BIND 9.20.12 - dnstap - RPZ - DNS-collector - Elasticsearch

Wolfgang Riedel Wolfgang.Riedel at f1-consult.com
Sun Sep 14 19:00:24 UTC 2025


Hi Mark,

Yes, that's what I see in the default log, but when looking into rpz.log I see the query and the RPZ rewrites:

rpz: info: client @0x7f033dd7f000 MyHiddenMaster#56341 (ads.pubmatic.com): rpz QNAME NODATA rewrite ads.pubmatic.com/HTTPS/IN via ads.pubmatic.com.rpz.f1-online.net

Likewise, NXDOMAIN is mentioned here for RPZ and dnstap:
<https://protodoc.io/isc-projects/bind9/dnstap>


So I wonder if I am doing something wrong or missing something from a configuration point of view to get the RPZ info I see in the logs somehow exported via dnstap?

Thank you,
Wolfgang

On 13. Sep 2025, at 07:50, Mark Andrews <marka at isc.org> wrote:

NODATA is a concept, not a record type.  It indicates that the name is correct but there are no records of the requested type.
--
Mark Andrews

On 12 Sep 2025, at 0:34, Wolfgang Riedel via bind-users <bind-users at lists.isc.org> wrote:


Hi Folks,

I just wonder if I am missing something ;-)

I am currently running a POC for RPZ logging into Elasticsearch and just wonder why I can't see any "rpz QNAME NODATA" in Elasticsearch?

I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector -> Elasticsearch

BIND:
dnstap { all; };
// dnstap { auth; resolver query; resolver response; };

/* where to capture to: file or unix (socket) */
// dnstap-output file "/tmp/named.tap";
dnstap-output unix "/run/named/dnstap.sock";
dnstap-identity "rr1.xyz.net";

// excerpt: the channel lives inside the logging block, and the rpz
// category has to be routed to it for the rewrites to reach rpz.log
logging {
    channel rpz_file {
        file "/var/log/named/rpz.log" versions 10 size 10m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category rpz { rpz_file; };
};

I am seeing a lot of "rpz QNAME NODATA rewrite" messages in /var/log/named/rpz.log and would like to export them via dnstap instead of writing local log files and then shipping them to Elasticsearch via a log shipper.


DNSCollector:

pipelines:
  - name: "input-bind-dnstap"
    # Read DNSTap stream from a UNIX socket
    dnstap:
      sock-path: /run/named/dnstap.sock
      sock-rcvbuf: 0
    routing-policy:
      # Routes DNS messages from the Unix socket to Elasticsearch
      forward: [output-elastic]
      dropped: [output-error-log]

  - name: "output-elastic"
    elasticsearch:
      server: "https://k8s-eck.xyz.net:30200"
      index: "logs-network_traffic.dnscollector-default"
      # bulk-size is the size of the batch of DNS messages sent to your Elasticsearch instance
      bulk-size: 1048576 # 1MB
      # bulk-channel-size is the number of batches the DNS collector can hold in memory before dropping them
      bulk-channel-size: 10
      # Maximum time interval before the buffer is flushed. If the bulk batches reach this
      # interval before reaching the maximum size, they are sent to Elasticsearch anyway.
      flush-interval: 10 # in seconds
      compression: none
      chan-buffer-size: 0
      basic-auth-enable: true
      basic-auth-login: "aaa"
      basic-auth-pwd: "bbb"

Elasticsearch:

In Elasticsearch I can see all kinds of Resource Record types besides NODATA, which is what I am looking for ;-)

So I just wonder if BIND is not exporting NODATA if it's a result of RPZ, or if I am missing something else?

—
Thank you,
Wolfgang
______________________________________________________________________________________________
Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
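Wolfgang mentions the fallback of shipping /var/log/named/rpz.log with a log shipper instead of dnstap. The script below is an added example, not code from the thread, BIND or DNS-collector: it parses the "rpz ... rewrite ..." lines BIND writes to the rpz logging category (the line quoted above, plus a few constructed ones) into flat records and counts the RPZ actions seen, so that NODATA, NXDOMAIN and PASSTHRU rewrites can be indexed and alerted on. The field names are my own approximation of Elastic Common Schema naming, not DNS-collector's schema; the timestamp format assumes BIND's default print-time output.

```python
import json
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Matches the rewrite lines BIND 9 logs in the "rpz" category. The leading
# timestamp is optional (the line quoted in the thread has none) and so is the
# "@0x..." client pointer that newer BIND versions print.
RPZ_LINE = re.compile(
    r"^(?:(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"rpz: (?P<severity>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[^\s#]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>[A-Z-]+) (?P<action>[A-Za-z-]+) rewrite "
    r"(?P<name>[^/\s]+)/(?P<qtype>[^/\s]+)/(?P<qclass>\S+) via (?P<policy>\S+)$"
)

# Constructed sample log: line 1 is the rewrite quoted in the thread, lines 2-3
# are made-up rewrites (RFC 5737 client addresses, example domains), line 4 is a
# non-RPZ line that the parser must ignore.
SAMPLE_LOG = """\
rpz: info: client @0x7f033dd7f000 MyHiddenMaster#56341 (ads.pubmatic.com): rpz QNAME NODATA rewrite ads.pubmatic.com/HTTPS/IN via ads.pubmatic.com.rpz.f1-online.net
14-Sep-2025 18:55:01.123 rpz: info: client @0x7f033dd80000 192.0.2.10#53421 (tracker.example): rpz QNAME NXDOMAIN rewrite tracker.example/A/IN via tracker.example.rpz.example.net
14-Sep-2025 18:55:02.456 rpz: info: client @0x7f033dd81000 192.0.2.11#40001 (allowed.example): rpz QNAME PASSTHRU rewrite allowed.example/AAAA/IN via allowed.example.rpz.example.net
14-Sep-2025 18:55:03.789 resolver: debug 1: fetch: www.example.net/A
"""


def bind_time_to_iso(ts: Optional[str]) -> Optional[str]:
    """Convert BIND's default print-time format (14-Sep-2025 18:55:01.123)
    to ISO 8601 so Elasticsearch can map it as a date; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f").isoformat()


def parse_rpz_line(line: str) -> Optional[Dict[str, object]]:
    """Return a flat record for one RPZ rewrite line, or None for any other line."""
    m = RPZ_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # ECS-like field names (assumption: my naming, not DNS-collector's).
    return {
        "@timestamp": bind_time_to_iso(d["ts"]),
        "log.level": d["severity"],
        "client.address": d["client"],
        "client.port": int(d["port"]),
        "dns.question.name": d["qname"].rstrip("."),
        "dns.question.type": d["qtype"],
        "dns.question.class": d["qclass"],
        "rpz.trigger": d["trigger"],          # QNAME, IP, NSDNAME, NSIP, CLIENT-IP
        "rpz.action": d["action"],            # NODATA, NXDOMAIN, PASSTHRU, ...
        "rpz.rewritten_name": d["name"],
        "rpz.policy_record": d["policy"],     # owner name in the policy zone
    }


def parse_rpz_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole log excerpt, silently skipping non-RPZ lines."""
    records = (parse_rpz_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def summarize_actions(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Count rewrites per RPZ action, e.g. to spot a burst of NXDOMAIN hits."""
    return dict(Counter(str(r["rpz.action"]) for r in records))


if __name__ == "__main__":
    recs = parse_rpz_log(SAMPLE_LOG)
    for rec in recs:
        print(json.dumps(rec))           # one JSON document per line for a bulk shipper
    print(summarize_actions(recs))
```

Each record is emitted as one JSON object per line, which is the shape a bulk shipper (or the Elasticsearch bulk API) expects; unmatched lines are dropped rather than guessed at, so a format change in a future BIND release shows up as missing records instead of wrong ones.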
