Home / Industry

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Verisign Labs Distinguished Speaker Series is a quarterly forum to bring together members of the technical community to network and listen to distinguished speakers about issues related to internet technology.

Discussion: Passive DNS Collection and Analysis – the “DNSTAP” Approach

DNS is a high volume low latency datagram protocol at the heart of the Internet—it enables almost all other traffic flows. Any analysis of network traffic for security purposes will necessarily include contemporaneous DNS traffic which might have resulted from or directed that traffic. Netflow by itself can answer the question, “what happened?” but it cannot by itself answer the equally important question, “why?”

Collecting DNS query and response data has always been challenging due to the impedance mismatch between DNS as an asynchronous datagram service and available synchronous persistent storage systems. Success in DNS telemetry has historically come from the PCAP/BPF approach, where the collection agent reassembles packets seen ‘on the wire’ into DNS transaction records, with complete asynchrony from the DNS server itself. It is literally and always preferable to drop transactions from the telemetry path than to impact the operation a production DNS server in any way.

BPF/PCAP is not a panacea, though, since the complexity of state-keeping means that most passive DNS collectors are blind to TCP transactions, and all are blind to data elements which don’t appear on the wire, such as cache purge or cache expiration events, or to “view” identifiers or current delegation point. The Farsight Security team has therefore designed a new open source and open protocol system called “dnstap” with a transmission/reception paradigm that preserves the necessary lossiness of DNS transaction collection while avoiding the state-keeping of BPF/PCAP based systems.

The upcoming event will cover passive DNS including collection, sharing, post-processing, database construction, and access, using the Farsight Security system as a model. “dnstap” will be introduced in that context, including a status report and road-map.


Paul Vixie – Dr. Paul Vixie is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He has served on the ARIN Board of Trustees since 2005, where he served as Chairman in 2008 and 2009, and is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC’s F-Root name server for many years, and is a member of Cogent’s C-Root team. He is a sysadmin for Op Sec Trust.

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC.

Robert Edmonds – Robert Edmonds is a software developer at Farsight Security. He is responsible for maintaining several core components of Farsight’s Security Information Exchange (SIE) and DNSDB products, including the ‘nmsg’ network message encapsulation library, the ‘mtbl’ immutable sorted string table library, and the ‘wdns’ low-level DNS library. His current projects include the development of ‘dnstap’, a framework for exporting event data from DNS software, and the ongoing maintenance of ‘protobuf-c’, a C implementation of the “Protocol Buffers” data serialization format.

Event Date & Time

Wednesday, December 17, 2014
8:30 a.m. – 10:30 a.m.

Event Location

Verisign Reston Headquarters
12061 Bluemont Way
Reston, VA 20190
(703) 948-3200


Breakfast/Networking (8:30 – 9:00 am)
Presentation (9:00 – 10:00 am)
Networking (10:00 – 10:30 am)

Registration Page

Questions? Contact Verisign’s Events Team at [email protected]

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API