This daemon was created to solve the problem of manipulating traffic based on domain names instead of IP addresses. It does this by intercepting DNS replies and exporting the resolved IPs using the BGP protocol. The BGP peers can then use this information to influence the traffic flow.
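The core step behind "intercepting DNS replies and exporting the resolved IPs" is pulling the A/AAAA answers out of the raw DNS message that DNSTap carries. The following is an added stand-alone Python illustration of that step, not the project's own Go code; the sample response bytes are constructed here (documentation addresses), and only responses (QR bit set) yield anything, since queries carry no resolved IPs.

```python
import socket
import struct

def _read_name(msg, off):
    """Decode a possibly compressed DNS name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                         # caller resumes after the 2-byte pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def resolved_ips(msg):
    """Return [(name, ip, ttl)] for A/AAAA records in the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                            # QR clear: a query, nothing to export
        return []
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                 # A
            out.append((name, socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == 28 and rdlen == 16:             # AAAA
            out.append((name, socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return out

def _build_sample_response():
    """Constructed sample: response for example.com with one A and one AAAA record."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)        # QR=1, RD/RA, 1 question, 2 answers
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"                                           # pointer back to the qname at offset 12
    a = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_pton(socket.AF_INET, "192.0.2.10")
    aaaa = ptr + struct.pack("!HHIH", 28, 1, 300, 16) + socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    return hdr + question + a + aaaa

SAMPLE_RESPONSE = _build_sample_response()

if __name__ == "__main__":
    print(resolved_ips(SAMPLE_RESPONSE))
```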
- ip netns - see deploy/* for systemd init scripts. Useful when running with a BGP router on the same host, since the router usually can't peer with its own IPs (at least BIRD can't).

dnstap-bgp can optionally push the obtained IPs to other dnstap-bgp instances. It also periodically syncs its cache with peers to keep it up to date in case of network outages. The interaction is done using simple HTTP queries and JSON.
Get deb or rpm packages from the releases page.
You'll need a Go environment set up, then just run make.
To build a package you'll need the fpm tool installed, then just run make rpm or make deb.
See deploy/dnstap-bgp.conf for an example configuration and description of parameters.
The DNSTap protocol works in a client-server manner, where the DNS server is the client and dnstap-bgp is the server.
Unbound seems to be able to work with DNSTap only through UNIX sockets.
dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/tmp/dnstap.sock"
    dnstap-log-client-response-messages: yes
Important: On Ubuntu, access to the DNSTap socket is blocked for Unbound by default by AppArmor rules. Either disable AppArmor for the Unbound binary or fix the rules.
BIND supports DNSTap since 9.11, but it is usually not built in, at least in Ubuntu packages. BIND can also connect only through a UNIX socket.
dnstap {
    client response;
};
dnstap-output unix "/tmp/dnstap.sock";