Compiling / using Dnstap

Fred Morris m3047-unbound-b3u at m3047.net
Sun Jul 24 18:05:43 UTC 2022 

I looked through the last six months of archives and didn't see anything
pertinent to Dnstap.

TLDR: Unix socket permissions was the biggest problem I ran into.


I'm the author of ShoDoHFlo (https://github.com/m3047/shodohflo) and
Rear View RPZ (https://github.com/m3047/rear_view_rpz) and I've gotten
several inquiries in the last few months concerning Dnstap and Unbound.
In particular dnstap2json.py (/shodohflo/examples.dnstap2json.py) has
come up so I'll use that as an example; this code expects the
affirmative /fstrm/ handshake.


First off, there are a lot of old instructions out there on the web.
Start with the release notes for 1.11.0:
https://nlnetlabs.nl/news/2020/Jul/27/unbound-1.11.0-released/ from July
2020.

I decided to build Unbound 1.16.1 on SuSE Leap 15.3. I started by
installing the Unbound package; that turns out to be version 1.6.8
(January 2018). This is too old to have mature Dnstap support; I left it
installed with the objective of seeing what it takes to tinbash a
"typical" build to suit.


_Prerequisites_

https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling

I expect package naming conventions will be similar across Linux
distributions but I don't think you should expect particular package names.

If the prereq is a "lib" then it needs to be "dev". So for example
"libopenssl" -> "libopenssl-devel". Again, don't get too hung up on the
literal naming, pay attention to the convention though.
__

You'll need make and gcc (note no "dev" because no "lib").

You don't need Frame Streams (fstrm).
__

You don't need Dnstap protobuf definitions, but you do need protobuf.
Protobuf will come in two or three packages. Conceptually there is a
library as well as a compiler (for the protobuf definitions included
with the Unbound source). It comprised three packages on SuSE Leap:
libprotobuf-c, protobuf-c (the compiler) and protobuf-devel (breaking
the lib -> devel rule).


_Build & Install_

This was as straightforward as

    ./configure --enable-dnstap
    make
    make install

Note that it installs into /usr/local/sbin by default and this is ok for
our purposes.


_Systemd_

I copied /usr/lib/systemd/system/unbound.service to/etc/systemd/system
and modified it as follows:

    # diff /usr/lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
    14,16c14,16
    < ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
    < ExecStartPre=/usr/sbin/unbound-checkconf
    < ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
    ---
    > ExecStartPre=/usr/bin/sudo -u unbound /usr/local/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
    > ExecStartPre=/usr/local/sbin/unbound-checkconf /etc/unbound/unbound.conf
    > ExecStart=/usr/local/sbin/unbound -d $UNBOUND_OPTIONS -c/etc/unbound/unbound.conf

Note that I specified the location of the original configuration
(/etc/unbound/unbound.conf).

At this point it seems to run just like the original. (Your mileage on
other distros may vary!)


_Enabling Dnstap_

To enable Dnstap I created /etc/unbound/conf.d/dnstap.conf:

    # cat /etc/unbound/conf.d/dnstap.conf
    dnstap:
        dnstap-enable: yes
        dnstap-bidirectional: yes
        dnstap-socket-path: /tmp/dnstap
        dnstap-log-client-response-messages: yes

This setting is compatible with what BIND expects.


_Running dnstap2json.py_

Be sure to install dnspython (pip3 install dnspython).

For clarity:

  * dnstap2json.py creates and manages the socket
  * unbound connects to it

For testing purposes, there's an inclination to want to run everything
asroot. However, Unbound runs as the user unbound. The default
permissions on the created Unix domain socket (/tmp/dnstap) are
read/write only for the user. Both ends of the pipe need read/write access.

I suppose we could edit the script to change the permissions, but of
course that's not what I did. I figured I'd run the script as the
unbound user, however this doesn't work out of the box as the account is
set nologin and the shell is /bin/false. (If whoami doesn't report what
you expect, something is wrong.)

If you get that sorted out

    ./dnstap2json.py /tmp/dnstap

should produce output.

If you want to put a print statement somewhere, start here:
https://github.com/m3047/shodohflo/blob/d25ac412e025864591cb288300ef93c02faf4188/shodohflo/fstrm.py#L432


Happy hacking...

--

Fred Morris, internet plumber


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20220724/525ce49e/attachment.htm>

More information about the Unbound-users mailing list