Files
coredns/plugin/dnstap
Pavel Lazureykis 974d693e6f plugin/dnstap: fix self-deadlock in listener broadcast on client flush error (#8260)
listener.Dnstap holds clientsMu.RLock() while iterating connected sink
clients. In the flush-error branch it called removeClient(c) synchronously,
but removeClient takes clientsMu.Lock(). A sync.RWMutex is not reentrant, so
the goroutine blocks forever waiting to acquire the write lock it can never
get while holding the read lock. The queued Lock() then blocks every
subsequent Dnstap broadcast and close(), and the goroutine leaks.

A flush error is the normal failure mode for a slow or disconnected sink
client (writeMsg buffers into framestream and succeeds; flush does the real
socket write and fails), so a single misbehaving client wedged the whole
listen path. Because Dnstap runs inline in the request-serving goroutine via
TapMessageWithMetadata, this could cascade into stalled request handling.

The write-error branch one line up already offloaded with `go removeClient(c)`.
Do the same in the flush-error branch and drop the early return so the
broadcast still reaches the remaining clients.

Assisted-by: Claude Opus 4.8

Signed-off-by: Pavel Lazureykis <pavel@lazureykis.dev>
2026-07-09 20:43:35 +03:00
..
2018-07-19 16:23:06 +01:00

dnstap

Name

dnstap - enables logging to dnstap.

Description

dnstap is a flexible, structured binary log format for DNS software; see https://dnstap.info. With this plugin you make CoreDNS output dnstap logging.

Every message is sent to the socket as soon as it comes in, the dnstap plugin has a buffer of 10000 messages, above that number dnstap messages will be dropped (this is logged).

Syntax

Outgoing Connections (Connect to Sink)

dnstap SOCKET [full] [writebuffer] [queue] {
  [identity IDENTITY]
  [version VERSION]
  [extra EXTRA]
  [skipverify]
}
  • SOCKET is the socket (path) supplied to the dnstap command line tool.
  • full to include the wire-format DNS message.
  • writebuffer sets the TCP write buffer multiplier in MiB. Valid range: [1, 1024].
  • queue sets the queue multiplier, applied to 10,000 messages. Valid range: [1, 4096].
  • IDENTITY to override the identity of the server. Defaults to the hostname.
  • VERSION to override the version field. Defaults to the CoreDNS version.
  • EXTRA to define "extra" field in dnstap payload, metadata replacement available here.
  • skipverify to skip tls verification during connection. Default to be secure

Incoming Connections (Accept from Sinks)

dnstap listen SOCKET [full] {
  [identity IDENTITY]
  [version VERSION]
  [extra EXTRA]
  [tls CERT KEY [CA]]
  [skipverify]
}
  • listen indicates this is a listening socket that accepts incoming connections from dnstap sinks.
  • SOCKET is the socket address to listen on (e.g., tcp://127.0.0.1:6000, unix:///tmp/dnstap.sock).
  • full to include the wire-format DNS message.
  • IDENTITY to override the identity of the server. Defaults to the hostname.
  • VERSION to override the version field. Defaults to the CoreDNS version.
  • EXTRA to define "extra" field in dnstap payload, metadata replacement available here.
  • tls CERT KEY [CA] to enable TLS for the listener. CERT and KEY are paths to the server certificate and key files. Optional CA is the path to the CA certificate for client verification.
  • skipverify to skip client certificate verification. Default is to verify client certificates. Equivalent to the CA option above being unspecified.

Note: Incoming connections use unbuffered channels to broadcast events. If a connected sink becomes slow or disconnected, messages are dropped for that sink only, and the connection is closed.

Examples

Log information about client requests and responses to /tmp/dnstap.sock.

dnstap /tmp/dnstap.sock

Log information about client requests and responses with a custom TCP write buffer (1024 MiB) and queue capacity (2048 x 10000).

dnstap /tmp/dnstap.sock full 1024 2048

Log information including the wire-format DNS message about client requests and responses to /tmp/dnstap.sock.

dnstap unix:///tmp/dnstap.sock full

Log to a remote endpoint.

dnstap tcp://127.0.0.1:6000 full

Log to a remote endpoint by FQDN.

dnstap tcp://example.com:6000 full

Log to a socket, overriding the default identity and version.

dnstap /tmp/dnstap.sock {
  identity my-dns-server1
  version MyDNSServer-1.2.3
}

Log to a socket, customize the "extra" field in dnstap payload. You may use metadata provided by other plugins in the extra field.

forward . 8.8.8.8
metadata
dnstap /tmp/dnstap.sock {
  extra "upstream: {/forward/upstream}"
}

Log to a remote TLS endpoint.

dnstap tls://127.0.0.1:6000 full {
  skipverify
}

Listen for incoming dnstap sink connections on a Unix socket.

dnstap listen /tmp/dnstap.sock full

Listen for incoming dnstap sink connections on TCP.

dnstap listen tcp://127.0.0.1:6000 full

Listen for incoming dnstap sink connections on TLS with mTLS client authentication.

dnstap listen tls://127.0.0.1:6000 full {
  tls /path/to/server-cert.pem /path/to/server-key.pem /path/to/ca.pem
}

Listen for incoming dnstap sink connections on TLS without client certificate verification.

dnstap listen tls://127.0.0.1:6000 full {
  tls /path/to/server-cert.pem /path/to/server-key.pem
  skipverify
}

You can use dnstap more than once to define multiple taps. The following logs information including the wire-format DNS message about client requests and responses to /tmp/dnstap.sock, and also sends client requests and responses without wire-format DNS messages to a remote FQDN.

dnstap /tmp/dnstap.sock full
dnstap tcp://example.com:6000

You can also combine outgoing connections with incoming listeners:

dnstap tcp://remote-collector.example.com:6000 full
dnstap listen tcp://127.0.0.1:6001 full

Command Line Tool

Dnstap has a command line tool that can be used to inspect the logging. The tool can be found at GitHub: https://github.com/dnstap/golang-dnstap. It's written in Go.

The following command listens on the given socket and decodes messages to stdout.

$ dnstap -u /tmp/dnstap.sock

The following command listens on the given socket and saves message payloads to a binary dnstap-format log file.

$ dnstap -u /tmp/dnstap.sock -w /tmp/test.dnstap

Listen for dnstap messages on port 6000.

$ dnstap -l 127.0.0.1:6000

Using Dnstap in your plugin

In your setup function, collect and store a list of all dnstap plugins loaded in the config:

x :=  &ExamplePlugin{}

c.OnStartup(func() error {
    if taph := dnsserver.GetConfig(c).Handler("dnstap"); taph != nil {
        for tapPlugin, ok := taph.(*dnstap.Dnstap); ok; tapPlugin, ok = tapPlugin.Next.(*dnstap.Dnstap) {
            x.tapPlugins = append(x.tapPlugins, tapPlugin)
        }
    }
    return nil
})

And then in your plugin:

import (
  "github.com/coredns/coredns/plugin/dnstap/msg"
  "github.com/coredns/coredns/request"

  tap "github.com/dnstap/golang-dnstap"
)

func (x ExamplePlugin) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error) {
    for _, tapPlugin := range x.tapPlugins {
        q := new(msg.Msg)
        msg.SetQueryTime(q, time.Now())
        msg.SetQueryAddress(q, w.RemoteAddr())
        if tapPlugin.IncludeRawMessage {
            buf, _ := r.Pack() // r has been seen packed/unpacked before, this should not fail
            q.QueryMessage = buf
        }
        msg.SetType(q, tap.Message_CLIENT_QUERY)
        
        // if no metadata interpretation is needed, just send the message
        tapPlugin.TapMessage(q)

        // OR: to interpret the metadata in "extra" field, give more context info
        tapPlugin.TapMessageWithMetadata(ctx, q, request.Request{W: w, Req: query})
    }
    // ...
}

See Also

The website dnstap.info has info on the dnstap protocol. The forward plugin's dnstap.go uses dnstap to tap messages sent to an upstream.