NOTE: The code before version 1.x is considered beta quality and is subject to breaking changes.
DNS-collector acts as a passive, high-speed ingestor, aggregator and analyzer for your DNS traffic, written in Go. DNS traffic can be collected and aggregated simultaneously from several sources (DNStap streams, a network interface or log files), transformed on the way (traffic filtering, user privacy, ...), converted between DNS representations (plain text, JSON and more) and relayed to multiple listeners.
Additionally, DNS-collector also supports:
- Extension Mechanisms for DNS (EDNS) decoding
- IPv4/v6 defragmentation and TCP reassembly
- Nanoseconds in timestamps
Overview:
Collectors:
- Listen for logging traffic with streaming network protocols
- Live capture on a network interface
- Read text or binary files as input:
  - Read and tail on plain text files
  - Ingest PCAP or DNSTap files by watching a directory
Loggers:
- Local storage of your DNS logs in plain Text, Json, Pcap or Dnstap formats:
  - Stdout console with custom directives
  - File with automatic rotation and compression
- Provide metrics and API:
  - Prometheus metrics and visualize-it with built-in dashboards for Grafana
  - Statsd support
  - REST API with swagger to search DNS domains
- Send to remote host with generic transport protocol
- Send to various sinks
- Send to security tools
Transformers:
Traffic Reducer
- Detect repetitive queries/replies and log it only once
Extractor
- Add base64 encoded dns payload
Latency Computing
- Compute latency between replies and queries
- Detect and count unanswered queries
Traffic filtering
- Downsampling
- Dropping per Qname, QueryIP or Rcode
User Privacy
- Anonymize QueryIP
- Minimize Qname
- Hash Query and Response IP with SHA1
Normalize
- Quiet Text
- Qname to lowercase
- Add TLD and TLD+1
Geographical metadata
- Country and City
Suspicious traffic detector
- Malformed and large packets
- Uncommon Qtypes used
- Disallowed characters in Qname
- Excessive number of labels
- Long Qname
Download the latest release binary and start the DNS-collector with the provided configuration file. The default configuration listens on tcp/6000 for a DNSTap stream and DNS logs are printed on standard output.
./go-dnscollector -config config.yml
If you prefer to run it from Docker, follow this guide.
The configuration of DNS-collector is done through a file named config.yml. When the DNS-collector starts, it looks for config.yml in the current working directory.
See the full configuration guide for more details.
You will find below some examples of configuration to manage your DNS logs.
- Capture DNS traffic from incoming DNSTap streams
- Capture DNS traffic from PowerDNS products
- Observe your DNS traffic from logs
- Apply some transformations
- Capture DNS traffic from FRSTRM/dnstap files
- Capture DNS traffic from PCAP files
- Capture DNS traffic from Mikrotik device
- Security: suspicious traffic detector
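The following config.yml is an added example, not one of the project's shipped configuration files. It ties the overview above together in a single pipeline: one DNSTap collector on tcp/6000, the user-privacy, normalize and suspicious-traffic transformers applied to what it receives, a stdout logger for operators and a rotated JSON log file for retention. The key names assume the "multiplexer" syntax of the 0.x releases; the thresholds, the log path and the route names (tap, console, archive) are constructed for this example, so check them against the configuration guide for the version you run.

```yaml
# Added example config.yml for DNS-collector (not a project-shipped file).
# Assumes the 0.x "multiplexer" syntax: collectors -> transforms -> routes -> loggers.
global:
  trace:
    verbose: true

multiplexer:
  collectors:
    # Accept DNSTap streams from your resolvers; same default port as the
    # stock configuration (tcp/6000).
    - name: tap
      dnstap:
        listen-ip: 0.0.0.0
        listen-port: 6000
      # Transformers run on every message this collector ingests, before
      # anything reaches a logger, so privacy-sensitive fields never hit disk.
      transforms:
        user-privacy:
          anonymize-ip: true      # keep only the network part of the client IP
          minimaze-qname: true    # reduce the qname to its registrable domain
        normalize:
          qname-lowercase: true   # so case variants of a name aggregate together
        suspicious:
          threshold-qname-len: 100      # flag unusually long names
          threshold-packet-len: 1000    # flag unusually large packets
          threshold-max-labels: 10      # flag excessive label counts
          unallowed-chars: [ "\"", "==", "/", ":" ]   # chars that should not appear in a qname

  loggers:
    # Human-readable view on the console.
    - name: console
      stdout:
        mode: text
    # JSON keeps the per-message annotations added by the transformers
    # (the text mode prints only the default columns); rotate and compress
    # so retention is bounded. Path is a constructed example value.
    - name: archive
      logfile:
        file-path: /var/log/dnscollector/queries.log
        max-size: 100      # MB per file before rotation
        max-files: 10      # rotated files kept
        compress: true
        mode: json

  routes:
    # Fan the single collector out to both loggers.
    - from: [ tap ]
      to: [ console, archive ]
```

Start it with ./go-dnscollector -config config.yml from the directory holding the file. Because the transformers are attached to the collector rather than to a logger, both the console and the archive see the same anonymized, normalized and annotated records; if you only want the archive to be anonymized, move the transforms block under that logger instead.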
See the development guide for more information on how to build it yourself.
How-to user guides: