dnstap introduction and status update
play

dnstap: introduction and status update Robert Edmonds - PowerPoint PPT Presentation

Feb 03, 2023 •141 likes •336 views

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

  1. dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

  2. URL  http://dnstap.info – Documentation – Presentations – Tutorials – Mailing list – Downloads – Code repositories dnstap Slide 2 of 18

  3. Introduction  It's Protocol Buffers logging for DNS software.  Schema file located here: https://github.com/dnstap/dnstap.pb/blob/master/dnstap.proto – dnstap Slide 3 of 18

  4. Protocol Buffers  Natural fit for DNS data. – Binary clean. – Efficient encoding. – Extendable.  Implementations available for many programming languages. – C, C++, Java, Python, Go, etc. dnstap Slide 4 of 18

  5. Schema  Top-level Dnstap container message with fields: – identity : “NSID” analog. – version : “version.bind” analog. – extra : arbitrary annotation. – type : type of the contained message. – One of the following: ● message : wire-format DNS message + metadata. ● More possibilities to come. dnstap Slide 5 of 18

  6. Schema  Message type encapsulates DNS wire-format messages. – type : AUTH_QUERY, AUTH_RESPONSE, RESOLVER_QUERY, RESOLVER_RESPONSE, ..., TOOL_QUERY, TOOL_RESPONSE – socket_family : INET, INET6 – socket_protocol : UDP, TCP – query_address, query_port – response_address, response_port – query_time_sec, query_time_nsec – query_message – query_zone – response_time_sec, response_time_nsec – response_message dnstap Slide 6 of 18

  7. Framing  Protobuf packs one payload at a time.  How to pack a stream of many payloads?  Solution: “Frame Streams”. – Write the payload length (32-bit integer). – Write the actual payload (variable length). – Repeat. dnstap Slide 7 of 18

  8. “Frame Streams”  Lightweight protocol for streaming data frames. – Stream over a socket. – Or, read/write a file.  Doesn't need to know how the data frames are encoded.  Reference libfstrm implementation in C.  Easy to parse. Python decoder is ~50 lines, no external dependencies. dnstap Slide 8 of 18

  9. Use cases  These can all be accomplished with the dnstap/Message schema: – Interchange format for tools. – Passive DNS replication. – Query logging. dnstap Slide 9 of 18

  10. Interchange format  Many tools send/receive DNS messages. – dig/delv(e), drill, kdig – looking glasses  Immediately converted from DNS wire format to some other format. – Traditional “dig style” – JSON – ??? dnstap Slide 10 of 18

  11. Interchange format  Save a copy of the original DNS messages. – Display the message trace now or later. – Be able to refer to the original verbatim wire message, instead of whatever the tool printed to stdout.  Looking glasses can communicate the exact response as received, rather than transcoding into, e.g. JSON. dnstap Slide 11 of 18

  12. Passive DNS replication  Usually done by logging of authoritative responses to resolver initiated queries.  Actually, instead of capturing the responses , the packets containing the responses are captured. – UDP responses may be spoofed. – IP fragments, TCP segments, UDP checksums... dnstap Slide 12 of 18

  13. Passive DNS replication  Because packet capture occurs outside of the DNS server, a critical piece of information is missing: the bailiwick of the transaction. – Must be laboriously reconstructed in order to avoid poisoning: “passive DNS bailiwick algorithm”.  dnstap alternative: the DNS server can just log the needed information. dnstap Slide 13 of 18

  14. Query logging  Log the queries the server receives.  Metadata that would be nice to have: – Recursive case: whether the query hit a cache. – Authoritative case: which zone a query was served from. dnstap Slide 14 of 18

  15. dnstap Slide 15 of 18

  16. dnstap components  Flexible, structured log format for DNS software. – dnstap.pb  Helper libraries for adding support to DNS software. – libfstrm, libprotobuf-c  Patch sets that integrate dnstap support into existing DNS software. – Unbound, Knot  Capture tools for receiving dnstap messages from dnstap-enabled software. dnstap Slide 16 of 18

  17. Status update  fstrm library under heavy development  protobuf-c 1.0.0 release candidate  Unbound patchset rebased against 1.4.22, almost complete  Work on Knot/kdig patchset begun dnstap Slide 17 of 18

  18. URL  http://dnstap.info – Documentation – Presentations – Tutorials – Mailing list – Downloads – Code repositories dnstap Slide 18 of 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and

Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and

8/12/2016 Program 13:00h welcome and introduction (Toon Goedem) 13:30h Status update hardware and calibration (Bjorn Van IWT-Tetra project Tilt / Toon Goedem) 14:00h Status update abnormal behaviour detection (Kristof Van

378 views • 16 slides
Programme Update Status Update, Six Month Report & Change Request Status Update Lake

Programme Update Status Update, Six Month Report & Change Request Status Update Lake

Programme Update Status Update, Six Month Report & Change Request Status Update Lake Rotorua Low Nitrogen Land Use Fund Round 2 Recommendations. Incentives Scheme 20T Achieved, 25T in pipeline. Strategic Review for new

149 views • 12 slides
The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC Importance of Measuring DNS High volume low latency datagram protocol sie-xyzzy1 547,128,709,757 bytes,

323 views • 17 slides
Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction

ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction

ERLP Status January 2007 Lee Jones ASTeC ERLP Progress Update: Content Introduction Construction status Injector commissioning Accelerating modules & Cryogenics Beam transport system Ongoing work Future

911 views • 61 slides
19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6

19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6

EBCC Presentation 19 th November 2018 Agenda 1. Introduction and Status Review 2. Operational Update 3. 6 Month Operational Review 4. Focus for 2018/19 5. Security Review 6. Modification Update 7. Project Update 8. Any Other

301 views • 27 slides
MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der

MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der

MVD Strip ASIC (PASTA) Status Update of the PA NDA St rip A SIC Andr Goerres Mitglied der Helmholtz-Gemeinschaft 10 September 2013 46. PANDA Meeting, Ruhr-University-Bochum 1 Content Introduction to TOFPET/PASTA Status of analogue

606 views • 27 slides
dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers that return custom responses Diagnostics Experimentation Result passed through to the original client Examples: DNS whoami

265 views • 25 slides
WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update

WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update

WG1: STATUS UPDATE & WORK PLAN STIJN JANSSEN & CRISTINA GUERREIRO CONTENT Status Update Updated Modelling Quality Objective & Guidance Document MQO for forecasting Composite Mapping Exceedance Modelling & Fit for

760 views • 42 slides
Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who

Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who

Business Intelligence at Penn State June 2011 Agenda Introduction and Status Update. Who is Using iTwo and how they are using it. Conclusion Previous Page Next Page Introduction and Status Update Previous Page Next Page Business

540 views • 32 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

786 views • 40 slides
CED Status Update Theo Larrieu Outline Software Status Recent Developments Future

CED Status Update Theo Larrieu Outline Software Status Recent Developments Future

CED Status Update Theo Larrieu Outline Software Status Recent Developments Future Developments Contents Status Adding, Updating, Removing data CED / Songsheets relationship Status - HLAPPS All new and many (most?)

513 views • 14 slides
October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period

October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period

October 2009 Financial Status Update Financial Status Update 1 General Fund Revenue Period Ending September 30, 2009 Category Budget Actual Taxes $105,601,600 $ 6,614,192 License & Permits $ 1,467,031 $ 566,344

314 views • 12 slides
Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN & service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
(Unifying?) rheology of soft glasses and jammed solids Ludovic Berthier Laboratoire Charles

(Unifying?) rheology of soft glasses and jammed solids Ludovic Berthier Laboratoire Charles

(Unifying?) rheology of soft glasses and jammed solids Ludovic Berthier Laboratoire Charles Coulomb Universit e de Montpellier 2 & CNRS Unifying concepts in materials, JAKS 2012 Bangalore, February 7, 2012 title p.1 Coworkers

435 views • 26 slides
Adversarially Robust Optimization with Gaussian Processes Ilija Bogunovic, Jonathan Scarlett,

Adversarially Robust Optimization with Gaussian Processes Ilija Bogunovic, Jonathan Scarlett,

Adversarially Robust Optimization with Gaussian Processes Ilija Bogunovic, Jonathan Scarlett, Stefanie Jegelka, Volkan Cevher Conference on Neural Information Processing Systems (Dec 2018) Gaussian Process Optimization Optimum Non-robust

393 views • 12 slides
Linguistic sca fg olds for policy learning Jacob Andreas Berkeley Microsoft Semantic Machines

Linguistic sca fg olds for policy learning Jacob Andreas Berkeley Microsoft Semantic Machines

Linguistic sca fg olds for policy learning Jacob Andreas Berkeley Microsoft Semantic Machines MIT Linguistic sca fg olds for policy learning (what can language do for RL?) Jacob Andreas Berkeley Microsoft Semantic Machines MIT An

780 views • 65 slides
Spin glasses, concepts and analysis of susceptibility P.C.W. Holdsworth Ecole Normale Suprieure

Spin glasses, concepts and analysis of susceptibility P.C.W. Holdsworth Ecole Normale Suprieure

Spin glasses, concepts and analysis of susceptibility P.C.W. Holdsworth Ecole Normale Suprieure de Lyon 1. A (brief) review of spin glasses 2. Slow dynamics, aging phenomena 3. An illustration from a simple model My sources - Binder and Young

787 views • 53 slides
Designing deep architectures for Visual Question Answering Matthieu Cord Sorbonne University

Designing deep architectures for Visual Question Answering Matthieu Cord Sorbonne University

Designing deep architectures for Visual Question Answering Matthieu Cord Sorbonne University valeo.ai research lab. Paris Thanks to H. Ben-younes, R. Cadne Visual Question Answering Question Answering: + What does Claudia do? Visual

831 views • 68 slides
Where are my glasses? I know the following statements are true. 1. If I was reading the newspaper

Where are my glasses? I know the following statements are true. 1. If I was reading the newspaper

Proposition logic and argument CISC2100, Fall 2019 X.Zhang 1 Where are my glasses? I know the following statements are true. 1. If I was reading the newspaper in the kitchen, then my glasses are on the kitchen table. 2. If my glasses are on the

652 views • 27 slides
DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA

DTTF/NB479: Dszquphsbqiz Day 29 Announcements: Questions? This week: Digital signatures, DSA Flipping coins over the phone Why are digital signatures important? Compare with paper signatures Danger: Eve would like to use your

423 views • 7 slides
Markov Models and Hidden Markov Models Robert Platt Northeastern University Some images and

Markov Models and Hidden Markov Models Robert Platt Northeastern University Some images and

Markov Models and Hidden Markov Models Robert Platt Northeastern University Some images and slides are used from: 1. CS188 UC Berkeley 2. RN, AIMA Markov Models We have already seen that an MDP provides a useful framework for modeling

1k views • 69 slides

More recommend