BIND Compile and Setup with DNSTap [v9.1x]


Introduction

BIND (its daemon is called named) is the most widely used Domain Name System (DNS) server software on the Internet. It can act as an authoritative name server for one or more zones, as a recursive resolver for clients, or both; the configuration in this guide is authoritative for its own zones and recursive for localhost only.

Bind install

Download BIND from the ISC website and check the build requirements. Before turning to BIND itself, prepare the environment for DNSTap: BIND's --enable-dnstap needs protobuf-c and fstrm, protobuf-c needs protobuf, and fstrm needs libevent, so build them in that order.

BIND DNSTap Protobuf

$ git clone https://github.com/google/protobuf
$ cd protobuf
$ autoreconf -i
$ ./configure
$ make
$ make install

You might encounter:

error: possibly undefined macro: AC_PROG_LIBTOOL

Install:

$ apt install pkg-config libtool

If you proceed to protobuf-c you might also encounter:

No package 'protobuf' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables protobuf_CFLAGS
and protobuf_LIBS to avoid the need to call pkg-config.

Point pkg-config at the prefix protobuf was installed under (/usr/local by default):

$ export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig 

BIND DNSTap Protobuf-c

$ git clone https://github.com/protobuf-c/protobuf-c
$ cd protobuf-c
$ autoreconf -i
$ ./configure
$ make
$ make install

The following error can occur, because the freshly installed libprotoc is not yet on the dynamic linker's search path:

error while loading shared libraries: libprotoc.so.18: cannot open shared object file: No such file or directory.

Solution for the current shell (to make it permanent, add /usr/local/lib to a file under /etc/ld.so.conf.d/ and run ldconfig):

$ export LD_LIBRARY_PATH=/usr/local/lib

Next, you might end up with:

t/generated-code2/cxx-generate-packed-data.cc:1002:43: error: ‘reflection’ was not declared in this scope
google::protobuf::UnknownFieldSet *fs = reflection->MutableUnknownFields(&mess);
^
make: *** [t/generated-code2/t_generated_code2_cxx_generate_packed_data-cxx-generate-packed-data.o] Error 1

Open that file and fix the declaration two lines above (line 1000 in this version) so that it uses the top-level Reflection type (Source):

– const google::protobuf::Message::Reflection *reflection = mess.GetReflection();
+ const google::protobuf::Reflection *reflection = mess.GetReflection();

BIND DNSTap FStrm

$ git clone https://github.com/farsightsec/fstrm
$ cd fstrm
$ autoreconf -i
$ ./configure
$ make
$ make install

You might encounter:

No package 'libevent' found

Just install the following:

CentOS [RedHat]:

$ yum install libevent-devel

Ubuntu [Debian]:

$ apt install libevent-dev

With the three libraries installed, BIND's configure has to find them; run it with dnstap enabled (the complete configure line is given in the next section):

$ ./configure --enable-dnstap

Again you might end up with:

protoc-c program was not found

If you built protobuf-c from source, protoc-c is already in /usr/local/bin, so first make sure that directory is in PATH; otherwise install the distribution package.

protoc-c on Ubuntu:

$ apt-get install protobuf-c-compiler

protoc-c on CentOS:

$ yum install protobuf-c-compiler

After the three builds, /usr/local/bin should contain the fstrm tools and the protobuf compilers:

$ ls /usr/local/bin/
fstrm_capture
fstrm_dump
fstrm_replay
pdnstool
protoc
protoc-c
protoc-gen-c

The next gap will probably be the fstrm shared library:

libfstrm.so.0 no such file or directory

Solution:

$ export LD_LIBRARY_PATH=/usr/local/lib:/usr/lib

BIND Compile DNS Server

We recommend reading the BIND 9.14 release notes (PDF version) first. Unpack BIND and run:

./configure --prefix=/usr            \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--enable-threads \
--with-libtool \
--enable-dnstap \
--disable-static

--prefix=/usr: install architecture-independent files under this prefix
--sysconfdir=/etc: read-only single-machine data; makes BIND look for its configuration in /etc instead of /usr/etc
--localstatedir=/var: modifiable single-machine data (PID file, statistics)
--mandir=/usr/share/man: man pages
--enable-threads: multi-threading (the default since BIND 9.6, so the flag is redundant on current releases)
--with-openssl: build the DNSSEC services (requires libssl)
--with-libtool: build dynamic libraries and link the installed binaries against them
--with-libidn2: IDNA2008 (Internationalized Domain Names in Applications) support
--enable-fetchlimit: allows limiting the rate of recursive client queries; useful on servers that receive a large number of queries
--disable-linux-caps: build without Linux capability support, at the cost of some loss of security (on Linux named uses capabilities to drop root while keeping only the rights it needs, such as binding port 53)
--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}: one or more of these add Dynamically Loadable Zones support
--enable-dnstap: include dnstap support
--disable-static: do not install static versions of the libraries

Compile:

$ make
$ make install

BIND Configuration

We'll run BIND in a chroot jail as an unprivileged user (named), which limits the damage if the daemon is compromised. Create the unprivileged user and group. UID/GID 20 is the BLFS allocation for named; on a distribution system check /etc/passwd and /etc/group first (on Debian, GID 20 is dialout) or drop -u/-g and let the tools pick free IDs:

$ groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /etc/named

Create the chroot tree (device nodes, configuration and zone directories, PID directory) and the managed-keys file:

$ mkdir -p /etc/named &&
cd /etc/named &&
mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &&
mknod /etc/named/dev/null c 1 3 &&
mknod /etc/named/dev/urandom c 1 9 &&
chmod 666 /etc/named/dev/{null,urandom} &&
cp /etc/localtime etc &&
touch /etc/named/managed-keys.bind

Configure RNDC

Generate a key and a matching rndc.conf with rndc-confgen (the secret in the output below is an example; every install gets its own):

$ rndc-confgen

# Start of rndc.conf
key "rndc-key" {
algorithm hmac-sha256;
secret "fzWCO70UuFDxDAy1nB/TBQ+ckyX3/x26pnZls6cHN5E=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-sha256;
# secret "fzWCO70UuFDxDAy1nB/TBQ+ckyX3/x26pnZls6cHN5E=";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Copy the whole output to /etc/rndc.conf (read by the rndc client, outside the jail) and the key statement alone to the file named will include. Mind the chroot: named resolves include "/etc/rndc.key" relative to /etc/named, so on the host that file lives at /etc/named/etc/rndc.key. Both files should be readable only by root and the named user (owner root:named, mode 0640): anyone who can read the secret can stop, reload or reconfigure the server. Then include it in BIND's named.conf:

include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

Before (re)starting BIND, check the configuration. Because named runs chrooted, pass the jail directory with -t so that includes and file paths resolve exactly as they will at run time (the configuration path is then relative to the jail); -z additionally loads every zone file:

$ named-checkconf -t /etc/named /etc/named.conf
$ named-checkconf -z -t /etc/named /etc/named.conf

Test RNDC:

$ rndc status

WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
version: BIND 9.14.0 (Stable Release)
running on cyberpunk.rs: Linux x86_64 4.4.0-121-generic #145-Ubuntu SMP Fri Apr 13 13:47:23 UTC 2018
boot time: Tue, 16 Apr 2019 15:55:14 GMT
last configured: Tue, 16 Apr 2019 15:55:14 GMT
configuration file: /etc/named.conf (/etc/named/etc/named.conf)
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 3 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running

Generate named.conf. These are basic options: the server is authoritative for the zones listed and answers recursive queries only from localhost:

$ cat >> /etc/named/etc/named.conf << "EOF"
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
dnssec-enable yes;
dnssec-validation yes;
allow-recursion { localhost ; };
allow-query { any; };
listen-on { <IPv4>; };
//listen-on-v6 { <IPv6>; };

forwarders {
8.8.8.8;
8.8.4.4;
};

allow-transfer {none; };
auth-nxdomain no; # conform to RFC1035

};
zone "." {
type hint;
file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};

zone "cyberpunk.rs" {
type master;
file "pz/cyberpunk.rs";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
channel default_syslog {
syslog daemon; // send to syslog
severity info; // only priority info and higher
};
channel default_debug {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel default_stderr {
stderr; // writes to stderr
severity info; // only priority info and higher
};
channel null {
null; // toss anything sent to
// this channel
};
};
EOF

Short info on the options:

directory: where to look for files; every relative path that follows is relative to this (and, in a chroot, to the jail)
pid-file: where the process identifier is written
statistics-file: file the statistics are appended to when rndc stats is issued (default: named.stats)
dnssec-validation: yes enables validation but expects trust anchors from a managed-keys or trusted-keys statement (bind.keys provides one); auto uses the root key compiled into named. Unless you manage anchors yourself, use auto; with yes and no anchors, no validation takes place
allow-recursion: source addresses allowed to perform recursive queries (default: localhost; localnets). Values: addresses/prefixes, any, none
allow-query: hosts allowed to issue queries to the server (default: any host)
listen-on: port and IPv4 address(es) on which to listen for incoming queries (default: port 53 on all interfaces)
listen-on-v6: same, for IPv6
forward: first (ask the forwarders, then recurse yourself on failure) or only (never recurse)
forwarders: one or more hosts to which queries are forwarded
allow-transfer: address(es) allowed to transfer zones from this server (default: any host, which is why the example sets none)
memstatistics-file: file the server writes memory usage statistics to on exit (default: named.memstats)
recursing-file: file written when rndc recursing is issued (default: named.recursing)
secroots-file: file written when rndc secroots is issued (default: named.secroots)
auth-nxdomain no: whether the server answers NXDOMAIN (domain does not exist) authoritatively; the default is no, which conforms to RFC 1035

As for logging, see BIND Logging (ISC's recommendations). Example of a file channel with rotation:

 channel default_log {
      file "/var/named/log/default" versions 3 size 20m;
      print-time yes;
      print-category yes;
      print-severity yes;
      severity info;
 };

Don't forget, the path is relative to the "directory" option (and therefore inside the chroot); the log directory must exist and be writable by named.

Channels (as named in that example configuration):

  • auth_servers_log
  • dnssec_log
  • zone_transfers_log
  • ddns_log
  • client_security_log
  • rate_limiting_log
  • rpz_log
  • dnstap_log
  • queries_log
  • query-errors_log (severity dynamic)
  • default_syslog (syslog daemon)
  • default_debug

Category statement defines the type of log messages to be sent to a particular channel. More than one category statement may be included.

Syntax: category category_name { channel_name ; [ channel_name ; … ] };
E.g. category default { default_syslog; default_debug; default_log; };

Categories:

  • config
  • dispatch
  • network
  • general
  • zoneload (>= 9.12)
  • resolver
  • cname
  • delegation-only
  • lame-servers
  • edns-disabled
  • dnssec
  • notify
  • xfer-in
  • xfer-out
  • update
  • update-security
  • client
  • security
  • rate-limit (RRL, Response Rate Limiting)
  • spill
  • database
  • rpz (Response Policy Zone)
  • dnstap
  • trust-anchor-telemetry
  • queries
  • query-errors

Create zone file(s) for localhost (and for your domain):

$ cat > /etc/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.
EOF

Create root.hints :

$ cat > /etc/named/etc/namedb/root.hints << "EOF"
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
A.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
B.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:200::b
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
C.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2::c
D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
D.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2d::d
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
E.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:a8::e
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
F.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
G.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:12::d0d
H.ROOT-SERVERS.NET. 6D IN A 198.97.190.53
H.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:1::53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
I.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fe::53
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
J.ROOT-SERVERS.NET. 6D IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
K.ROOT-SERVERS.NET. 6D IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
L.ROOT-SERVERS.NET. 6D IN AAAA 2001:500:9f::42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
M.ROOT-SERVERS.NET. 6D IN AAAA 2001:dc3::35
EOF
Note: there must be no leading spaces in this file, and it has to be refreshed periodically; the addresses above are a snapshot (B.ROOT-SERVERS.NET's IPv4 address changed in 2017, for example). The current copy is published at Internic.net, or fetch it from a root server directly:

$ dig +bufsize=1200 +norec NS . @a.root-servers.net > /etc/named/etc/namedb/root.hints

named also carries built-in root hints and primes itself from the live root servers at startup, so a stale file is an annoyance rather than a failure.

Adjust resolv.conf:

$ cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search cyberpunk.rs
nameserver 127.0.0.1
EOF

Finally, adjust ownership:

$ chown -R named:named /etc/named

Giving named write access to the whole jail means a compromised named could rewrite its own named.conf. On a hardened install keep the configuration files root-owned and group-readable (root:named, 0640) and hand named ownership only of what it must write: the secondary zone directory (namedb/slave), var/run, and any log or dnstap socket directory.

Create a systemd unit (/etc/systemd/system/named.service). The target name is case-sensitive (network.target, not Network.target), and -f keeps named in the foreground so the default Type=simple can track it:

[Unit]
Description=BIND
After=network.target

[Service]
ExecStart=/usr/sbin/named -4 -f -u named -t /etc/named -c /etc/named.conf
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target

Reload systemd so it sees the new unit, then enable it (this creates the multi-user.target.wants symlink for you):

$ systemctl daemon-reload
$ systemctl enable named

or, if a reload is not enough:

$ systemctl daemon-reexec

The unit follows the one shipped in BLFS (blfs-systemd-units-20180105.tar.bz2).

Check the version:

$ named -v
BIND 9.14.0 (Stable Release)

Start the service:

$ systemctl start named

or if by any chance systemd doesn’t work, try manually:

$ /usr/sbin/named -4 -f -u named -t /etc/named -c /etc/named.conf

Check the logs for errors (/var/log/syslog). You'll probably see:

unable to open '/etc/bind.keys'

The path is resolved inside the chroot, so named is looking for /etc/named/etc/bind.keys. The message is informational (named falls back to the root key compiled into it); copy /etc/bind.keys to /etc/named/etc/bind.keys to silence it. As noted with the options, bind.keys only matters for validation with dnssec-validation auto, or when its managed-keys statement is included explicitly.

Validate DNSSEC

Test three things against the resolver you just built. Point dig at it explicitly (@127.0.0.1, or the listen-on address): the SERVER line in the output must show your own server, otherwise you are testing whatever /etc/resolv.conf happens to point at.

  • domains that are DNSSEC signed validate correctly (AD flag set)
  • domains with broken DNSSEC do not validate (SERVFAIL)
  • unsigned domains resolve normally

DNSSEC Signed Check

A DNSSEC-signed domain queried with the DO flag set (DNSSEC OK, dig +dnssec) should return an answer with the AD flag (Authenticated Data) set in the header:

$ dig n0where.net +dnssec +multi

; <<>> DiG 9.14.0 <<>> n0where.net +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3592
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;n0where.net. IN A
;; ANSWER SECTION:
n0where.net. 86400 IN A 52.71.199.31
n0where.net. 86400 IN RRSIG A 7 2 86400 (
20190510150001 20190410150001 54527 n0where.net.
O3KdQwM++UeawjZ5LRidj+AHSJRNtK6/z9gutjAdJSNV
ZNUYeq7wikKsBJ4sTrgB1app50+H44kuM9nBBZ8Mv1P2
3T4vP/lpQBiQ/BlLGHkm+RjKe8k7HsNB8jKXIiAcouZN
nZgiaLhGbKTHxBXLy3td7gSvWShVj/mH72eH3vKGDYx6
AE5wvdOIuhYclc4srzuYRTNQFY/Umuot2zkdUcFDM3BV
sRAq5kuhomEz0XLaDGgaKNMZTmoXb/C4zmpugfa/zF6O
GSNpdxPE+CAZeQOKdDNeCo8xW4Oi/YUlcn0swv1T7jsA
U89eCdfmMZ/XuKXK0eH7U7nuhL7Kfycrtw== )
;; Query time: 25 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:14:07 UTC 2019
;; MSG SIZE rcvd: 355

Broken DNSSEC Check

Resolving a domain with broken DNSSEC should return only SERVFAIL, without DNS data. To confirm it is a validation failure rather than an upstream outage, repeat the query with +cd (checking disabled): the data then comes back, unvalidated.

$ dig dnssec-failed.org
; <<>> DiG 9.14.0 <<>> dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31650
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 187 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:20:14 UTC 2019
;; MSG SIZE rcvd: 46

non-DNSSEC Domains check

This should return a normal DNS answer:

 $ dig www.google.com +dnssec
; <<>> DiG 9.14.0 <<>> www.google.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 300 IN A 172.217.5.228
;; Query time: 27 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Wed Apr 17 01:22:05 UTC 2019
;; MSG SIZE rcvd: 59
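The three checks above are easy to script. The block below is an added example, not code from the original post: it builds the query itself (an EDNS0 OPT record with the DO bit, as dig +dnssec does), reads the AD bit and RCODE from the reply header, and repeats a SERVFAIL with CD set to tell a validation failure from an upstream outage. The default server 127.0.0.1, the three test names taken from this section and the reply headers used in the offline self-check are assumptions; make_reply() exists only for that self-check.

```python
"""The three DNSSEC checks above, automated without dig.
Added example, not code from the original post: it sends a UDP query with the EDNS
DO bit to the resolver under test and classifies the reply from its header alone,
which is all the AD/SERVFAIL tests need; a SERVFAIL is confirmed as a validation
failure by asking again with CD (checking disabled) set. The resolver address, the
test names and the replies built for the offline self-check are assumptions."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, TC, RD, RA, AD, CD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010   # header flag bits


def build_query(name, qtype=1, qid=0x1234, cd=False):
    """Query with RD (optionally CD) set, one question, and an OPT RR carrying DO=1."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    # OPT RR: root name, type 41, UDP payload size 1232, TTL field = ext-rcode/version/flags (DO)
    opt = b"\0" + struct.pack(">HHIH", 41, 1232, 0x8000, 0)
    return header + labels + b"\0" + struct.pack(">HH", qtype, 1) + opt


def make_reply(qid, flags, answers=0):
    """Constructed reply header for the self-check: only the fields classify() reads."""
    return struct.pack(">HHHHHH", qid, QR | flags, 1, answers, 0, 1)


def classify(reply, qid):
    """validated / insecure / bogus / truncated / <rcode name>, from the header alone."""
    rid, flags = struct.unpack_from(">HH", reply, 0)
    if rid != qid or not flags & QR:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    if flags & TC:
        return "truncated"        # retry over TCP before drawing any conclusion
    if rcode == 2:
        return "bogus"            # SERVFAIL is what a validator returns for bad data
    if rcode == 0:
        return "validated" if flags & AD else "insecure"
    return RCODES.get(rcode, "rcode%d" % rcode)


def query(server, name, cd=False, port=53, timeout=3.0):
    """Send one query over UDP (IPv4) and classify the answer."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid=qid, cd=cd), (server, port))
        reply, _ = sock.recvfrom(4096)
    return classify(reply, qid)


def check_resolver(server="127.0.0.1", signed="n0where.net", broken="dnssec-failed.org",
                   unsigned="www.google.com"):
    """Expected from a validating resolver: validated / bogus (confirmed) / insecure."""
    results = {"signed": query(server, signed), "broken": query(server, broken),
               "unsigned": query(server, unsigned)}
    if results["broken"] == "bogus" and query(server, broken, cd=True) != "bogus":
        results["broken"] = "bogus (confirmed: data comes back with CD, so it failed validation)"
    return results


if __name__ == "__main__":
    import sys
    for check, result in check_resolver(*sys.argv[1:2]).items():
        print("%-9s %s" % (check, result))
```

Run it as `python3 dnssec_check.py 127.0.0.1` once named is up; a "truncated" result means the answer did not fit in UDP and should be repeated over TCP, and a "bogus" that is not confirmed by the CD retry points at the forwarders or the network rather than at DNSSEC.
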

Note: If you are building an AUTHORITATIVE DNS server, do NOT enable recursion (at least not publicly). If you are building a RECURSIVE (caching) DNS server, recursion has to be enabled, and here is the important part: if your recursive server has a public IP address, you MUST restrict queries to your legitimate users with allow-recursion (and allow-query-cache). Failing to do so will sooner or later make your server part of a large-scale DNS amplification attack. Implementing BCP38 (source-address filtering) within your network greatly reduces that attack surface.
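The option descriptions earlier and the note above both come down to a handful of settings that decide whether a server is an open resolver, an open zone-transfer source, or a validator that never validates. The block below is an added example, not code from the original post or from BIND: a small static audit of the options block that complements named-checkconf (which only checks syntax). The parser is deliberately minimal (top-level options statements only, no views), the BIND 9.14 semantics of dnssec-validation yes versus auto are as described in the option list, and the two sample configurations are constructed, one mirroring the options from this guide.

```python
"""Static audit of the security-relevant settings in a named.conf options block.
Added example, not code from the original post or from BIND: named-checkconf checks
syntax, this flags what turns a server into an open resolver or an open zone-transfer
source, plus the dnssec-validation/trust-anchor mismatch (BIND 9.14 semantics: 'yes'
needs configured anchors, 'auto' uses the built-in root key). Samples are constructed."""
import re


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, name):
    """Body of the first top-level `name { ... }` statement, or None."""
    match = re.search(r"(?m)^\s*%s\s*\{" % re.escape(name), text)
    if not match:
        return None
    depth, pos = 1, match.end()
    while pos < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[pos], 0)
        pos += 1
    return text[match.end():pos - 1]


def statements(body):
    """Split a block body into {name: value} at its top-level semicolons."""
    out, depth, current = {}, 0, ""
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            parts = current.split(None, 1)
            if parts:
                out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
            current = ""
        else:
            current += ch
    return out


def acl(value):
    """Tokens of an address match list: '{ localhost; 192.0.2.0/24; }' -> set."""
    return set(re.findall(r"[\w./:-]+", value))


def audit(conf):
    """Return the list of findings; an empty list means nothing was flagged."""
    text = strip_comments(conf)
    opts = statements(block_body(text, "options") or "")
    findings = []
    recursion = opts.get("recursion", "yes")                     # BIND default: yes
    if recursion != "no" and "any" in acl(opts.get("allow-recursion", "")):
        findings.append("open resolver: allow-recursion { any; } (DNS amplification risk)")
    if recursion != "no" and not ({"allow-recursion", "allow-query-cache"} & set(opts)):
        findings.append("recursion on with default ACLs; set 'recursion no;' on authoritative-only servers")
    if "any" in acl(opts.get("allow-transfer", "any")):          # BIND default: any
        findings.append("zone transfers allowed to any host; use allow-transfer { none; } or list the secondaries")
    anchors = re.search(r"\b(managed-keys|trusted-keys|trust-anchors)\s*\{", text) or "bind.keys" in text
    if opts.get("dnssec-validation") == "yes" and not anchors:
        findings.append("dnssec-validation yes without trust anchors: nothing is validated; use 'auto'")
    return findings


# Constructed samples: the options from this guide (forwarders brace fixed) and an open resolver.
RESTRICTED = """
options {
    directory "/etc/namedb";
    dnssec-enable yes;
    dnssec-validation yes;
    allow-recursion { localhost; };
    allow-query { any; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    auth-nxdomain no; # conform to RFC1035
};
zone "cyberpunk.rs" { type master; file "pz/cyberpunk.rs"; };
"""
OPEN = """
options {
    directory "/etc/namedb";
    recursion yes;
    allow-recursion { any; };   // anyone on the Internet may use this resolver
    allow-query { any; };
    dnssec-validation auto;
};
"""
```

Feed it the real file with `audit(open("/etc/named/etc/named.conf").read())`. Against the options from this guide it reports exactly one thing, the dnssec-validation yes without anchors, which is the finding that the dig tests above would otherwise surface as a missing AD flag.
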

Additional info

arpaname : translates IP addresses to the corresponding ARPA names.
bind9-config : is hardlinked to isc-config.sh.
ddns-confgen : generates a key for use by nsupdate and named.
delv : DNS lookup tool that performs DNSSEC validation itself; useful for debugging validation failures.
dig : interrogates DNS servers.
dnssec-dsfromkey : outputs the Delegation Signer (DS) resource record (RR).
dnssec-importkey : reads a public DNSKEY record and generates a pair of .key/.private files.
dnssec-keyfromlabel : gets keys with the given label from a crypto hardware and builds key files for DNSSEC.
dnssec-keygen : is a key generator for secure DNS.
dnssec-revoke : sets the REVOKED bit on a DNSSEC key.
dnssec-settime : sets the key timing metadata for a DNSSEC key.
dnssec-signzone : generates signed versions of zone files.
dnssec-verify : verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
genrandom : generates a file containing random data.
host : is a utility for DNS lookups.
isc-config.sh : prints information related to the installed version of ISC BIND.
isc-hmac-fixup : fixes HMAC keys generated by older versions of BIND.
lwresd : is a caching-only name server for local process use.
named : is the name server daemon.
named-checkconf : checks the syntax of named.conf files.
named-checkzone : checks zone file validity.
named-compilezone : is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format.
named-journalprint : prints the zone journal in human-readable form.
named-rrchecker : reads an individual DNS resource record from standard input and checks if it is syntactically correct.
nsec3hash : generates an NSEC3 hash based on a set of NSEC3 parameters.
nslookup : is a program used to query Internet domain nameservers.
nsupdate : is used to submit DNS update requests.
rndc : controls the operation of BIND.
rndc-confgen : generates rndc.conf files.

Dig flags (the header bits shown on the flags: line):

QR : specifies whether this message is a query (0) or a response (1)
OPCODE : a four-bit field; 0 (QUERY), 1 (IQUERY, obsolete) and 2 (STATUS) come from RFC 1035, later RFCs added 4 (NOTIFY) and 5 (UPDATE)
AA : Authoritative Answer
TC : TrunCation (the message was cut because it exceeded the size the transport permits)
RD : Recursion Desired
RA : Recursion Available
Z : reserved for future use, must be zero
AD : Authentic Data (the resolver validated the answer with DNSSEC)
CD : Checking Disabled (the client asked the resolver not to validate)

To see the delegation path from the root down to the authoritative servers:

$ dig +trace www.cyberpunk.rs

DNS BIND Rate-Limit

Response Rate Limiting (RRL) is an optional feature, turned off by default, meant for authoritative servers that are being abused as reflectors: it limits how many identical responses per second go to a given client prefix and answers part of the excess with truncated replies (slip) so that legitimate clients retry over TCP. To enable it, add a rate-limit clause to the options block of named.conf:

rate-limit {
slip 2;                    // every other dropped response is sent truncated instead
window 15;                 // seconds over which rates are averaged
responses-per-second 5;    // identical positive responses per prefix per second
referrals-per-second 5;    // referral responses
nodata-per-second 5;       // NODATA responses
nxdomains-per-second 5;    // NXDOMAIN responses
errors-per-second 5;       // error responses
all-per-second 20;         // above this, drop everything for the prefix
log-only no;               // yes = only log what would be limited (for tuning)
qps-scale 250;             // scale the limits down when the total query rate exceeds this
exempt-clients { 127.0.0.1; 192.153.154.0/24; };
};

Start with log-only yes and watch the rate-limit log category before enforcing.

DNSTap

Before you start BIND, start the capture. named connects to the socket from inside its jail, so the path in named.conf is relative to /etc/named while the listener has to create the socket at the host path. The directory must exist, and named must be able to write to the socket, so run the capture as the named user (or chmod the socket once it appears) from a directory that user can write to:

$ mkdir -p /etc/named/var/run/bind && chown named:named /etc/named/var/run/bind
$ su -s /bin/sh named -c "fstrm_capture -t protobuf:dnstap.Dnstap -u /etc/named/var/run/bind/dnstap.sock -w fstrm.tap"

(Without a chroot the paths are simply the ones in named.conf: -u /var/run/bind/dnstap.sock.) Then add the dnstap statements to the options block of named.conf:

dnstap { auth; resolver query; };
dnstap-output unix "/var/run/bind/dnstap.sock";

To write the frames directly to a file instead (again a path inside the jail):

dnstap { auth; resolver query; };
dnstap-output file "/var/tmp/example.dnstap";

Or a mix, also setting the identity and version strings that are stamped into every frame:

dnstap { auth; resolver query; };
dnstap-output unix "/var/run/bind/dnstap.sock";
dnstap-identity hostname;
dnstap-version "9.9.8-S5";

Run BIND, and then try to resolve a domain with it:

$ dig @<SERVER_IP> <DOMAIN>

Just read the captured content with dnstap-read:

$ dnstap-read -p fstrm.tap

Tools to read DNSTAP data files:

  • dnstap-golang
  • dnstap-ldns
  • dnstap-read
  • Wireshark with dnstap support

Additional info

The libtool message printed by make install is worth reading once:

Libraries have been installed in: /usr/local/lib

If you want to link against installed libraries in a given directory, LIBDIR, you must either use libtool and specify the full pathname of the library, or use the -LLIBDIR flag during linking and do at least one of the following:

  • add LIBDIR to the LD_LIBRARY_PATH environment variable during execution
  • add LIBDIR to the LD_RUN_PATH environment variable during linking
  • use the -Wl,-rpath -Wl,LIBDIR linker flag
  • have your system administrator add LIBDIR to /etc/ld.so.conf

For this build that means, before configuring BIND:

export LD_RUN_PATH=/usr/local/lib
export LD_LIBRARY_PATH=/usr/local/lib

See any operating system documentation about shared libraries for more information, such as the ld(1) and ld.so(8) manual pages.

Once those libraries are installed on the build machine, build and install BIND with the standard process documented in the BIND 9 ARM (the configure line above). The farsightsec/fstrm package includes the fstrm_capture program used here.

Once the dnstap-enabled BIND is built, you need to adjust your configuration so that the running BIND process will actually use dnstap.

In the options statement in the BIND configuration file, include a dnstap option that specifies the message types that you would like to log. The choices are:

  • client
  • auth
  • resolver
  • forwarder

Each type can take an additional argument, query or response, to log only that direction; without it both queries and responses are logged. Of the remaining dnstap options only dnstap-output is required.

With those options set, BIND connects on start or restart to the unix-domain socket /var/run/bind/dnstap.sock (as seen from inside its chroot), which must already exist. The socket is created by the dnstap listener, fstrm_capture; whatever arrives on it is written to the capture file (example.dnstap above).

Starting the fstrm_capture program before starting BIND will ensure that the socket exists by the time BIND needs to find it and connect to it.

BIND utility dnstap-read

Every BIND distribution that contains dnstap support includes the dnstap-read utility, which decodes dnstap files and outputs the result in a human-readable format.
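The dnstap-read step earlier and the description of the format in this section can be tied together by decoding a capture yourself, which is also the starting point for any detection logic over dnstap. The block below is an added example, not code from the original post, ISC or Farsight: it implements the Frame Streams framing that fstrm_capture writes and enough of protobuf's wire format to pull the client address, message type and question out of each Dnstap frame, then runs a crude DNS-tunnelling heuristic over the result. The capture it parses is constructed inside the block (identity "cyberpunk.rs", clients 192.0.2.10 and 192.0.2.77, a 62-character base64-looking label), the 40-character label threshold is an arbitrary assumption, and the field numbers follow dnstap.proto. To read a real file, pass open("fstrm.tap", "rb").read() to frames().

```python
"""Offline dnstap reader: Frame Streams framing plus protobuf wire decoding.
Added example (not from the original post, ISC or Farsight): reads the file format
fstrm_capture writes using only the standard library, then runs a crude tunnelling
heuristic. The capture built at the bottom is constructed; fields follow dnstap.proto."""
import socket
import struct

CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
CTRL_START, CTRL_STOP = 2, 3                 # Frame Streams control frame types
MSG_TYPES = {1: "AUTH_QUERY", 2: "AUTH_RESPONSE", 3: "RESOLVER_QUERY", 4: "RESOLVER_RESPONSE",
             5: "CLIENT_QUERY", 6: "CLIENT_RESPONSE", 7: "FORWARDER_QUERY", 8: "FORWARDER_RESPONSE"}

def read_varint(buf, pos):
    """Decode a base-128 varint at buf[pos]; return (value, next position)."""
    value, shift = 0, 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1

def decode_fields(buf):
    """Generic protobuf wire decoder: {field number: [values in order]}."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        num, wire = key >> 3, key & 7
        if wire == 0:                            # varint (ints, enums)
            val, pos = read_varint(buf, pos)
        elif wire == 2:                          # length-delimited (bytes, sub-messages)
            size, pos = read_varint(buf, pos)
            val, pos = bytes(buf[pos:pos + size]), pos + size
        else:                                    # 1 = fixed64, 5 = fixed32 (the *_nsec fields)
            width = {1: 8, 5: 4}[wire]           # any other wire type is malformed (KeyError)
            val, pos = int.from_bytes(buf[pos:pos + width], "little"), pos + width
        fields.setdefault(num, []).append(val)
    return fields

def frames(data):
    """Yield the data frames of a Frame Streams file; START must announce dnstap."""
    pos, started = 0, False
    while pos < len(data):
        size, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
        if size == 0:                            # escape: a control frame (type, fields) follows
            size, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            ctype, ftype, flen = struct.unpack_from(">III", data[pos:pos + size] + bytes(8))
            if ctype == CTRL_STOP:
                return
            started |= ctype == CTRL_START and ftype == 1 and data[pos + 12:pos + 12 + flen] == CONTENT_TYPE
        elif started:
            yield data[pos:pos + size]
        else:
            raise ValueError("data frame before a dnstap START frame")
        pos += size

def question(msg):
    """Return (qname, qtype) from the question section of a raw DNS message."""
    pos, labels = 12, []
    while msg[pos]:                              # a zero-length label ends the name
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ".".join(labels) + ".", int.from_bytes(msg[pos + 1:pos + 3], "big")

def decode_dnstap(frame):
    """Flatten one Dnstap protobuf into the fields a detection rule needs."""
    top = decode_fields(frame)
    msg = decode_fields(top[14][0])              # Dnstap.message
    raw = (msg.get(10) or msg.get(13) or [None])[0]   # query_message or response_message
    name, qtype = question(raw) if raw else (None, None)
    family = socket.AF_INET if msg.get(2, [1])[0] == 1 else socket.AF_INET6
    return {"identity": top.get(1, [b""])[0].decode(), "type": MSG_TYPES.get(msg[1][0], msg[1][0]),
            "client": socket.inet_ntop(family, msg[4][0]) if 4 in msg else None,
            "qname": name, "qtype": qtype}

def suspicious(rec, max_label=40):               # crude tunnelling heuristic; threshold assumed
    return max(map(len, (rec["qname"] or "").split("."))) > max_label

def _varint(n):                                  # encoder side, only for the sample below
    out = b""
    while n > 0x7F:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def _field(num, wire, payload):                  # payload: varint bytes (wire 0) or raw (wire 2)
    return _varint(num << 3 | wire) + (_varint(len(payload)) if wire == 2 else b"") + payload

def build_sample(queries):
    """Frame Streams file with one CLIENT_QUERY (UDP/IPv4, type A) per (client, name)."""
    start = struct.pack(">III", CTRL_START, 1, len(CONTENT_TYPE)) + CONTENT_TYPE
    out = struct.pack(">II", 0, len(start)) + start
    for client, name in queries:
        labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
        dns = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\0\0\1\0\1"
        msg = (_field(1, 0, _varint(5)) + _field(2, 0, _varint(1)) + _field(3, 0, _varint(1))
               + _field(4, 2, socket.inet_aton(client)) + _field(10, 2, dns))
        top = _field(1, 2, b"cyberpunk.rs") + _field(14, 2, msg) + _field(15, 0, _varint(1))
        out += struct.pack(">I", len(top)) + top
    return out + struct.pack(">III", 0, 4, CTRL_STOP)

SAMPLE = build_sample([("192.0.2.10", "www.cyberpunk.rs."),
                       ("192.0.2.77", "ZXhmaWx0cmF0ZWQtZGF0YS1jaHVuay0wMDAxLWJhc2U2NC1ibG9iLXNhbXBsZQ.t.example.net.")])
```

Iterating `decode_dnstap(f) for f in frames(data)` gives one dict per frame; real captures also carry query_time_sec/nsec (the fixed32 fields) and, for response types, the response message, which the decoder handles but the constructed sample leaves out. The heuristic is deliberately simple; the point is that once the frames are plain dicts, any rule (rate per client, allowlists, entropy) is a few lines away.
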

Conclusion

Damn, this was a long one. Hope we’ve managed to cover everything you’ll need to set this thing up.