May 10 – 11, 2014
Sofitel Warsaw Victoria
Europe/Warsaw timezone

dnstap: introduction and status update

May 11, 2014, 9:30 AM
Opera (Sofitel Warsaw Victoria)


Sofitel Warsaw Victoria

11 Królewska Street 00-065 Warsaw
Public Workshop


Robert Edmonds (Farsight Security, Inc.)


dnstap is a flexible, structured binary log format for DNS software. This presentation will introduce the core concepts and data model and summarize recent progress in implementing dnstap support in existing DNS software. dnstap's motivating use case is to enable an advanced form of forgery resistant passive DNS replication that can perform bailiwick verification of data received from DNS authority servers without an expensive, stateful post-processing step. This can only be done by exporting internal state from the recursive DNS server as the information that can be obtained from external packet capture is insufficient for this purpose. However, a generic mechanism that supports the passive DNS replication use case ought to be able to support other interesting use cases. For instance, command-line tools like 'dig', 'drill', and 'kdig' produce output in similar but not identical text formats reminiscent of the DNS master file format, while various DNS "looking glass" implementations render DNS data in HTML or JSON. A unified interchange format for representing DNS transactions could substantially improve the interoperability and usability of these tools.

Primary author

Robert Edmonds (Farsight Security, Inc.)

Presentation materials