Dnstap frame stream also contains source port and whole DNS
message including query id.
$ dnstap-ldns -y -r /tmp/dnstap.out
version: "unbound 1.5.9"
query_time: !!timestamp 2016-09-17 07:45:35.903922
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59383
;; flags: rd ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; EDNS: version 0; flags: ; udp: 4096
Unbound's dnstap feature works well (you will need to
install some not-so-common libraries to build!) but it is not well
documented, for example not described in unbound.conf(5).
Still experimental feature?