Oct 13 – 14, 2018
Okura Hotel
Europe/Amsterdam timezone

Using the C-DNS file format in traffic capture

Oct 14, 2018, 9:00 AM
Heian I/II (Okura Hotel)

Heian I/II

Okura Hotel

Ferdinand Bolstraat 333 1072 LH Amsterdam NL
Standard Presentation Public Workshop Joint OARC & CENTR-Tech Public Workshop


Dr Jim Hague (Sinodun)


A traditional route for DNS traffic capture is to record traffic in PCAP format. Recorded files are compressed and used as input for subsequent processing. PCAP files, though, suffer from two disadvantages; they record much transport layer data that is unnecessary, and compression requires significant system resources.

The C-DNS file format (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-capture-format/) for storing DNS traffic capture in a resource-efficient way is now moving towards standardisation. In this talk we discuss the background to C-DNS and give an overview of the format. We'll outline how the C-DNS format and its associated open source tools (including https://github.com/dns-stats/compactor) can be used to capture DNS traffic in resource constrained environments and look at an existing deployment for a busy root server.

We will also look at downstream processing of C-DNS files from PCAP re-generation to recent work on importing C-DNS into a ClickHouse database. The data can be used for both ad-hoc low-level queries and visualisation with Grafana to produce DSC-style graphs. We'll highlight the advantages of ClickHouse for this application and talk about scaling of this solution.

Talk Duration 30 Minutes

Primary authors

Dr Sara Dickinson (Sinodun) Dr Jim Hague (Sinodun)

Presentation materials