# local_address
#
# Specifies a local IP address with an optional mask/bits for local
# networks. Used to determine the "direction" of an IP packet: sending
# or receiving or other. Repeat any number of times for all local
# addresses.
#
local_address 127.0.0.1;
local_address ::1;
#local_address 127.0.0.0 255.0.0.0;
#local_address 192.168.0.0 24;
#local_address 10.0.0.0 8;
# run_dir
#
# dsc passes this directory to chdir() after starting.
#
run_dir "@DSC_DATA_DIR@";
# minfree_bytes
#
# If the filesystem has less than this amount of free
# space, then dsc will not write its XML files to disk.
# The data will be lost.
#
minfree_bytes 5000000;
# pid_file
#
# the filename where DSC should store its process ID
#
pid_file "@DSC_PID_FILE@";
# bpf_program
#
# a Berkeley packet filter program. It can be used to limit
# the number and type of queries that the application receives
# from the kernel. Note that if you limit it to "udp port 53" the
# IP-based collectors will not work.
#
# NOTE: bpf_program must GO BEFORE interface
#
# use this to see only DNS messages
#bpf_program "udp port 53";
#
# use this to see only DNS *queries*
#bpf_program "udp dst port 53 and udp[10:2] & 0x8000 = 0";
# dns_port
#
# DSC will only parse traffic coming to or leaving the DNS port (default 53);
# this option lets you control which port that is in case it is not standard.
#dns_port 53;
# pcap_buffer_size
#
# Set the buffer size (in bytes) for pcap. Increasing this may help
# if you see packets dropped by the kernel, but increasing it too much
# may have other side effects.
#
# NOTE: pcap_buffer_size must GO BEFORE interface
#pcap_buffer_size 4194304;
# pcap_thread_timeout
#
# Set the internal timeout pcap-thread uses when waiting for packets;
# the default is 100 ms.
#
# NOTE: pcap_thread_timeout must GO BEFORE interface
#pcap_thread_timeout 100;
# drop_ip_fragments
#
# Drop all packets that are fragments
#
# NOTE: drop_ip_fragments must GO BEFORE interface
#drop_ip_fragments;
# interface
#
# specifies a network interface to sniff packets from or a pcap
# file to read packets from; more than one can be specified.
#
# Under Linux (kernel v2.2+) libpcap can use an "any" interface which
# will include any interfaces the host has, but these interfaces will
# not be put into promiscuous mode, which may prevent capturing traffic
# that is not directly related to the host.
#
#interface eth0;
#interface fxp0;
#interface any;
#interface /path/to/dump.pcap;
# DNSTAP
#
# specify DNSTAP input from a file, UNIX socket, UDP or TCP connections
# (dsc will listen for incoming connections).
#
# This type of input is delivered directly from the DNS software itself
# as encapsulated DNS packets as seen or as made by the software.
# See https://dnstap.info for more information about DNSTAP.
#
# dnstap_unixsock can take additional optional settings to control access
# to the socket: [user][:group] [umask]
#
# dnstap_unixsock /path/to/unix.sock user:group 0007;
#
# NOTE:
# - Only one DNSTAP input can be specified at a time currently.
# - Configuration needs to match that of the DNS software.
# - Don't use these values as defaults; there is no default port for DNSTAP!
#
#dnstap_file /path/to/file.dnstap;
#dnstap_unixsock /path/to/unix.sock;
#dnstap_tcp 127.0.0.1 5353;
#dnstap_udp 127.0.0.1 5353;
# DNSTAP network information filler
#
# Per the DNSTAP specification, some information, such as the receiver
# or sender of the DNS message, may not be included. To be able to produce
# statistics, dsc needs to know what to put in place when that information
# is missing. This is configured by dnstap_network and should be the
# primary IP addresses and port of the DNS software.
#
# dnstap_network <IPv4> <IPv6> <port>;
#
#dnstap_network 127.0.0.1 ::1 53;
# qname_filter
#
# Defines a custom QNAME-based filter for DNS messages. If
# you refer to this named filter on a dataset line, then only
# queries or replies for matching QNAMEs will be counted.
# The QNAME argument is a regular expression. For example:
#
#qname_filter WWW-Only ^www\. ;
#dataset qtype dns All:null Qtype:qtype queries-only,WWW-Only ;
# datasets
#
# please see dsc.conf(5) man-page for more information.
dataset qtype dns All:null Qtype:qtype queries-only;
dataset rcode dns All:null Rcode:rcode replies-only;
dataset opcode dns All:null Opcode:opcode queries-only;
dataset rcode_vs_replylen dns Rcode:rcode ReplyLen:msglen replies-only;
dataset client_subnet dns All:null ClientSubnet:client_subnet queries-only max-cells=200;
dataset qtype_vs_qnamelen dns Qtype:qtype QnameLen:qnamelen queries-only;
dataset qtype_vs_tld dns Qtype:qtype TLD:tld queries-only,popular-qtypes max-cells=200;
dataset certain_qnames_vs_qtype dns CertainQnames:certain_qnames Qtype:qtype queries-only;
dataset client_subnet2 dns Class:query_classification ClientSubnet:client_subnet queries-only max-cells=200;
dataset client_addr_vs_rcode dns Rcode:rcode ClientAddr:client replies-only max-cells=50;
dataset chaos_types_and_names dns Qtype:qtype Qname:qname chaos-class,queries-only;
#dataset country_code dns All:null CountryCode:country queries-only;
#dataset asn_all dns IPVersion:dns_ip_version ASN:asn queries-only max-cells=200;
dataset idn_qname dns All:null IDNQname:idn_qname queries-only;
dataset edns_version dns All:null EDNSVersion:edns_version queries-only;
dataset edns_bufsiz dns All:null EDNSBufSiz:edns_bufsiz queries-only;
dataset do_bit dns All:null D0:do_bit queries-only;
dataset rd_bit dns All:null RD:rd_bit queries-only;
dataset idn_vs_tld dns All:null TLD:tld queries-only,idn-only;
dataset ipv6_rsn_abusers dns All:null ClientAddr:client queries-only,aaaa-or-a6-only,root-servers-net-only max-cells=50;
dataset transport_vs_qtype dns Transport:transport Qtype:qtype queries-only;
dataset client_port_range dns All:null PortRange:dns_sport_range queries-only;
#dataset second_ld_vs_rcode dns Rcode:rcode SecondLD:second_ld replies-only max-cells=50;
#dataset third_ld_vs_rcode dns Rcode:rcode ThirdLD:third_ld replies-only max-cells=50;
dataset direction_vs_ipproto ip Direction:ip_direction IPProto:ip_proto any;
#dataset dns_ip_version_vs_qtype dns IPVersion:dns_ip_version Qtype:qtype queries-only;
#dataset response_time dns All:null ResponseTime:response_time;
#dataset label_count dns All:null LabelCount:label_count any;
#dataset encryption dns All:null Encryption:encryption queries-only;
# datasets for collecting data on priming queries at root nameservers
#dataset priming_queries dns Transport:transport EDNSBufSiz:edns_bufsiz priming-query,queries-only;
#dataset priming_responses dns All:null ReplyLen:msglen priming-query,replies-only;
# dataset for monitoring an authoritative nameserver for DNS reflection attack
#dataset qr_aa_bits dns Direction:ip_direction QRAABits:qr_aa_bits any;
# dataset for servfail response for dnssec validation fail.
#dataset servfail_qname dns ALL:null Qname:qname servfail-only,replies-only;
# dataset for successful validation.
#dataset ad_qname dns ALL:null Qname:qname authentic-data-only,replies-only;
# bpf_vlan_tag_byte_order
#
# Set this to 'host' on FreeBSD-4 where the VLAN id that we
# get from BPF appears to already be in host byte order.
#bpf_vlan_tag_byte_order host;
# match_vlan
#
# A whitespace-separated list of VLAN IDs. If set, only the
# packets with these VLAN IDs will be analyzed by DSC.
#
#match_vlan 100 200;
# statistics_interval
#
# Specify how often we write statistics; defaults to 60 seconds.
#
#statistics_interval 60;
# no_wait_interval
#
# Do not wait on interval sync to start capturing. Normally DSC will
# sleep for time() % statistics_interval to align with the minute
# (as was the default interval before), but if you change the interval
# to more than a minute you can use this option to begin capture right
# away.
#
#no_wait_interval;
# output_format
#
# Specify the output format; can be given multiple times to output in more than
# one format. The default output format is XML.
#
# Available formats are:
# - XML
# - JSON
#
#output_format XML;
#output_format JSON;
# output file access
#
# The following options control the user, group and file mode bits for the
# output file.
#
#output_user root;
#output_group root;
#output_mod 0664;
# dump_reports_on_exit
#
# Dump any remaining report before exiting.
#
# NOTE: Timing in the data files will be off!
#
#dump_reports_on_exit;
# geoip
#
# The following configuration is used for the MaxMind GeoIP Legacy API
# if present and enabled during compilation.
#
#geoip_v4_dat "/usr/share/GeoIP/GeoIP.dat" STANDARD MEMORY_CACHE MMAP_CACHE;
#geoip_v6_dat "/usr/share/GeoIP/GeoIPv6.dat";
#geoip_asn_v4_dat "/usr/share/GeoIP/GeoIPASNum.dat" MEMORY_CACHE;
#geoip_asn_v6_dat "/usr/share/GeoIP/GeoIPASNumv6.dat" MEMORY_CACHE;
# ASN/Country Indexer and MaxMind DB
#
# The following configuration controls which backend the ASN and Country
# indexers use and, if applicable, which MaxMind database (GeoIP2) files.
#
# Available backends:
# - geoip
# - maxminddb
#
#asn_indexer_backend geoip;
#country_indexer_backend geoip;
#maxminddb_asn "/path/to/GeoLite2/ASN.mmdb";
#maxminddb_country "/path/to/GeoLite2/Country.mmdb";
# Client Subnet Mask
#
# Set the IPv4/IPv6 client subnet mask which is used for the
# ClientSubnet indexer.
#
#client_v4_mask 255.255.255.0;
#client_v6_mask ffff:ffff:ffff:ffff:ffff:ffff:0000:0000;
# Response Time indexer
#
# These settings are for the response time indexer. It tracks each query
# to match it with a response and gives statistics about the time it
# took to answer the query.
#
# Available statistical output modes:
# - bucket
# - log10 (default)
# - log2
#
#response_time_mode log10;
#response_time_max_queries 1000000;
#
# If the number of queries tracked exceeds max_queries the full_mode
# will control how to handle it:
# - drop_query: Drop the incoming query.
# - drop_oldest: Drop the oldest query being tracked and accept the
# incoming one.
#
#response_time_full_mode drop_query;
#
# Set the maximum seconds to keep a query. A query can still be
# matched to a response while being outside this limit and therefore
# there is a mode for how to handle that situation:
# - ceil: The query will be counted as successful but the time it took
# will be the maximum seconds (think ceiling, or ceil()).
# - timed_out: The query will be counted as timed out.
#
#response_time_max_seconds 5;
#response_time_max_sec_mode ceil;
#
# Control the size of bucket (microseconds) in bucket mode.
#
#response_time_bucket_size 100;
# Known TLDs
#
# Load known TLDs from a file, see https://data.iana.org/TLD/tlds-alpha-by-domain.txt
#
#knowntlds_file file;
# TLD list (aka Public Suffix List)
#
# This option changes what DSC considers a TLD (similar to the Public Suffix
# List) and affects any indexers that gather statistics on TLDs, such as
# the tld, second_ld and third_ld indexers.
# The file format is simply one line per suffix and supports commenting out
# lines with #.
# You can use dsc-psl-convert to convert the Public Suffix List to this
# format, see dsc-psl-convert (5) for more information and examples on how
# to setup.
#
#tld_list file;