dnstap / golang-dnstap Goto Github PK
View Code? Open in Web Editor NEWflexible, structured event replication format for DNS servers (command-line tool and Golang package)
License: Apache License 2.0
flexible, structured event replication format for DNS servers (command-line tool and Golang package)
License: Apache License 2.0
dnstap: flexible, structured event replication format for DNS servers --------------------------------------------------------------------- dnstap implements an encoding format for DNS server events. It uses a lightweight framing on top of event payloads encoded using Protocol Buffers and is transport neutral. dnstap can represent internal state inside a DNS server that is difficult to obtain using techniques based on traditional packet capture or unstructured textual format logging. This repository contains a command-line tool named "dnstap" developed in the Go programming language. It can be installed with the following command: go get -u github.com/dnstap/golang-dnstap/dnstap
When trying to install the golang-dnstap utility I receive the following error
package code.google.com/p/goprotobuf/proto: unable to detect version control system for code.google.com/ path
Any help with this would be greatly appreciated.
I've noticed that some dnstap responses from unbound are unable to be parsed. dig
also complains in this case, so I'm unsure if the problem is in the DNS response itself, Unbound handling it, or this dnstap library.
This is the query/response:
โฏ dig +short AAAA vstbrasil.com.
;; Warning: Message parser reports malformed message packet.
This is the output of dnstap:
16:45:28.364170 CQ 127.0.0.1 UDP 42b "vstbrasil.com." IN AAAA
16:45:28.968713 CR 127.0.0.1 UDP 58b X
The error occurs on msg.Unpack: "overflow unpacking aaaa"
Hello,
tags/v0.1.0 is not a good way to name your release, just v0.1.0 is OK
if the remote is unreachable that socket writer is trying to connect to as per : https://github.com/dnstap/golang-dnstap/blob/master/SocketWriter.go#L202 it just continues, leaving the buffer full
2022/08/17 21:12:14 127.0.0.1:6000: open failed: dial tcp 127.0.0.1:6000: connect: connection refused < = failed write
E0817 21:12:17.800245 476695 logger.go:259] Failed to enqueue dnstap message type:CLIENT_QUERY socket_family:INET6 socket_protocol:UDP query_address:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" response_address:"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" query_port:50564 response_port:8053 query_time_sec:1660767137 query_time_nsec:799106776 query_message:"\xd2U\x81\x05\x00\x01\x00\x00\x00\x00\x00\x01\x06github\x03com\x00\x00\x1c\x00\x01\x00\x00)\x10\x00\x00\x00\x00\x00\x00\x0c\x00\n\x00\x08y.5\x0f\x93~\xdb\xef" for sending, buffer is full
::1::11660767137AAAAgi <= failed subsequent enque attempt
I'm trying to create an OpenWrt package for dnstap-golang and I think that it would be useful to create go.mod, go.sum for the project so packaging and dependency management would be more straightforward.
something like this https://github.com/ja-pa/packages/blob/e0cacf39c57bfdd756f0df28dd442ad2d49367a3/net/dnstap/patches/go-mod.patch
Hi there,
I am trying to package this repository to MacPorts (a package manager for macOS). Apparently, the tarballs from the domain google.golang.org/protobuf
are not deterministic, so MacPorts doesn't support specifying dependencies with it. Can you replace google.golang.org/protobuf v1.23.0
with github.com/protocolbuffers/protobuf-go v1.23.0
?
It would be extra awesome if you could cut a release after that, so that I have a release tag to pin.
... and Merry Christmas! ๐
Hello!
I'm going to use your tool for production purposes and I'm looking for some fixed version for building packages.
Code feels pretty stable and it's working well for me. What's your thinking about making release tag/branch? I think 1.0.0 is looking pretty nice :)
Since the last release in November 2018, there have been a number of breaking changes in this project for those of us that pull it in as a library used in our own code.
Could a new release tag be created to make it cleaner to pin to this version when using the new default versioned module dependency support in golang 1.13?
Currently this is not very usable as a library since FrameStreamSockInput
s ReadInto
runs forever, leaking the goroutine. Consider a Close on the input interface (I may submit a PR if I end up using this as a library).
Also, in general this code logs errors silently among other practices that are poor for library use. If adapting the code for use as a library is not a goal, please at least add caveats via comments to warn other potential users.
I'm using dnstap in a reasonable busy setup (avg. 16K, max. 19K queries/second) and my processing / storage setup (Graylog+Elasticsearch) can barely cope.
Since we are using this for statistical analysis only, we would love to have a feature with which we can say from the command line "send on only 1 in x queries".
Somthing like:
-L 1:1000
I hope you can consider implementing this feature.
Thanks for your efforts and keep up the good work.
Hi there,
So I've been using DNSTAP on Debian stretch for 2 years now and have been pretty happy with it - but i saw that json output was added in version v0.2.x so i decided i would upgrade.
Unfortunately i do see a lot of lost events when using this new version of DNSTAP - and I've done some extensive testing to figure out whats going on:
Resperf(8999 queries over 60 seconds) ---> CoreDNS(DNSTAP) --- TCP ---> DNSTAPv1: 8999 CQ events received.
Resperf(8999 queries over 60 seconds) ---> CoreDNS(DNSTAP) --- TCP ---> DNSTAPv2: 3223 CQ events received.
Resperf(8999 queries over 60 seconds) ---> CoreDNS(DNSTAP) --- SOCKET ---> DNSTAPv1: 8999 CQ events received.
Resperf(8999 queries over 60 seconds) ---> CoreDNS(DNSTAP) --- SOCKET ---> DNSTAPv2: 3324 CQ events received.
If i put the rate to about 10 queries pr. second DNSTAPv2 does seem to be able to keep up.
I find it hard to believe this hasn't been caught before - but nevertheless its what im facing right now.
I'm willing to spend time debugging and troubleshooting anytime you like.
dnstpa works fine for output on the screen but -w always leave me with empty files.
I tried to SIGHUP the program, to stop it with Control-C, send thousands of requests to get a buffer flush, and in all cases, the output file is created but it is empty.
Currently the -T option allow me to ship only the dnstap paylads into tcp/ip address.
I want to be able to send the text logs to a remote TCP service.
Currently what I am doing is piping the text output to a second command which forward the incoming lines to the remote server.
0145fd8 is the last working commit, at least on my machine ๐.
In fact the tool stops, or at least dosen't wait for the output loop Goroutine to finish the job.
I tried to fix the latest code, but I don't understand the new features that motivated the following commits, so why not revert to 0145fd8?
Thanks.
Hi there,
I would love to be able to keep track of the performance of queries and responses going through my CoreDNS instances, and as you know i have the DNSTAP Plugin configured to point to binaries of this goland-dnstap project.
However - I think we might have missed a key part of the implementation of response messages here.
Reading through this article about response logging with DNSTAP from 2017: https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap
It seems like we are suppose to have a query_time in our response_messages along with the response_time - so that we can diff those two and get the query/response performance.
The example from Jan-Piet Mens article:
message:
type: TOOL_RESPONSE
query_time: !!timestamp 1970-01-01 04:22:23.659631
response_time: !!timestamp 1970-01-01 04:22:23.725209
socket_family: INET
socket_protocol: UDP
query_address: 0.0.0.0
response_address: 192.168.1.81
query_port: 54370
response_port: 53
response_message: |
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53652
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
Been trying to poke the binary to give similar query_time on the response_messages but so far without luck - so i think the implementation of the response_message might have missed this?
Best regards
This task is to write a manual for the dnstap executable.
Hello,
I have been using this library to parse dnstap files via NewDecoder()
and Decode()
. I noticed Decode()
is documented like so:
Decode silently discards data frames larger than the Decoder's configured maxSize.
Is there a reason it was designed like that? It seems to me silently ignoring things means I can not trust that I decoded all of the dnstap entries in a file. Should I check for this some other way?
Hi
I have encountered an issue with high memory usage by the lib. It seems to be caused by the buffer that is being allocated using the max payload size https://github.com/farsightsec/golang-framestream/blob/master/framestream.go#L24
What is the ideal max payload size as the default is using up lots of mem.
(pprof) top
Showing nodes accounting for 1.16MB, 100% of 1.16MB total
flat flat% sum% cum cum%
1.16MB 100% 100% 1.16MB 100% git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/farsightsec/golang-framestream.NewDecoder
0 0% 100% 1.16MB 100% git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/dnstap/golang-dnstap.(*FrameStreamSockInput).ReadInto
0 0% 100% 1.16MB 100% git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/dnstap/golang-dnstap.NewFrameStreamInput
0 0% 100% 1.16MB 100% main.main
0 0% 100% 1.16MB 100% runtime.main
(pprof) list git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/farsightsec/golang-framestream.NewDecoder
Total: 1.16MB
ROUTINE ======================== git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/farsightsec/golang-framestream.NewDecoder in /Users/andrew/Documents/devel/go/path/src/git.home.topdog-software.com/baruwa-infra/nambari/vendor/github.com/farsightsec/golang-framestream/Decoder.go
1.16MB 1.16MB (flat, cum) 100% of Total
. . 42: }
. . 43: if opt.MaxPayloadSize == 0 {
. . 44: opt.MaxPayloadSize = DEFAULT_MAX_PAYLOAD_SIZE
. . 45: }
. . 46: dec = &Decoder{
1.16MB 1.16MB 47: buf: make([]byte, opt.MaxPayloadSize),
. . 48: opt: *opt,
. . 49: reader: bufio.NewReader(r),
. . 50: writer: nil,
. . 51: }
. . 52:
Input file:
19528 -rw-rw-r-- 1 dns dns 19995623 Jan 8 19:43 dnstap.20160108-194222.fs
This runs just fine:
[root@k tmp]# time /opt/unbound/sbin/dnstap -r dnstap.20160108-194222.fs -y -w koe.yaml
dnstap: opened input file dnstap.20160108-194222.fs
real 0m6.900s
user 0m6.614s
sys 0m1.071s
But this not, with the same input file:
[root@k tmp]# time /opt/unbound/sbin/dnstap -r dnstap.20160108-194222.fs -q -w koe.txt
dnstap: opened input file dnstap.20160108-194222.fs
panic: runtime error: index out of range
goroutine 6 [running]:
github.com/dnstap/golang-dnstap.textConvertMessage(0xc8203890a0, 0xc8202a4770)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/QuietTextFormat.go:147 +0x5b2
github.com/dnstap/golang-dnstap.TextFormat(0xc82009e000, 0x0, 0x0, 0x0, 0xc82009e000)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/QuietTextFormat.go:159 +0x67
github.com/dnstap/golang-dnstap.(*TextOutput).RunOutputLoop(0xc82000e480)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/TextOutput.go:67 +0x286
created by main.main
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/dnstap/main.go:97 +0x409
goroutine 1 [chan receive]:
github.com/dnstap/golang-dnstap.(*FrameStreamInput).Wait(0xc820010bc0)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/FrameStreamInput.go:69 +0x39
main.main()
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/dnstap/main.go:129 +0x813
goroutine 17 [syscall, locked to thread]:
runtime.goexit()
/home/sjm/go/src/runtime/asm_amd64.s:1721 +0x1
goroutine 5 [syscall]:
os/signal.loop()
/home/sjm/go/src/os/signal/signal_unix.go:22 +0x18
created by os/signal.init.1
/home/sjm/go/src/os/signal/signal_unix.go:28 +0x37
goroutine 7 [select, locked to thread]:
runtime.gopark(0x7c4e70, 0xc820024f28, 0x747988, 0x6, 0x42d518, 0x2)
/home/sjm/go/src/runtime/proc.go:185 +0x163
runtime.selectgoImpl(0xc820024f28, 0x0, 0x18)
/home/sjm/go/src/runtime/select.go:392 +0xa64
runtime.selectgo(0xc820024f28)
/home/sjm/go/src/runtime/select.go:212 +0x12
runtime.ensureSigM.func1()
/home/sjm/go/src/runtime/signal1_unix.go:227 +0x353
runtime.goexit()
/home/sjm/go/src/runtime/asm_amd64.s:1721 +0x1
goroutine 8 [chan receive]:
main.main.func1(0xc82000a540, 0x7f4d4c82f568, 0xc82000e480)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/dnstap/main.go:103 +0x4d
created by main.main
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/dnstap/main.go:107 +0x4f5
goroutine 9 [runnable]:
syscall.Syscall(0x0, 0x4, 0xc82009d000, 0x1000, 0x1000, 0x1000, 0x0)
/home/sjm/go/src/syscall/asm_linux_amd64.s:18 +0x5
syscall.read(0x4, 0xc82009d000, 0x1000, 0x1000, 0x4, 0x0, 0x0)
/home/sjm/go/src/syscall/zsyscall_linux_amd64.go:783 +0x5f
syscall.Read(0x4, 0xc82009d000, 0x1000, 0x1000, 0x1000, 0x0, 0x0)
/home/sjm/go/src/syscall/syscall_unix.go:160 +0x4d
os.(_File).read(0xc820026038, 0xc82009d000, 0x1000, 0x1000, 0x1000, 0x0, 0x0)
/home/sjm/go/src/os/file_unix.go:211 +0x53
os.(_File).Read(0xc820026038, 0xc82009d000, 0x1000, 0x1000, 0x1000, 0x0, 0x0)
/home/sjm/go/src/os/file.go:95 +0x8a
bufio.(_Reader).fill(0xc82000a6c0)
/home/sjm/go/src/bufio/bufio.go:97 +0x1e9
bufio.(_Reader).Read(0xc82000a6c0, 0xc8200a2018, 0xc8, 0xfffe8, 0x18, 0x0, 0x0)
/home/sjm/go/src/bufio/bufio.go:207 +0x260
io.ReadAtLeast(0x7f4d4c82f698, 0xc82000a6c0, 0xc8200a2000, 0xe0, 0x100000, 0xe0, 0x18, 0x0, 0x0)
/home/sjm/go/src/io/io.go:298 +0xe6
io.ReadFull(0x7f4d4c82f698, 0xc82000a6c0, 0xc8200a2000, 0xe0, 0x100000, 0x0, 0x0, 0x0)
/home/sjm/go/src/io/io.go:316 +0x62
github.com/farsightsec/golang-framestream.(_Decoder).readFrame(0xc820084120, 0xe0, 0x0, 0x0)
/home/sjm/gocode/src/github.com/farsightsec/golang-framestream/Decoder.go:177 +0xcb
github.com/farsightsec/golang-framestream.(_Decoder).Decode(0xc820084120, 0x0, 0x0, 0x0, 0x0, 0x0)
/home/sjm/gocode/src/github.com/farsightsec/golang-framestream/Decoder.go:210 +0x1d7
github.com/dnstap/golang-dnstap.(*FrameStreamInput).ReadInto(0xc820010bc0, 0xc82000a480)
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/FrameStreamInput.go:54 +0x40
created by main.main
/home/sjm/gocode/src/github.com/dnstap/golang-dnstap/dnstap/main.go:126 +0x7ff
real 0m0.403s
user 0m0.301s
sys 0m0.131s
[root@k tmp]# ls -las koe.*
628 -rw-r----- 1 root dns 643050 Jan 8 19:49 koe.txt
79580 -rw-r----- 1 root dns 81486794 Jan 8 19:48 koe.yaml
Not sure if this belongs here or somewhere else, so let me know if my question / problem needs to be redirected.
When running dnstap I noticed the binary log only populates when new entries are requested from the named server. Is this expected?
Trouble shooting:
I was thinking the log would populate for every request no matter how frequent or similar they are. Was there a reason this was disabled? Too much overhead?
Is there a way to enable this feature?
i find that dnstap cannot support date, only show hours and minutes, so i find a easy(maybe simple&stupid way) to log coredns,
here is the solution:
/usr/bin/coredns -conf /etc/storage/csc/coredns/Corefile 2>&1 | stdbuf -oL awk '{ print strftime("[%Y-%m-%d %H:%M:%S]"), $0 }' | stdbuf -oL tee -a log7.log
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.