BIND 9.20.12 - dnstap - RPZ - DNS-collector - Elasticsearch
Mark Andrews
marka at isc.org
Sat Sep 13 05:50:01 UTC 2025
NODATA is a concept not a record type. It indicates that the name is correct but there are no records of the requested type.
--
Mark Andrews
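So the thing to search for in the collector output is not a record type but a response shape: rcode NOERROR with no answer RR of the queried type (RFC 2308). The following Python is an added example for this thread, not code from BIND, DNS-collector or the original post. It builds a few constructed wire-format responses (hypothetical names under example.net) and classifies them; dnstap carries the raw DNS message, so the same test applies to whatever fields the collector decodes it into.

```python
import struct

# Minimal DNS wire-format helpers plus a response classifier. Added example,
# not code from BIND, DNS-collector or the list thread. NODATA is decided as
# "rcode NOERROR and no answer RR of the queried type", which also covers a
# CNAME chain that ends in NODATA.

TYPE_A, TYPE_CNAME, TYPE_SOA, TYPE_AAAA = 1, 5, 6, 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels) + ".", end if end is not None else off + 1
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Build a QR/RD/RA response with one question (constructed test data)."""
    flags = 0x8180 | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b""
    for name, rtype, rdata in list(answers) + list(authority):
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + question + body


def classify_response(msg):
    """Return qname/qtype/rcode/section counts plus the outcome (DATA/NODATA/NXDOMAIN/...)."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    rcode = flags & 0x0F
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4  # skip qtype and qclass
    answer_types = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answer_types.append(rtype)
    if rcode == 3:
        outcome = "NXDOMAIN"
    elif rcode == 0 and qtype in answer_types:
        outcome = "DATA"
    elif rcode == 0:
        outcome = "NODATA"  # NOERROR, but nothing of the requested type
    else:
        outcome = RCODE_NAMES.get(rcode, str(rcode))
    return {"qname": qname, "qtype": qtype, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ancount": ancount, "nscount": nscount, "outcome": outcome}


# Constructed samples with hypothetical names; an SOA in the authority section
# is the usual shape of a negative answer.
_SOA = (encode_name("ns.example.net.") + encode_name("hostmaster.example.net.")
        + struct.pack("!IIIII", 1, 3600, 900, 604800, 300))
SAMPLES = {
    "rpz-nodata": build_response("blocked.example.net.", TYPE_AAAA, 0,
                                 authority=[("example.net.", TYPE_SOA, _SOA)]),
    "nxdomain": build_response("nope.example.net.", TYPE_A, 3,
                               authority=[("example.net.", TYPE_SOA, _SOA)]),
    "data": build_response("www.example.net.", TYPE_A, 0,
                           answers=[("www.example.net.", TYPE_A, bytes([192, 0, 2, 10]))]),
    "cname-nodata": build_response("alias.example.net.", TYPE_AAAA, 0,
                                   answers=[("alias.example.net.", TYPE_CNAME,
                                             encode_name("www.example.net."))]),
}


def classify_samples():
    """Outcome per sample; note both NODATA cases carry rcode NOERROR, like 'data'."""
    return {name: classify_response(msg)["outcome"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify_response(msg))
```

In Elasticsearch the equivalent filter is therefore "rcode is NOERROR and the answer section holds no RR of the query's type", expressed in whatever field names DNS-collector emits for rcode, qtype and the answer RRs; filtering on a record type called NODATA will never match anything.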
> On 12 Sep 2025, at 0:34, Wolfgang Riedel via bind-users <bind-users at lists.isc.org> wrote:
>
> Hi Folks,
>
> I just wonder if I am missing something ;-)
>
> I am currently running a POC for RPZ logging into Elasticsearch and just wonder why I can't see any "rpz QNAME NODATA" in Elasticsearch?
>
> I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector -> Elasticsearch
>
> BIND:
>
> dnstap { all; };
> // dnstap { auth; resolver query; resolver response; };
>
> /* where to capture to: file or unix (socket) */
> // dnstap-output file "/tmp/named.tap";
> dnstap-output unix "/run/named/dnstap.sock";
> dnstap-identity "rr1.xyz.net";
>
> channel rpz_file {
>     file "/var/log/named/rpz.log" versions 10 size 10m;
>     severity dynamic;
>     print-time yes;
>     print-category yes;
>     print-severity yes;
> };
>
>
> I am seeing a lot of "rpz QNAME NODATA rewrite" messages in /var/log/named/rpz.log and would like to export them via dnstap instead of local log files and then shipping them to Elasticsearch via a log shipper.
>
>
> DNSCollector:
>
> pipelines:
>   - name: "input-bind-dnstap"
>     # Read DNSTap stream from a UNIX socket
>     dnstap:
>       sock-path: /run/named/dnstap.sock
>       sock-rcvbuf: 0
>     routing-policy:
>       # Routes DNS messages from the Unix socket to Elasticsearch
>       forward: [output-elastic]
>       dropped: [output-error-log]
>
>   - name: "output-elastic"
>     elasticsearch:
>       server: "https://k8s-eck.xyz.net:30200"
>       index: "logs-network_traffic.dnscollector-default"
>       bulk-size: 1048576 # 1MB
>       bulk-channel-size: 10
>       # bulk-size refers to the size of the batch of DNS messages sent to your Elasticsearch instance
>       # bulk-channel-size defines the number of batches the DNS collector can hold in memory before dropping them
>       flush-interval: 10 # in seconds
>       # Interval in seconds before to flush the buffer. Set the maximum time interval before the buffer is flushed.
>       # If the bulk batches reach this interval before reaching the maximum size, they will be sent to Elasticsearch.
>       compression: none
>       chan-buffer-size: 0
>       basic-auth-enable: true
>       basic-auth-login: "aaa"
>       basic-auth-pwd: "bbb"
>
> Elasticsearch:
>
> In Elasticsearch I can see all kind of Resource Record types besides NODATA which is what I am looking for ;-)
>
> So I just wonder if BIND is not exporting NODATA if it’s a result of RPZ or I am missing something else?
>
> —
> Thank you,
> Wolfgang
> ______________________________________________________________________________________________
> Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559
>