Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 26. Recording DNS queries by using dnstap in RHEL

As a network administrator, you can record Domain Name System (DNS) details to analyze DNS traffic patterns, monitor DNS server performance, and troubleshoot DNS issues. If you want an advanced way to monitor and log details of incoming name queries, use the dnstap interface that records sent messages from the named service. You can capture and record DNS queries to collect information about websites or IP addresses.


  • Upgrade BIND packages to version bind-9.11.26-2 or later.

If you already have a BIND version installed and running, adding a new version of BIND will overwrite the existing version.


  1. Enable dnstap and the target file by editing the /etc/named.conf file in the options block:

    # …
    dnstap { all; }; # Configure filter
    dnstap-output file "/var/named/data/dnstap.bin";
    # …
    # end of options
  2. To specify which types of DNS traffic you want to log, add dnstap filters to the dnstap block in the /etc/named.conf file. You can use the following filters:

    • auth - Authoritative zone response or answer.
    • client - Internal client query or answer.
    • forwarder - Forwarded query or response from it.
    • resolver - Iterative resolution query or response.
    • update - Dynamic zone update requests.
    • all - Any from the above options.
    • query or response - If you do not specify a query or a response keyword, dnstap records both.


      The dnstap filter contains multiple definitions delimited by a ; in the dnstap {} block with the following syntax: dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; …​ };

  3. To apply your changes, restart the named service:

    # systemctl restart named.service
  4. Configure a periodic rollout for active logs

    In the following example, the cron scheduler runs the content of the user-edited script once a day. The roll option with the value 3 specifies that dnstap can create up to three backup log files. The value 3 overrides the version parameter of the dnstap-output variable, and limits the number of backup log files to three. Additionally, the binary log file is moved to another directory and renamed, and it never reaches the .2 suffix, even if three backup log files already exist. You can skip this step if automatic rolling of binary logs based on size limit is sufficient.

    sudoedit /etc/cron.daily/dnstap
    rndc dnstap -roll 3
    mv /var/named/data/dnstap.bin.1 /var/log/named/dnstap/dnstap-$(date -I).bin
    # use dnstap-read to analyze saved logs
    sudo chmod a+x /etc/cron.daily/dnstap
  5. Handle and analyze logs in a human-readable format by using the dnstap-read utility:

    In the following example, the dnstap-read utility prints the output in the YAML file format.

    dnstap-read -y [file-name]