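# local_address
#
# Specifies a local IP address with an optional mask/bits for local
# networks. Used to determine the "direction" of an IP packet: sending
# or receiving or other. Repeat any number of times for all local
# addresses.
#
# NOTE: the ip_direction indexer (used by the direction_vs_ipproto
# dataset below) is derived from this list, so every address the DNS
# software answers on must be listed or its traffic is classified as
# "other".
#
local_address 127.0.0.1;
local_address ::1;
#local_address 127.0.0.0 255.0.0.0;
#local_address 192.168.0.0 24;
#local_address 10.0.0.0 8;


# run_dir
#
# dsc passes this directory to chdir() after starting.
#
# NOTE(review): this is presumably also where the per-interval output
# files are written (confirm against dsc.conf(5)); it should be owned by
# the account dsc runs as and not be writable by other local users.
#
run_dir "@DSC_DATA_DIR@";


# minfree_bytes
#
# If the filesystem has less than this amount of free
# space, then dsc will not write its XML files to disk.
# The data will be lost.
#
# NOTE: lost intervals cannot be recovered, so monitor free space on
# the filesystem holding run_dir rather than discovering gaps in the
# statistics afterwards.
#
minfree_bytes 5000000;


# pid_file
#
# filename where DSC should store its process-id
#
# NOTE: keep the pid file in a directory only the account running dsc
# can write to; a pid file in a shared or world-writable directory can
# be replaced by another user and point init scripts at the wrong
# process.
#
pid_file "@DSC_PID_FILE@";


# bpf_program
#
# a berkeley packet filter program. it can be used to limit
# the number and type of queries that the application receives
# from the kernel. note if you limit it to "udp port 53" the
# IP-based collectors do not work
#
# NOTE: bpf_program must GO BEFORE interface
#
# NOTE: a filter on "udp" also discards DNS over TCP (retries after
# truncation, zone transfers), so datasets such as transport_vs_qtype
# will only ever see UDP. If you change dns_port below, change the
# port in the filter as well; the two are not linked.
#
# NOTE(review): the udp[10:2] form below indexes the UDP payload, which
# in classic libpcap only matches IPv4 packets; IPv6 queries fall
# through such a filter. Confirm with the libpcap version in use.
#
# use this to see only DNS messages
#bpf_program "udp port 53";
#
# use this to see only DNS *queries* (udp[10:2] is the DNS flags word,
# 0x8000 is the QR bit, 0 = query)
#bpf_program "udp dst port 53 and udp[10:2] & 0x8000 = 0";


# dns_port
#
# DSC will only parse traffic coming to or leaving the DNS port (default 53),
# this option lets you control which port that is in case it's not standard.
#
# NOTE: this does not rewrite bpf_program; keep the two consistent.
#
#dns_port 53;


# pcap_buffer_size
#
# Set the buffer size (in bytes) for pcap, increasing this may help
# if you see dropped packets by the kernel but increasing it too much
# may have other side effects
#
# NOTE: pcap_buffer_size must GO BEFORE interface
#
#pcap_buffer_size 4194304;


# pcap_thread_timeout
#
# Set the internal timeout pcap-thread uses when waiting for packets,
# the default is 100 ms.
#
# NOTE: pcap_thread_timeout must GO BEFORE interface
#
#pcap_thread_timeout 100;


# drop_ip_fragments
#
# Drop all packets that are fragments
#
# NOTE: drop_ip_fragments must GO BEFORE interface
#
# NOTE: fragments are dropped, not reassembled, so with this enabled a
# DNS message that arrives fragmented (e.g. a large EDNS response) is
# not counted at all.
#
#drop_ip_fragments;


# interface
#
# specifies a network interface to sniff packets from or a pcap
# file to read packets from, can specify more than one.
#
# Under Linux (kernel v2.2+) libpcap can use an "any" interface which
# will include any interfaces the host has but these interfaces will
# not be put into promiscuous mode which may prevent capturing traffic
# that is not directly related to the host.
#
# NOTE: live capture needs raw-socket privileges (root or CAP_NET_RAW
# on Linux). A pcap file given here goes through the same parser as
# live traffic, so treat files received from third parties as
# untrusted input and run dsc with the least privilege that still
# lets it write run_dir.
#
#interface eth0;
#interface fxp0;
#interface any;
#interface /path/to/dump.pcap;


# DNSTAP
#
# specify DNSTAP input from a file, UNIX socket, UDP or TCP connections
# (dsc will listen for incoming connections).
#
# This type of input is delivered directly from the DNS software itself
# as encapsulated DNS packets as seen or as made by the software.
# See https://dnstap.info for more information about DNSTAP.
#
# dnstap_unixsock can have additional optional options to control access
# to the socket: [user][:group] [umask]
#
# dnstap_unixsock /path/to/unix.sock user:group 0007;
#
# NOTE:
# - Only one DNSTAP input can be specified at a time currently.
# - Configuration needs to match that of the DNS software.
# - Don't use these values as default values, no default port for DNSTAP!
# - No authentication option is listed here for dnstap_tcp/dnstap_udp:
#   anything that can reach the listener can feed frames that end up in
#   the statistics. Bind to 127.0.0.1/::1 as in the examples, or to an
#   address that is firewalled to the DNS server host only. UDP input
#   additionally has no connection, so its source address is trivially
#   spoofable.
# - For dnstap_unixsock the user:group and umask arguments are the
#   access control: a umask of 0007 removes all "other" permissions,
#   leaving the socket usable by the owner and group only. Set them to
#   the account the DNS software runs as.
#
#dnstap_file /path/to/file.dnstap;
#dnstap_unixsock /path/to/unix.sock;
#dnstap_tcp 127.0.0.1 5353;
#dnstap_udp 127.0.0.1 5353;


# DNSTAP network information filler
#
# per DNSTAP specification, some information may be not included such as
# receiver or sender of DNS. To be able to produce statistics, dsc needs
# to know what to put in place when that information is missing.
# This is configured by dnstap_network and should be the primary IP
# addresses and port of the DNS software.
#
# NOTE: the substituted values are indexed like real ones, so a wrong
# address or port here shows up in the statistics as if it were real.
#
# dnstap_network <IPv4> <IPv6> <port>;
#
#dnstap_network 127.0.0.1 ::1 53;


# qname_filter
#
# Defines a custom QNAME-based filter for DNS messages. If
# you refer to this named filter on a dataset line, then only
# queries or replies for matching QNAMEs will be counted.
# The QNAME argument is a regular expression. For example:
#
# NOTE: the expression is evaluated against every message the dataset
# sees, so keep it anchored and simple as in the example.
#
#qname_filter WWW-Only ^www\. ;
#dataset qtype dns All:null Qtype:qtype queries-only,WWW-Only ;


# datasets
#
# please see dsc.conf(5) man-page for more information.
#
# NOTE: several of these index client addresses/subnets and query
# names, so the output files are not anonymous; see "output file
# access" below for the file mode. max-cells=N is set on the
# high-cardinality indexers (client subnet/address, TLD, ASN) and
# presumably bounds the number of distinct values kept per interval;
# see dsc.conf(5) before adding a new high-cardinality dataset
# without it.
#
dataset qtype dns All:null Qtype:qtype queries-only;
dataset rcode dns All:null Rcode:rcode replies-only;
dataset opcode dns All:null Opcode:opcode queries-only;
dataset rcode_vs_replylen dns Rcode:rcode ReplyLen:msglen replies-only;
dataset client_subnet dns All:null ClientSubnet:client_subnet queries-only max-cells=200;
dataset qtype_vs_qnamelen dns Qtype:qtype QnameLen:qnamelen queries-only;
dataset qtype_vs_tld dns Qtype:qtype TLD:tld queries-only,popular-qtypes max-cells=200;
dataset certain_qnames_vs_qtype dns CertainQnames:certain_qnames Qtype:qtype queries-only;
dataset client_subnet2 dns Class:query_classification ClientSubnet:client_subnet queries-only max-cells=200;
dataset client_addr_vs_rcode dns Rcode:rcode ClientAddr:client replies-only max-cells=50;
dataset chaos_types_and_names dns Qtype:qtype Qname:qname chaos-class,queries-only;
#dataset country_code dns All:null CountryCode:country queries-only;
#dataset asn_all dns IPVersion:dns_ip_version ASN:asn queries-only max-cells=200;
dataset idn_qname dns All:null IDNQname:idn_qname queries-only;
dataset edns_version dns All:null EDNSVersion:edns_version queries-only;
dataset edns_bufsiz dns All:null EDNSBufSiz:edns_bufsiz queries-only;
dataset do_bit dns All:null D0:do_bit queries-only;
dataset rd_bit dns All:null RD:rd_bit queries-only;
dataset idn_vs_tld dns All:null TLD:tld queries-only,idn-only;
dataset ipv6_rsn_abusers dns All:null ClientAddr:client queries-only,aaaa-or-a6-only,root-servers-net-only max-cells=50;
dataset transport_vs_qtype dns Transport:transport Qtype:qtype queries-only;
dataset client_port_range dns All:null PortRange:dns_sport_range queries-only;
#dataset second_ld_vs_rcode dns Rcode:rcode SecondLD:second_ld replies-only max-cells=50;
#dataset third_ld_vs_rcode dns Rcode:rcode ThirdLD:third_ld replies-only max-cells=50;
dataset direction_vs_ipproto ip Direction:ip_direction IPProto:ip_proto any;
#dataset dns_ip_version_vs_qtype dns IPVersion:dns_ip_version Qtype:qtype queries-only;
#dataset response_time dns All:null ResponseTime:response_time;
#dataset label_count dns All:null LabelCount:label_count any;
#dataset encryption dns All:null Encryption:encryption queries-only;


# datasets for collecting data on priming queries at root nameservers
#dataset priming_queries dns Transport:transport EDNSBufSiz:edns_bufsiz priming-query,queries-only;
#dataset priming_responses dns All:null ReplyLen:msglen priming-query,replies-only;


# dataset for monitoring an authoritative nameserver for DNS reflection attack
#dataset qr_aa_bits dns Direction:ip_direction QRAABits:qr_aa_bits any;


# dataset for servfail response for dnssec validation fail.
#
# NOTE(review): this indexes the full Qname with no max-cells. Under a
# random-subdomain flood the number of distinct names is unbounded;
# consider adding max-cells=N as the other high-cardinality datasets do.
#
#dataset servfail_qname dns ALL:null Qname:qname servfail-only,replies-only;


# dataset for successful validation.
#
# NOTE(review): same unbounded-Qname consideration as servfail_qname.
#
#dataset ad_qname dns ALL:null Qname:qname authentic-data-only,replies-only;


# bpf_vlan_tag_byte_order
#
# Set this to 'host' on FreeBSD-4 where the VLAN id that we
# get from BPF appears to already be in host byte order.
#
#bpf_vlan_tag_byte_order host;


# match_vlan
#
# A whitespace-separated list of VLAN IDs. If set, only the
# packets with these VLAN IDs will be analyzed by DSC.
#
#match_vlan 100 200;


# statistics_interval
#
# Specify how often we write statistics, default to 60 seconds.
#
#statistics_interval 60;


# no_wait_interval
#
# Do not wait on interval sync to start capturing, normally DSC will
# sleep for time() % statistics_interval to align with the minute
# (as was the default interval before) but now if you change the interval
# to more than a minute you can use this option to begin capture right
# away.
#
#no_wait_interval;


# output_format
#
# Specify the output format, can be given multiple times to output in more than
# one format. Default output format is XML.
#
# Available formats are:
# - XML
# - JSON
#
#output_format XML;
#output_format JSON;


# output file access
#
# Following options control the user, group and file mode bits for the
# output file.
#
# NOTE: the output files carry whatever the datasets index, which with
# the defaults above includes client addresses/subnets and query names.
# 0664 makes them world-readable; on a shared host prefer a mode such
# as 0640 with a dedicated group for whatever ships the files onward,
# and avoid root-owned output if dsc itself runs unprivileged.
#
#output_user root;
#output_group root;
#output_mod 0664;


# dump_reports_on_exit
#
# Dump any remaining report before exiting.
#
# NOTE: Timing in the data files will be off!
#
#dump_reports_on_exit;


# geoip
#
# Following configuration is used for MaxMind GeoIP Legacy API
# if present and enabled during compilation.
#
# NOTE(review): MaxMind no longer distributes GeoIP Legacy (.dat)
# databases, so this section only matters for existing files; new
# deployments should use the maxminddb backend below and keep the
# database files updated from a trusted source.
#
#geoip_v4_dat "/usr/share/GeoIP/GeoIP.dat" STANDARD MEMORY_CACHE MMAP_CACHE;
#geoip_v6_dat "/usr/share/GeoIP/GeoIPv6.dat";
#geoip_asn_v4_dat "/usr/share/GeoIP/GeoIPASNum.dat" MEMORY_CACHE;
#geoip_asn_v6_dat "/usr/share/GeoIP/GeoIPASNumv6.dat" MEMORY_CACHE;


# ASN/Country Indexer and MaxMind DB
#
# Following configuration controls which backend the ASN and Country indexer
# will use and, for maxminddb, which MaxMind database (GeoIP2) files.
#
# Available backends:
# - geoip
# - maxminddb
#
#asn_indexer_backend geoip;
#country_indexer_backend geoip;
#maxminddb_asn "/path/to/GeoLite2/ASN.mmdb";
#maxminddb_country "/path/to/GeoLite2/Country.mmdb";


# Client Subnet Mask
#
# Set the IPv4/IPv6 client subnet mask which is used for the
# ClientSubnet indexer.
#
# NOTE: the mask is what keeps individual clients out of the
# client_subnet datasets; the examples below truncate to a /24 (IPv4)
# and a /96 (IPv6). A coarser mask reduces how identifiable clients
# are in the output.
#
#client_v4_mask 255.255.255.0;
#client_v6_mask ffff:ffff:ffff:ffff:ffff:ffff:0000:0000;


# Response Time indexer
#
# These settings are for the response time indexer, it tracks query
# to match it with a response and gives statistics about the time it
# took to answer the query.
#
# Available statistical output modes:
# - bucket
# - log10 (default)
# - log2
#
#response_time_mode log10;
#response_time_max_queries 1000000;
#
# If the number of queries tracked exceeds max_queries the full_mode
# will control how to handle it:
# - drop_query: Drop the incoming query.
# - drop_oldest: Drop the oldest query being tracked and accept the
#                incoming one.
#
# NOTE: unanswered queries stay tracked until response_time_max_seconds,
# so a burst of spoofed or unanswerable queries fills the table;
# max_queries bounds the memory that costs and full_mode decides which
# pending queries are sacrificed when it does.
#
#response_time_full_mode drop_query;
#
# Set the maximum seconds to keep a query but a query can still be
# matched to a response while being outside this limit and therefore
# there is a mode on how to handle that situation:
# - ceil: The query will be counted as successful but the time it took
#         will be the maximum seconds (think ceiling, or ceil()).
# - timed_out: The query will be counted as timed out.
#
#response_time_max_seconds 5;
#response_time_max_sec_mode ceil;
#
# Control the size of bucket (microseconds) in bucket mode.
#
#response_time_bucket_size 100;


# Known TLDs
#
# Load known TLDs from a file, see https://data.iana.org/TLD/tlds-alpha-by-domain.txt
#
# NOTE: fetch the list over HTTPS and keep it as a local file that only
# the administrator can change; it influences how names are indexed.
#
#knowntlds_file file;


# TLD list (aka Public Suffix List)
#
# This option changes what DSC considers a TLD (similar to Public Suffix
# List) and affects any indexers that gather statistics on TLDs, such as
# the tld, second_ld and third_ld indexers.
# The file format is simply one line per suffix and supports commenting out
# lines with #.
# You can use dsc-psl-convert to convert the Public Suffix List to this
# format, see dsc-psl-convert (5) for more information and examples on how
# to set it up.
#
#tld_list file;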