Chapter 28. Using dnstap in RHEL 8

The dnstap utility provides an advanced way to monitor and log details of incoming name queries. It records the messages sent by the named service. This section explains how to record DNS queries using dnstap.

28.1. Recording DNS queries using dnstap in RHEL 8

Network administrators can record DNS queries to collect website or IP address information along with domain health.

Prerequisites

  • Upgrade BIND packages to version bind-9.11.26-2 or newer.
Warning

If you already have a BIND version installed and running, adding a new version of BIND will overwrite the existing version.

Procedure

Following are the steps to record DNS queries:

  1. Edit the /etc/named.conf file in the options block to enable dnstap and the target file:

    options
    {
    # …
    
    dnstap { all; }; # Configure filter
    dnstap-output file "/var/named/data/dnstap.bin";
    
    # …
    };
    # end of options

    The dnstap filter contains multiple definitions delimited by a ; in the dnstap {} block.

    Following is the syntax for each rule:

    ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ];

    • auth - Authoritative zone response or answer.
    • client - Internal client query or answer.
    • forwarder - Forwarded query or response from it.
    • resolver - Iterative resolution query or response.
    • update - Dynamic zone update requests.
    • all - Any from the above options.
    • query | response - If neither the query nor the response keyword is specified, both are recorded.

    The following example requests auth responses only, client queries, and both queries and responses of dynamic updates:

    Example:
    
    dnstap {auth response; client query; update;};
  2. Configure the periodic rollout for the active logs.

    In the following example, the user-edited script is run once per day by cron. The number 3 limits how many backup log files are kept. Because the .1 file is moved away by the script, it never reaches the .2 suffix.

    Example:
    
    sudoedit /etc/cron.daily/dnstap
    
    #!/bin/sh
    rndc dnstap -roll 3
    mv /var/named/data/dnstap.bin.1 \
       /var/log/named/dnstap/dnstap-$(date -I).bin
    
    # use dnstap-read to analyze saved logs
    
    sudo chmod a+x /etc/cron.daily/dnstap
  3. Use the dnstap-read utility to handle and analyze the logs in a human-readable format.

    In the following example, dnstap-read prints the detailed dnstap output in YAML format.

    Example:
    
    dnstap-read -y [file-name]
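    As an added example that is not part of the Red Hat documentation or of BIND, the following Python script parses output in the shape that dnstap-read -y produces and counts queries and NXDOMAIN answers per client, which turns the rolled logs from step 2 into a simple daily report for spotting misbehaving clients. The YAML field names are an assumption about the dnstap-read layout, and the embedded sample is constructed, not captured from a real server.

```python
import re
from collections import Counter

# Constructed sample shaped like `dnstap-read -y` output (field names assumed).
DOC_TEMPLATE = """---
type: MESSAGE
message:
  type: {msg_type}
  query_address: {client}
  response_address: 198.51.100.1
  {section}: |
    ;; opcode: QUERY, status: {status}, id: 1234
    ;; QUESTION SECTION:
    ;{qname}\t\tIN\tA
"""

def make_doc(msg_type, client, qname, status="NOERROR"):
    section = "query_message" if msg_type.endswith("QUERY") else "response_message"
    return DOC_TEMPLATE.format(**locals())

SAMPLE = "".join([
    make_doc("CLIENT_QUERY", "192.0.2.10", "www.example.com."),
    make_doc("CLIENT_RESPONSE", "192.0.2.10", "www.example.com."),
    make_doc("CLIENT_QUERY", "192.0.2.77", "a1b2.bad.example."),
    make_doc("CLIENT_RESPONSE", "192.0.2.77", "a1b2.bad.example.", "NXDOMAIN"),
    make_doc("CLIENT_RESPONSE", "192.0.2.77", "c3d4.bad.example.", "NXDOMAIN"),
])

FIELDS = {  # per-document regexes; [ \t]+ keeps the top-level 'type: MESSAGE' from matching
    "msg_type": r"^[ \t]+type:[ \t]*(\S+)",
    "client": r"^[ \t]+query_address:[ \t]*(\S+)",
    "status": r"^[ \t]+;; opcode: \w+, status: (\w+)",
    "qname": r"^[ \t]+;; QUESTION SECTION:\n[ \t]+;(\S+)",
}

def parse_dnstap_yaml(text):
    """One record per dnstap message: msg_type, client address, qname, status."""
    docs = re.split(r"^---[ \t]*$", text, flags=re.M)
    records = [{k: (m.group(1) if (m := re.search(p, d, re.M)) else None)
                for k, p in FIELDS.items()} for d in docs]
    return [r for r in records if r["msg_type"]]  # drop the empty fragment before the first '---'

def summarize(records, nxdomain_threshold=2):
    """Queries and NXDOMAIN answers per client, plus clients at or over the threshold."""
    queries = Counter(r["client"] for r in records if r["msg_type"] == "CLIENT_QUERY")
    nxdomain = Counter(r["client"] for r in records
                       if r["msg_type"] == "CLIENT_RESPONSE" and r["status"] == "NXDOMAIN")
    noisy = sorted(c for c, n in nxdomain.items() if n >= nxdomain_threshold)
    return {"queries": queries, "nxdomain": nxdomain, "noisy_clients": noisy}
```

    To run it against a real rolled log, replace SAMPLE with the text produced by dnstap-read -y on that file.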