Gravwell CoreDNS plugin

The Gravwell CoreDNS plugin allows for directly integrating DNS auditing into Gravwell. The plugin acts as an integrated ingester and ships DNS requests and responses directly to a Gravwell instance.

DNS requests and responses can be encoded as text, JSON, or as a packed binary format.

CoreDNS Kit in Gravwell

Gravwell provides a CoreDNS Kit to work with data ingested by CoreDNS out of the box and provides a number of prebuilt queries, dashboards, and investigation tools.

Gravwell CoreDNS Kit

Building CoreDNS with the Gravwell plugin

git clone
pushd coredns
sed -i 's/metadata:metadata/metadata:metadata\\/gravwell\/coredns/g' plugin.cfg
go generate
go get
CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /tmp/coredns

The statically linked CoreDNS server with the Gravwell plugin will be located at /tmp/coredns.

Getting started with Gravwell

Install Gravwell community edition

Grab a free Gravwell license

Configure your Corefile with an indexer target and your Ingest-Secret

Example Corefile

.:53 {
  forward .
  errors stdout
  cache 240
  gravwell {
   Ingest-Secret IngestSecretToken
   Tag dns
   Encoding json
   Log-Level INFO
   #Cleartext-Target #second indexer
   #Insecure-Novalidate-TLS true #disable TLS certificate validation
   #Ingest-Cache-Path /tmp/coredns_ingest.cache #enable the local ingest cache
   #Max-Cache-Size-MB 1024
  }
}
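
A pre-deployment check for the gravwell block of a Corefile like the one above, flagging the options that weaken the ingest path. This is an added example, not code from the Gravwell project; the function name, the finding texts and the sample indexer address are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: the example gravwell block with its commented-out options enabled.
const sampleCorefile = `.:53 {
  gravwell {
   Ingest-Secret IngestSecretToken
   Cleartext-Target indexer.example:4023
   Insecure-Novalidate-TLS true
   Ingest-Cache-Path /tmp/coredns_ingest.cache
  }
}`

// AuditGravwellBlock returns one finding per risky directive inside gravwell { ... }.
func AuditGravwellBlock(corefile string) []string {
	var findings []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(corefile))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#") // commented-out options are ignored
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank or comment-only line
		case !inBlock:
			inBlock = len(f) == 2 && f[0] == "gravwell" && f[1] == "{"
		case f[0] == "}":
			inBlock = false
		case f[0] == "Ingest-Secret" && len(f) > 1 && f[1] == "IngestSecretToken":
			findings = append(findings, "Ingest-Secret: example placeholder still in use")
		case f[0] == "Cleartext-Target":
			findings = append(findings, "Cleartext-Target: DNS entries reach the indexer without TLS")
		case f[0] == "Insecure-Novalidate-TLS" && len(f) > 1 && strings.EqualFold(f[1], "true"):
			findings = append(findings, "Insecure-Novalidate-TLS: indexer certificate is not validated")
		case f[0] == "Ingest-Cache-Path" && len(f) > 1 && strings.HasPrefix(f[1], "/tmp/"):
			findings = append(findings, "Ingest-Cache-Path: DNS audit cache sits in shared /tmp")
		}
	}
	return findings
}

func main() {
	for _, finding := range AuditGravwellBlock(sampleCorefile) {
		fmt.Println(finding)
	}
}
```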