How it works

All the software components in dstore accept events over the network and process them in some way; for example distributing them to different destinations, converting them to different formats, aggregating them into reports etc. Each event contains a DNS message (source address, query name, query type, etc.) augmented by performance counters.

dstore receives events wrapped in Protocol Buffers (a.k.a. protobuf). These are a language-neutral, platform-neutral, extensible mechanism for serializing structured data.

The events destined for dstore can be emitted by a variety of sources:

  • PowerDNS Recursor
  • PowerDNS dnsdist
  • PowerDNS Authoritative Server
  • dnspcap2protobuf from the PowerDNS distribution


dstore consists of a number of components which interact with each other.

We next describe the individual components which make up dstore.


The dstore-dist is the primary daemon which listens for events on TCP port 2000, and performs a variety of processing on those events, including filtering, distribution to different destinations, and conversion to new protocols such as Kafka. It is responsible for listening for events, decoding protobufs, and the onwards forwarding of events.


The dstore-dist-topn-reporter is used to generate reports from protobuf messages. These reports are usually based on sampled data (dstore-dist can be used to perform the data sampling before passing the events to topn-reporter). Reports are stored in a backend, which can either be HTTP or Elasticsearch.


The dnspcap2protobuf utility from the PowerDNS distribution reads a pcap file and converts it to protobuf format which you can subsequently feed to dstore:

tcpdump -i enp0s25 udp port 53 -w example.pcap
dnspcap2protobuf example.pcap /dev/stdout | nc 2000