Open andrewkroh opened 5 years ago
Is Filebeat the right place for this? I thought Filebeat was only for plain-text(-ish) formats, not pure binary formats like dnstap. Should it be its own separate Beat?
Large portions of the code could be lifted from the DNS protocol parser in Packetbeat. That seems to all be private functions. Should it be refactored into a supporting library that can be used by both Packetbeat and a "Dnstapbeat"? Keeping the format as similar as possible to the output of Packetbeat seems worthwhile.
I'm looking for this dnstap integration for the elastic-agent. Is there any progress on this? A packetbeat-like solution (with the same ECS) would be a great solution!
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
This issue doesn't have a Team:<team> label.
Dnstap is definitely still wanted.
Hi! We just realized that we haven't looked into this issue in a while. We're sorry!
We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!
Dnstap stays actual!
dnstap is a binary log format, supported by DNS servers, that records DNS requests and responses. This would allow Beats to receive DNS data directly from the DNS server rather than trying to get the information from packet capture. dnstap is supported by Bind, CoreDNS, Unbound, and more.
With new protocols like DNS-over-TLS (DoT) and DNS-over-HTTP (DoH) being deployed, dnstap can be a necessary monitoring point for traffic that NSMs would otherwise not have visibility into. An example deployment for an organization might be to have an internal DNS server providing UDP/TCP/DoT/DoH and blocking any DNS traffic (53/udp, 53/tcp, 853/tcp) direct to the internet. With dnstap enabled on the server, it would then let us monitor both the forwarded traffic from the server as well as all the traffic to/from clients.
I'm imagining a dnstap input type for Filebeat.
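As an added example (not code from the Beats project or from anyone in this thread), here is a Go reader for the Frame Streams framing that dnstap producers write to a file or unix socket, which is the layer a Filebeat dnstap input would have to handle before decoding the protobuf payloads. The control-frame constants, the CONTENT_TYPE field layout and the `SampleStream` bytes are assumptions taken from the fstrm format, and the two payloads are placeholders rather than real dnstap messages.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"io"
)
// fstrm framing: 32-bit big-endian words; a zero length escapes a control frame (own length,
// type, fields); START carries CONTENT_TYPE (field type 1, length 22); STOP ends the stream.
const ctrlStart, ctrlStop, maxFrame = 2, 3, 1 << 20 // maxFrame caps what a corrupt length allocates
const dnstapField = "\x00\x00\x00\x01\x00\x00\x00\x16protobuf:dnstap.Dnstap"
// SampleStream is a constructed stream: escaped START of length 34, two data frames
// with placeholder payloads in place of serialized dnstap.Dnstap messages, escaped STOP.
var SampleStream = []byte("\x00\x00\x00\x00\x00\x00\x00\x22\x00\x00\x00\x02" + dnstapField +
	"\x00\x00\x00\x03dns\x00\x00\x00\x04tap!\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x03")

// ReadDnstapFrames returns the data frames of one stream. Data before START, a START
// that lacks the dnstap content type (matched as one encoded field rather than by
// walking every field), an oversized frame and EOF before STOP are all errors.
func ReadDnstapFrames(r io.Reader) ([][]byte, error) {
	var frames [][]byte
	n, started := uint32(0), false
	for {
		if err := binary.Read(r, binary.BigEndian, &n); err != nil {
			return nil, errors.New("stream truncated before STOP")
		}
		ctrl := n == 0 // escape: the next word is the control frame's own length
		if ctrl && (binary.Read(r, binary.BigEndian, &n) != nil || n < 4) || n > maxFrame {
			return nil, errors.New("bad frame length")
		}
		body := make([]byte, n)
		if _, err := io.ReadFull(r, body); err != nil {
			return nil, errors.New("truncated frame body")
		}
		switch {
		case !ctrl && !started:
			return nil, errors.New("data frame before START")
		case !ctrl:
			frames = append(frames, body)
		case binary.BigEndian.Uint32(body) == ctrlStop:
			return frames, nil
		case binary.BigEndian.Uint32(body) == ctrlStart:
			if !bytes.Contains(body[4:], []byte(dnstapField)) {
				return nil, errors.New("START does not advertise dnstap")
			}
			started = true
		}
	}
}
```

Each returned frame is still an opaque serialized dnstap.Dnstap message; decoding it into Packetbeat-style ECS fields is the next step an input would take.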