NODATA is a concept not a record type. It indicates that the name is correct but there are no records of the requested type.

-- Mark Andrews

> On 12 Sep 2025, at 0:34, Wolfgang Riedel via bind-users <bind-users@lists.isc.org> wrote:
>
> Hi Folks,
>
> I just wonder if I am missing something ;-)
>
> I am currently running a POC for RPC Logging into Elasticsearch and just wonder why I can’t see any "rpz QNAME NODATA" in Elasticsearch?
>
> I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector -> Elasticsearch
>
> BIND:
>
>     dnstap { all; };
>     // dnstap { auth; resolver query; resolver response; };
>
>     /* where to capture to: file or unix (socket) */
>     // dnstap-output file "/tmp/named.tap";
>     dnstap-output unix "/run/named/dnstap.sock";
>     dnstap-identity "rr1.xyz.net";
>
>     channel rpz_file {
>         file "/var/log/named/rpz.log" versions 10 size 10m;
>         severity dynamic;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
>
> I am seeing a lot of "rpz QNAME NODATA rewrite" messages in /var/log/named/rpz.log and would like to export them via dnstap instead of local log files and then shipping them to Elasticsearch via a log shipper.
>
> DNSCollector:
>
>     pipelines:
>       - name: "input-bind-dnstap"
>         # Read DNSTap stream from a UNIX socket
>         dnstap:
>           sock-path: /run/named/dnstap.sock
>           sock-rcvbuf: 0
>         routing-policy:
>           # Routes DNS messages from the Unix socket to Elasticsearch
>           forward: [output-elastic]
>           dropped: [output-error-log]
>
>       - name: "output-elastic"
>         elasticsearch:
>           server: "https://k8s-eck.xyz.net:30200"
>           index: "logs-network_traffic.dnscollector-default"
>           bulk-size: 1048576 # 1MB
>           bulk-channel-size: 10
>           # bulk-size refers to the size of the batch of DNS messages sent to your Elasticsearch instance
>           # bulk-channel-size defines the number of batches the DNS collector can hold in memory before dropping them
>           flush-interval: 10 # in seconds
>           # Interval in seconds before to flush the buffer. Set the maximum time interval before the buffer is flushed.
>           # If the bulk batches reach this interval before reaching the maximum size, they will be sent to Elasticsearch.
>           compression: none
>           chan-buffer-size: 0
>           basic-auth-enable: true
>           basic-auth-login: "aaa"
>           basic-auth-pwd: "bbb"
>
> Elasticsearch:
>
> In Elasticsearch I can see all kinds of Resource Record types besides NODATA which is what I am looking for ;-)
>
> So I just wonder if BIND is not exporting NODATA if it’s a result of RPZ or I am missing something else?
>
> —
> Thank you,
> Wolfgang
> ______________________________________________________________________________________________
> Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list.
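
Added example, not part of the original thread or of BIND or DNS-collector: because NODATA is not a record type, it has to be derived from a response's RCODE and answer section. This sketch classifies raw DNS response bytes (the form in which dnstap carries a response message); the function names and sample messages are constructed for illustration, and it assumes client-facing responses from a recursive resolver, so referrals are not considered.

```python
import struct

NOERROR, NXDOMAIN = 0, 3  # RCODE values

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Return 'NXDOMAIN', 'NODATA', 'ANSWER' or 'OTHER' for a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "NXDOMAIN"          # the name itself does not exist
    if rcode != NOERROR or qdcount != 1:
        return "OTHER"             # SERVFAIL, REFUSED, malformed, ...
    off = _skip_name(msg, 12)
    (qtype,) = struct.unpack_from("!H", msg, off)
    off += 4                       # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == qtype:
            return "ANSWER"
    return "NODATA"                # name is fine, no record of the requested type

# Helpers that build constructed sample messages (not captured traffic).
def wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def build(rcode, qname, qtype, answers=()):
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 60, len(rd)) + rd
                   for t, rd in answers)
    return hdr + wire_name(qname) + struct.pack("!HH", qtype, 1) + rrs
```

A response whose answer section holds only a CNAME and no record of the queried type is also classified as NODATA here.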