I looked through the last six months of archives and didn't see anything pertinent to Dnstap.
TLDR: Unix socket permissions was the biggest problem I ran into. I'm the author of ShoDoHFlo (https://github.com/m3047/shodohflo) and Rear View RPZ (https://github.com/m3047/rear_view_rpz) and I've gotten several inquiries in the last few months concerning Dnstap and Unbound. In particular dnstap2json.py (/shodohflo/examples.dnstap2json.py) has come up so I'll use that as an example; this code expects the affirmative /fstrm/ handshake. First off, there are a lot of old instructions out there on the web. Start with the release notes for 1.11.0: https://nlnetlabs.nl/news/2020/Jul/27/unbound-1.11.0-released/ from July 2020. I decided to build Unbound 1.16.1 on SuSE Leap 15.3. I started by installing the Unbound package; that turns out to be version 1.6.8 (January 2018). This is too old to have mature Dnstap support; I left it installed with the objective of seeing what it takes to tinbash a "typical" build to suit. _Prerequisites_ https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html#building-from-source-compiling I expect package naming conventions will be similar across Linux distributions but I don't think you should expect particular package names. If the prereq is a "lib" then it needs to be "dev". So for example "libopenssl" -> "libopenssl-devel". Again, don't get too hung up on the literal naming, pay attention to the convention though. __ You'll need make and gcc (note no "dev" because no "lib"). You don't need Frame Streams (fstrm). __ You don't need Dnstap protobuf definitions, but you do need protobuf. Protobuf will come in two or three packages. Conceptually there is a library as well as a compiler (for the protobuf definitions included with the Unbound source). It comprised three packages on SuSE Leap: libprotobuf-c, protobuf-c (the compiler) and protobuf-devel (breaking the lib -> devel rule). _Build & Install_ This was as straightforward as ./configure --enable-dnstap make make install Note that it installs into /usr/local/sbin by default and this is ok for our purposes. _Systemd_ I copied /usr/lib/systemd/system/unbound.service to/etc/systemd/system and modified it as follows: # diff /usr/lib/systemd/system/unbound.service /etc/systemd/system/unbound.service 14,16c14,16 < ExecStartPre=/usr/bin/sudo -u unbound /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem < ExecStartPre=/usr/sbin/unbound-checkconf < ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS --- > ExecStartPre=/usr/bin/sudo -u unbound /usr/local/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem > ExecStartPre=/usr/local/sbin/unbound-checkconf /etc/unbound/unbound.conf > ExecStart=/usr/local/sbin/unbound -d $UNBOUND_OPTIONS -c/etc/unbound/unbound.conf Note that I specified the location of the original configuration (/etc/unbound/unbound.conf). At this point it seems to run just like the original. (Your mileage on other distros may vary!) _Enabling Dnstap_ To enable Dnstap I created /etc/unbound/conf.d/dnstap.conf: # cat /etc/unbound/conf.d/dnstap.conf dnstap: dnstap-enable: yes dnstap-bidirectional: yes dnstap-socket-path: /tmp/dnstap dnstap-log-client-response-messages: yes This setting is compatible with what BIND expects. _Running dnstap2json.py_ Be sure to install dnspython (pip3 install dnspython). For clarity: * dnstap2json.py creates and manages the socket * unbound connects to it For testing purposes, there's an inclination to want to run everything asroot. However, Unbound runs as the user unbound. The default permissions on the created Unix domain socket (/tmp/dnstap) are read/write only for the user. Both ends of the pipe need read/write access. I suppose we could edit the script to change the permissions, but of course that's not what I did. I figured I'd run the script as the unbound user, however this doesn't work out of the box as the account is set nologin and the shell is /bin/false. (If whoami doesn't report what you expect, something is wrong.) If you get that sorted out ./dnstap2json.py /tmp/dnstap should produce output. If you want to put a print statement somewhere, start here: https://github.com/m3047/shodohflo/blob/d25ac412e025864591cb288300ef93c02faf4188/shodohflo/fstrm.py#L432 Happy hacking... -- Fred Morris, internet plumber
