</a></p></li>
<li><p><a href="https://www.isc.org/downloads/bind/">BIND</a> as of <a href="https://kb.isc.org/article/AA-01342/0/Using-DNSTAP-with-BIND-9.11.html">version 9.11</a></p></li>
<li><p><a href="https://www.knot-resolver.cz/">Knot Resolver</a> as of <a href="https://www.knot-resolver.cz/2017-04-05-knot-resolver-1.2.5.html">version 1.2.5</a></p></li>
<li><p><a href="https://coredns.io">CoreDNS</a> as of <a href="https://github.com/coredns/coredns/releases/tag/v1.5.0">version 1.5.0</a></p></li>
<li><p><a href="https://www.nlnetlabs.nl/projects/nsd/about/">NSD</a> as of <a href="https://github.com/NLnetLabs/nsd/blob/master/doc/RELNOTES#L231">version 4.1.26</a></p></li>
<li><p><a href="https://www.dnsdist.org/">Dnsdist</a> as of <a href="https://dnsdist.org/reference/dnstap.html">version 1.3.0</a></p></li>
<li><p><a href="https://www.powerdns.com/recursor.html">PowerDNS recursor</a> as of <a href="https://docs.powerdns.com/recursor/lua-config/protobuf.html#logging-in-dnstap-format-using-framestreams">version 4.3.0</a></p></li>
</ul>
<p>A standalone command-line tool for receiving and decoding <code>dnstap</code> log messages is also being worked on. Check out <a href="https://gist.github.com/edmonds/5772879">this example output</a> from the <code>dnstap</code> command to get an idea of the kind of information that <code>dnstap</code> can encode.</p>
<p>The current development trees can be found on the <a href="./Source/">Source</a> page.</p>
<h3>Presentations</h3>
<p><strong><a href="https://indico.dns-oarc.net/event/24/session/11/contribution/26">dnstap-whoami: one-legged exfiltration of resolver queries</a></strong>. <a href="slides/dnstap-whoami_oarc2015_montreal.pdf">Slides</a>. Presented in October 2015 at the OARC 2015 Fall Workshop by Robert Edmonds in Montréal.</p>
<p><strong><a href="https://www.verisigninc.com/en_US/innovation/verisign-labs/speakers-series/passive-dns-collection-analysis/index.xhtml">Passive DNS Collection and Analysis: The 'dnstap' (&amp; fstrm) Approach</a></strong>. <a href="slides/dnstap_vldss2014.pdf">Slides</a>. Presented in December 2014 at Verisign Labs by Paul Vixie and Robert Edmonds in Reston, VA.</p>
<p><strong>dnstap: brief intro and update</strong>. <a href="slides/dnstap_nanog61.pdf">Slides</a>. Presented in June 2014 at NANOG 61 by Merike Kaeo in Bellevue, WA.</p>
<p><strong><a href="https://indico.dns-oarc.net/contributionDisplay.py?contribId=15&amp;confId=19">dnstap: introduction and status update</a></strong>. <a href="slides/dnstap_oarc2014_warsaw.pdf">Slides</a>. Presented in May 2014 at the OARC 2014 Spring Workshop by Robert Edmonds in Warsaw.</p>
<p><strong><a href="http://www.first.org/events/colloquia/amsterdam2014/program#pdnstap-high-speed-dns-logging-without-packet-capture">dnstap: high speed DNS logging without packet capture</a></strong>. Presented in April 2014 at FIRST TC by Jeroen Massar in Amsterdam.</p>
<p><strong><a href="http://ecrimeresearch.org/events/eCRSyncup2014/workingagenda">dnstap: high speed DNS logging without packet capture</a></strong>. <a href="slides/dnstap_esync2014.pdf">Slides</a>. Presented in April 2014 at APWG eCrime Researchers Sync-Up IV by Jeroen Massar in Oberammergau, Germany.</p>
<p><strong><a href="https://www.nanog.org/meetings/abstract?id=2290">dnstap: high speed DNS logging without packet capture</a></strong>. <a href="slides/dnstap_nanog60.pdf">Slides</a>. <a href="https://www.youtube.com/watch?v=rJ3vUUi_FG8">Video</a>. <a href="./Tutorials/NANOG60/">Tutorial</a>. Presented in February 2014 at NANOG 60 by Robert Edmonds in Atlanta.</p>
<p><strong><a href="http://www.cert.org/flocon/2014/proceedings-2014.html">Passive DNS Collection and Analysis: The 'dnstap' Approach</a></strong>. <a href="slides/dnstap_flocon2014.pdf">Slides</a>. Presented in January 2014 at FloCon 2014 by Paul Vixie in Charleston, SC.</p>
<p><strong>dnstap: high speed DNS server event replication without packet capture</strong>. <a href="slides/dnstap.html">Slides</a>. Presented in June 2013 by Robert Edmonds.</p>
<h3>Community</h3>
<p>There is a <a href="http://lists.redbarn.org/mailman/listinfo/dnstap">mailing list</a> for everyone interested in discussing <code>dnstap</code>.</p>
<p>Source code, website code, and presentation material are hosted on <a href="https://github.com/dnstap">GitHub</a>.</p>
</div>
</div>
</body>
</html>