Support receiving dnstap binary logs

[andrewkroh]

dnstap is binary log format that DNS servers support that records DNS requests and responses. This would allow Beats to receive DNS data directly from the DNS server rather than trying to get the information from packet capture. dnstap is supported by Bind, CoreDNS, Unbound, and more.

With new protocols like DNS-over-TLS (DoT) and DNS-over-HTTP (DoH) being deployed dnstap can be a necessary monitoring point for traffic that NSMs would otherwise not have visibility to.

An example deployment for an organization might be to have an internal DNS server providing UDP/TCP/DoT/DoH and blocking any DNS traffic (53/udp, 53/tcp, 853/tcp) direct to the internet. With dnstap being enabled, the server it would then let us monitor both the forwarded traffic from the server as well as all the traffic to/from clients.

I'm imagining a dnstap input type for Filebeat.

[icb-]

Is Filebeat the right place for this? I thought Filebeat was only for plain-text(-ish) formats, not pure binary formats like dnstap. Should it be its own separate Beat?

Large portions of the code could be lifted from the DNS protocol parser in Packetbeat. That seems to all be private functions. Should it be refactored into a supporting library that can be used by both Packetbeat and a "Dnstapbeat"? Keeping the format as similar as possible to the output of Packetbeat seems worthwhile.

[lvg01]

I'm looking for this dnstap integration to the elastic-agent. Is there any progress on this?
The packetbeat-like solution (with same ECS) would be a great solution!

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[botelastic]

This issue doesn't have a Team:<team> label.

[icb-]

Dnstap is definitely still wanted.

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[lvg01]

Dnstap stays actual!

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!