mosajjal / dnsmonster

Passive DNS Capture and Monitoring Toolkit
https://dnsmonster.dev
GNU General Public License v3.0

Save dnstap `identity` as server name #66

Closed mzealey closed 1 year ago

mzealey commented 1 year ago

If we have multiple servers sending data over dnstap to dnsmonster it would be good to have an option to use the dnstap identity field as the server name which gets recorded in the logs.

mosajjal commented 1 year ago

From memory, identity should be a field in the DNS JSON results here. Not all dnstap providers ensure identity is present as a field, so what I suggest is running multiple instances of dnsmonster with different `--serverName` parameters and hooking up the dnstaps to them. That way there's an easy way to distinguish between them.

arjunnkn commented 1 year ago

Hi @mosajjal, yes, I agree that using `--serverName` will be an easy-to-use option at the present state of the code, but it's really not efficient to run multiple monster instances.

It will be far better if we support a dnstap-identity parameter as an optional substitution value for `--serverName`.

mosajjal commented 1 year ago

As per https://github.com/mosajjal/dnsmonster/blob/b2e2f79f2519095dca5ad450ea27d74cd1db12c2/internal/capture/dnstap.go#L94, the identity field should get populated per incoming packet.

arjunnkn commented 1 year ago

I have now logged the dnstap-identity value in the ServerName column of the DNS_LOG table.

But I want to know what you mean by "not all dnstap providers ensure identity being present as a field"?

As far as I have studied until now, dnstap support for nameservers is a standard implementation and it implicitly has an identity field, so it's up to the nameserver now to what extent they support the dnstap parameters.

I have tested.

Working fine.

mosajjal commented 1 year ago

I know that CoreDNS has some issues with it. Unbound has the config option `dnstap-send-identity`, which can be set to false as well. Pretty sure all the implementations treat identity as an optional field.

arjunnkn commented 1 year ago

> I know that CoreDNS has some issues with it.

I have tested this too today; no issue with its dnstap implementation.

> Unbound has the config option dnstap-send-identity which can be set to false as well.

Yes, if one doesn't want to record this value in the table, it's his will not to set it.

But my point is ICANN and ORAC solutions are using dnstap to get data out from their managed authoritative instances.

It is far better to have dnstap to get data out to a central dnsmonster location from a cluster of DNS instances and separate populating DNS_LOG with identity fields to track the instance of dnstap sending logs.

I have implemented this with ClickHouse output and dnstap input in dnsmonster; it's working very well.
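Added example (not part of the thread and not dnsmonster's code): a sketch of the behaviour discussed above, taking the server name from the optional dnstap `identity` field (field 1 in the dnstap protobuf schema) and falling back to a configured name when it is absent. It decodes the protobuf body by hand instead of using a dnstap library so it runs stand-alone; the function names, the 255-byte limit and the printable-ASCII rule are assumptions, the latter two added because the identity is sender-supplied text that ends up in the log table.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// dnstapIdentity returns top-level field 1 (identity), or nil if absent or malformed.
func dnstapIdentity(buf []byte) []byte {
	for len(buf) > 0 {
		key, n := binary.Uvarint(buf)
		if n <= 0 {
			return nil
		}
		val, m := binary.Uvarint(buf[n:]) // varint value, or a length prefix
		if wt := key & 7; m <= 0 || (wt != 0 && wt != 2) {
			return nil // truncated, or a wire type dnstap's top level never uses
		}
		buf = buf[n+m:]
		if key&7 == 2 { // length-delimited: identity, version, extra, message
			if val > uint64(len(buf)) {
				return nil // declared length runs past the end of the payload
			}
			if key>>3 == 1 {
				return buf[:val]
			}
			buf = buf[val:]
		}
	}
	return nil
}

// serverName prefers a present, loggable identity over the configured fallback.
func serverName(payload []byte, fallback string) string {
	id := dnstapIdentity(payload)
	if len(id) == 0 || len(id) > 255 { // assumed size limit
		return fallback
	}
	for _, c := range id {
		if c < 0x20 || c > 0x7e { // assumed policy: printable ASCII only
			return fallback
		}
	}
	return string(id)
}

func main() {
	frame := []byte{0x0a, 3, 'n', 's', '1', 0x78, 1} // constructed: identity "ns1", type=1
	fmt.Println(serverName(frame, "default"), serverName(frame[5:], "default"))
}
```

The payload here is the protobuf body only; Frame Streams framing around it is not handled.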