Default YAML file

This section contains the complete default YAML configuration file that is used for DNS Probe. It is also included in the project repository (data-model/dns-probe.yml) and packages.

# Last revision: 2024-04-02
#
# Default instance configuration.
# This configuration is always loaded before other configuration specified by given instance's ID.
# DNS Probe contains default configuration values within itself so this file can be left empty
# if desired.
default:

  # List of network interfaces to process traffic from in addition to interfaces passed
  # with '-i' command line parameter.
  interface-list: []

  # List of PCAPs to process in addition to PCAPs passed with '-p' command line parameter.
  pcap-list: []

  # List of unix sockets to process dnstap data from in addition to sockets passed with '-d'
  # command line parameter.
  dnstap-socket-list: []

  # Name of existing user group under which to create dnstap sockets. By default the group of
  # probe's process is used.
  # NOTE(review): presumably this group decides who may connect to the sockets and inject dnstap
  # data; keep it limited to the account running the dnstap producer (the DNS server).
  dnstap-socket-group: ''

  # Path to directory in which to create unix sockets for reading Knot interface data. Might get
  # overridden by '-s' command line parameter.
  # NOTE(review): '/tmp' is world-writable, so any local user can pre-create or replace the socket
  # names the probe uses and feed it bogus data. For production deployments prefer a dedicated
  # directory (e.g. under '/run') owned by the probe's user with restrictive permissions that the
  # Knot server can still reach.
  knot-socket-path: '/tmp'

  # Number of Knot interface sockets to create in 'knot-socket-path' directory. Might get
  # overridden by '-k' command line parameter.
  knot-socket-count: 0

  # Indicates RAW PCAPs as input in 'pcap-list' or from command line with '-p' parameter.
  # Might get overridden by '-r' command line parameter.
  # MUST be set to 'false' if 'interface-list' or '-i' command line parameter are used.
  raw-pcap: false

  # Path (including file's name) to log file for storing logs. Might get overridden by '-l'
  # command line parameter.
  # By default logs are written to stdout.
  log-file: ''

  # Bitmask of CPU cores on which the application will be running (bit N selects core N),
  # so the default 0x7 selects cores 0-2.
  coremask: 0x7

  # List of allowed IPv4 addresses and prefixes to process traffic from.
  # By default all IPv4 addresses are allowed (an empty list means "no restriction").
  ipv4-allowlist: []

  # List of IPv4 addresses and prefixes from which to NOT process traffic.
  # By default all IPv4 addresses are allowed.
  # NOTE(review): the precedence when an address matches both the allowlist and the denylist
  # is not documented here; confirm before relying on overlapping entries.
  ipv4-denylist: []

  # List of allowed IPv6 addresses and prefixes to process traffic from.
  # By default all IPv6 addresses are allowed (an empty list means "no restriction").
  ipv6-allowlist: []

  # List of IPv6 addresses and prefixes from which to NOT process traffic.
  # By default all IPv6 addresses are allowed.
  # NOTE(review): the same allowlist/denylist precedence caveat as for IPv4 applies.
  ipv6-denylist: []

  # List of ports used for identifying DNS traffic. Only port 53 is enabled by default; the
  # commented entries are the standard ports for DNS over TLS (853) and DNS over HTTPS (443).
  dns-ports:
    - 53
    # - 853  # DNS over TLS (DoT)
    # - 443  # DNS over HTTPS (DoH)

  # [SECTION] Items for configuration of exported data
  export:

    # Location for the storage of exported DNS records.
    # Valid values are 'local' and 'remote'.
    location: 'local'

    # Directory for exported data. Relative paths are presumably resolved against the probe's
    # working directory, so prefer an absolute path for deployments.
    # NOTE(review): exported records carry client addresses unless 'ip-anonymization' is enabled,
    # so restrict this directory to the probe's user and the export consumer.
    export-dir: '.'

    # IP address for remote export of DNS records.
    remote-ip-address: '127.0.0.1'

    # Transport protocol port number for remote export of DNS records.
    remote-port: 6378

    # Backup IP address for remote export of DNS records.
    backup-remote-ip-address: ''

    # Backup transport protocol port number for remote export of DNS records.
    backup-remote-port: 6378

    # Path (including file's name) to the CA certificate against which the remote server's
    # certificate will be authenticated during TLS handshake.
    # By default server's certificate will be authenticated against OpenSSL's default directory
    # with CA certificates.
    # NOTE(review): if the collector uses a private CA, point this at that CA explicitly rather
    # than installing it into the system-wide store; the narrower trust set limits which
    # certificates could impersonate the collector.
    remote-ca-cert: ''

    # Format of exported data.
    # Valid values are 'parquet' and 'cdns'.
    export-format: 'parquet'

    # This sequence indicates which fields from the C-DNS standard schema are included in exported data.
    # 3 implementation specific fields are also included (asn, country_code, round_trip_time).
    # By default all fields available in DNS Probe are enabled as shown below.
    # Fields removed from this list are not exported, which is the simplest way to drop data you
    # do not need (e.g. 'client_address' and 'client_port' when per-client detail is not required).
    cdns-fields:
      - 'transaction_id'
      - 'time_offset'
      - 'query_name'
      - 'client_hoplimit'
      - 'qr_transport_flags'
      - 'client_address'
      - 'client_port'
      - 'server_address'
      - 'server_port'
      - 'query_size'
      - 'qr_dns_flags'
      - 'query_ancount'
      - 'query_arcount'
      - 'query_nscount'
      - 'query_qdcount'
      - 'query_opcode'
      - 'response_rcode'
      - 'query_classtype'
      - 'query_edns_version'
      - 'query_edns_udp_size'
      - 'query_opt_rdata'
      - 'response_answer_sections'
      - 'response_additional_sections'
      - 'response_size'
      - 'asn' # asn-maxmind-db configuration option also needs to be set
      - 'country_code' # country-maxmind-db configuration option also needs to be set
      - 'round_trip_time' # TCP RTT

    # Maximum number of DNS records in one exported C-DNS block.
    cdns-records-per-block: 10000

    # Maximum number of C-DNS blocks in one exported C-DNS file.
    # NOTE(review): 0 is presumably "no block-count based rotation", as 0 is for
    # 'file-size-limit' below — confirm.
    cdns-blocks-per-file: 0

    # If this flag is set to true, exported C-DNS files will contain full Answer and Additional RRs
    # from responses in each record.
    # NOTE: Won't work for traffic captured via Knot interface as this data doesn't contain full RRs.
    cdns-export-response-rr: false

    # Maximum number of Parquet records per file.
    parquet-records-per-file: 5000000

    # Common prefix of exported files' names.
    file-name-prefix: 'dns_'

    # Time interval after which the current export file is rotated.
    # Value is in seconds.
    timeout: 0

    # Size limit for the export file. If the limit is exceeded, the export file is rotated.
    # The value of 0 (default) means no size-based rotation.
    # NOTE(review): the unit of the limit (bytes?) is not documented here — confirm.
    file-size-limit: 0

    # If this flag is true, the exported Parquet or C-DNS files will be compressed using GZIP.
    # C-DNS will be compressed explicitly with .gz suffix; Parquet files will be compressed
    # internally due to the nature of the format.
    file-compression: true

    # Selection of packets to be stored in PCAP files, in addition to normal Parquet or C-DNS export.
    # It's recommended to use this option only for testing purposes.
    # Valid values are 'all', 'invalid', 'disabled'.
    # NOTE(review): PCAP export keeps raw packets and is NOT covered by 'ip-anonymization' (see
    # that section), so enabling it in production defeats anonymization of the regular export.
    pcap-export: 'disabled'

    # Path to Maxmind Country database. If this option is set to a valid database file, the 'country'
    # field in exported Parquets or 'country_code' implementation field in exported C-DNS will be
    # filled with ISO 3166-1 country code based on client's IP address.
    country-maxmind-db: ''

    # Path to Maxmind ASN database. If this option is set to a valid database file, the 'asn'
    # implementation field in exported Parquets or C-DNS will be filled with Autonomous System
    # Number (ASN) based on client's IP address.
    asn-maxmind-db: ''

  # [SECTION] Configuration of client IP anonymization in exported data (Parquet or C-DNS).
  # The optional PCAP export does NOT get anonymized!!!
  ip-anonymization:

    # If this flag is true, client IP addresses in exported data will be anonymized using
    # Crypto-PAn prefix-preserving algorithm.
    # Crypto-PAn is a keyed, deterministic pseudonymization: the same input address always maps
    # to the same output under the same key, and prefix structure is preserved. That keeps the
    # data analysable, but whoever holds the key can recompute the mapping and re-identify
    # clients, so the key file configured below must be treated as a secret.
    anonymize-ip: false

    # Encryption algorithm to be used during anonymization of client IP addresses if enabled.
    # Valid values are 'aes', 'blowfish', 'md5', 'sha1'.
    # 'aes' (the default) is the recommended choice. Switching algorithm requires a matching key
    # and changes the address mapping, so exports produced before and after are not comparable.
    encryption: 'aes'

    # Path (including file's name) to the file with encryption key that is to be used for client
    # IP anonymization if enabled. If the file doesn't exist, it is generated by the probe.
    # The key needs to be compatible with the encryption algorithm set in the 'encryption' option
    # above. User should generate the key using 'scramble_ips' tool installed by the cryptopANT
    # dependency like this:
    #
    # scramble_ips --newkey --type=<encryption> <key-file>
    #
    # NOTE(review): the default is a relative path, so the key is created in the probe's working
    # directory — by default the same '.' that 'export.export-dir' points to. Use an absolute path
    # outside the export directory, restrict the file to the probe's user (mode 0600) and back it
    # up: a lost or silently regenerated key yields a different mapping, and a key shipped
    # together with the exported data removes the anonymization entirely.
    key-path: 'key.cryptopant'

  # [SECTION] Configuration of transaction table parameters.
  # The transaction table holds queries that are waiting to be matched with their responses.
  transaction-table:

    # Maximum number of entries in the transaction table.
    # MUST be a power of 2.
    # Size it for peak unanswered queries: roughly peak queries per second times 'query-timeout'
    # (in seconds) plus headroom. A flood of queries that never get a response (e.g. spoofed-source
    # traffic) fills the table up to this limit.
    # NOTE(review): what happens to new queries once the table is full is not documented here.
    max-transactions: 1048576

    # Time interval after which a query record is removed from the transaction database if no
    # response is observed.
    # Value is in milliseconds.
    # Shorter values bound table occupancy under load but cause legitimately slow responses to
    # be treated as unanswered.
    query-timeout: 1000

    # If this flag is true, DNS QNAME (if present) is used as a secondary key for matching
    # requests with responses.
    # Reduces mismatches when transaction IDs are reused or collide between clients.
    match-qname: false

  # [SECTION] Configuration of TCP processing
  tcp-table:

    # Maximum number of concurrent TCP connections.
    # MUST be a power of 2.
    # Together with 'timeout' this controls how much TCP connection state the probe keeps; a burst
    # of idle connections (accidental or deliberate) can occupy entries for up to 'timeout'
    # milliseconds each.
    # NOTE(review): behaviour when the table is full (drop new, evict oldest?) is not documented here.
    concurrent-connections: 131072

    # Time interval after which a TCP connection is removed from the connection database
    # if no data is received through that connection.
    # Value is in milliseconds.
    timeout: 60000

  # [SECTION] Configuration of run-time statistics export
  statistics:

    # If this flag is true, run-time statistics will be exported in JSON format every
    # 'stats-timeout' seconds.
    export-stats: false

    # If this flag is true and any IP addresses are set in 'ipv4-allowlist' or 'ipv6-allowlist',
    # 'queries*' run-time statistics will be exported for each of the IP addresses in addition
    # to overall statistics in format '"[<IP-address>]queries*":<value>'.
    # NOTE(review): the allowlisted addresses appear in clear text in the statistics output and
    # nothing here suggests 'ip-anonymization' applies to them; treat the statistics export as
    # being as sensitive as the allowlist itself.
    stats-per-ip: false

    # Time interval after which run-time statistics will be periodically exported in JSON locally
    # or to remote location, if enabled by 'export-stats' option. If value is 0, statistics
    # will be exported only on probe's exit.
    # Value is in seconds.
    # RECOMMENDATION: For optimal results the value should be the same as moving-avg-window.
    stats-timeout: 300

    # Location for the storage of exported run-time statistics in JSON.
    # Valid values are 'local' and 'remote'.
    location: 'local'

    # Directory for exported run-time statistics.
    # Relative paths are presumably resolved against the probe's working directory; prefer an
    # absolute path for deployments.
    export-dir: '.'

    # IP address for remote export of run-time statistics.
    # Note that the key names differ from the 'export' section ('remote-ip' here vs.
    # 'remote-ip-address' there).
    remote-ip: '127.0.0.1'

    # Transport protocol port number for remote export of run-time statistics.
    remote-port: 6379

    # Backup IP address for remote export of run-time statistics.
    backup-remote-ip: ''

    # Backup transport protocol port number for remote export of run-time statistics.
    backup-remote-port: 6379

    # Path (including file's name) to the CA certificate against which the remote server's
    # certificate will be authenticated during TLS handshake.
    # By default server's certificate will be authenticated against OpenSSL's default directory
    # with CA certificates.
    # NOTE(review): as for 'export.remote-ca-cert', point this at the collector's CA explicitly
    # when that CA is a private one rather than widening the system-wide trust store.
    remote-ca-cert: ''

    # Time window in seconds for which to compute moving average of queries-per-second*
    # run-time statistics. Window can be set in interval from 1 second to 1 hour.
    moving-avg-window: 300

    # This sequence indicates which run-time statistics should be exported if export is enabled.
    # By default all statistics available in DNS Probe are enabled as shown below.
    # Statistics removed from this list are not exported.
    stats-fields:
      - 'processed-packets'
      - 'processed-transactions'
      - 'exported-records'
      - 'pending-transactions'
      - 'exported-pcap-packets'
      - 'ipv4-source-entropy'
      - 'queries-ipv4'
      - 'queries-ipv6'
      - 'queries-tcp'
      - 'queries-udp'
      - 'queries-dot'
      - 'queries-doh'
      - 'queries'
      - 'queries-per-second-ipv4'
      - 'queries-per-second-ipv6'
      - 'queries-per-second-tcp'
      - 'queries-per-second-udp'
      - 'queries-per-second-dot'
      - 'queries-per-second-doh'
      - 'queries-per-second'
      - 'unix-timestamp' # timestamp of given export

# Configuration for specific instances of DNS Probe (set by '-n' command line parameter).
# Only changes to default configuration need to be specified here.
#
# test1:
#   interface-list:
#     - 'lo'
#   ipv4-allowlist:
#     - '192.168.1.1'
#     - '192.168.2.0/24'
#
# test2:
#   interface-list:
#     - 'enp0'
#   ipv6-denylist:
#     - '2001:db8:abcd:0012::0/64'