
dnstap on CoreDNS: DNS and Service Discovery

dnstap
Logging with dnstap
varyoo · 2017-08-03 · via dnstap on CoreDNS: DNS and Service Discovery

dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format.

dnstap can encode any DNS message exchanged by the server, along with information about the remote computer (IP address, port) and time. It includes client queries and responses, but also proxied requests or other information requested from other name servers.

This example shows output from the dnstap command-line tool, to give an idea of the kind of information that dnstap can provide:

type: MESSAGE
message:
  type: CLIENT_RESPONSE
  socket_family: INET
  socket_protocol: UDP
  query_address: 127.0.0.1
  query_port: 47969
  response_message: |
    ;; opcode: QUERY, status: NOERROR, id: 47163
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;example.org.       IN       A

    ;; ANSWER SECTION:
    example.org.        86339   IN      A       93.184.216.34

A dnstap plugin has been added in CoreDNS-010. Currently it can only log client-level messages. Logging for additional types of exchanges is being implemented.

The dnstap plugin is used in combination with the dnstap command-line tool. They use a socket to communicate: the plugin will send the logs as long as the tool is listening.

To start using the dnstap plugin, add it to a server block in the Corefile:

dnstap /tmp/dnstap.sock full

The full option makes the plugin include the full (binary) data of the DNS message in each log entry. You can now use the dnstap tool to read from the socket that CoreDNS writes to:

$ dnstap -u /tmp/dnstap.sock

Or listen on the dnstap socket and store message payloads to a binary dnstap-format log file:

$ dnstap -u /tmp/dnstap.sock -w /tmp/july.dnstap

And then read back July's logs in YAML format:

$ dnstap -r /tmp/july.dnstap -y
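
An added example, not part of the original post or of CoreDNS: a Python parser for the YAML output shown above that counts NXDOMAIN client responses per source address, a common first triage step on DNS logs. It assumes every frame starts with an unindented type: line and that the response text follows the layout of the sample above; the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^  (\w+): (\S+)$")            # scalar fields under `message:`
HEADER = re.compile(r"status: (\w+), id: (\d+)")   # ";; opcode: ..., status: ..., id: ..."
QUESTION = re.compile(r"^\s*;([^;\s]\S*)\s+(\w+)\s+(\w+)\s*$")  # ";example.org. IN A"

def parse_dnstap_yaml(text):
    """Return one dict per frame (assumption: a frame starts at an unindented `type:`)."""
    records, rec = [], None
    for line in text.splitlines():
        if line.startswith("type:"):
            rec = {}
            records.append(rec)
        elif rec is not None:
            if m := FIELD.match(line):
                rec[m.group(1)] = m.group(2)
            elif m := HEADER.search(line):
                rec["status"], rec["id"] = m.group(1), int(m.group(2))
            elif m := QUESTION.match(line):
                rec["qname"], rec["qclass"], rec["qtype"] = m.groups()
    return records

def nxdomain_by_client(records):
    """Count NXDOMAIN client responses per source address."""
    return Counter(r["query_address"] for r in records
                   if r.get("type") == "CLIENT_RESPONSE"
                   and r.get("status") == "NXDOMAIN" and "query_address" in r)

# Constructed sample input in the layout of the `dnstap -y` output shown above.
_FRAME = """type: MESSAGE
message:
  type: CLIENT_RESPONSE
  socket_family: INET
  socket_protocol: UDP
  query_address: {addr}
  query_port: 47969
  response_message: |
    ;; opcode: QUERY, status: {status}, id: 47163
    ;; QUESTION SECTION:
    ;{qname}       IN       A
"""
SAMPLE = "".join(_FRAME.format(addr=a, status=s, qname=q) for a, s, q in [
    ("127.0.0.1", "NOERROR", "example.org."),
    ("192.0.2.10", "NXDOMAIN", "a1.example.org."),
    ("192.0.2.10", "NXDOMAIN", "a2.example.org."),
])

if __name__ == "__main__":
    for client, n in nxdomain_by_client(parse_dnstap_yaml(SAMPLE)).most_common():
        print(client, n)
```

To run it on real logs, pass the output of the read-back command above to parse_dnstap_yaml instead of SAMPLE.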