-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Separate Dnstap and DNS agents #11
Comments
For generalization purposes added two additional fields:
|
Smoketest code is on the Multicast supportIPv4 multicast is nominally supported by the code. I welcome feedback, I make no promises as to if or how issues will be resolved.
|
I've got this in production now, feeding both the ShoDoHFlo Redis agent ( Feel free to go ahead and try out the |
So far so good. I'll let it soak until Monday February 19 before merging into |
This has been merged to |
The present implementation lacks flexibility and only supports 1:1 telemetry capture.
The current dns_agent combines two functionalities:
The Dnstap protocol as architected is not network-aware; the BIND implementation is capable only writing to either the unix socket or to (rotating) files.
It is desirable to support many-to-one, one-to-many, and many-to-many capture modalities for redundancy and failover, as well as for additional uses. For instance, work is underway to alter Rear View RPZ to that it can optionally ingest telemetry data via UDP datagrams transmitted in the format envisioned here.
The anticipated future architecture is:
This issue exists to inform the community of the anticipated change and to solicit feedback.
UDP as the transmission modality
UDP datagrams are anticipated as the transmission modality, with each datagram encapsulating one observable event.
An observable event is defined as a (potential)
CNAME
chain ending in a single IP address; if the underlying Dnstap event resolves the (single)CNAME
chain to multiple addresses, then one observable event is generated for each address.UDP is chosen because it supports not only one-to-one and many-to-one, but also one-to-many and many-to-many (multicast addresses). Additionally, UDP is connectionless and so recovery / tolerance for network or receiver outages is much simpler to build as well as understand.
UDP has an absolute 64K byte limit on datagram size; on the other hand the efficient datagram size is determined by path MTU and can be considerably smaller (the typical ethernet MTU is 1500 bytes). Datagrams larger than the path MTU are dealt with via fragmentation, which increases the possibility of data loss and requires packet reassembly at the receiving end.
Note that the maximum size of a DNS query or response tracks the UDP absolute limit on datagram size.
Content of the telemetry data
Dnstap telemetry can capture different versions of a DNS query or response (stub resolver to caching resolver or caching resolver to authoritative, request or response) as well as additional metadata. Since a single DNS message itself can theoretically reach the absolute limit on datagram size, curation of data is required in order to reliably use UDP as a transport.
The datagram content is envisioned as a JSON dictionary with three keys:
CNAME
chain; both IPv4 and IPv6 are supportedCNAME
chainGiven the DNS data:
a sample (and prettified) datagram payload might look like this:
The text was updated successfully, but these errors were encountered: