dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.
Currently dnstap can only encode wire-format DNS messages. Support for additional types of DNS log information is planned.
Support for dnstap is included in several DNS servers, including:
Knot DNS as of version 1.5.0
Unbound as of version 1.5.0
BIND as of version 9.11
CoreDNS as of version 1.5.0
NSD as of version 4.1.26
Dnsdist as of version 1.3.0
A standalone command-line tool for receiving and decoding dnstap log messages is also being worked on. Check out this example output from the dnstap command to get an idea of the kind of information that dnstap can encode.
The current development trees can be found on the Source page.
dnstap-whoami: one-legged exfiltration of resolver queries. Slides. Presented in October 2015 at the OARC 2015 Fall Workshop by Robert Edmonds in Montréal.
Passive DNS Collection and Analysis: The 'dnstap' (& fstrm) Approach. Slides. Presented in December 2014 at Verisign Labs by Paul Vixie and Robert Edmonds in Reston, VA.
dnstap: brief intro and update. Slides. Presented in June 2014 at NANOG 61 by Merike Kaeo in Bellevue, WA.
dnstap: introduction and status update. Slides. Presented in May 2014 at the OARC 2014 Spring Workshop by Robert Edmonds in Warsaw.
dnstap: high speed DNS logging without packet capture. Presented in April 2014 at FIRST TC by Jeroen Massar in Amsterdam.
dnstap: high speed DNS logging without packet capture. Slides. Presented in April 2014 at APWG eCrime Researchers Sync-Up IV by Jeroen Massar in Oberammergau, Germany.
dnstap: high speed DNS logging without packet capture. Slides. Video. Tutorial. Presented in February 2014 at NANOG 60 by Robert Edmonds in Atlanta.
Passive DNS Collection and Analysis: The 'dnstap' Approach. Slides. Presented in January 2014 at FloCon 2014 by Paul Vixie in Charleston, SC.
dnstap: high speed DNS server event replication without packet capture. Slides. Presented in June 2013 by Robert Edmonds.
There is a mailing list for everyone interested in discussing dnstap.
Source code, website code, and presentation material are hosted on GitHub.