Hi Mark,

Yes, that's what I see in the default log, but when looking into rpz.log I see the query and RPZ rewrites:

rpz: info: client @0x7f033dd7f000 MyHiddenMaster#56341 (ads.pubmatic.com): rpz QNAME NODATA rewrite ads.pubmatic.com/HTTPS/IN via ads.pubmatic.com.rpz.f1-online.net

Likewise, NXDOMAIN is mentioned here for RPZ and dnstap:
https://protodoc.io/isc-projects/bind9/dnstap

So I wonder if I am doing something wrong or missing something from a configuration point of view to get the RPZ info I see in the logs somehow exported via dnstap?

Thank you,
Wolfgang

On 13. Sep 2025, at 07:50, Mark Andrews <[email protected]> wrote:

NODATA is a concept not a record type. It indicates that the name is correct but there are no records of the requested type.

--
Mark Andrews

On 12 Sep 2025, at 0:34, Wolfgang Riedel via bind-users <[email protected]> wrote:

Hi Folks,

I just wonder if I am missing something ;-)

I am currently running a POC for RPZ logging into Elasticsearch and just wonder why I can't see any "rpz QNAME NODATA" in Elasticsearch?

I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector -> Elasticsearch

BIND:

    dnstap { all; };
    // dnstap { auth; resolver query; resolver response; };
    /* where to capture to: file or unix (socket) */
    // dnstap-output file "/tmp/named.tap";
    dnstap-output unix "/run/named/dnstap.sock";
    dnstap-identity "rr1.xyz.net";

    channel rpz_file {
        file "/var/log/named/rpz.log" versions 10 size 10m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

I am seeing a lot of "rpz QNAME NODATA rewrite" messages in /var/log/named/rpz.log and would like to export them via dnstap instead of local log files and then shipping them to Elasticsearch via a log shipper.

DNSCollector:

    pipelines:
      - name: "input-bind-dnstap"
        # Read DNSTap stream from a UNIX socket
        dnstap:
          sock-path: /run/named/dnstap.sock
          sock-rcvbuf: 0
        routing-policy:
          # Routes DNS messages from the Unix socket to Elasticsearch
          forward: [output-elastic]
          dropped: [output-error-log]

      - name: "output-elastic"
        elasticsearch:
          server: "https://k8s-eck.xyz.net:30200"
          index: "logs-network_traffic.dnscollector-default"
          bulk-size: 1048576 # 1MB
          bulk-channel-size: 10
          # bulk-size refers to the size of the batch of DNS messages sent to your Elasticsearch instance
          # bulk-channel-size defines the number of batches the DNS collector can hold in memory before dropping them
          flush-interval: 10 # in seconds
          # Interval in seconds before flushing the buffer. Sets the maximum time interval before the buffer is flushed.
          # If the bulk batches reach this interval before reaching the maximum size, they will be sent to Elasticsearch.
          compression: none
          chan-buffer-size: 0
          basic-auth-enable: true
          basic-auth-login: "aaa"
          basic-auth-pwd: "bbb"

Elasticsearch:

In Elasticsearch I can see all kinds of Resource Record types besides NODATA, which is what I am looking for ;-)

So I just wonder if BIND is not exporting NODATA if it's a result of RPZ or I am missing something else?

—
Thank you,
Wolfgang
______________________________________________________________________________________________
Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
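
Added example (not part of the thread, and not BIND or DNS-collector code): Mark's point that NODATA is a response shape rather than a record type, shown by classifying wire-format DNS responses, which is the form a dnstap response payload carries. The sample messages are constructed and the function names are hypothetical.

```python
import struct
QTYPES = {1: "A", 28: "AAAA", 65: "HTTPS"}  # display names for a few types

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def _read_qname(msg, off):
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def classify(msg):
    """Return (qname, qtype, verdict) for one wire-format DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or qd != 1:
        raise ValueError("expected a response with exactly one question")
    qname, off = _read_qname(msg, 12)
    qtype, _qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    rcode, found = flags & 0x000F, False
    for _ in range(an):  # does any answer RR carry the requested type?
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        found = found or rtype == qtype
    if rcode == 0:  # NOERROR: NODATA is the absence of the requested type
        verdict = "ANSWER" if found else "NODATA"
    else:
        verdict = "NXDOMAIN" if rcode == 3 else "RCODE%d" % rcode
    return qname, QTYPES.get(qtype, str(qtype)), verdict

def _question(name, qtype):
    wire = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return wire + b"\x00" + struct.pack("!2H", qtype, 1)

# Constructed sample responses (not captured traffic).
NODATA_MSG = struct.pack("!6H", 1, 0x8180, 1, 0, 0, 0) + _question("ads.pubmatic.com", 65)
NXDOMAIN_MSG = struct.pack("!6H", 2, 0x8183, 1, 0, 0, 0) + _question("ads.pubmatic.com", 65)
ANSWER_MSG = (struct.pack("!6H", 3, 0x8180, 1, 1, 0, 0) + _question("example.com", 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

A NODATA response is therefore found by filtering on NOERROR responses that carry no answer of the queried type, not by looking for a record type named NODATA.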