<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I looked through the last six months of archives and didn't see
anything pertinent to Dnstap.<br>
</p>
<p>TLDR: Unix socket permissions was the biggest problem I ran into.</p>
<p><br>
</p>
I'm the author of ShoDoHFlo (<a class="moz-txt-link-freetext" href="https://github.com/m3047/shodohflo">https://github.com/m3047/shodohflo</a>) and
Rear View RPZ (<a class="moz-txt-link-freetext" href="https://github.com/m3047/rear_view_rpz">https://github.com/m3047/rear_view_rpz</a>) and I've
gotten several inquiries in the last few months concerning Dnstap
and Unbound. In particular dnstap2json.py
(/shodohflo/examples.dnstap2json.py) has come up so I'll use that as
an example; this code expects the affirmative <i>fstrm</i>
handshake.<br>
<p><br>
</p>
<p>First off, there are a lot of old instructions out there on the
web. Start with the release notes for 1.11.0:
<a class="moz-txt-link-freetext" href="https://nlnetlabs.nl/news/2020/Jul/27/unbound-1.11.0-released/">https://nlnetlabs.nl/news/2020/Jul/27/unbound-1.11.0-released/</a>
from July 2020.</p>
<p>I decided to build Unbound 1.16.1 on SuSE Leap 15.3. I started by
installing the Unbound package; that turns out to be version 1.6.8
(January 2018). This is too old to have mature Dnstap support; I
left it installed with the objective of seeing what it takes to
tinbash a "typical" build to suit.</p>
<p><br>
</p>
<p><u>Prerequisites</u></p>
<p><a class="moz-txt-link-freetext" href="https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling">https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling</a><br>
</p>
<p>I expect package naming conventions will be similar across Linux
distributions but I don't think you should expect particular
package names.<br>
</p>
<p>If the prereq is a "lib" then it needs to be "dev". So for
example "libopenssl" -> "libopenssl-devel". Again, don't get
too hung up on the literal naming, pay attention to the convention
though.<br>
<u></u></p>
<p>You'll need make and gcc (note no "dev" because no "lib").</p>
<p>You don't need Frame Streams (fstrm).<br>
<u></u></p>
You don't need Dnstap protobuf definitions, but you do need
protobuf. Protobuf will come in two or three packages. Conceptually
there is a library as well as a compiler (for the protobuf
definitions included with the Unbound source). It comprised three
packages on SuSE Leap: libprotobuf-c, protobuf-c (the compiler) and
protobuf-devel (breaking the lib -> devel rule).<br>
<p><br>
</p>
<p><u>Build & Install</u></p>
<p>This was as straightforward as</p>
<blockquote>
<pre>./configure --enable-dnstap
make
make install
</pre>
</blockquote>
<p>Note that it installs into /usr/local/sbin by default and this is
ok for our purposes.<br>
</p>
<p><br>
</p>
<p><u>Systemd</u></p>
<p>I copied <tt>/usr/lib/systemd/system/unbound.service </tt>to<tt>
/etc/systemd/system</tt> and modified it as follows:</p>
<blockquote>
<pre># diff /usr/lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
14,16c14,16
< ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
< ExecStartPre=/usr/sbin/unbound-checkconf
< ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
---
> ExecStartPre=/usr/bin/sudo -u unbound /usr/local/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
> ExecStartPre=/usr/local/sbin/unbound-checkconf /etc/unbound/unbound.conf
> ExecStart=/usr/local/sbin/unbound -d $UNBOUND_OPTIONS -c/etc/unbound/unbound.conf
</pre>
</blockquote>
<p>Note that I specified the location of the original configuration
(/etc/unbound/unbound.conf).</p>
<p>At this point it seems to run just like the original. (Your
mileage on other distros may vary!)<br>
</p>
<p><br>
</p>
<p><u>Enabling Dnstap</u></p>
<p>To enable Dnstap I created /etc/unbound/conf.d/dnstap.conf:</p>
<blockquote>
<pre># cat /etc/unbound/conf.d/dnstap.conf
dnstap:
dnstap-enable: yes
dnstap-bidirectional: yes
dnstap-socket-path: /tmp/dnstap
dnstap-log-client-response-messages: yes
</pre>
</blockquote>
<p>This setting is compatible with what BIND expects.</p>
<p><br>
</p>
<p><u>Running dnstap2json.py</u></p>
<p>Be sure to install dnspython (<tt>pip3 install dnspython</tt>).</p>
<p>For clarity:</p>
<ul>
<li>dnstap2json.py creates and manages the socket</li>
<li>unbound connects to it<br>
</li>
</ul>
<p>For testing purposes, there's an inclination to want to run
everything as<tt> root</tt>. However, Unbound runs as the user <tt>unbound</tt>.
The default permissions on the created Unix domain socket
(/tmp/dnstap) are read/write only for the user. Both ends of the
pipe need read/write access.</p>
<p>I suppose we could edit the script to change the permissions, but
of course that's not what I did. I figured I'd run the script as
the <tt>unbound</tt> user, however this doesn't work out of the
box as the account is set nologin and the shell is /bin/false. (If
<tt>whoami</tt> doesn't report what you expect, something is
wrong.)</p>
<p>If you get that sorted out</p>
<blockquote>
<pre>./dnstap2json.py /tmp/dnstap
</pre>
</blockquote>
<p>should produce output.<br>
</p>
<p>If you want to put a print statement somewhere, start here:
<a class="moz-txt-link-freetext" href="https://github.com/m3047/shodohflo/blob/d25ac412e025864591cb288300ef93c02faf4188/shodohflo/fstrm.py#L432">https://github.com/m3047/shodohflo/blob/d25ac412e025864591cb288300ef93c02faf4188/shodohflo/fstrm.py#L432</a></p>
<p><br>
</p>
<p>Happy hacking...</p>
<p>--</p>
<p>Fred Morris, internet plumber</p>
<p><br>
</p>
</body>
</html>