.. _mod-dnstap:

``dnstap`` – Dnstap traffic logging
===================================

A module for query and response logging based on the dnstap_ library.
You can capture either all or zone-specific queries and responses; usually
you want to do the former.

Example
-------

The configuration comprises only a :ref:`mod-dnstap_sink` path parameter,
which can be either a file or a UNIX socket::

   mod-dnstap:
     - id: capture_all
       sink: /tmp/capture.tap

   template:
     - id: default
       global-module: mod-dnstap/capture_all

.. NOTE::
   To be able to use a Unix socket you need an external program to create it.
   Knot DNS connects to it as a client using the libfstrm library. It operates
   exactly like syslog.

.. NOTE::
   Dnstap log files can also be created or read using :doc:`kdig<man_kdig>`.

.. _dnstap: https://dnstap.info/

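
An added example, not part of the Knot DNS documentation: a check that a file sink capture is a well-formed Frame Streams stream carrying dnstap and whether it was closed with a STOP frame. It assumes the unidirectional Frame Streams framing written by libfstrm; ``inspect_capture``, ``_control`` and the sample bytes are constructed for illustration.

```python
import struct

# Frame Streams constants (control frame types, field type) and dnstap content type.
CONTROL_START, CONTROL_STOP = 2, 3
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
def _u32(buf, pos, limit):
    """Read one big-endian 32-bit value, refusing to read past `limit`."""
    if pos + 4 > limit:
        raise ValueError("truncated at offset %d" % pos)
    return struct.unpack_from(">I", buf, pos)[0], pos + 4

def inspect_capture(buf):
    """Walk a capture; return content type, data frame count, and whether STOP was seen."""
    summary = {"content_type": None, "frames": 0, "complete": False}
    pos = 0
    while pos < len(buf) and not summary["complete"]:
        length, pos = _u32(buf, pos, len(buf))
        if length:  # non-zero length: a data frame holding one dnstap message
            if pos + length > len(buf):
                raise ValueError("data frame overruns file at offset %d" % pos)
            summary["frames"] += 1
            pos += length
            continue
        clen, pos = _u32(buf, pos, len(buf))  # zero length is the control escape
        end = pos + clen
        if end > len(buf):
            raise ValueError("control frame overruns file at offset %d" % pos)
        ctype, pos = _u32(buf, pos, end)
        while pos < end:  # optional (type, length, value) fields
            ftype, pos = _u32(buf, pos, end)
            flen, pos = _u32(buf, pos, end)
            if pos + flen > end:
                raise ValueError("control field overruns frame at offset %d" % pos)
            if ctype == CONTROL_START and ftype == FIELD_CONTENT_TYPE:
                summary["content_type"] = buf[pos:pos + flen]
            pos += flen
        summary["complete"] = ctype == CONTROL_STOP
    return summary

def _control(ctype, content_type=None):
    body = struct.pack(">I", ctype)
    if content_type is not None:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    return struct.pack(">II", 0, len(body)) + body
# Constructed sample: START, two placeholder payloads (not real dnstap messages), STOP.
SAMPLE = (_control(CONTROL_START, DNSTAP_CONTENT_TYPE)
          + struct.pack(">I", 5) + b"\x0a\x03ns1"
          + struct.pack(">I", 5) + b"\x0a\x03ns2" + _control(CONTROL_STOP))
```

A result with ``complete`` set to ``False`` means the stream ended on a frame boundary without a STOP frame, while a ``ValueError`` means it was cut inside a frame.
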
Module reference
----------------

To log all queries, use this module in the *default* template. For
zone-specific logging, use this module in the relevant zone configuration.

::

   mod-dnstap:
     - id: STR
       sink: STR
       identity: STR
       version: STR
       log-queries: BOOL
       log-responses: BOOL
       responses-with-queries: BOOL

.. _mod-dnstap_id:

id
..

A module identifier.

.. _mod-dnstap_sink:

sink
....

A sink path, which can be either a file or a UNIX socket when prefixed with
``unix:``.

*Required*

.. WARNING::
   The file is overwritten on server startup or reload.

.. _mod-dnstap_identity:

identity
........

A DNS server identity. Set an empty value to disable.

*Default:* FQDN hostname

.. _mod-dnstap_version:

version
.......

A DNS server version. Set an empty value to disable.

*Default:* server version

.. _mod-dnstap_log-queries:

log-queries
...........

If enabled, query messages will be logged.

*Default:* ``on``

.. _mod-dnstap_log-responses:

log-responses
.............

If enabled, response messages will be logged.

*Default:* ``on``

responses-with-queries
......................

If enabled, dnstap ``AUTH_RESPONSE`` messages will also include the original
query message as well as the response message sent by the server.

*Default:* ``off``