
Implement DNSTAP in Recursor

Open giganteous opened this issue 6 years ago • 8 comments

  • Program: Recursor
  • Issue type: Feature request

Short description

Implement DNStap on the "postresolve" side for powerdns recursor.

Usecase

I think there is a valid use case:

Interested parties exist that want a feed. Most of these parties rely on some kind of software to be installed on the resolver. I'd prefer PowerDNS to do that work; it already sits at the correct spot.

Description

Do what dnsdist describes in its manual in pdns_recursor.

giganteous avatar Mar 20 '18 14:03 giganteous

That would indeed be nice. Ideally I would like to be able to log incoming queries, outgoing answers or both, and to tag which responses I want to log from our Lua hooks. I'm not sure we need to support that for packet cache hits.

rgacogne avatar Mar 20 '18 14:03 rgacogne

+1 here. Being able to ingest recursor traffic is ideal for identifying trends on authoritative servers or performance on instances. We have a protobuf model for this, but DNSTAP would be a nice standardization.

johnhtodd avatar Mar 20 '18 15:03 johnhtodd

To update after reading rgacogne's comments: I think we need to have at least the option to support packetcache hits as output. DNSTAP is used for all sorts of statistics that are not obvious, and without packetcache results showing all queries, the terrible last resort will be going back to pcap, and nobody wants to do that.

johnhtodd avatar Apr 14 '18 20:04 johnhtodd

I still think we should do it, but note that enabling dnstap export for packetcache hits would probably have a huge performance cost, much more than doing packet capture.

rgacogne avatar Apr 14 '18 20:04 rgacogne

Agreed. However, doing sampled or intermittent dnstap collection with all packets captured is easier than building two parallel systems when debugging issues. Perhaps a flag that allows packetcache capture is the right middle ground so it is not always taxing the system for every query if the operator chooses that mode.

johnhtodd avatar Apr 14 '18 21:04 johnhtodd

dnstap support for outgoing queries and incoming replies has been merged to master.

omoerbeek avatar Jun 03 '19 11:06 omoerbeek

Shouldn't this be resolved by now? PowerDNS Recursor 4.3.0 was released 2 days ago.

stasic avatar Mar 05 '20 10:03 stasic

Unless I'm mistaken we only have support for exporting outgoing queries to authoritative servers and incoming responses from authoritative servers over DNSTAP, not incoming queries or outgoing responses. So this issue is only partially solved at the moment.

rgacogne avatar Mar 05 '20 10:03 rgacogne