BIND 9.20.12 - dnstap - RPZ - DNS-collector - Elasticsearch

Wolfgang Riedel Wolfgang.Riedel at f1-consult.com
Thu Sep 11 16:34:24 UTC 2025


Hi Folks,

I just wonder if I am missing something ;-)

I am currently running a POC for RPZ logging into Elasticsearch and just wonder why I can't see any "rpz QNAME NODATA" in Elasticsearch?

I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector -> Elasticsearch

BIND:
dnstap { all; };
// dnstap { auth; resolver query; resolver response; };

/* where to capture to: file or unix (socket) */
// dnstap-output file "/tmp/named.tap";
dnstap-output unix "/run/named/dnstap.sock";
dnstap-identity "rr1.xyz.net";

channel rpz_file {
    file "/var/log/named/rpz.log" versions 10 size 10m;
    severity dynamic;
    print-time yes;
    print-category yes;
    print-severity yes;
};

I am seeing a lot of "rpz QNAME NODATA rewrite" messages in /var/log/named/rpz.log and would like to export them via dnstap instead of writing local log files and then shipping them to Elasticsearch via a log shipper.


DNSCollector:

pipelines:
  - name: "input-bind-dnstap"
    # Read DNSTap stream from a UNIX socket
    dnstap:
      sock-path: /run/named/dnstap.sock
      sock-rcvbuf: 0
    routing-policy:
      # Routes DNS messages from the Unix socket to Elasticsearch
      forward: [output-elastic]
      dropped: [output-error-log]

  - name: "output-elastic"
    elasticsearch:
      server: "https://k8s-eck.xyz.net:30200"
      index: "logs-network_traffic.dnscollector-default"
      bulk-size: 1048576 # 1MB
      bulk-channel-size: 10
      # bulk-size refers to the size of the batch of DNS messages sent to your Elasticsearch instance
      # bulk-channel-size defines the number of batches the DNS collector can hold in memory before dropping them
      flush-interval: 10 # in seconds
      # Interval in seconds before flushing the buffer. Sets the maximum time interval before the buffer is flushed.
      # If the bulk batches reach this interval before reaching the maximum size, they will be sent to Elasticsearch.
      compression: none
      chan-buffer-size: 0
      basic-auth-enable: true
      basic-auth-login: "aaa"
      basic-auth-pwd: "bbb"

Elasticsearch:

In Elasticsearch I can see all kinds of resource record types besides NODATA, which is what I am looking for ;-)

So I just wonder whether BIND is not exporting NODATA when it is the result of RPZ, or whether I am missing something else?

—
Thank you,
Wolfgang
______________________________________________________________________________________________
Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559

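A check a practitioner would want at this point, added here as an example that is not part of the original post and not code from BIND or DNS-collector: NODATA is neither an RCODE nor a record type. It is a NOERROR response whose answer section is empty (RFC 2308), with the SOA of the responsible zone in the authority section, so a collector cannot store it as a "type"; it has to be derived from the decoded response. The script below parses the raw wire-format DNS message that a dnstap frame carries in its response_message field and names the outcome. With dnstap { all; } both CLIENT_RESPONSE and RESOLVER_RESPONSE frames are captured; an RPZ rewrite changes what the resolver sends to the client, so it is the CLIENT_RESPONSE frame that shows the rewritten NODATA, while RESOLVER_RESPONSE frames carry whatever the authoritative server answered. The three sample responses, the policy zone "rpz.local" and the queried name are constructed by hand for illustration.

```python
# Added example: classify a wire-format DNS response as NODATA / NXDOMAIN /
# ANSWER. Not code from the original post, BIND or DNS-collector; the three
# sample responses at the bottom are constructed by hand, not captured traffic.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_A, TYPE_SOA = 1, 6


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if end is None:
                end = off + 2                     # a pointer ends the name in the record
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 128:                        # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                           # root label terminates the name
            if end is None:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", end


def classify_response(msg: bytes) -> dict:
    """Parse header, question, answer and authority sections and name the outcome.
    NODATA is a NOERROR response with an empty answer section (RFC 2308), so it
    is derived from the counts rather than looked up in a field."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, nscount, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off, qname, qtype = 12, None, None
    for i in range(qdcount):
        name, off = read_name(msg, off)
        rtype, _rclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        if i == 0:
            qname, qtype = name, rtype

    def section(count: int) -> list[tuple[str, int]]:
        """Walk `count` resource records, returning (owner, type) for each."""
        nonlocal off
        records = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen                     # skip RDATA; only the type matters here
            records.append((owner, rtype))
        return records

    answers, authority = section(ancount), section(nscount)
    if rcode != 0:
        outcome = RCODES.get(rcode, f"RCODE{rcode}")
    elif ancount == 0:
        outcome = "NODATA"
    else:
        outcome = "ANSWER"
    # The SOA owner in the authority section names the zone the resolver claims
    # is responsible; for an RPZ rewrite that is the policy zone, not the real one.
    soa_owner = next((o for o, t in authority if t == TYPE_SOA), None)
    return {"qname": qname, "qtype": qtype, "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
            "ancount": ancount, "nscount": nscount, "answer_types": [t for _, t in answers],
            "soa_owner": soa_owner, "outcome": outcome}


# --- constructed sample messages (hypothetical names, not captured traffic) ---
def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed wire-format labels."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def _header(flags: int, ancount: int, nscount: int) -> bytes:
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, nscount, 0)


QUESTION = encode_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)

# RPZ-style NODATA: NOERROR, empty answer, SOA of the hypothetical policy zone
# "rpz.local" in the authority section.
_SOA_RDATA = (encode_name("ns.rpz.local") + encode_name("hostmaster.rpz.local")
              + struct.pack("!IIIII", 2025091101, 3600, 600, 86400, 60))
NODATA_RESPONSE = (_header(0x8180, 0, 1) + QUESTION + encode_name("rpz.local")
                   + struct.pack("!HHIH", TYPE_SOA, 1, 60, len(_SOA_RDATA)) + _SOA_RDATA)

# NXDOMAIN: RCODE 3 with empty answer and authority sections.
NXDOMAIN_RESPONSE = _header(0x8183, 0, 0) + QUESTION

# Ordinary answer: one A record whose owner is a pointer (0xC00C) to the
# question name at offset 12.
ANSWER_RESPONSE = (_header(0x8180, 1, 0) + QUESTION + b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Run against the constructed messages, classify_response() reports NODATA for the first one (NOERROR, ancount 0, SOA owner rpz.local.), NXDOMAIN for the second and ANSWER for the third. The equivalent search in Elasticsearch is therefore a filter on rcode NOERROR combined with an answer count of zero, not a record type called NODATA; the exact field names depend on the output schema of the collector in use and are not assumed here.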