Verisign Labs
Tech Talks

Tech Talks are presentations from invited guests about issues related to Internet technology.

Passive DNS Collection and Analysis – The "dnstap" Approach

Event Description

DNS is a high volume low latency datagram protocol at the heart of the Internet -- it enables almost all other traffic flows. DNS traffic which might have resulted from or directed that traffic. Netflow by itself can answer the question, "what happened?" but it cannot by itself answer the equally important question, "why?"

Collecting DNS query and response data has always been challenging due to the impedance mismatch between DNS as an asynchronous datagram service and available synchronous persistent storage systems. Success in DNS telemetry has historically come from the PCAP/BPF approach, where the collection agent reassembles packets seen 'on the wire' into DNS transaction records, with complete asynchrony from the DNS server itself. It is literally and always preferable to drop transactions from the telemetry path than to impact the operation a production DNS server in any way.

BPF/PCAP is not a panacea, though, since the complexity of state-keeping means that most passive DNS collectors are blind to TCP transactions, and all are blind to data elements which don't appear on the wire, such as cache purge or cache expiration events, or to "view" identifiers or current delegation point. The Farsight Security team has therefore designed a new open source and open protocol system called "dnstap" with a transmission/reception paradigm that preserves the necessary lossiness of DNS transaction collection while avoiding the state-keeping of BPF/PCAP based systems.

This talk will cover passive DNS including collection, sharing, post-processing, database construction, and access, using the Farsight Security system as a model. "dnstap" will be introduced in that context, including a status report and road-map.

About Paul Vixie

Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He has served on the ARIN Board of Trustees since 2005, where he served as Chairman in 2008 and 2009, and is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op Sec Trust.

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC.

About Robert Edmonds

Robert Edmonds is a software developer at Farsight Security. He is responsible for maintaining several core components of Farsight's Security Information Exchange (SIE) and DNSDB products, including the 'nmsg' network message encapsulation library, the 'mtbl' immutable sorted string table library, and the 'wdns' low-level DNS library. His current projects include the development of 'dnstap', a framework for exporting event data from DNS software, and the ongoing maintenance of 'protobuf-c', a C implementation of the "Protocol Buffers" data serialization format.

View all of our past Verisign Labs Tech Talks presentations.