Many DNS servers use text logging, which can be noisy and does not include DNS responses in the logs. There are two ways to log both requests and responses: tcpdump parsing or dnstap. Instead of redirecting all the pcap, sFlow, or NetFlow data, it is easier to use dnstap for DNS-specific logs and metrics.
About dnstap
dnstap uses a binary wire protocol for high performance. Adding a dnstap receiver on the Wazuh agent would allow high-level log reading for the DNS servers listed below:
Knot DNS as of version 1.5.0
Unbound as of version 1.5.0
BIND as of version 9.11
Knot Resolver as of version 1.2.5
CoreDNS as of version 1.5.0
NSD as of version 4.1.26
Dnsdist as of version 1.3.0
PowerDNS recursor as of version 4.3.0
A schema for a dnstap enabled DNS server
Proposal
Implementing dnstap for Technitium DNS server for bot observability and security monitoring.
It uses an underlying transport protocol called Frame Streams. A primitive C# implementation of it can be found here: https://github.com/zbalkan/Fstrm.NET
Requirements
A local dnstap logging capability based on appending to a binary file.
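As an added example (not code from this issue, from Technitium, or from Fstrm.NET), the Frame Streams framing that an append-only binary dnstap log file uses: a START control frame carrying the content type, length-prefixed data frames, and a STOP control frame. The data payloads are treated as opaque serialized dnstap protobuf messages; the ones in the test are constructed placeholders, and the decoder rejects a wrong content type, a data frame outside START/STOP, and truncation.

```python
import struct

# Frame Streams control types and field types (fstrm specification)
CONTROL_START, CONTROL_STOP, FIELD_CONTENT_TYPE = 2, 3, 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"

def control_frame(ctype, content_type=None):
    """Control frame: 4-byte zero escape, 4-byte length, type word, optional CONTENT_TYPE field."""
    body = struct.pack(">I", ctype)
    if content_type is not None:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    return struct.pack(">II", 0, len(body)) + body

def data_frame(payload):
    """Data frame: 4-byte big-endian length, then the payload (a serialized dnstap message)."""
    if not payload:
        raise ValueError("empty payload: a zero length word is the control escape")
    return struct.pack(">I", len(payload)) + payload

def encode_dnstap_file(messages):
    """Unidirectional file stream: START (carrying the content type), data frames, STOP."""
    out = control_frame(CONTROL_START, DNSTAP_CONTENT_TYPE)
    return out + b"".join(data_frame(m) for m in messages) + control_frame(CONTROL_STOP)

def decode_dnstap_file(buf):
    """Parse a file stream and return the data payloads; reject wrong content type or truncation."""
    off, payloads, started = 0, [], False
    while off + 4 <= len(buf):
        (length,) = struct.unpack_from(">I", buf, off)
        off += 4
        if length == 0:  # zero escape: a control frame follows
            (clen,) = struct.unpack_from(">I", buf, off)
            body = buf[off + 4:off + 4 + clen]
            off += 4 + clen
            ctype = struct.unpack_from(">I", body, 0)[0] if len(body) >= 4 else -1
            if ctype == CONTROL_START:
                ftype, flen = struct.unpack_from(">II", body, 4) if len(body) >= 12 else (0, 0)
                if ftype != FIELD_CONTENT_TYPE or body[12:12 + flen] != DNSTAP_CONTENT_TYPE:
                    raise ValueError("not a dnstap stream")
                started = True
            elif ctype == CONTROL_STOP:
                return payloads
        else:
            payload = buf[off:off + length]
            if not started or len(payload) != length:
                raise ValueError("data frame outside START/STOP or truncated")
            payloads.append(payload)
            off += length
    raise ValueError("stream ended without STOP frame")
```

Because the STOP frame terminates the stream for readers, appending new records means writing data frames before the final STOP rather than blindly appending to the end of the file.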
Thanks for the detailed feature request. The dnstap feature has been on my to-do list for some time. Will plan it once a few other features that are already planned are implemented.