Comments (32)

dmachard avatar dmachard commented on August 22, 2024

Could you share your config.yml?

from go-dnscollector.

anetrjuns avatar anetrjuns commented on August 22, 2024

config.txt

dmachard avatar dmachard commented on August 22, 2024

Thanks, and also your config on the DNS server side for the dnstap part?

anetrjuns avatar anetrjuns commented on August 22, 2024

--DnsTap
fstl = newRemoteLogger("ip:6000")
addAction(AllRule(), DnstapLogAction("dnsdist03", fstl))
addResponseAction(AllRule(), DnstapLogResponseAction("dnsdist03", fstl))
-- Cache Hits
addCacheHitResponseAction(AllRule(), DnstapLogResponseAction("dnsdist03", fstl))

dmachard avatar dmachard commented on August 22, 2024

I suspect TLS is enabled in the collector (tls-support: true), is it not?

anetrjuns avatar anetrjuns commented on August 22, 2024

I have false for all tls-support fields.
Line 25: tls-support: false
Line 149: tls-support: false
Line 197: tls-support: false
Line 215: tls-support: false
Line 256: tls-support: false

dmachard avatar dmachard commented on August 22, 2024

We are missing something, because your case (dnsdist to collector) is used in GitHub Actions and it works fine.

anetrjuns avatar anetrjuns commented on August 22, 2024

Can you provide all the dependencies for dnscollector which must be installed on the CentOS machine?

dmachard avatar dmachard commented on August 22, 2024

You can follow the guide here; you just need to download the binary from GitHub and push it to your CentOS machine.

anetrjuns avatar anetrjuns commented on August 22, 2024

I followed the guide but installed the collector on a different machine than the dnsdist.

In your example you have installed dnsdist and collector on the same machine.

dmachard avatar dmachard commented on August 22, 2024

I can't reproduce it on my side; it works well in all cases.
Can you take a network trace?

anetrjuns avatar anetrjuns commented on August 22, 2024

My collector and dnsdist are on the same subnet.

dmachard avatar dmachard commented on August 22, 2024

And have you tried on the same machine?
By the way, what is the version of your dnsdist?

anetrjuns avatar anetrjuns commented on August 22, 2024

I don't have a working dnsdist configuration with the newFrameStreamTcpLogger field enabled. Every time the service fails with this error:

dnsdist[3157]: Fatal Lua error: [string "chunk"]:24: Caught exception: fstrm with TCP support is required to build an AF_INET FrameStreamLogger
stack traceback:
[C]: in function 'newFrameStreamTcpLogger'
[string "chunk"]:24: in main chunk

dnsdist version is:
dnsdist 1.6.0 (Lua 5.1.4 [LuaJIT 2.0.4])
Enabled features: cdb dns-over-tls(gnutls openssl) dns-over-https(DOH) dnscrypt fstrm ipcipher libsodium lmdb protobuf re2 recvmmsg/sendmmsg snmp systemd

dmachard avatar dmachard commented on August 22, 2024

It's clear now: you must use newFrameStreamTcpLogger to send dnstap messages to the collector, I missed this point.

If your fstrm library does not support TCP and updating is not possible, you can use **newFrameStreamUnixLogger** and follow this post:

  • dnsdist will write dnstap to the unix socket
  • stunnel reads the unix socket and sends dnstap messages to the collector over an encrypted tunnel
  • TLS is activated in the collector.

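
To make the TCP-logger requirement concrete, here is an added example (written for this page, not code from the issue or from the go-dnscollector project) of the Frame Streams bidirectional handshake that a dnstap sender and a collector exchange on a TCP or unix-socket connection: the sender offers the content type in READY, the collector answers ACCEPT, the sender issues START, data frames, then STOP, and the collector closes with FINISH. Both sides run over a local socketpair so it works offline; the control-frame type and field numbers follow the fstrm control protocol, and the dnstap payloads are constructed placeholder bytes rather than real protobuf. A collector that does not ACCEPT the offered content type makes the sender fail loudly instead of writing frames that nobody decodes.

```python
# Frame Streams (fstrm) bidirectional handshake as used by dnstap over TCP or unix sockets.
import socket
import struct
import threading

# Control frame types and the content-type field tag, as defined by the fstrm control protocol
CONTROL_ACCEPT, CONTROL_START, CONTROL_STOP, CONTROL_READY, CONTROL_FINISH = 1, 2, 3, 4, 5
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"


def encode_control(ctype, content_types=()):
    """Escape sequence (zero data length), control frame length, type, optional content-type fields."""
    body = struct.pack(">I", ctype)
    for ct in content_types:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(ct)) + ct
    return struct.pack(">II", 0, len(body)) + body


def encode_data(payload):
    """A data frame is a 4-byte big-endian length followed by the payload; length 0 is the escape."""
    return struct.pack(">I", len(payload)) + payload


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def read_frame(sock):
    """Return ("data", payload) or ("control", type, [content types])."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if length != 0:
        return ("data", recv_exact(sock, length))
    (clen,) = struct.unpack(">I", recv_exact(sock, 4))
    body = recv_exact(sock, clen)
    (ctype,) = struct.unpack(">I", body[:4])
    fields, pos = [], 4
    while pos + 8 <= len(body):
        ftype, flen = struct.unpack(">II", body[pos:pos + 8])
        pos += 8
        if ftype == FIELD_CONTENT_TYPE:
            fields.append(body[pos:pos + flen])
        pos += flen
    return ("control", ctype, fields)


def sender(sock, payloads):
    """dnsdist side: READY -> (ACCEPT) -> START -> data frames -> STOP -> (FINISH)."""
    sock.sendall(encode_control(CONTROL_READY, [DNSTAP_CONTENT_TYPE]))
    frame = read_frame(sock)
    if frame[0] != "control" or frame[1] != CONTROL_ACCEPT or DNSTAP_CONTENT_TYPE not in frame[2]:
        raise ConnectionError("collector did not ACCEPT the dnstap content type")
    sock.sendall(encode_control(CONTROL_START, [DNSTAP_CONTENT_TYPE]))
    for p in payloads:
        sock.sendall(encode_data(p))
    sock.sendall(encode_control(CONTROL_STOP))
    frame = read_frame(sock)
    return frame[0] == "control" and frame[1] == CONTROL_FINISH


def receiver(sock, accepted=(DNSTAP_CONTENT_TYPE,)):
    """Collector side: accept only a content type it knows, then collect data frames until STOP."""
    frame = read_frame(sock)
    if frame[0] != "control" or frame[1] != CONTROL_READY:
        raise ConnectionError("expected READY")
    offered = [ct for ct in frame[2] if ct in accepted]
    if not offered:
        sock.close()  # no common content type: drop the connection
        return None
    sock.sendall(encode_control(CONTROL_ACCEPT, offered[:1]))
    frame = read_frame(sock)
    if frame[0] != "control" or frame[1] != CONTROL_START:
        raise ConnectionError("expected START")
    received = []
    while True:
        frame = read_frame(sock)
        if frame[0] == "data":
            received.append(frame[1])
        elif frame[1] == CONTROL_STOP:
            break
    sock.sendall(encode_control(CONTROL_FINISH))
    return received


def run_exchange(payloads, accepted=(DNSTAP_CONTENT_TYPE,)):
    """Run sender and receiver over a local socketpair; returns (sender ok, frames received)."""
    a, b = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(received=receiver(b, accepted)))
    t.start()
    try:
        ok = sender(a, payloads)
    except ConnectionError:
        ok = False  # the collector refused our content type and hung up
    t.join()
    a.close()
    b.close()
    return ok, result.get("received")
```

`run_exchange([b"\x01\x02", b"\x03"])` returns `(True, [b"\x01\x02", b"\x03"])`; passing `accepted=(b"protobuf:other",)` to simulate a collector that only knows a different content type returns `(False, None)`, which is the failure a real sender should surface rather than retrying silently.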
anetrjuns avatar anetrjuns commented on August 22, 2024

When I write dnstap to the unix socket, is there any way to send dnstap messages through a UDP connection to a dnscollector installed on another machine?

dmachard avatar dmachard commented on August 22, 2024

only tcp+tls

anetrjuns avatar anetrjuns commented on August 22, 2024

I have an unstable stunnel on the dnscollector side.
Every five seconds the TLS session is reset or rejected from the dnscollector side.
I've attached the stunnel logs from both dnsdist servers:
dnsdist01_stunnel.txt
dnsdist02_stunnel.txt

dmachard avatar dmachard commented on August 22, 2024

Could you try to add the following lines to your stunnel config?

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

anetrjuns avatar anetrjuns commented on August 22, 2024

I tried it, but the result is the same.

dmachard avatar dmachard commented on August 22, 2024

On dnsdist02 you have a network issue, "connect_blocking: connect 10.1.1.11:6000: Connection refused (111)"; perhaps a firewall is enabled on your collector?

Can you retry with:

ciphers=EECDH+AESGCM:EDH+AESGCM
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3

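
To tell a refused connection apart from a TLS mismatch between stunnel and the collector, here is an added diagnostic (written for this page, not from the issue or the project). It first checks plain TCP reachability of the collector port, which is where "Connection refused (111)" shows up, and then, when TLS is expected, attempts a TLS handshake. Against a listener that answers in cleartext (the constructed stand-in below for a collector with tls-support: false) the handshake fails with its own classification. Certificate verification is switched off in this check on purpose, so it only answers whether the peer speaks TLS, nothing about which certificate it presents; the loopback host, ports and the stand-in listener are assumptions for the demo.

```python
# Transport check for a dnstap collector endpoint: is the port reachable, and does it speak TLS?
import socket
import ssl
import threading


def classify_endpoint(host, port, use_tls, timeout=2.0):
    """Return 'ok', 'refused', 'timeout', 'tls-handshake-failed' or 'error'."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"   # nothing listening on that port, or a firewall answering with RST
    except socket.timeout:
        return "timeout"   # typical of a firewall silently dropping the SYN
    except OSError:
        return "error"
    if not use_tls:
        raw.close()
        return "ok"
    # Diagnosis only: verification is disabled so the check answers whether the peer
    # speaks TLS at all; it says nothing about which certificate it presents.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
        tls.close()
        return "ok"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "tls-handshake-failed"   # peer answered in cleartext, or rejected our TLS parameters
    except OSError:
        return "error"


def start_cleartext_listener():
    """Constructed stand-in for a collector with tls-support: false. It accepts one connection,
    reads whatever arrives (a TLS ClientHello, if the client expects TLS) and answers with a
    Frame Streams control frame, which is not a TLS record. Returns the bound loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)
            conn.sendall(bytes.fromhex("00000000 00000004 00000001"))  # fstrm ACCEPT, no fields
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """A loopback port with nothing listening, to show the 'refused' case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run `classify_endpoint(collector_ip, 6000, use_tls=True)` from the dnsdist host: "refused" or "timeout" points at the network or a firewall, while "tls-handshake-failed" on a port that is reachable in plain TCP points at one side expecting TLS and the other not (stunnel with TLS in front of a collector that has tls-support: false, or the reverse).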
anetrjuns avatar anetrjuns commented on August 22, 2024

I tried that too, the result is the same
dnsdist01_stunnel_01.txt

dmachard avatar dmachard commented on August 22, 2024

Could you share the complete config of your stunnel and logs in dns collector side ?

anetrjuns avatar anetrjuns commented on August 22, 2024

Yes sure.

chroot = /var/run/stunnel
setuid = dnsdist
setgid = dnsdist
pid = /stunnel.pid
debug = 7

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

ciphers=EECDH+AESGCM:EDH+AESGCM
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3

[dnsdist-dnstaptls]
client=yes
accept=/var/run/stunnel/dnstap.sock
connect=10.16.32.11:6001

dnstap_collector.txt

dmachard avatar dmachard commented on August 22, 2024

Could you take a network dump between your dnsdist and the collector ?

anetrjuns avatar anetrjuns commented on August 22, 2024

Yes sure,

The pcap file size is 260 MB; link to download it:
https://wormhole.app/J3Kyx#RxBWODsnompUJkJ6i18OSA

dnscollector_grafana

dmachard avatar dmachard commented on August 22, 2024

Thanks. Finally, can you also share the config of your dnscollector?
Can you try to remove the following options in your stunnel config?

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

anetrjuns avatar anetrjuns commented on August 22, 2024

config.txt

dmachard avatar dmachard commented on August 22, 2024

Thanks; same behaviour with the TCP_NODELAY option?

anetrjuns avatar anetrjuns commented on August 22, 2024

No, the result is the same

dmachard avatar dmachard commented on August 22, 2024

If you want, can you try to use the dns-collector instead of stunnel?
Deploy the dns-collector on your dnsdist LB, configure it to read the dnstap unix socket and forward to your remote dns-collector.
Below is a config example:

collectors:
  dnstap:
    enable: true
    sock-path: <replace_me_socket_path>
loggers:
  dnstap:
    enable: true   # the dnstap forwarder must be enabled to relay frames to the remote collector
    remote-address: <replace_me_your_collector_ip>
    remote-port: <replace_me_your_collector_port>

dmachard avatar dmachard commented on August 22, 2024

@anetrjuns A new release 0.14.0 is available; please re-test with this version and apply my previous post.
Feel free to re-open the issue.
