A Red Hat training course is available for RHEL 8

Chapter 27. Using dnstap in RHEL

The dnstap utility provides an advanced way to monitor and log the details of incoming name queries. It records the messages sent by the named service. This section explains how to record DNS queries using dnstap.

27.1. Recording DNS queries using dnstap in RHEL

Network administrators can record DNS queries to collect website and IP address information, and to assess domain health.


Prerequisites:

  • Upgrade the BIND packages to version bind-9.11.26-2 or newer.

If you already have a BIND version installed and running, adding a new version of BIND will overwrite the existing version.


Following are the steps to record DNS queries:

  1. Edit the options block of the /etc/named.conf file to enable dnstap and set the target file:

    # …
    dnstap { all; }; # Configure filter
    dnstap-output file "/var/named/data/dnstap.bin";
    # …
    # end of options

    The dnstap filter consists of one or more rules, delimited by a ; inside the dnstap {} block. Each rule has the following syntax:

    ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ];

    • auth - Authoritative zone response or answer.
    • client - Internal client query or answer.
    • forwarder - Query forwarded to a forwarder, or the response from it.
    • resolver - Iterative resolution query or response.
    • update - Dynamic zone update requests.
    • all - Any of the above.
    • query | response - Restricts the rule to queries or to responses. If neither keyword is specified, both are recorded.

    The following example records authoritative responses only, client queries only, and both queries and responses of dynamic updates:

    dnstap {auth response; client query; update;};
  2. Configure periodic roll-over of the active log file.

    In the following example, a user-created script is run once per day by cron. The number 3 limits how many backup log files rndc keeps. Because the script moves the .1 file away immediately, it never reaches the .2 suffix.

    Create the script with sudoedit /etc/cron.daily/dnstap and give it the following content:

    #!/bin/sh
    # Close the active dnstap file and rename the backups (.1, .2, ...), keeping at most 3
    rndc dnstap -roll 3
    # Archive the newest backup under a dated name; the target directory must already exist
    mv /var/named/data/dnstap.bin.1 \
       /var/log/named/dnstap/dnstap-$(date -I).bin
    # use dnstap-read to analyze saved logs

    Make the script executable:

    sudo chmod a+x /etc/cron.daily/dnstap
  3. Use the dnstap-read utility to handle and analyze the logs in a human-readable format.

    The following example prints the detailed dnstap output in YAML format:

    dnstap-read -y [file-name]
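As an added example (not Red Hat's or BIND's own code), the following Python script summarises the archived logs once dnstap-read has rendered them as text, counting messages per dnstap type and client queries per source host. The compact line layout it parses is an assumption modelled on dnstap-read's default output, and the sample lines are constructed; adjust LINE_RE if your dnstap-read version prints a different layout.

```python
import re
from collections import Counter

# Constructed sample in the assumed dnstap-read layout; not captured from a real server.
SAMPLE = """\
01-Mar-2023 10:00:00.001 CQ 192.0.2.10:40001 -> 192.0.2.53:53 UDP 45b www.example.com/IN/A
01-Mar-2023 10:00:00.002 RQ 192.0.2.53:50001 -> 198.51.100.1:53 UDP 45b www.example.com/IN/A
01-Mar-2023 10:00:00.020 RR 192.0.2.53:50001 <- 198.51.100.1:53 UDP 61b www.example.com/IN/A
01-Mar-2023 10:00:00.021 CR 192.0.2.10:40001 <- 192.0.2.53:53 UDP 61b www.example.com/IN/A
01-Mar-2023 10:00:01.000 CQ 192.0.2.77:40002 -> 192.0.2.53:53 UDP 52b mail.example.com/IN/MX
01-Mar-2023 10:00:01.100 CQ 192.0.2.77:40003 -> 192.0.2.53:53 UDP 52b mail.example.com/IN/TXT
01-Mar-2023 10:00:01.200 UQ 192.0.2.20:40004 -> 192.0.2.53:53 TCP 120b example.com/IN/SOA
"""

# Assumed compact line: timestamp, two-letter type (CQ/CR/AQ/AR/RQ/RR/FQ/FR/UQ/UR),
# endpoints, protocol, size, and the question as name/class/type.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<mtype>[A-Z]{2}) (?P<src>\S+) (?:->|<-) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<size>\d+)b (?P<qname>[^/\s]+)/(?P<qclass>[^/\s]+)/(?P<qtype>\S+)$"
)

def host(endpoint):
    """Strip the :port suffix (and IPv6 brackets) from an address:port endpoint."""
    return endpoint.rsplit(":", 1)[0].strip("[]")

def parse_lines(text):
    """Return one dict per parseable line; lines that do not match are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            records.append(rec)
    return records

def count_by_type(records):
    """Message volume per dnstap type; comparing CQ with RQ shows the cache-miss ratio."""
    return Counter(r["mtype"] for r in records)

def client_query_counts(records):
    """Client queries (CQ) per source host, the basis for per-client rate review."""
    return Counter(host(r["src"]) for r in records if r["mtype"] == "CQ")

def busy_clients(records, threshold):
    """Hosts that sent at least `threshold` client queries in the window the log covers."""
    return sorted(h for h, n in client_query_counts(records).items() if n >= threshold)

if __name__ == "__main__":
    recs = parse_lines(SAMPLE)
    print(count_by_type(recs), busy_clients(recs, threshold=2))
```

Feed it real data with `dnstap-read /var/log/named/dnstap/dnstap-YYYY-MM-DD.bin` piped into `parse_lines`.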