1.8. Recording DNS queries by using dnstap


As a network administrator, you can record Domain Name System (DNS) details to analyze DNS traffic patterns, monitor DNS server performance, and troubleshoot DNS issues. For a more advanced way to monitor and log the details of incoming name queries, use the dnstap interface, which records the messages the named service sends. You can capture and record DNS queries to collect information about which websites or IP addresses are being looked up.

Prerequisites

  • The bind package is installed.
Warning

If you already have a BIND version installed and running, adding a new version of BIND will overwrite the existing version.

Procedure

  1. Enable dnstap and the target file by editing the /etc/named.conf file in the options block:

    options
    {
    # ...
    dnstap { all; }; # Configure filter
    dnstap-output file "/var/named/data/dnstap.bin" versions 2;
    # ...
    };
    # end of options
  2. To specify which types of DNS traffic you want to log, add dnstap filters to the dnstap block in the /etc/named.conf file. You can use the following filters:

    • auth - Authoritative zone response or answer.
    • client - Internal client query or answer.
    • forwarder - Forwarded query or response from it.
    • resolver - Iterative resolution query or response.
    • update - Dynamic zone update requests.
    • all - Any from the above options.
    • query or response - If you do not specify a query or a response keyword, dnstap records both.
    Note

    The dnstap filter contains multiple definitions delimited by a ; in the dnstap {} block with the following syntax: dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... };

  3. To customize the behavior of the dnstap utility on the recorded packets, modify the dnstap-output option by providing additional parameters, as follows:

    • size (unlimited | <size>) - Enable automatic rolling over of the dnstap file when its size reaches the specified limit.
    • versions (unlimited | <integer>) - Specify the number of automatically rolled files to keep.
    • suffix (increment | timestamp) - Choose the naming convention for rolled files. By default, the increment starts with .0. Alternatively, you can use the UNIX timestamp by setting the timestamp value.

      The following example requests auth responses only, client queries, and both queries and responses of dynamic updates:

      Example:
      
      dnstap {auth response; client query; update;};
  4. To apply your changes, restart the named service:

    # systemctl restart named.service
  5. Configure a periodic rollover for active logs

    In the following example, the cron scheduler runs the content of the user-edited script once a day. The roll option with the value 3 specifies that dnstap can create up to three backup log files. The value 3 overrides the versions parameter of the dnstap-output option and limits the number of backup log files to three. Additionally, the binary log file is moved to another directory and renamed, so it never reaches the .2 suffix, even if three backup log files already exist. You can skip this step if automatic rolling of binary logs based on the size limit is sufficient.

    Example:
    
    sudoedit /etc/cron.daily/dnstap
    
    #!/bin/sh
    rndc dnstap -roll 3
    mv /var/named/data/dnstap.bin.1 /var/log/named/dnstap/dnstap-$(date -I).bin
    
    # use dnstap-read to analyze saved logs
    sudo chmod a+x /etc/cron.daily/dnstap
  6. Handle and analyze logs in a human-readable format by using the dnstap-read utility:

    In the following example, the dnstap-read utility prints the output in YAML format.

    Example:
    
    dnstap-read -p /var/named/data/dnstap.bin
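    To turn the recorded messages into something you can act on, the following added Python example (not part of the Red Hat documentation or of BIND) summarizes dnstap-read's plain text output per client and flags a source that asks for many distinct names under one parent domain, a pattern worth reviewing in a DNS log. It assumes the one-line-per-message layout described in the regular expression, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of one dnstap-read text line (an assumption for this example):
#   <date> <time> <TYPE> <query-addr> -> <response-addr> <proto> <size>b <name>/<class>/<type>
# TYPE is the two-letter dnstap message type, e.g. CQ = client query, CR = client response.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<type>[A-Z]{2}) (?P<qaddr>\S+) -> "
    r"(?P<raddr>\S+) (?P<proto>UDP|TCP) (?P<size>\d+)b "
    r"(?P<qname>\S+)/(?P<qclass>[^/\s]+)/(?P<qtype>[^/\s]+)$"
)

# Constructed sample output; a malformed line is included to show it is skipped.
SAMPLE = """\
20-Jul-2025 13:10:31.987 CQ 192.0.2.10:33012 -> 192.0.2.1:53 UDP 35b www.example.com/IN/A
20-Jul-2025 13:10:31.990 CR 192.0.2.10:33012 -> 192.0.2.1:53 UDP 51b www.example.com/IN/A
20-Jul-2025 13:10:32.101 CQ 192.0.2.10:33013 -> 192.0.2.1:53 UDP 37b mail.example.com/IN/MX
20-Jul-2025 13:10:33.500 CQ 192.0.2.77:40001 -> 192.0.2.1:53 UDP 60b k3f9a.t.example.net/IN/TXT
20-Jul-2025 13:10:33.700 CQ 192.0.2.77:40002 -> 192.0.2.1:53 UDP 60b q8z1c.t.example.net/IN/TXT
20-Jul-2025 13:10:33.900 CQ 192.0.2.77:40003 -> 192.0.2.1:53 UDP 60b m2v7e.t.example.net/IN/TXT
20-Jul-2025 13:10:34.000 CQ 192.0.2.77:40004 -> 192.0.2.1:53 TCP 60b p5h4d.t.example.net/IN/TXT
this line is not in the expected format
"""


def parse_line(line):
    """Return the fields of one dnstap-read line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(text, distinct_limit=3):
    """Count client queries (CQ) per source address and per query type, and flag
    sources that asked for more than distinct_limit distinct names under one parent."""
    per_client, per_qtype, skipped = Counter(), Counter(), 0
    names = defaultdict(set)  # (client, parent domain) -> set of queried names
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["type"] != "CQ":  # responses and resolver traffic are not counted here
            continue
        client = rec["qaddr"].rsplit(":", 1)[0]  # strip the source port from host:port
        per_client[client] += 1
        per_qtype[rec["qtype"]] += 1
        labels = rec["qname"].rstrip(".").split(".")
        parent = ".".join(labels[-3:]) if len(labels) > 3 else rec["qname"]
        names[(client, parent)].add(rec["qname"])
    flagged = sorted((c, p, len(n)) for (c, p), n in names.items() if len(n) > distinct_limit)
    return {"queries_per_client": dict(per_client), "qtype_counts": dict(per_qtype),
            "flagged": flagged, "skipped_lines": skipped}
```

    Run it on real data with summarize(open("dnstap.txt").read()) after saving dnstap-read output to a file.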