dnstap io, example.conf example, config_file entries for tcp and tls.

2025-12-20 23:00:56 -05:00 · 2020-02-14 09:03:09 +01:00 · 2020-02-14 09:03:09 +01:00 · 78e6060858
commit 78e6060858
parent 76772fe786
6 changed files with 163 additions and 31 deletions
--- a/3
+++ b/3
@ -649,6 +649,7 @@ ENABLE_DNSCRYPT
 ENABLE_DNSCRYPT_XCHACHA20
 DNSTAP_OBJ
 DNSTAP_SRC
+DNSTAP_SOCKET_PATH
 opt_dnstap_socket_path
 ENABLE_DNSTAP
 PROTOC_C
@ -21038,6 +21039,8 @@ cat >>confdefs.h <<_ACEOF
 #define DNSTAP_SOCKET_PATH "$hdr_dnstap_socket_path"
 _ACEOF

+	DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path"
+

        DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"

--- a/configure.ac
+++ b/configure.ac
@ -1687,6 +1687,7 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock],
        ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path)
        AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH,
            ["$hdr_dnstap_socket_path"], [default dnstap socket path])
+	AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"])

        AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"])
        AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"])
--- a/dnstap/dtstream.c
+++ b/dnstap/dtstream.c
@ -244,41 +244,105 @@ void dt_io_thread_delete(struct dt_io_thread* dtio)

 int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg)
 {
-	/*
-	dtio->upstream_is_tcp = 1;
-	dtio->ip_str = strdup("127.0.0.1@1234");
-	*/
-#ifdef HAVE_SSL
-	dtio->upstream_is_tls = 1;
-	dtio->ip_str = strdup("127.0.0.1@1234");
-	//dtio->tls_server_name;
-	dtio->use_client_certs = 0;
-	if(dtio->use_client_certs) {
-		//dtio->client_key_file = NULL;
-		//dtio->client_cert_file = NULL;
-	} else {
-		free(dtio->client_key_file);
-		dtio->client_key_file = NULL;
-		free(dtio->client_cert_file);
-		dtio->client_cert_file = NULL;
-	}
-	dtio->ssl_ctx = connect_sslctx_create(dtio->client_key_file,
-		dtio->client_cert_file, cfg->tls_cert_bundle,
-		cfg->tls_win_cert);
-	if(!dtio->ssl_ctx) {
-		log_err("could not setup SSL CTX");
+	if(!cfg->dnstap) {
+		log_warn("cannot setup dnstap because dnstap-enable is no");
 		return 0;
 	}
-	/* DEBUG */
-	return 1;
-#endif
-	if(cfg->dnstap_socket_path && cfg->dnstap_socket_path[0]) {
-		dtio->socket_path = strdup(cfg->dnstap_socket_path);
-		if(!dtio->socket_path) {
-			log_err("malloc failure");
+
+	/* what type of connectivity do we have */
+	if(cfg->dnstap_ip && cfg->dnstap_ip[0]) {
+		if(cfg->dnstap_tls)
+			dtio->upstream_is_tls = 1;
+		else	dtio->upstream_is_tcp = 1;
+	} else {
+		dtio->upstream_is_unix = 1;
+	}
+
+	if(dtio->upstream_is_unix) {
+		if(!cfg->dnstap_socket_path ||
+			cfg->dnstap_socket_path[0]==0) {
+			log_err("dnstap setup failed, because dnstap is "
+				"enabled, but no dnstap-ip and no "
+				"dnstap-socket-path are given");
 			return 0;
 		}
-		dtio->upstream_is_unix = 1;
+		free(dtio->socket_path);
+		dtio->socket_path = strdup(cfg->dnstap_socket_path);
+		if(!dtio->socket_path) {
+			log_err("dnstap setup: malloc failure");
+			return 0;
+		}
+	}
+
+	if(dtio->upstream_is_tcp || dtio->upstream_is_tls) {
+		free(dtio->ip_str);
+		dtio->ip_str = strdup(cfg->dnstap_ip);
+		if(!dtio->ip_str) {
+			log_err("dnstap setup: malloc failure");
+			return 0;
+		}
+	}
+
+	if(dtio->upstream_is_tls) {
+#ifdef HAVE_SSL
+		if(cfg->dnstap_tls_server_name &&
+			cfg->dnstap_tls_server_name[0]) {
+			free(dtio->tls_server_name);
+			dtio->tls_server_name = strdup(
+				cfg->dnstap_tls_server_name);
+			if(!dtio->tls_server_name) {
+				log_err("dnstap setup: malloc failure");
+				return 0;
+			}
+		}
+		if(cfg->dnstap_tls_client_key_file &&
+			cfg->dnstap_tls_client_key_file[0]) {
+			dtio->use_client_certs = 1;
+			free(dtio->client_key_file);
+			dtio->client_key_file = strdup(
+				cfg->dnstap_tls_client_key_file);
+			if(!dtio->client_key_file) {
+				log_err("dnstap setup: malloc failure");
+				return 0;
+			}
+			if(!cfg->dnstap_tls_client_cert_file ||
+				cfg->dnstap_tls_client_cert_file[0]==0) {
+				log_err("dnstap setup: client key "
+					"authentication enabled with "
+					"dnstap-tls-client-key-file, but "
+					"no dnstap-tls-client-cert-file "
+					"is given");
+				return 0;
+			}
+			free(dtio->client_cert_file);
+			dtio->client_cert_file = strdup(
+				cfg->dnstap_tls_client_cert_file);
+			if(!dtio->client_cert_file) {
+				log_err("dnstap setup: malloc failure");
+				return 0;
+			}
+		} else {
+			dtio->use_client_certs = 0;
+			dtio->client_key_file = NULL;
+			dtio->client_cert_file = NULL;
+		}
+
+		if(cfg->dnstap_tls_cert_bundle) {
+			dtio->ssl_ctx = connect_sslctx_create(
+				dtio->client_key_file,
+				dtio->client_cert_file,
+				cfg->dnstap_tls_cert_bundle, 0);
+		} else {
+			dtio->ssl_ctx = connect_sslctx_create(
+				dtio->client_key_file,
+				dtio->client_cert_file,
+				cfg->tls_cert_bundle, cfg->tls_win_cert);
+		}
+		if(!dtio->ssl_ctx) {
+			log_err("could not setup SSL CTX");
+			return 0;
+		}
+#endif /* HAVE_SSL */
 	}
 	return 1;
 }
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -1016,6 +1016,38 @@ remote-control:
 #     name-v6: "list-v6"
 #

+# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
+# to yes and also some of dnstap-log-..-messages to yes.  And select an
+# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap:
+# 	dnstap-enable: no
+# 	dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
+# 	# if "" use the unix socket in dnstap-socket-path, otherwise,
+# 	# set it to "IPaddress[@port]" of the destination.
+# 	dnstap-ip: ""
+# 	# if set to yes if you want to use TLS to dnstap-ip, no for TCP.
+# 	dnstap-tls: no
+# 	# name for authenticating the upstream server. or "" disabled.
+# 	dnstap-tls-server-name: ""
+# 	# if "", it uses the cert bundle from the main unbound config.
+# 	dnstap-tls-cert-bundle: ""
+# 	# key file for client authentication, or "" disabled.
+# 	dnstap-tls-client-key-file: ""
+# 	# cert file for client authentication, or "" disabled.
+# 	dnstap-tls-client-cert-file: ""
+# 	dnstap-send-identity: no
+# 	dnstap-send-version: no
+# 	# if "" it uses the hostname.
+# 	dnstap-identity: ""
+# 	# if "" it uses the package version.
+# 	dnstap-version: ""
+# 	dnstap-log-resolver-query-messages: no
+# 	dnstap-log-resolver-response-messages: no
+# 	dnstap-log-client-query-messages: no
+# 	dnstap-log-client-response-messages: no
+# 	dnstap-log-forwarder-query-messages: no
+# 	dnstap-log-forwarder-response-messages: no
+
 # Response Policy Zones
 # RPZ policies. Applied in order of configuration. QNAME and Response IP
 # Address trigger are the only supported triggers. Supported actions are:
--- a/util/config_file.c
+++ b/util/config_file.c
@ -632,6 +632,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
 #ifdef USE_DNSTAP
 	else S_YNO("dnstap-enable:", dnstap)
 	else S_STR("dnstap-socket-path:", dnstap_socket_path)
+	else S_STR("dnstap-ip:", dnstap_ip)
+	else S_YNO("dnstap-tls:", dnstap_tls)
+	else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name)
+	else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle)
+	else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file)
+	else S_STR("dnstap-tls-client-cert-file:",
+		dnstap_tls_client_cert_file)
 	else S_YNO("dnstap-send-identity:", dnstap_send_identity)
 	else S_YNO("dnstap-send-version:", dnstap_send_version)
 	else S_STR("dnstap-identity:", dnstap_identity)
@ -1039,6 +1046,14 @@ config_get_option(struct config_file* cfg, const char* opt,
 #ifdef USE_DNSTAP
 	else O_YNO(opt, "dnstap-enable", dnstap)
 	else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+	else O_STR(opt, "dnstap-ip", dnstap_ip)
+	else O_YNO(opt, "dnstap-tls", dnstap_tls)
+	else O_STR(opt, "dnstap-tls-server-name", dnstap_tls_server_name)
+	else O_STR(opt, "dnstap-tls-cert-bundle", dnstap_tls_cert_bundle)
+	else O_STR(opt, "dnstap-tls-client-key-file",
+		dnstap_tls_client_key_file)
+	else O_STR(opt, "dnstap-tls-client-cert-file",
+		dnstap_tls_client_cert_file)
 	else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
 	else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
 	else O_STR(opt, "dnstap-identity", dnstap_identity)
@ -1458,6 +1473,11 @@ config_delete(struct config_file* cfg)
 	free(cfg->dns64_prefix);
 	config_delstrlist(cfg->dns64_ignore_aaaa);
 	free(cfg->dnstap_socket_path);
+	free(cfg->dnstap_ip);
+	free(cfg->dnstap_tls_server_name);
+	free(cfg->dnstap_tls_cert_bundle);
+	free(cfg->dnstap_tls_client_key_file);
+	free(cfg->dnstap_tls_client_cert_file);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
 	config_deldblstrlist(cfg->ratelimit_for_domain);
--- a/util/config_file.h
+++ b/util/config_file.h
@ -474,6 +474,18 @@ struct config_file {
 	int dnstap;
 	/** dnstap socket path */
 	char* dnstap_socket_path;
+	/** dnstap IP */
+	char* dnstap_ip;
+	/** dnstap TLS enable */
+	int dnstap_tls;
+	/** dnstap tls server authentication name */
+	char* dnstap_tls_server_name;
+	/** dnstap server cert bundle */
+	char* dnstap_tls_cert_bundle;
+	/** dnstap client key for client authentication */
+	char* dnstap_tls_client_key_file;
+	/** dnstap client cert for client authentication */
+	char* dnstap_tls_client_cert_file;
 	/** true to send "identity" via dnstap */
 	int dnstap_send_identity;
 	/** true to send "version" via dnstap */