Gravwell CoreDNS plugin
kristopher watts
Latest commit 1baa0c3 Jul 16, 2018

Gravwell CoreDNS plugin

The Gravwell CoreDNS plugin allows for directly integrating DNS auditing into Gravwell. The plugin acts as an integrated ingester and ships DNS requests and responses directly to a Gravwell instance.

DNS requests and responses can be encoded as text, JSON, or as a packed binary format.

Building CoreDNS with the Gravwell plugin

go get
pushd $GOPATH/src/
sed -i 's/metadata:metadata/metadata:metadata\\/gravwell\/coredns/g' plugin.cfg
go generate
CGO_ENABLED=0 go build -o /tmp/coredns

The statically built CoreDNS server with the Gravwell plugin will be located at /tmp/coredns.

Getting started with Gravwell

Install Gravwell community edition

Grab a free Gravwell license

Configure your Corefile with an indexer target and your Ingest-Secret
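A pre-deployment check for the gravwell block of a Corefile, added here as an example (it is not part of the plugin or its README): it flags an active Cleartext-Target, disabled TLS certificate validation, and an Ingest-Secret left at the example value. The AuditGravwell helper and the hostnames in the sample are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: hostnames are placeholders, not values from the README.
const sampleCorefile = `.:53 {
  gravwell {
   Ingest-Secret IngestSecretToken
   Cleartext-Target indexer.example.internal:4023
   Insecure-Novalidate-TLS true
   #Cleartext-Target backup.example.internal:4023
  }
}`

// AuditGravwell (hypothetical helper) reports risky active gravwell directives.
func AuditGravwell(corefile string) []string {
	var findings []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(corefile))
	for n := 1; sc.Scan(); n++ {
		line, _, _ := strings.Cut(sc.Text(), "#") // commented-out directives are ignored
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case f[0] == "gravwell" && f[len(f)-1] == "{":
			inBlock = true
		case f[0] == "}":
			inBlock = false
		case !inBlock || len(f) < 2:
		case f[0] == "Cleartext-Target":
			findings = append(findings, fmt.Sprintf("line %d: Cleartext-Target ships DNS audit data without TLS", n))
		case f[0] == "Insecure-Novalidate-TLS" && strings.EqualFold(f[1], "true"):
			findings = append(findings, fmt.Sprintf("line %d: TLS certificate validation is disabled", n))
		case f[0] == "Ingest-Secret" && f[1] == "IngestSecretToken":
			findings = append(findings, fmt.Sprintf("line %d: Ingest-Secret is still the example value", n))
		}
	}
	return findings
}

func main() {
	for _, f := range AuditGravwell(sampleCorefile) {
		fmt.Println(f)
	}
}
```

Run it against the real Corefile in CI or before a restart and treat any finding as a failed check.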

Example Corefile

.:53 {
  forward .
  errors stdout
  cache 240
  gravwell {
   Ingest-Secret IngestSecretToken
   Tag dns
   Encoding json
   Log-Level INFO
   #Cleartext-Target #second indexer
   #Insecure-Novalidate-TLS true #disable TLS certificate validation
   #Ingest-Cache-Path /tmp/coredns_ingest.cache #enable the local ingest cache
   #Max-Cache-Size-MB 1024