Gravwell CoreDNS plugin

The Gravwell CoreDNS plugin integrates DNS auditing directly into Gravwell. The plugin acts as an integrated ingester and ships DNS requests and responses directly to a Gravwell instance.

DNS requests and responses can be encoded as text, JSON, or a packed binary format.

CoreDNS Kit in Gravwell

Gravwell provides a CoreDNS Kit that works out of the box with data ingested by CoreDNS and includes a number of prebuilt queries, dashboards, and investigation tools.

Gravwell CoreDNS Kit

Building CoreDNS with the Gravwell plugin

git clone
pushd coredns
sed -i 's/metadata:metadata/metadata:metadata\\/gravwell\/coredns/g' plugin.cfg
go generate
go get
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /tmp/coredns

The statically linked CoreDNS server with the Gravwell plugin will be located at /tmp/coredns.

Getting started with Gravwell

Install Gravwell Community Edition

Grab a free Gravwell license

Configure your Corefile with an indexer target and your Ingest-Secret
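A pre-deployment check for the gravwell block of a Corefile, as an added example that is not part of the plugin or this repository: it flags the security-relevant directives that appear in the example Corefile (disabled TLS validation, a cleartext target, the placeholder secret, a cache file under /tmp). The function names `gravwell_directives` and `audit` are hypothetical, and the sample Corefile, its address and its port are constructed.

```python
import re

PLACEHOLDER_SECRET = "IngestSecretToken"  # value shown in the example Corefile

def gravwell_directives(corefile):
    """Return (name, value) for each active directive inside a gravwell { } block."""
    found, inside = [], False
    for raw in corefile.splitlines():
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if not line:
            continue
        if not inside:
            inside = re.fullmatch(r"gravwell\s*\{", line) is not None
        elif line == "}":
            inside = False
        else:
            parts = line.split(None, 1)  # directive name, then the rest as value
            found.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return found

def audit(corefile):
    """Return one warning string per risky setting in the gravwell block."""
    warnings = []
    for name, value in gravwell_directives(corefile):
        if name == "insecure-novalidate-tls" and value.lower() == "true":
            warnings.append("TLS certificate validation is disabled")
        elif name == "cleartext-target":
            warnings.append(f"DNS audit data goes to {value} without TLS")
        elif name == "ingest-secret" and value == PLACEHOLDER_SECRET:
            warnings.append("Ingest-Secret is still the example placeholder")
        elif name == "ingest-cache-path" and value.startswith("/tmp/"):
            warnings.append(f"ingest cache {value} is in world-writable /tmp")
    return warnings

# Constructed sample; 192.0.2.10 is a documentation address, 4023 an assumed port.
SAMPLE = """\
.:53 {
  cache 240
  gravwell {
   Ingest-Secret IngestSecretToken
   Cleartext-Target 192.0.2.10:4023
   Tag dns
   #Insecure-Novalidate-TLS true
   Ingest-Cache-Path /tmp/coredns_ingest.cache
  }
}
"""

if __name__ == "__main__":
    for warning in audit(SAMPLE):
        print("WARN:", warning)
```

Commented-out directives are ignored, so the sample produces three warnings and none for `Insecure-Novalidate-TLS`.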

Example Corefile

.:53 {
  forward .
  errors stdout
  cache 240
  gravwell {
   Ingest-Secret IngestSecretToken
   Tag dns
   Encoding json
   Log-Level INFO
   #Cleartext-Target #second indexer
   #Insecure-Novalidate-TLS true #disable TLS certificate validation
   #Ingest-Cache-Path /tmp/coredns_ingest.cache #enable the local ingest cache
   #Max-Cache-Size-MB 1024