Feature Request: Generating `dnstap` logs

[zbalkan]

Summary

Many DNS servers use text logging while it can be noisy and it does not include DNS responses in the logs. There are two ways to log both requests and responses: tcpdump parsing or dnstap usage. Instead of having all the pcaps, sFlow, or NetFlow data being redirected, it is easier to use dnstap for DNS specific logs and metrics.

About dnstap

dnstap uses a wire-protocol for high-performance. Adding a dnstap receiver on the Wazuh agent would allow high level log reading for DNS servers listed:

• Knot DNS as of version 1.5.0
• Unbound as of version 1.5.0
• BIND as of version 9.11
• Knot Resolver as of version 1.2.5
• CoreDNS as of version 1.5.0
• NSD as of version 4.1.26
• Dnsdist as of version 1.3.0
• PowerDNS recursor as of version 4.3.0

A schema for a dnstap enabled DNS server

Proposal

Implementing dnstap for Technitium DNS server for bot observability and security monitoring.

Requirements

• Protobuf serialization/deserialization using the proto file: https://github.com/dnstap/dnstap.pb
• Using underlying transport protocol called Frame Streams. It is possible to have a loo at this primitive implementation of them in C#: https://github.com/zbalkan/Fstrm.NET
• A local dnstap logging capability based on appending on a binary file.
• A remote log forwarding capability based on TCP so that collectors like go-dnscollector, Graylog, DNS Statistics Collector can collect metrics or log, or the logs can be converted to other formats and saved into databases for long term storage.

[ShreyasZare]

Thanks for the details feature request. The dnstap feature has been on my to-do list from some time. Will plan it once a few other features that are already planned are implemented.