
CoreDNS

Overview

This document describes how to send DNS query and response data from a CoreDNS server to AlphaSOC for analysis. AlphaSOC consumes the dnstap stream and analyzes it to identify security threats and detect anomalies.

To transfer the data, configure the Corefile of the CoreDNS server so that its dnstap plugin streams to AlphaSOC's API.

Corefile Configuration for CoreDNS version 1.11.0 and later

Replace the following placeholders with your own values:

  • {{ALPHASOC_TOKEN}} - token assigned in the AlphaSOC console; it authenticates your data, so handle it as a secret
  • {{DATA_SCOPE}} - unique identifier for the source of the DNS traffic, e.g. a cluster name or site location

Add the following configuration to the Corefile:

.:53 {
  dnstap tls://dnstap.alphasoc.net:443 full {
    identity "alphasoc:{{ALPHASOC_TOKEN}}:{{DATA_SCOPE}}"
  }
}

Corefile Configuration for CoreDNS versions prior to 1.11.0

For CoreDNS releases before 1.11.0, the dnstap plugin does not support TLS natively. Use a TLS proxy such as stunnel to protect the data in transit: CoreDNS sends dnstap frames to stunnel over plain TCP, and stunnel forwards them to AlphaSOC over TLS. Because that first hop is unencrypted, run stunnel on the same host (or in the same pod) as CoreDNS and bind it to a loopback address rather than a network-facing one.

Replace the following placeholders with your own values:

  • {{ALPHASOC_TOKEN}} - token assigned in the AlphaSOC console; it authenticates your data, so handle it as a secret
  • {{DATA_SCOPE}} - unique identifier for the source of the DNS traffic, e.g. a cluster name or site location
  • {{STUNNEL_SERVICE_ADDRESS}} - address at which the stunnel service is reachable from CoreDNS, e.g. an IP address or hostname
  • {{STUNNEL_ACCEPT_PORT}} - port on which stunnel accepts incoming connections

Add the following configuration to the Corefile:

.:53 {
  dnstap tcp://{{STUNNEL_SERVICE_ADDRESS}}:{{STUNNEL_ACCEPT_PORT}} full {
    identity "alphasoc:{{ALPHASOC_TOKEN}}:{{DATA_SCOPE}}"
  }
}

If CoreDNS is deployed in Kubernetes:

  1. Deploy stunnel from a stunnel container image that reads its configuration from the STUNNEL_* environment variables below, preferably as a sidecar in the CoreDNS pod so the unencrypted leg never leaves the pod.
  2. Set the following environment variables in the stunnel container:
     STUNNEL_SERVICE=<name of the stunnel service section, e.g. dnstap-tunnel>
     STUNNEL_ACCEPT=<port on which stunnel accepts connections>
     STUNNEL_CONNECT=dnstap.alphasoc.net:443
     STUNNEL_CLIENT=yes
  3. Configure CoreDNS to forward dnstap data to stunnel over TCP using the Corefile above, with {{STUNNEL_SERVICE_ADDRESS}} and {{STUNNEL_ACCEPT_PORT}} pointing at the stunnel listener.
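The pre-1.11.0 procedure above gives the stunnel settings only as container environment variables. The script below is an added example, not part of AlphaSOC's or CoreDNS's own documentation: it renders an equivalent stunnel client configuration and the matching Corefile from the four placeholders, and validates the Corefile before rollout. The CA bundle path, the scope name and the listener address and port are assumptions, overridable through the environment. It also turns on server certificate verification (verifyChain, checkHost), which stunnel leaves off by default; without it the tunnel encrypts but does not authenticate the endpoint receiving your token.

```shell
#!/bin/sh
# Added example, not AlphaSOC's or CoreDNS's own files. Renders a stunnel
# client configuration and the matching Corefile for the pre-1.11.0 setup,
# then sanity-checks the Corefile before it is rolled out.
# All values below are assumptions: override them via the environment.

ALPHASOC_TOKEN="${ALPHASOC_TOKEN:-REPLACE_ME}"                # from the AlphaSOC console
DATA_SCOPE="${DATA_SCOPE:-site-eu-1}"                         # assumed scope name
STUNNEL_SERVICE_ADDRESS="${STUNNEL_SERVICE_ADDRESS:-127.0.0.1}"  # loopback: keep the TCP leg local
STUNNEL_ACCEPT_PORT="${STUNNEL_ACCEPT_PORT:-6000}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-certificates.crt}"      # assumed CA bundle path (Debian layout)

# stunnel client config. stunnel does NOT verify the remote certificate by
# default; verifyChain + checkHost make the AlphaSOC endpoint authenticate
# itself, which matters because every dnstap frame carries your token in
# the identity field.
render_stunnel_conf() {
  cat <<EOF
client = yes
foreground = yes

[dnstap-tunnel]
accept = ${STUNNEL_SERVICE_ADDRESS}:${STUNNEL_ACCEPT_PORT}
connect = dnstap.alphasoc.net:443
CAfile = ${CA_FILE}
verifyChain = yes
checkHost = dnstap.alphasoc.net
EOF
}

# Corefile pointing the dnstap plugin at the local stunnel listener over TCP.
render_corefile() {
  cat <<EOF
.:53 {
  dnstap tcp://${STUNNEL_SERVICE_ADDRESS}:${STUNNEL_ACCEPT_PORT} full {
    identity "alphasoc:${ALPHASOC_TOKEN}:${DATA_SCOPE}"
  }
}
EOF
}

# Reject a Corefile that still carries a placeholder, and require the identity
# to look like alphasoc:<token>:<scope>. Returns 0 on success, 1 otherwise.
check_corefile() {
  corefile="$1"
  if grep -Eq '\{\{|REPLACE_ME' "$corefile"; then
    echo "check_corefile: unreplaced placeholder in $corefile" >&2
    return 1
  fi
  identity=$(sed -n 's/.*identity "\([^"]*\)".*/\1/p' "$corefile")
  nfields=$(printf '%s\n' "$identity" | awk -F: '{ print NF }')
  if [ "$nfields" -lt 3 ] || [ "${identity%%:*}" != "alphasoc" ]; then
    echo "check_corefile: identity must be alphasoc:<token>:<scope>, got '$identity'" >&2
    return 1
  fi
  return 0
}

# Usage: ALPHASOC_TOKEN=... DATA_SCOPE=... sh render.sh render
# Writes stunnel.conf and Corefile to the current directory and validates
# the Corefile; exits non-zero if a placeholder was left in place.
if [ "${1:-}" = "render" ]; then
  render_stunnel_conf > stunnel.conf
  render_corefile > Corefile
  check_corefile Corefile
fi
```

When stunnel instead runs as a sidecar built from an image that is configured purely through the STUNNEL_* variables, confirm that the image verifies the server certificate; if it does not, mount a CA bundle and a config like the one rendered here rather than relying on the defaults.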