OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: olivero on January 06, 2025, 07:01:11 PM

Title: Feature Request: Unbound compiled with dnstap feature
Post by: olivero on January 06, 2025, 07:01:11 PM
Hi everybody,

facts first: as per 24.7.11_2 the packaged unbound comes without the support for dnstap compiled into the executable. Trying to enable dnstap logging results in the following error:

2025-01-06T14:56:31 Critical unbound [78275:0] fatal error: dnstap enabled in config but not built with dnstap support

Why would it be great to have dnstap enabled? Because it is the only feasible way in unbound to log the resolved IP as part of the result of the query (see: https://github.com/NLnetLabs/unbound/issues/733). Having the result is important because it allows correlations with blocklists and helps greatly to detect DNS-based attacks. In addition, it helps to verify that unbound actually returns the "right" IP (e.g. 127.0.0.1) for blocked sites or malicious domains.

Hence I suggest building the dnstap support into the packaged unbound binary in order to better support the integration of OPNsense/unbound with SIEM platforms like Splunk/Wazuh.

If needed, I'm happy to supply further details and/or help with implementing/integrating the functionality into the logging subsystem.

Let's have a great 2025!
Oliver 
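
The correlation described in the post above, as an added example that is not part of the original post or of OPNsense/unbound: it checks that blocked names resolve only to the sinkhole address and flags answers that land on an IP blocklist. The JSON-lines record layout, field names, blocklists and sample records are constructed assumptions, not the output format of any dnstap tool.

```python
import ipaddress
import json

# Constructed sample: DNS responses assumed to be already decoded from dnstap
# into JSON lines. The field names are hypothetical, chosen for this example.
SAMPLE_RECORDS = """\
{"ts": "2025-01-06T15:00:01Z", "client": "192.0.2.10", "qname": "ads.example.net.", "answers": ["127.0.0.1"]}
{"ts": "2025-01-06T15:00:02Z", "client": "192.0.2.11", "qname": "tracker.example.org.", "answers": ["198.51.100.7"]}
{"ts": "2025-01-06T15:00:03Z", "client": "192.0.2.10", "qname": "www.example.com.", "answers": ["203.0.113.25", "2001:db8::25"]}
{"ts": "2025-01-06T15:00:04Z", "client": "192.0.2.12", "qname": "docs.example.com.", "answers": ["192.0.2.80"]}
"""

BLOCKED_DOMAINS = {"example.net", "tracker.example.org"}  # constructed domain blocklist
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # constructed IP blocklist
SINKHOLE = {ipaddress.ip_address("127.0.0.1")}             # answer expected for blocked names


def is_blocked_name(qname):
    """True if qname or any of its parent domains is on the domain blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def correlate(lines):
    """Return (ts, client, qname, finding) tuples for responses worth an alert."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        addrs = [ipaddress.ip_address(a) for a in rec["answers"]]
        if is_blocked_name(rec["qname"]):
            # A blocked name must resolve only to the sinkhole; anything else
            # means the resolver did not enforce the block for this query.
            bad = [str(a) for a in addrs if a not in SINKHOLE]
            kind = "block-bypassed"
        else:
            # The name is not blocked, but the returned address may be.
            # Mixed IPv4/IPv6 membership tests simply evaluate to False.
            bad = [str(a) for a in addrs if any(a in net for net in BLOCKED_NETS)]
            kind = "blocklisted-ip"
        if bad:
            findings.append((rec["ts"], rec["client"], rec["qname"], kind + ":" + ",".join(bad)))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_RECORDS):
        print(*finding)
```
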
Title: Re: Feature Request: Unbound compiled with dnstap feature
Post by: paul-ncx on January 15, 2025, 06:18:33 PM
We need this as well. We are currently deciding whether to shift our DNS forwarding from OPNsense to another device just so we can have access to DNSTAP data.
Title: Re: Feature Request: Unbound compiled with dnstap feature
Post by: Monviech (Cedrik) on January 15, 2025, 06:33:37 PM
Create an issue in GitHub

https://github.com/opnsense/ports/issues