Skip to content


Root Node Config

A minimal dstore-dist configuration (missing the details of the destination and route configuration) could be:

  - ""
  - "[::1]:2000"
  - addr: ""
      cert_file: /etc/certs/cert.pem
      key_file: /etc/certs/cert.key
  level: Warn
    file: /etc/ipset1.txt
    poll_interval: 10s
    <destination configuration>
    <destination configuration>
    <route configuration>
    <route configuration>

The following YAML key-values are supported for configuration at the root node:

Parameter Type Default Description
batch_buffer_size int 1048576 The size in bytes of the buffer(s) used to batch messages internally. Normally the default of 1048576 (1MB) will suffice, but when using Kafka, making this value around 90% of the value of the kafka max_msg_size is a good idea, to avoid fragmentation of the messages when sending to Kafka.
conn_timeout go:DurationString The idle timeout for incoming connections to dstore-dist. Defaults to no timeout, i,e. only applies if explicitly configured.
debug boolean false Enable/disable very verbose debug logging
destinations Map of Destination Each map key is the name of a destination, and the value is a Destination
history_num_batches int Number of batches to keep in memory for the history API. A batch is capped at 1 MB by default, see batch_buffer_size for the actual size. If this is unset or set to 0, the history API is disabled. The history API can be accessed at /api/history. By default this URL will print additional usage information, including how to switch to Protobuf or JSON output format, and how to filter on certain fields.
http_address string Listen address for HTTP webserver for Prometheus metrics and status page. Value is an address:port string, using the same format as for listen addresses.
http_api_key string If set, an X-API-Key header matching this key is required to access the optional HTTP history API.
ipsets Map of IP Set
listen List of string The addresses that dstore-dist will listen on for new protobuf messages. The value is a list of address:port strings, in either v4 or v6 format. IPv6 addresses must be placed in square brackets like this [::1]. You can omit the address to listen on all local addresses.
log Log Config
routes Map of Route Each map key is the name of a route, and the value is a Route
tls_listen List of TLS Listen The addresses that dstore-dist will listen on for new protobuf messages. The value is a list of address:port strings, in either v4 or v6 format. IPv6 addresses must be placed in square brackets like this [::1]. You can omit the address to listen on all local addresses.

Log Config

Log Configuration is as follows:

Parameter Type Default Description
level string Defaults to Info. Can also be set to Warn, Error, Debug or Trace. For debug level to take effect, the -debug flag must also be set.
stdout boolean false By default logging will go to stderr, set this to true send to stdout instead.
text boolean false If true, enable text-based logging. The default is JSON logging.

TLS Listen

You can configure a TLS Listener as follows:

Parameter Type Default Description
addr string The address:port to listen on
tlsconfig TLS Config Configuration of TLS parameters

TLS Config

Parameter Type Default Description
insecure_skip_verify boolean false Controls whether a client verifies the server's certificate chain and hostname.
ca_file string Optional CA file to use (PEM).
ca string Optional CA to use specified as a string in PEM format.
add_system_ca_pool boolean false Adds the system CA pool if private CAs are enabled, when set.
cert_file string Optional certificate file to use (PEM).
cert string Optional certificate to use specified as a string in PEM format.
key_file string Optional key file to use (PEM).
key string Optional key to use specified as a string in PEM format.
watch_certs boolean false If true, enables background reloading of certifcate files.
watch_certs_poll_interval go:DurationString 5s If watch_certs is true, how often to check for changes.


Parameter Type Required Default Description
file string yes The path to a file containing newline separated IP prefixes (v4 or v6) which can be used for filtering events with various filters.
poll_interval go:DurationString 5s How often to check the file for changes.

An example IPSet file is shown below:
# Comments beginning with # are allowed


The following parameters can be used to configure a destination:

Parameter Type Default Required Description
blackhole string Optional CA file to use (PEM).
burst string Optional certificate file to use (PEM).
rate boolean false Adds the system CA pool if private CAs are enabled, when set.
sample string Optional CA to use specified as a string in PEM format.
type string pdns Type of destination.
Available options: "pdns" "kafka" "storage" "topn".
See below for more configuration options specific to each destination type.

Destination: pdns

Additional parameters are available on dstore-dist destinations with type: pdns (or no type). These should be attributes of the destination item itself. For example:

    type: pdns
Parameter Type Required Default Description
addresses List of string yes List of addresses of downstream servers supporting the pdns protobuf protocol.
Should be either IP:port or host:port
connect_timeout go:DurationString "5s" How long to wait before timing out connection attempts
distribute string roundrobin Distribution algorithm when multiple addresses are configured.
Available options: "roundrobin" "sharded"
framing string "16bit" How to frame protobuf messages.
Available options: "16bit" "32bit" "repeated"
tlsconfig TLS Config {} TLS configuration options
use_tls boolean false If true, attempt to connect to the addresses using TLS
write_timeout go:DurationString "5s" How long to wait before timing out write attempts

Destination: kafka

Additional parameters are available on destinations with type: kafka. These should be nested attributes inside a kafka: item of the destination item itself. For example:

    type: kafka
        - kafka.endpoint.local:9092
      topic: mytopic

The nested kafka: attribute takes the following parameters:

Parameter Type Required Default Description
addresses List of string yes List of addresses of kafka endpoints.
Should be either IP:port or host:port
async boolean false If true, dstore-dist writes to Kafka never block and all responses from Kafka are ignored
balancer string "roundrobin" Balancer used to distribute Kafka messages amongst partitions.
Available options: "roundrobin" "leastbytes" "fnv-1a" "crc32" "murmur2"
batch_size integer 10000 Number of messages which will constitute a batch. dstore-dist will wait for new messages until either the batch size is reached, or the batch_timeout is exceeded
batch_timeout go:DurationString 1ms Timeout before an incomplete batch is written to Kafka
compression string "" Compression codec to use.
Available options: "gzip" "snappy" "lz4" "zstd"
No compression is performed when empty
instance_name string If configured, a header will be added to each Kafka message with this value
json_encode boolean false If true, JSON encode the data before sending to Kafka
max_attempts integer 2 Number of times a message will be attempted to send to kafka
max_msg_size integer 900000 Maximum size of a kafka message (in bytes).
Cannot be lower than 65536.
num_workers integer 2 Number of concurrent workers that will process protobuf messages and send them to kafka
read_timeout go:DurationString 10s Timeout for reads from Kafka
required_acks string "one" How many acks are required from kafka.
Available options: "one" "all" "none"
single_msgs boolean false If true, each Kafka message will only contain a single protobuf message
tlsconfig TLS Config {} TLS configuration options
topic string yes Name of Kafka topic to send messages to
use_tls boolean false If true, attempt to connect to the addresses using TLS
write_timeout go:DurationString 10s Timeout for writes to Kafka

Destination: storage

Additional parameters are available on destinations with type: storage. These should be nested attributes inside a storage: item of the destination item itself. For example:

    type: storage
      type: s3
      encoding: json
        secretName: myS3secret
        endpoint_url: https://my.s3.endpoint.local
        bucket: myBucket
        region: myRegion

The nested storage: attribute takes the following parameters:

Parameter Type Required Default Description
encoding string "protobuf" Encoding used for the files.
Available options: "protobuf" "json" "bind"
flush_interval go:DurationString 300s Time between consecutive flushes to storage (only if max_size is not reached before this interval)
max_size integer Maximum size in bytes of the file (before compression).
Defaults to dstore-dist's toplevel configuration item batchBufferSize. If batchBufferSize is not set the value will be 1048576
num_workers integer 2 Number of concurrent workers that will process protobuf messages and attempt to store them
options Storage Options yes Configuration of the storage backend
type string "s3" Type of storage backend.
Available options: "s3" "fs"
use_compression boolean false If true, compress files using gzip compression

Storage Options

For storage with type: s3 the following can be configured under options:

Parameter Type Required Default Description
access_key string S3 access key.
Use of secretName is recommended for security reasons
bucket string yes Name of the S3 bucket
endpoint_url string yes Endpoint of the S3 service to connect to
region string "us-east-1" Region used when connecting to the S3 endpoint
secret_key string S3 secret key.
Use of secretName is recommended for security reasons
secretAccessKey string "access_key" If secretName is specified: name of the item inside the Secret which holds the access key
secretName string Name of a pre-existing Kubernetes Secret containing a username & password for authentication with Elastic
secretSecretKey string "secret_key" If secretName is specified: name of the item inside the Secret which holds the secret key
tlsconfig TLS Config {} TLS configuration options

For storage with type: fs the following can be configured under options:

Parameter Type Required Default Description
root_path string yes The path to a directory in which the files will be stored


Parameters which can be used to configure a dstore-dist route:

    type: pdns
      - another.dstoredist.endpoint.local:1234
      - mydestination
Parameter Type Required Default Description
append_tags List of string [] List of tags which will be appended to each message for this route
destinations List of string yes List of names of destinations, these must have been configured on this dstore-dist instance
filters List of Filter {} Filters to restrict which messages are sent for this route


By default, all events will be sent to a particular destination, however configuring filters for a route allows only events matching the filter to be sent.

For example the following filters configuration ensures that only events that contain the query name and are sent over IPv4 transport are sent to the destinations listed under myroute:

    type: pdns
      - another.dstoredist.endpoint.local:1234
      - mydestination
      - qname:
      - is_ipv4: true

Note that the top-level filters are joined with an implicit and filter, meaning that all filters have to match for a message to reach the specified destination(s).

Matching Filters

Matching filters are used to match events based on specific information in the query/response. The list of possible filters is listed below:

Parameter Type Default Description
edns_version integer Match the edns version in the message
integer These perform integer comparisons on the edns version in the message
edns_version_not integer This is simply the inverse of edns_version
from_in_ipset string Match all messages where the from IP is in a range contained in the named IP set
has_deviceid boolean Matches if the message has a deviceid field
has_policy boolean Matches if message has an appliedPolicy field in the response
has_requestorid boolean Matches if message has a requestorID fields in the response
has_tags boolean Matches if message has any tags set
has_aa_flag boolean Matches if message has AA flag set
has_tc_flag boolean Matches if message has TC flag set
has_rd_flag boolean Matches if message has RD flag set
has_ra_flag boolean Matches if message has RA flag set
has_ad_flag boolean Matches if message has AD flag set
has_cd_flag boolean Matches if message has CD flag set
has_do_flag boolean Matches if message has DO flag set
has_unique_domain_response boolean Matches if message has a unique domain response flag set in any response RR. Only applied to responses.
is_ipv4 boolean Matches if the DNS query was received over IPv4
is_ipv4 boolean Matches if the DNS query was received over IPv4
is_response boolean Matches if the message is a response message (as opposed to a query message)
is_query boolean Matches if the message is a query message (as opposed to a response message)
is_outgoing_query boolean Matches if the message is an outgoing query message (i.e. a query sent by a server)
is_incoming_response boolean Matches if the message is an incoming response message (i.e. in response to an outgoing query)
is_tcp boolean Matches if the DNS query was received over TCP
is_udp boolean Matches if the DNS query was received over UDP
is_newly_observed_domain boolean Matches if the DNS query was a newly observed domain
is_cache_hit boolean Matches if the DNS query was answered without performing outgoing queries
is_packet_cache_hit boolean Matches if the DNS query was answered specifically from the packet cache
latency_msec integer Matches the latency field in the message, in milliseconds
integer These perform integer comparisons on the latency_msec field in the message
latency_msec_not integer This is simply the inverse of latency_msec
qname string The value is a domain name; the filter matches if the query qname is an exact match (case-insensitive) for the specified domain name.
qname_sub string The value is a domain name; the filter matches if the query qname is a subdomain of the specified domain name. Matches are case-insensitive.
qtype string or integer The value matches the query resource record type of the request. It can be specified as a string or an integer, as any string will be converted to an integer using the mapping specified in If the type is very new, you may need to use the integer version.
string or integer These perform integer comparisons on qtype, after converting the type to an integer
qtype_not string or integer This is simply the inverse of qtype
reqsubnet_in_ipset string Match all messages where the 'origRequestedSubnet' IP is in a range contained in the named IP set
rcode integer Match the response code in the message (only for messages that contain a response)
integer These perform integer comparisons on the response code in the message
rcode_not integer This is simply the inverse of rcode
tag string Match a specific tag
tag_prefix string Match the start of a tag

Boolean Logic Filters

The and, or and not filters are used to combine or invert matching filters to create more complex filter patterns.

Parameter Type Default Description
and List of Filter Applies a logical AND to all the specified filters
not Filter Inverts the specified filter
or List of Filter Applies a logical OR to all the specified filters

For example:

      - mydestination
      - tag: REQUIRED_TAG
      - or:
        - tag: GAMBLING
        - tag: FASHION
      - not: