Start playing with dnstap #55
Conversation
audit.go
Outdated
| if err != nil { | ||
| el.Fatal(err) | ||
| } | ||
|
|
||
| dnstapClient, err := NewDnsTapClient(config.GetString("dnstap.socket")) |
There was a problem hiding this comment.
should this block be within a if config.GetString("dnstap.socket") != ""?
|
My biggest question is what happens when a bunch of hostnames all resolve to the same IP address (common case for a reverse proxy fronting a bunch of services). It seems like it could be hard to trust this value since it will always just be the last lookup. Do we just hope that the dnstap event will be processed right before the go-audit event? We could cache and output all known hostnames for a given IP, but that could be unbounded size... |
| @@ -6,6 +6,10 @@ socket_buffer: | |||
| # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max) | |||
| receive: 16384 | |||
|
|
|||
| # Configure dnstap socket path if available | |||
| dnstap: | |||
| socket: /var/run/dnstap.sock | |||
There was a problem hiding this comment.
dnstap.enabled: bool as well
There was a problem hiding this comment.
We will also need config directives for the cache size and timeout
marshaller.go
Outdated
| case 1306: | ||
| // delay the mapping | ||
| time.Sleep(time.Millisecond * 100) | ||
| msg.mapDns(m) |
There was a problem hiding this comment.
If map dns fails then you need to exit and let the dnstap input flush this event
parser.go
Outdated
| start += 6 | ||
| if end = strings.IndexByte(data[start:], spaceChar); end < 0 { | ||
| end = len(data) - start | ||
| if end > 34 { |
There was a problem hiding this comment.
How did you arrive at this length? Make it a constant and document the parts that get to 34
parser.go
Outdated
| switch family := saddr[0:4]; family { | ||
| // 0200: ipv4 | ||
| case "0200": | ||
| octet, _ := hex.DecodeString(saddr[8:16]) |
parser.go
Outdated
|
|
||
| switch family := saddr[0:4]; family { | ||
| // 0200: ipv4 | ||
| case "0200": |
There was a problem hiding this comment.
Let's support ipv6 as well
parser.go
Outdated
|
|
||
| host, ok := c.Get(ip) | ||
| if ok { | ||
| amg.DnsMap[ip] = host.(string) |
There was a problem hiding this comment.
There could be a performance enhancement here by separating ipv4 and ipv6 caches where ipv4 uses a proper uint32 and ipv6 uses a string. Not a today problem though.
parser.go
Outdated
| break | ||
| } | ||
|
|
||
| data = data[next:] |
There was a problem hiding this comment.
I'm not sure a saddr event can ever have multiples, we could avoid a few more ops by not doing a loop and just looking for the single occurrence
dnstap.go
Outdated
| "github.com/patrickmn/go-cache" | ||
| ) | ||
|
|
||
| const defaultTimeout = time.Hour |
There was a problem hiding this comment.
cache and timeout as members of the DnsTapClient instance
dnstap.go
Outdated
|
|
||
| const defaultTimeout = time.Hour | ||
|
|
||
| var c = cache.New(defaultTimeout, defaultTimeout*2) |
There was a problem hiding this comment.
Should use values derived from the config with sane defaults. The cache lib we use would be more beneficial if we could control the size of the cache and the expiry.
dnstap.go
Outdated
| } | ||
|
|
||
| func (d *DnsTapClient) Receive() { | ||
| for { |
There was a problem hiding this comment.
Add a defer to close and delete the socket on shutdown
dnstap.go
Outdated
| if err != nil { | ||
| el.Printf("msg.Unpack() failed: %s \n", err) | ||
| } else { | ||
| for i, r := range m.Answer { |
There was a problem hiding this comment.
This is where you want to check and see if any events are waiting for this data to "complete" the event
There was a problem hiding this comment.
This is also where you want to try and flush old messages. Actually it might not matter since 1305 shoves events through for us anyways.
dnstap.go
Outdated
| } | ||
|
|
||
| func (d *DnsTapClient) cache(dt *dnstap.Dnstap) { | ||
| m := new(dns.Msg) |
There was a problem hiding this comment.
Add a defer to close the socket
|
|
PR Summary
wip, go-audit dnstap client
Related Issues
Test strategy