© Men & Mice http://menandmice.com
DNSTAP
a deep(er) look into DNS server operations 

(featuring Unbound, Knot-DNS and BIND 9)
before we start (1)
… please note: BIND 9 security issue
CVE: CVE-2015-8000
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely
Description:
An error in the parsing of incoming responses allows some records with an
incorrect class to be accepted by BIND instead of being rejected as malformed.
This can trigger a REQUIRE assertion failure when those records are subsequently
cached. Intentional exploitation of this condition is possible and could be used as a
denial-of-service vector against servers performing recursive queries.
before we start (2)
… please note: BIND 9 security issue
CVE: CVE-2015-8461
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Severity: Medium
Exploitable: Remotely
Description:
Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error
was introduced into BIND 9 which can cause a server to exit after encountering an
INSIST assertion failure in resolver.c
before we start (3)
… please note:
Concerning a recent OpenSSL security issue and new BIND build-time checks
The OpenSSL project recently announced several security issues including
OpenSSL Security Advisory CVE-2015-1794. The official advisory from the OpenSSL
project can be found at http://openssl.org/news/secadv/20151203.txt
but in brief: versions 1.0.2 through 1.0.2d have a vulnerability that potentially
weakens encryption security in BIND. Version 1.0.2e is recommended as the secured version.
DNS server operations monitoring
it is difficult to monitor the internal operation of a DNS server
• classic monitoring has a huge performance impact (on busy DNS servers)
• Example: BIND 9 query-logging via "rndc querylog"
• up to 200% performance loss seen
• speed of the disk storage is the limiting factor
Network packet capture
an alternative solution is to look from the outside via a network traffic capture tool
• no performance impact on the DNS server
• can only observe from the outside (no internal DNS server events, like cache events, seen)
• difficult to work with UDP fragments and DNS data in TCP streams
• Example: Men & Mice DNS Traffic Monitor
• Example: DNS statistics collector (DSC) https://www.caida.org/tools/utilities/dsc/
dnstap
dnstap is an open protocol to capture and store DNS server events
• events are recorded inside the server
• fast and lightweight protocol
• non-blocking, designed to have minimal impact on the DNS server's performance
dnstap
[Diagram, slides 8 to 16: DNS client -> DNS resolver -> DNS authoritative server.
A DNS query arriving at the resolver generates a dnstap event that is placed in the
DNSTAP ring buffer; a separate IO thread takes events out of the ring buffer and
writes them to a file. The DNS answer on its way back generates an event the same way.
Under a burst of DNS queries the ring buffer fills up and the last frame shows one
event being lost, rather than the server blocking on the write.]
dnstap implementations
dnstap has been developed by Farsight Security (Paul Vixie and Robert Edmonds)
homepage is http://dnstap.info
• Unbound
• Knot 2.x
• BIND 9.11 (upcoming)
• NSD (planned)
• PowerDNS (planned)
using dnstap in your DNS server
dnstap is a compile-time option
• usually not enabled in distribution package code
• requires compilation from source
• can be made available in the Men & Mice build packages for Unbound and BIND 9
  (please let us know): http://packages.menandmice.com/unbound
dnstap dependencies
fstrm (Frame Streams data transport protocol)
lightweight protocol to transport frames of data, can be used with any data
serialisation format that produces byte sequences
https://github.com/farsightsec/fstrm
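As an added example (not code from the slides or from the fstrm project), a small Python reader for the Frame Streams file layout that fstrm_capture writes: a START control frame carrying the content type protobuf:dnstap.Dnstap, the data frames, then a STOP control frame. It refuses anything that does not match that layout instead of trusting the length fields. The sample file image is constructed inside the block; its payloads are placeholder bytes and the protobuf content of each frame is not decoded.

```python
import struct

# Frame Streams framing, as written by fstrm_capture: a 4-byte big-endian length
# of 0 escapes a control frame; control frames carry a type and optional fields.
CONTROL_ESCAPE, CTRL_START, CTRL_STOP, FIELD_CONTENT_TYPE = 0, 2, 3, 1
CONTROL_NAMES = {1: "ACCEPT", 2: "START", 3: "STOP", 4: "READY", 5: "FINISH"}
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"


def _u32(buf, off):
    # Big-endian uint32 at off; refuse to read past the end of the buffer.
    if off + 4 > len(buf):
        raise ValueError("truncated frame stream at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def parse_control_frame(payload):
    """Return (control type name, [CONTENT_TYPE values]) from a control frame body."""
    ctype, off = _u32(payload, 0)
    found = []
    while off < len(payload):
        ftype, off = _u32(payload, off)
        flen, off = _u32(payload, off)
        if off + flen > len(payload):
            raise ValueError("control field overruns its control frame")
        if ftype == FIELD_CONTENT_TYPE:
            found.append(payload[off:off + flen])
        off += flen
    return CONTROL_NAMES.get(ctype, "UNKNOWN(%d)" % ctype), found


def read_frame_stream(data, max_frame=262144):
    """Split a Frame Streams file image into (content type, [data frame payloads]).

    Enforces the layout fstrm_capture writes: START (announcing the dnstap
    content type), data frames, STOP. Payloads are left undecoded here."""
    frames, content_type, off = [], None, 0
    while off < len(data):
        length, off = _u32(data, off)
        if length == CONTROL_ESCAPE:
            clen, off = _u32(data, off)
            if off + clen > len(data):
                raise ValueError("truncated control frame")
            name, found = parse_control_frame(data[off:off + clen])
            off += clen
            if name == "START" and content_type is None:
                if found != [DNSTAP_CONTENT_TYPE]:
                    raise ValueError("unexpected content type %r" % found)
                content_type = found[0]
            elif name == "STOP":
                break
            else:
                raise ValueError("unexpected control frame %s" % name)
            continue
        if content_type is None:
            raise ValueError("data frame before START")
        if length > max_frame or off + length > len(data):
            raise ValueError("bad data frame length %d" % length)
        frames.append(data[off:off + length])
        off += length
    if content_type is None:
        raise ValueError("no START frame found")
    return content_type, frames


def build_frame_stream(payloads, content_type=DNSTAP_CONTENT_TYPE):
    """Encode payloads with the framing fstrm_capture writes (used for the sample)."""
    start = struct.pack(">III", CTRL_START, FIELD_CONTENT_TYPE, len(content_type)) + content_type
    out = struct.pack(">II", CONTROL_ESCAPE, len(start)) + start
    for p in payloads:
        out += struct.pack(">I", len(p)) + p
    stop = struct.pack(">I", CTRL_STOP)
    return out + struct.pack(">II", CONTROL_ESCAPE, len(stop)) + stop


# Constructed sample: placeholder bytes stand in for serialised dnstap.Dnstap
# messages; this is not data captured from a server.
SAMPLE = build_frame_stream([b"\x0a\x04demo", b"\x0a\x05demo2"])
```

To use it on a real capture, pass the bytes of the file written by fstrm_capture -w and hand each returned frame to a dnstap protobuf decoder.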
dnstap dependencies
Google Protocol Buffers
Protocol buffers are a language-neutral, platform-neutral extensible mechanism for
serialising structured data.
https://developers.google.com/protocol-buffers/
dnstap tools
tools to read DNSTAP data files
• dnstap-golang: https://github.com/dnstap/golang-dnstap
• dnstap-ldns: https://github.com/dnstap/dnstap-ldns
• dnstap-read (part of BIND 9.11): http://source.isc.org
• Wireshark with dnstap support: https://github.com/dnstap/wireshark
Demo: dnstap with unbound
simple Unbound configuration
server:
    verbosity: 1
    chroot: ""
    username: ""
    logfile: "unbound.log"
    use-syslog: no

remote-control:
    control-enable: yes

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/opt/dnstap.unbound"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-resolver-response-messages: yes
    dnstap-log-client-query-messages: yes
Demo: dnstap with unbound
catching the DNSTAP stream from the socket and writing to a file
# fstrm_capture -t protobuf:dnstap.Dnstap \
    -u /opt/dnstap.unbound \
    -w /opt/dnstap.out \
    -ddddd
-t: protobuf information (content type); -u: Unix socket to read; -w: file to write; -ddddd: heavy debug output
Demo: dnstap with unbound
reading a DNSTAP data file (overview)
# /usr/local/bin/dnstap-ldns -r /opt/dnstap.out
2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A
2015-12-15 17:04:52.704455 CQ ::1 UDP 43b "menandmice.com." IN A
2015-12-15 17:05:25.255258 CQ ::1 UDP 41b "dnssec.works." IN A
2015-12-15 17:05:34.783531 CQ ::1 UDP 41b "dnssec.works." IN A
2015-12-15 17:05:58.998672 CQ ::1 UDP 48b "larger.dnssec.works." IN A
2015-12-15 17:06:05.958735 CQ ::1 UDP 49b "largerr.dnssec.works." IN A
2015-12-15 17:06:15.198618 CQ ::1 UDP 49b "largerr.dnssec.works." IN TXT
2015-12-15 17:06:20.493485 CQ ::1 UDP 48b "larger.dnssec.works." IN TXT
dnstap-ldns -r: command to read a DNSTAP file; /opt/dnstap.out: file with binary DNSTAP data; CQ = Client Query
Demo: dnstap with unbound
reading a DNSTAP data file (with details)
# /usr/local/bin/dnstap-ldns -y -r /opt/dnstap.out
type: MESSAGE
identity: "csmobile4.home.strotmann.de"
version: "unbound 1.5.7"
message:
  type: CLIENT_QUERY
  query_time: !!timestamp 2015-12-15 17:06:20.493485
  socket_family: INET6
  socket_protocol: UDP
  query_address: ::1
  query_port: 48107
  query_message: |
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50271
    ;; flags: rd ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;larger.dnssec.works. IN TXT

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; EDNS: version 0; flags: do ; udp: 4096
/opt/dnstap.out: file with binary DNSTAP data; -y: details output as YAML
Demo: dnstap with knot-dns
simple Knot 2.x configuration
server:
    listen: 0.0.0.0@53
    listen: ::@53

log:
  - target: syslog
    any: info

mod-dnstap:
  - id: capture_all
    sink: /opt/dnstap.knot

template:
  - id: default
    storage: "/opt/knot-dnstap/var/lib/knot"
    global-module: mod-dnstap/capture_all

zone:
  - domain: example.com
    file: "/opt/knot-dnstap/etc/knot/example.com.zone"
Demo: dnstap with BIND 9.11 (devel)
simple BIND 9.11 resolver configuration
options {
    directory "/opt/bind9-dnstap";
    dnstap { all; };            // client, auth, resolver, forwarder | query, response
    dnstap-output file "/opt/bind9.tap";
    dnstap-identity hostname;
    dnstap-version "9.11.devel";
    dnssec-validation auto;
};
reading a DNSTAP file with dnstap-read
# dnstap-read /opt/bind9.dtp
15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 509b ./IN/NS
15-Dec-2015 18:53:35.514 RQ 2001:500:2d::d TCP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.550 RR 2001:503:ba3e::2:30 TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.468 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/NS
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.514 RR 2001:500:2d::d UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:500:2d::d UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.534 RR 2001:500:2d::d TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:503:ba3e::2:30 TCP 40b ./IN/DNSKEY
(Demo: dnstap with BIND 9.11 (devel))
Message type codes: RQ: RESOLVER_QUERY, RR: RESOLVER_RESPONSE, CQ: CLIENT_QUERY,
CR: CLIENT_RESPONSE, FQ: FORWARDER_QUERY, FR: FORWARDER_RESPONSE […]
Fields per line: date and time; message type; IP address of the remote machine;
transport protocol (UDP or TCP); size of the (DNSTAP) data; domain, class and record type.
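The summary lines printed by dnstap-read above and by dnstap-ldns on the earlier Unbound slide carry the fields listed in the legend. As an added example (not code from the slides or from either tool), a Python parser for both layouts that counts events per message type and per transport, plus a heuristic, assumed here rather than stated on the slides, that pairs a UDP RESOLVER_RESPONSE with a TCP RESOLVER_QUERY to the same server for the same name as a probable truncation retry. The sample lines are copied from the slides.

```python
import re
from collections import Counter

# Two line layouts seen on the slides: dnstap-read (BIND 9.11) prints
# "15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY",
# dnstap-ldns prints '2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A'.
DNSTAP_READ_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) (?P<type>[A-Z]{2}) "
    r"(?P<remote>\S+) (?P<proto>UDP|TCP) (?P<size>\d+)b "
    r"(?P<name>\S+)/(?P<cls>[^/\s]+)/(?P<rtype>[^/\s]+)$")
DNSTAP_LDNS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<type>[A-Z]{2}) "
    r"(?P<remote>\S+) (?P<proto>UDP|TCP) (?P<size>\d+)b "
    r'"(?P<name>[^"]+)" (?P<cls>\S+) (?P<rtype>\S+)$')
TYPE_NAMES = {"RQ": "RESOLVER_QUERY", "RR": "RESOLVER_RESPONSE",
              "CQ": "CLIENT_QUERY", "CR": "CLIENT_RESPONSE",
              "FQ": "FORWARDER_QUERY", "FR": "FORWARDER_RESPONSE"}


def parse_line(line):
    """Return a dict for one summary line from either tool, or None if it is not one."""
    for pattern in (DNSTAP_READ_RE, DNSTAP_LDNS_RE):
        m = pattern.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["type_name"] = TYPE_NAMES.get(rec["type"], rec["type"])
            return rec
    return None


def summarize(lines):
    """Count parsed records by dnstap message type and by transport."""
    recs = [r for r in map(parse_line, lines) if r]
    return {"records": len(recs),
            "by_type": Counter(r["type_name"] for r in recs),
            "by_proto": Counter(r["proto"] for r in recs),
            "unparsed": sum(1 for l in lines if l.strip() and parse_line(l) is None)}


def tcp_fallback_candidates(lines):
    """Heuristic (an assumption of this example, not a claim from the slides):
    a TCP RESOLVER_QUERY to a server for a name/class/type that the same server
    also answered over UDP usually means the UDP answer was truncated and the
    resolver retried over TCP. Order-independent, because dnstap-read prints
    events in file order rather than strict time order."""
    udp_answers, tcp_queries = set(), set()
    for r in filter(None, map(parse_line, lines)):
        key = (r["remote"], r["name"], r["cls"], r["rtype"])
        if r["type"] == "RR" and r["proto"] == "UDP":
            udp_answers.add(key)
        elif r["type"] == "RQ" and r["proto"] == "TCP":
            tcp_queries.add(key)
    return sorted(udp_answers & tcp_queries)


# Sample input copied from the dnstap-read output shown on the slide above.
DNSTAP_READ_SAMPLE = """\
15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 509b ./IN/NS
15-Dec-2015 18:53:35.514 RQ 2001:500:2d::d TCP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.550 RR 2001:503:ba3e::2:30 TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.468 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/NS
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.514 RR 2001:500:2d::d UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:500:2d::d UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.534 RR 2001:500:2d::d TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:503:ba3e::2:30 TCP 40b ./IN/DNSKEY
""".splitlines()

# Sample input copied from the dnstap-ldns output on the Unbound slide (three of its lines).
DNSTAP_LDNS_SAMPLE = [
    '2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A',
    '2015-12-15 17:05:25.255258 CQ ::1 UDP 41b "dnssec.works." IN A',
    '2015-12-15 17:06:20.493485 CQ ::1 UDP 48b "larger.dnssec.works." IN TXT',
]
```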
reading a DNSTAP file with dnstap-read including packet data
# dnstap-read -p /opt/bind9.dtp
15-Dec-2015 18:53:52.725 RQ 2001:7fe::53 UDP 67b demand.gamma.aridns.net.au/IN/AAAA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23009
;; flags: cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: f7208c0ca722db34
;; QUESTION SECTION:
;demand.gamma.aridns.net.au. IN AAAA

15-Dec-2015 18:53:52.758 RR 2001:7fe::53 UDP 510b demand.delta.aridns.net.au/IN/AAAA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37169
;; flags: qr cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;demand.delta.aridns.net.au. IN AAAA

;; AUTHORITY SECTION:
au. 172800 IN NS a.au.
[…]
au. 172800 IN NS u.au.
au. 86400 IN DS 37976 8 1 ACCF50B2687DB697C404163DC1B9A07EE022E794
au. 86400 IN DS 37976 8 2 EA7CDFAB57E4D9CB5F09BE95EC5EBD4F4A113DFA3F120AC9D6065282 D910B8A5
au. 86400 IN DS 41491 8 1 C104274A2F94B01DB84E76B298B69A53B3FB4919
au. 86400 IN DS 41491 8 2 FCAABD135FFD9D1015438FC4AF8ACE4E9D2BEA04748C4DB3975CFD7C ABC30B88
au. 86400 IN RRSIG DS 8 1 86400 20151225170000 20151215160000 62530 . ccUToKhPaKIGE2O1fJgW/HjPAg/ La2aQUNH1EVMgmTGyynx54IkS3NGY V1+xgqHRyYfp3Zr4lv2MLPC1w4ix+yMuAorPbdOxMDgxS3/D0PM8bTO4 Fs2CHSZ++NGML2WtUP2r8EGVYak+pysUgOBK8DvV8RQK+neXb7eoRwF0 Mag=
(Demo: dnstap with BIND 9.11 (devel))
dnstap summary
a new, open standard for DNS server operation monitoring
• designed for large, busy DNS servers
• minimal performance loss
• wide adoption among open source DNS server implementations
don't miss our next webinars
• January 2016 – the DNS server in Windows 2016 Server – a big leap forward
  (views, response rate limiting, ACLs and more)
• February 2016 – an Update on DNSSEC and DANE: new implementations, adoption in
  the market, new Internet Standards

Signup @ https://www.menandmice.com/resources/educational-resources/webinars/
Q/A
2016 Schedule, Slides, Links, Recording and errata will be published @
https://www.menandmice.com/resources/educational-resources/webinars/