Introduction
BIND (its daemon is called named) is the most widely used Domain Name System (DNS) software on the internet. It can act as an authoritative name server for one or more domains, as a recursive resolver for the DNS in general, or as both.
Bind install
Download BIND from the ISC website and check the requirements. Before we turn to BIND itself, prepare the environment for DNSTap.
BIND DNSTap Protobuf
$ git clone https://github.com/google/protobuf
$ autoreconf -i
$ ./configure
$ make;
$ make install
You might encounter:
error: possibly undefined macro: AC_PROG_LIBTOOL
Install:
$ apt install pkg-config libtool
If you proceed to protobuf-c you might also encounter:
No package 'protobuf' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables protobuf_CFLAGS
and protobuf_LIBS to avoid the need to call pkg-config.
Adjust/set PKG_CONFIG_PATH:
$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
BIND DNSTap Protobuf-c
$ git clone https://github.com/protobuf-c/protobuf-c
$ autoreconf -i
$ ./configure
$ make; make install
The following error can occur:
error while loading shared libraries: libprotoc.so.18: cannot open shared object file: No such file or directory.
Solution:
$ export LD_LIBRARY_PATH=/usr/local/lib
Next, you might end up with:
t/generated-code2/cxx-generate-packed-data.cc:1002:43: error: ‘reflection’ was not declared in this scope
google::protobuf::UnknownFieldSet *fs = reflection->MutableUnknownFields(&mess);
^
make: *** [t/generated-code2/t_generated_code2_cxx_generate_packed_data-cxx-generate-packed-data.o] Error 1
Go to that file and correct line 1000:
- const google::protobuf::Message::Reflection *reflection = mess.GetReflection();
+ const google::protobuf::Reflection *reflection = mess.GetReflection();
BIND DNSTap FStrm
$ git clone https://github.com/farsightsec/fstrm
$ autoreconf -i
$ ./configure
$ make; make install
You might encounter:
No package 'libevent' found
Just install the following:
CentOS [RedHat]:
$ yum install libevent-devel
Ubuntu [Debian]:
$ apt install libevent-dev
Now configure BIND with dnstap enabled:
$ bind/configure --enable-dnstap
Again you might end up with:
proto-c program was not found
protoc-c on Ubuntu:
$ apt-get install protobuf-c-compiler
protoc-c on CentOS:
$ yum install protobuf-c-compiler
Check what has been installed so far:
$ ls /usr/local/bin/
fstrm_capture
fstrm_dump
fstrm_replay
pdnstool
protoc
protoc-c
protoc-gen-c
The next hole will probably be:
libfstrm.so.0 no such file or directory
Solution:
$ export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib
BIND Compile DNS Server
We recommend inspecting the BIND 9.14 release notes (PDF version). Unpack BIND and run:
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--enable-threads \
--with-libtool \
--enable-dnstap \
--disable-static
--prefix=/usr : Install architecture-independent files in PREFIX.
--sysconfdir=/etc : Read-only single-machine data; this forces BIND to look for configuration files in /etc instead of /usr/etc.
--mandir=/usr/share/man : Man documentation.
--enable-threads : Enables multi-threading capability (a standard option since BIND 9.6, probably not needed).
--with-openssl : DNSSEC services will be built (requires libssl).
--with-libtool : Forces the building of dynamic libraries and links the installed binaries to these libraries.
--with-libidn2 : Enables IDNA2008 (Internationalized Domain Names in Applications) support.
--enable-fetchlimit : Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries.
--disable-linux-caps : BIND can also be built without capability support by using this option, at the cost of some loss of security.
--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub} : Use one (or more) of those options to add Dynamically Loadable Zones support.
--enable-dnstap : Include dnstap support.
--disable-static : This switch prevents installation of static versions of the libraries.
Compile:
$ make
$ make install
BIND Configuration
We'll run BIND in a chroot jail as an unprivileged user (named), which is the more secure way of running it. Create the unprivileged user and group named:
$ groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /etc/named
Create the jail's files and folders:
$ mkdir -p /etc/named &&
cd /etc/named &&
mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &&
mknod /etc/named/dev/null c 1 3 &&
mknod /etc/named/dev/urandom c 1 9 &&
chmod 666 /etc/named/dev/{null,urandom} &&
cp /etc/localtime etc &&
touch /etc/named/managed-keys.bind
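A quick audit of the jail just built, as an added example that is not part of the original post: it checks that the directories, files and character devices named needs are present inside the chroot, with the device numbers and modes from the mknod/chmod commands above, and that everything belongs to the named account. The /etc/named path and the named account are the ones used above; build_demo_jail only creates an incomplete skeleton for demonstration, since mknod requires root.

```python
import os
import pwd
import stat
import sys
import tempfile

# Layout expected inside the jail, relative to its root (/etc/named above).
REQUIRED_DIRS = ["dev", "etc", "etc/namedb", "etc/namedb/pz", "etc/namedb/slave", "var/run/named"]
REQUIRED_FILES = ["etc/named.conf", "etc/localtime", "etc/namedb/root.hints"]
# Character devices created with mknod above: name -> (major, minor); mode 0666.
REQUIRED_DEVICES = {"dev/null": (1, 3), "dev/urandom": (1, 9)}


def audit_chroot(root, owner="named"):
    """Return a list of problems found in the named chroot at `root` (empty list = OK)."""
    problems = []
    for rel in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            problems.append(f"missing directory {rel}")
    for rel in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            problems.append(f"missing file {rel}")
    for rel, (major, minor) in REQUIRED_DEVICES.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path):
            problems.append(f"missing device {rel}")
            continue
        st = os.lstat(path)
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{rel} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append(f"{rel} has wrong device numbers, expected {major},{minor}")
        if stat.S_IMODE(st.st_mode) != 0o666:
            problems.append(f"{rel} mode is {stat.S_IMODE(st.st_mode):04o}, expected 0666")
    # The post does `chown -R named:named /etc/named`, so everything in the jail
    # should belong to that account. Skipped when the account does not exist here.
    try:
        uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        return problems
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(p).st_uid != uid:
                problems.append(f"{os.path.relpath(p, root)} not owned by {owner}")
    return problems


def build_demo_jail():
    """Create an incomplete jail skeleton in a temp dir (no devices: mknod needs root)."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    for rel in ["dev", "etc/namedb/pz", "etc/namedb/slave", "var/run/named"]:
        os.makedirs(os.path.join(root, rel))
    for rel in ["etc/named.conf", "etc/namedb/root.hints"]:
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    jail = sys.argv[1] if len(sys.argv) > 1 else "/etc/named"
    found = audit_chroot(jail)
    print("\n".join(found) or f"{jail}: OK")
    sys.exit(1 if found else 0)
```

Run it as root after the chown step below; on the demo skeleton it reports the missing devices and localtime.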
Configure RNDC
Generate an rndc key and configuration by running:
$ rndc-confgen
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "fzWCO70UuFDxDAy1nB/TBQ+ckyX3/x26pnZls6cHN5E=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-sha256;
# secret "fzWCO70UuFDxDAy1nB/TBQ+ckyX3/x26pnZls6cHN5E=";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Copy the entire output to /etc/rndc.conf, and copy the key section to /etc/rndc.key (mind the relative paths). Next, include it in BIND's named.conf:
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
Before (re)starting BIND , check the configuration:
$ named-checkconf /etc/named.conf
or specify the chroot directory (-t) and the config file:
$ named-checkconf -t /etc/named/ -c /etc/named.conf
Test RNDC:
$ rndc status
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: BIND 9.14.0 (Stable Release)
running on cyberpunk.rs: Linux x86_64 4.4.0-121-generic #145-Ubuntu SMP Fri Apr 13 13:47:23 UTC 2018
boot time: Tue, 16 Apr 2019 15:55:14 GMT
last configured: Tue, 16 Apr 2019 15:55:14 GMT
configuration file: /etc/named.conf (/etc/named/etc/named.conf)
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 3 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running
Generate named.conf with basic options (authoritative-only):
$ cat >> /etc/named/etc/named.conf << "EOF"
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
dnssec-enable yes;
dnssec-validation yes;
allow-recursion { localhost ; };
allow-query { any; };
listen-on { <IPv4>; };
//listen-on-v6 { <IPv6>; };
forwarders {
8.8.8.8;
8.8.4.4;
};
allow-transfer {none; };
auth-nxdomain no; # conform to RFC1035
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
zone "cyberpunk.rs" {
type master;
file "pz/cyberpunk.rs";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
channel default_syslog {
syslog daemon; // send to syslog
severity info; // only priority info and higher
};
channel default_debug {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel default_stderr {
stderr; // writes to stderr
severity info; // only priority info and higher
};
channel null {
null; // toss anything sent to
// this channel
};
};
EOF
Short info on the options:
directory : Where to look for files. All files named subsequently are relative to this.
pid-file : Where the Process Identifier is written.
statistics-file : File to append statistics to when instructed to do so using rndc stats (Default: named.stats).
allow-recursion : List of source addresses that are allowed to perform recursive queries (Default: localhost/localnets). {ips, any, none}
allow-query : Hosts allowed to issue queries to the server (Default: all hosts are allowed to make queries).
listen-on : Defines the port and IPv4 address(es) on which to listen for incoming queries (Default: port 53 on all interfaces).
listen-on-v6 : Same as the previous one, just for IPv6.
forward : Order in which forwarding is to be performed.
forwarders : One or more hosts to which queries will be forwarded.
allow-transfer : Address(es) allowed to transfer the zone information from this server (Default: any host).
memstatistics-file : File to which the server writes memory usage statistics on exit (Default: named.memstats).
recursing-file : The file name used when the remote command rndc recursing is issued.
secroots-file : Defines the file name that will be used when rndc secroots is issued (Default: named.secroots).
auth-nxdomain no : Controls whether the server will answer authoritatively when returning NXDOMAIN (domain does not exist) answers. Default: don't answer authoritatively.
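An added check, not part of the original post, for the two options that matter most in the block above: it pulls allow-recursion, allow-transfer and dnssec-validation out of named.conf text and flags the combinations that make an open resolver (recursion for any), leave zone transfers open (allow-transfer missing, which BIND defaults to any host, or set to any), or switch validation off. SAMPLE_CONF is a constructed copy of the options block above with the listen-on placeholder replaced by a documentation address.

```python
import re

# Constructed copy of the options block from the post (192.0.2.53 stands in for <IPv4>).
SAMPLE_CONF = """
options {
    directory "/etc/namedb";
    dnssec-validation yes;
    allow-recursion { localhost ; };
    allow-query { any; };
    listen-on { 192.0.2.53; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    auth-nxdomain no; # conform to RFC1035
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the first `options { ... }` statement, honouring nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += text[i] == "{"
        depth -= text[i] == "}"
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces in options block")


def acl(body, name):
    """Return the address-match list of option `name` (e.g. ['localhost']), or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def lint_options(text):
    """Return a list of findings for the options block (empty list = nothing flagged)."""
    body = options_block(strip_comments(text))
    findings = []
    recursion_on = re.search(r"\brecursion\s+no\s*;", body) is None  # BIND default: recursion yes
    allow_rec = acl(body, "allow-recursion") or []
    if recursion_on and "any" in allow_rec:
        findings.append("allow-recursion includes 'any': open resolver")
    xfer = acl(body, "allow-transfer")
    if xfer is None:
        findings.append("allow-transfer not set: BIND allows zone transfers to any host by default")
    elif "any" in xfer:
        findings.append("allow-transfer includes 'any': zone data readable by anyone")
    if re.search(r"\bdnssec-validation\s+no\s*;", body):
        findings.append("dnssec-validation no: resolver will not validate DNSSEC")
    return findings


if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/named/etc/named.conf") as fh:
        print("\n".join(lint_options(fh.read())) or "no findings")
```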
As for logging, check the BIND Logging documentation. Example:
channel default_log { file "/var/named/log/default" versions 3 size 20m; print-time yes; print-category yes; print-severity yes; severity info; };
Don't forget, the file path is relative to the "directory" option.
Channels:
- auth_servers_log
- dnssec_log
- zone_transfers_log
- ddns_log
- client_security_log
- rate_limiting_log
- rpz_log
- dnstap_log
- queries_log
- query-errors_log (severity dynamic)
- default_syslog (syslog daemon)
- default_debug
Category statement defines the type of log messages to be sent to a particular channel. More than one category statement may be included.
E.g. category default { default_syslog; default_debug; default_log; };
Categories:
- config
- dispatch
- network
- general
- zoneload (>= 9.12)
- resolver
- cname
- delegation-only
- lame-servers
- edns-disabled
- dnssec
- notify
- xfer-in
- xfer-out
- update
- update-security
- client
- security
- rate-limit (RRL, Response Rate Limiting)
- spill
- database
- rpz (Response Policy Zone)
- dnstap
- trust-anchor-telemetry
- queries
- query-errors
Create zone file(s) for localhost (and for your domain):
$ cat > /etc/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@       IN SOA  ns.local.domain. hostmaster.local.domain. (
                1       ; Serial
                8H      ; Refresh
                2H      ; Retry
                4W      ; Expire
                1D )    ; Minimum TTL
@       IN NS   ns.local.domain.
1       IN PTR  localhost.
EOF
Create root.hints:
$ cat > /etc/named/etc/namedb/root.hints << "EOF"
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
A.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
B.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:200::b
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
C.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2::c
D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
D.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2d::d
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
E.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:a8::e
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
F.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
G.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:12::d0d
H.ROOT-SERVERS.NET. 6D IN A 198.97.190.53
H.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:1::53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
I.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fe::53
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
J.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
K.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
L.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:9f::42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
M.ROOT-SERVERS.NET. 6D IN AAAA 2001:dc3::35
EOF
Alternatively, fetch the current hints from a root server (root server addresses do change over time, so prefer this to a pasted copy):
$ dig +bufsize=1200 +norec NS . @a.root-servers.net > /etc/named/etc/namedb/root.hints
Adjust resolv.conf:
$ cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search cyberpunk.rs
nameserver 127.0.0.1
EOF
Finally, adjust permissions:
$ chown -R named:named /etc/named
Create a systemd unit (/etc/systemd/system/multi-user.target.wants/named.service):
[Unit]
Description=BIND
After=network.target
[Service]
ExecStart=/usr/sbin/named -4 -f -u named -t /etc/named -c /etc/named.conf
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
[Install]
WantedBy=multi-user.target
There might be a need to reload the systemd unit files:
$ systemctl daemon-reload
or
$ systemctl daemon-reexec
Check the version:
$ named -v
BIND 9.14.0 (Stable Release)
Start the service:
$ systemctl start named
or, if by any chance systemd doesn't work, start it manually:
$ /usr/sbin/named -4 -f -u named -t /etc/named -c /etc/named.conf
Check the logs for errors (/var/log/syslog). You'll probably encounter:
unable to open '/etc/bind.keys'
This is due to the "directory" path: inside the chroot, /etc/bind.keys resolves to /etc/named/etc/bind.keys. Copy bind.keys from /etc/bind.keys to /etc/named/etc/bind.keys.
Validate DNSSEC
Test that:
- domains that are DNSSEC signed validate correctly (AD flag set)
- domains with broken DNSSEC do not validate (SERVFAIL)
- non-DNSSEC domains resolve normally
DNSSEC Signed Check
A DNSSEC-signed domain queried with the DO flag set (DNSSEC OK) should return an answer with the AD flag (Authentic Data) set in the header:
$ dig n0where.net +dnssec +multi
; <<>> DiG 9.14.0 <<>> n0where.net +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3592
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;n0where.net. IN A
;; ANSWER SECTION:
n0where.net. 86400 IN A 52.71.199.31
n0where.net. 86400 IN RRSIG A 7 2 86400 (
20190510150001 20190410150001 54527 n0where.net.
O3KdQwM++UeawjZ5LRidj+AHSJRNtK6/z9gutjAdJSNV
ZNUYeq7wikKsBJ4sTrgB1app50+H44kuM9nBBZ8Mv1P2
3T4vP/lpQBiQ/BlLGHkm+RjKe8k7HsNB8jKXIiAcouZN
nZgiaLhGbKTHxBXLy3td7gSvWShVj/mH72eH3vKGDYx6
AE5wvdOIuhYclc4srzuYRTNQFY/Umuot2zkdUcFDM3BV
sRAq5kuhomEz0XLaDGgaKNMZTmoXb/C4zmpugfa/zF6O
GSNpdxPE+CAZeQOKdDNeCo8xW4Oi/YUlcn0swv1T7jsA
U89eCdfmMZ/XuKXK0eH7U7nuhL7Kfycrtw== )
;; Query time: 25 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:14:07 UTC 2019
;; MSG SIZE rcvd: 355
Broken DNSSEC Check
Resolving a domain that has DNSSEC issues should return only a SERVFAIL, without DNS data:
$ dig dnssec-failed.org
; <<>> DiG 9.14.0 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 187 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:20:14 UTC 2019
;; MSG SIZE rcvd: 46
Non-DNSSEC Domain Check
A domain that is not signed should return a normal DNS answer (no AD flag, but NOERROR):
$ dig www.google.com +dnssec
; <<>> DiG 9.14.0 <<>> www.google.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.5.228
;; Query time: 27 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:22:05 UTC 2019
;; MSG SIZE rcvd: 59
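The three checks above turned into a script, as an added example that is not from the original post: it parses the header and EDNS lines of dig's output and classifies the result as secure (AD set), bogus (SERVFAIL) or insecure (answered without AD), then compares each test domain with what a validating resolver should produce. The embedded outputs are constructed excerpts of the three dig runs shown above; the dig() helper assumes the resolver listens on 127.0.0.1.

```python
import re
import subprocess

# Constructed excerpts of the three dig outputs above (header and EDNS lines only).
SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3592
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
"""

# What a validating resolver must produce for the three domains used above.
EXPECTED = {"n0where.net": "secure", "dnssec-failed.org": "bogus", "www.google.com": "insecure"}


def parse_dig(text):
    """Extract the rcode, header flags and EDNS flags from dig's text output."""
    status = re.search(r"->>HEADER<<-.*?status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    edns = re.search(r"^; EDNS: .*?flags:\s*([a-z ]*);", text, re.M)
    if not status:
        raise ValueError("no dig header found (no answer from the server?)")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns": set(edns.group(1).split()) if edns else set(),
    }


def classify(text):
    """secure: validated (AD set); bogus: SERVFAIL; insecure: answered but not validated.

    A SERVFAIL can also be an ordinary resolution failure; repeating the query with
    +cd (checking disabled) tells them apart, since a bogus zone then resolves."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "bogus"
    return "secure" if "ad" in r["flags"] else "insecure"


def check_resolver(outputs, expected=EXPECTED):
    """Compare the classification of each dig output with the expectation; return mismatches."""
    return [f"{name}: expected {want}, got {classify(outputs[name])}"
            for name, want in expected.items() if classify(outputs[name]) != want]


def dig(name, server="127.0.0.1"):
    """Query the resolver with DNSSEC OK set (needs network; not used by the tests)."""
    cmd = ["dig", "@" + server, name, "+dnssec"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print("\n".join(check_resolver({n: dig(n) for n in EXPECTED})) or "all DNSSEC checks passed")
```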
Additional info
arpaname : translates IP addresses to the corresponding ARPA names.
bind9-config : is hardlinked to isc-config.sh.
ddns-confgen : generates a key for use by nsupdate and named.
delv : is a new debugging tool that is a successor to dig.
vigr : edits the passwd/group/shadow files.
dig : interrogates DNS servers.
dnssec-dsfromkey : outputs the Delegation Signer (DS) resource record (RR).
dnssec-importkey : reads a public DNSKEY record and generates a pair of .key/.private files.
dnssec-keyfromlabel : gets keys with the given label from crypto hardware and builds key files for DNSSEC.
dnssec-keygen : is a key generator for secure DNS.
dnssec-revoke : sets the REVOKED bit on a DNSSEC key.
dnssec-settime : sets the key timing metadata for a DNSSEC key.
dnssec-signzone : generates signed versions of zone files.
dnssec-verify : verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
genrandom : generates a file containing random data.
host : is a utility for DNS lookups.
isc-config.sh : prints information related to the installed version of ISC BIND.
isc-hmac-fixup : fixes HMAC keys generated by older versions of BIND.
lwresd : is a caching-only name server for local process use.
named : is the name server daemon.
named-checkconf : checks the syntax of named.conf files.
named-checkzone : checks zone file validity.
named-compilezone : is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format.
named-journalprint : prints the zone journal in human-readable form.
named-rrchecker : reads an individual DNS resource record from standard input and checks if it is syntactically correct.
nsec3hash : generates an NSEC3 hash based on a set of NSEC3 parameters.
nslookup : is a program used to query Internet domain nameservers.
nsupdate : is used to submit DNS update requests.
rndc : controls the operation of BIND.
rndc-confgen : generates rndc.conf files.
Dig flags:
QR : specifies whether this message is a query (0) or a response (1)
OPCODE : a four-bit field; the only valid values are 0, 1, 2
AA : Authoritative Answer
TC : TrunCation (truncated due to length greater than that permitted on the transmission channel)
RD : Recursion Desired
RA : Recursion Available
Z : reserved for future use; must be zero
To follow the resolution path from the root servers down to the zone:
$ dig +trace www.cyberpunk.rs
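The flags above live in the second 16-bit word of the DNS header. As an added example (not from the original post), here is a decoder for that header that also handles the AD and CD bits (RFC 2535/4035, which sit where part of the Z field used to be) and renders the result the way dig prints it. SAMPLE_RESPONSE is a constructed header matching the validated n0where.net answer above: id 3592, flags qr rd ra ad, NOERROR, one question, two answers, one additional record.

```python
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Bit positions in the 16-bit flags word (RFC 1035; AD and CD added by RFC 2535).
# The order matches the order in which dig prints the flags.
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}


def decode_header(packet):
    """Decode the 12-byte DNS header at the start of `packet` into a dict."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "opcode": OPCODES.get((flags >> 11) & 0xF, str((flags >> 11) & 0xF)),
        "flags": [name for name, bit in FLAG_BITS.items() if flags & (1 << bit)],
        "z": (flags >> 6) & 1,  # the one remaining reserved bit; must be zero
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def dig_header_lines(packet):
    """Render the header as dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    h = decode_header(packet)
    counts = ", ".join(f"{k}: {v}" for k, v in h["counts"].items())
    return (f";; ->>HEADER<<- opcode: {h['opcode']}, status: {h['rcode']}, id: {h['id']}\n"
            f";; flags: {' '.join(h['flags'])}; {counts}")


def build_header(ident, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a header (inverse of decode_header); used to construct the sample below."""
    return struct.pack("!6H", ident, flags, qd, an, ns, ar)


# Constructed: QR | RD | RA | AD with rcode 0, as in the validated answer above.
SAMPLE_RESPONSE = build_header(3592, 0x8000 | 0x0100 | 0x0080 | 0x0020, qd=1, an=2, ar=1)

if __name__ == "__main__":
    print(dig_header_lines(SAMPLE_RESPONSE))
```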
DNS BIND Rate-Limit
Response Rate Limiting (RRL) is an optional feature, turned off by default. To enable RRL, a rate-limit clause must be added to named.conf:
rate-limit {
slip 2; // Every other response truncated
window 15; // Seconds to bucket
responses-per-second 5; // # of good responses per prefix-length/sec
referrals-per-second 5; // referral responses
nodata-per-second 5; // nodata responses
nxdomains-per-second 5; // nxdomain responses
errors-per-second 5; // error responses
all-per-second 20; // When we drop all
log-only no; // Debugging mode
qps-scale 250; // x / query rate * per-second
// = new drop limit
exempt-clients { 127.0.0.1; 192.153.154.0/24; };
};
DNSTap
Before you start BIND, start the capture:
$ fstrm_capture -t protobuf:dnstap.Dnstap -u /var/run/dnstap.sock -w fstrm.tap
You'll also have to add a few things to named.conf. The socket path must be the one fstrm_capture listens on; since named runs chrooted here, it resolves the path inside the jail:
dnstap { auth; resolver query; };
dnstap-output unix "/var/run/bind/dnstap.sock";
To redirect the output directly to a file:
dnstap { auth; resolver query; };
dnstap-output file "/var/tmp/example.dnstap";
Or a mix:
dnstap { auth; resolver query; };
dnstap-output unix "/var/run/bind/dnstap.sock";
dnstap-identity hostname;
dnstap-version "9.9.8-S5";
Run BIND, and then try to resolve a domain through it:
$ dig @<SERVER_IP> <DOMAIN>
Then read the captured content with dnstap-read:
$ dnstap-read -p fstrm.tap
Tools to read DNSTAP data files:
- dnstap-golang
- dnstap-ldns
- dnstap-read
- Wireshark with dnstap support
Additional info
The libtool installer prints the following notice:
Libraries have been installed in: /usr/local/lib
If you want to link against installed libraries in a given directory, LIBDIR, you must either use libtool, and specify the full pathname of the library, or use the `-LLIBDIR' flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
For example:
export LD_RUN_PATH=/usr/local/lib
export LD_LIBRARY_PATH=/usr/local/lib/
See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages.
Once those libraries are installed on your build machine, build and install the BIND binary using the standard build process that is documented in the BIND 9 ARM. Note that the farsightsec/fstrm package includes the fstrm_capture program mentioned below.
Once the dnstap-enabled BIND is built, you need to adjust your configuration so that the running BIND process will actually use dnstap.
In the options statement in the BIND configuration file, include a dnstap option that specifies the message types that you would like to log. The choices are:
- client
- auth
- resolver
- forwarder
Each type can take an additional argument that indicates whether to log query messages or response messages. If not specified, both queries and responses are logged. The rest of the dnstap-related options can go next. Only the dnstap-output option is required.
With those options specified, BIND will on start/restart connect to the unix-domain socket named /var/run/bind/dnstap.sock (which must exist before that). The socket is created by running the dnstap listener program, fstrm_capture. Properly installed, it creates the required unix-domain socket /var/run/bind/dnstap.sock, and any data that comes through is saved to the output file (file capture, example.dnstap above).
Starting the fstrm_capture program before starting BIND ensures that the socket exists by the time BIND needs to find it and connect to it.
BIND utility dnstap-read
Every BIND distribution that contains dnstap support includes the dnstap-read utility, which decodes dnstap files and outputs the result in a human-readable format.
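The file fstrm_capture writes (fstrm.tap above) is a Frame Streams container: a START control frame carrying the content type, then length-prefixed data frames that each hold one dnstap protobuf message, then a STOP frame. As an added example that is not part of the original post or of the fstrm project, this reads that framing so a capture can be sanity-checked (right content type, number of messages, cleanly closed) without dnstap-read; decoding the protobuf payload itself is left to dnstap-read. encode_fstrm exists only to construct the sample capture used in the test, with placeholder bytes in place of real dnstap messages.

```python
import struct
import sys

CONTENT_TYPE = b"protobuf:dnstap.Dnstap"   # the type fstrm_capture -t is given above
CONTROL_NAMES = {1: "ACCEPT", 2: "START", 3: "STOP", 4: "READY", 5: "FINISH"}
FIELD_CONTENT_TYPE = 1                     # control frame field carrying the content type


def encode_fstrm(payloads, content_type=CONTENT_TYPE):
    """Build a Frame Streams file: START frame, data frames, STOP frame (sample data only)."""
    start = struct.pack("!I", 2) + struct.pack("!II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    out = struct.pack("!II", 0, len(start)) + start   # a zero length escapes to a control frame
    for p in payloads:
        out += struct.pack("!I", len(p)) + p
    stop = struct.pack("!I", 3)
    return out + struct.pack("!II", 0, len(stop)) + stop


def decode_fstrm(data):
    """Yield ('control', name, [content types]) and ('data', payload) frames in file order."""
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated frame length")
        (length,) = struct.unpack_from("!I", data, pos)
        pos += 4
        if length == 0:                                 # control frame follows
            (clen,) = struct.unpack_from("!I", data, pos)
            frame, pos = data[pos + 4:pos + 4 + clen], pos + 4 + clen
            (ctype,) = struct.unpack_from("!I", frame, 0)
            types, off = [], 4
            while off < len(frame):                     # fields: type, length, value
                ftype, flen = struct.unpack_from("!II", frame, off)
                if ftype == FIELD_CONTENT_TYPE:
                    types.append(frame[off + 8:off + 8 + flen])
                off += 8 + flen
            yield ("control", CONTROL_NAMES.get(ctype, str(ctype)), types)
        else:
            if pos + length > len(data):
                raise ValueError("truncated data frame")
            yield ("data", data[pos:pos + length])
            pos += length


def summarize_capture(data):
    """Report whether the capture is dnstap, how many messages it holds and if it was closed."""
    frames = list(decode_fstrm(data))
    controls = [f for f in frames if f[0] == "control"]
    return {
        "valid_dnstap": bool(controls) and controls[0][1] == "START" and CONTENT_TYPE in controls[0][2],
        "messages": sum(f[0] == "data" for f in frames),
        "closed": bool(controls) and controls[-1][1] == "STOP",   # False if capture was cut short
    }


if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "fstrm.tap", "rb") as fh:
        print(summarize_capture(fh.read()))
```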
Conclusion
Damn, this was a long one. Hope we’ve managed to cover everything you’ll need to set this thing up.