Oct 13 – 14, 2018
Using the C-DNS file format in traffic capture

Oct 14, 2018, 9:00 AM
Dr Jim Hague (Sinodun)


A traditional route for DNS traffic capture is to record traffic in PCAP format. Recorded files are compressed and used as input for subsequent processing. PCAP files, though, suffer from two disadvantages: they record a great deal of link- and transport-layer data that is unnecessary for DNS analysis, and compressing them requires significant system resources.

The C-DNS file format (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-capture-format/) for storing captured DNS traffic in a resource-efficient way is now moving towards standardisation. In this talk we discuss the background to C-DNS and give an overview of the format. We'll outline how the C-DNS format and its associated open source tools (including https://github.com/dns-stats/compactor) can be used to capture DNS traffic in resource-constrained environments, and look at an existing deployment for a busy root server.
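As an added illustration (not code from the talk, the draft, or the compactor project), the following Python sketches the two ideas the abstract refers to: discarding the Ethernet/IP/UDP framing that a PCAP record carries, and storing matched query/response pairs against deduplicating lookup tables for addresses and names. The frames, addresses and timestamps are constructed here, and the block layout is a simplified model of the C-DNS query/response item and block-table concepts, not the CBOR encoding the draft specifies.

```python
import socket
import struct

# --- Constructed sample traffic (Ethernet + IPv4 + UDP + DNS, as PCAP would hold it) ---

def encode_name(name):
    """Wire-format a dotted DNS name: length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(tid, qname, qtype=1):
    # header: id, flags (RD), qdcount=1, an/ns/ar=0; then the question
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(tid, qname, rdata, rcode=0):
    hdr = struct.pack("!HHHHHH", tid, 0x8180 | rcode, 1, 1, 0, 0)   # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(rdata)
    return hdr + question + answer

def build_frame(src, dst, sport, dport, payload):
    """14-byte Ethernet + 20-byte IPv4 + 8-byte UDP framing (checksums zeroed, constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload

# --- Reduction: framing -> (client, server, port), DNS message -> the few fields kept ---

def read_name(msg, off):
    """Decode a possibly-compressed name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_frame(frame):
    ihl = (frame[14] & 0x0F) * 4
    off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "dns": frame[off + 8:], "framing": off + 8}

def parse_dns(msg):
    tid, flags = struct.unpack("!HH", msg[:4])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return {"id": tid, "qr": flags >> 15, "rcode": flags & 0xF, "qname": qname, "qtype": qtype}

def build_block(packets):
    """packets: list of (timestamp_us, frame). Returns a C-DNS-like block: lookup
    tables plus query/response items that reference table entries by index."""
    addresses, names, items, pending, framing_bytes = [], [], [], {}, 0

    def index_of(table, value):
        if value not in table:
            table.append(value)
        return table.index(value)

    for ts, frame in packets:
        f, d = parse_frame(frame), None
        d = parse_dns(f["dns"])
        framing_bytes += f["framing"]
        client, server, port = (f["src"], f["dst"], f["sport"]) if d["qr"] == 0 else (f["dst"], f["src"], f["dport"])
        key = (client, port, d["id"])
        item = pending.pop(key, None)
        if item is None:
            item = {"time_us": ts, "client": index_of(addresses, client), "server": index_of(addresses, server),
                    "client_port": port, "id": d["id"], "qname": index_of(names, d["qname"]),
                    "qtype": d["qtype"], "rcode": None, "delay_us": None}
            items.append(item)
            if d["qr"] == 0:
                pending[key] = item          # wait for the matching response
                continue
            item["delay_us"] = None          # response without a query in this block
        if d["qr"] == 1:
            item["rcode"] = d["rcode"]
            if key not in pending and item["time_us"] != ts:
                item["delay_us"] = ts - item["time_us"]
    return {"address_table": addresses, "name_table": names, "qr_items": items,
            "framing_bytes_dropped": framing_bytes}

SERVER = "198.51.100.1"
SAMPLE = [  # constructed: two answered queries for example.com, one unanswered for example.org
    (1_000_000, build_frame("192.0.2.10", SERVER, 40000, 53, build_query(0x1234, "example.com."))),
    (1_000_450, build_frame(SERVER, "192.0.2.10", 53, 40000, build_response(0x1234, "example.com.", "192.0.2.1"))),
    (1_001_000, build_frame("192.0.2.11", SERVER, 40001, 53, build_query(0x1235, "example.com."))),
    (1_001_600, build_frame(SERVER, "192.0.2.11", 53, 40001, build_response(0x1235, "example.com.", "192.0.2.1"))),
    (1_002_000, build_frame("192.0.2.10", SERVER, 40002, 53, build_query(0x1236, "example.org."))),
]

if __name__ == "__main__":
    print(build_block(SAMPLE))
```

The unanswered query is kept as an item with no rcode and no delay, which is exactly the kind of record a PCAP-to-C-DNS pipeline must preserve rather than silently drop; the five 42-byte framing prefixes (plus the per-record PCAP headers, not modelled here) are what the abstract means by unnecessary transport-layer data.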

We will also look at downstream processing of C-DNS files, from PCAP re-generation to recent work on importing C-DNS into a ClickHouse database. The data can be used both for ad hoc low-level queries and for visualisation with Grafana to produce DSC-style graphs. We'll highlight the advantages of ClickHouse for this application and talk about scaling of this solution.

Dr Sara Dickinson (Sinodun), Dr Jim Hague (Sinodun)

