pdns-recursor: dnstapFrameStreamServer log responses for rpz mappings

[ousatov-ua]

Hi!
I have pdns-recursor setup.

PowerDNS Recursor 5.0.3 (C) PowerDNS.COM BV
Using 64-bits mode. Built using clang 16.0.3 (CLANG: AOCC_4.2.0-Build#89 2023_12_13)
Configured with: " '--enable-dnstap' '--enable-lto' '--enable-systemd' '--with-libcap' '--with-libcurl=/usr/lib' 'CFLAGS=-O3 -pipe -march=znver3 -flto' 'CPPFLAGS=-O3 -pipe -march=znver3 -flto' 'CXX=clang++' 'CXXFLAGS=-O3 -pipe -march=znver3 -flto'"

Also, I have some blocklists as rpz loaded:

rpzFile("/opt/powerdns/blocklists/oisd-nsfw.rpz", {ignoreDuplicates = true})

Added dnstap logging for pdns-recursor:

dnstapFrameStreamServer("/var/lib/pdns-recursor/dnstap.sock", {logQueries=false})

Everything works ok, responses for recursions are logged.

The problem that I want to log responses for which recursion was not executed: basically, those from rpz.

For instance, I have rpz rule to return NXDOMAIN for all "*.xyz". When client requests some domain asd.xyz, he receives NXDOMAIN... but this is not logged!
Is there a possibility to turn it on?

Thank you in advance!

[omoerbeek]

dnstapFrameStreamServer only logs traffic between the recursor and upstream servers. We also have protobuf logging that logs traffic traffic between clients and rec. This includes the information you want. It's in a powerdns specific protobuf format, but the information is pretty easy to decode.