The software consists of two major parts:
- DNS TAPIR Edge – A service that runs close to a DNS resolver; it aggregates query logs and forwards data to the cloud service.
- DNS TAPIR Core – The cloud service that aggregates, analyses and annotates data, and produces observations.
Overview
Core
Portal
The portal is a (future) web UI to manage edge devices and monitor system performance and operations.
Analyse
Analyse is a collection of modules that derive new events and aggregates from existing events and aggregates. Analyse modules can be implemented as serverless (aka "lambda") functions or as long-running processes, depending on requirements.
Intelligence Feeder
Intelligence Feeder feeds policy events generated by Analyse to Edge and other consumers (e.g., 3rd parties and partners).
Event Receiver
Incoming events from Minimise are written to a database as well as republished to Analyse for immediate processing.
Aggregate Receiver
Incoming aggregates from Aggregate Feeder are written as received (without modification) to an object store. Additional data about each aggregate (e.g. signatures, headers, timestamps) is written to a metadata database. Once a new aggregate is ready for processing, a new aggregate event is created.
Edge
Client DNS queries are sent either directly to a classic Resolver or via a Resolver Proxy. Queries and response actions are logged via DNSTAP to Minimise, where initial query processing commences. Analysed queries that require immediate action are sent to Core as real time events or as part of a query aggregate.
Minimise
Minimise receives DNSTAP messages from the Resolver and/or from the Resolver Proxy. Messages requiring immediate action are sent as real time events to Core, whereas other messages are aggregated using the Featurestore. Aggregates are periodically submitted to Core.
Examples of real time events are:
- New domains
- Domains matching a pattern on the watchlist?
Interfaces
- DNSTAP messages are received via DNSTAP over TLS or cleartext TCP.
- Realtime events are submitted as signed JSON messages via MQTTv5 over mTLS.
- Incremental policies are received from Edge Manager.
- Bootstrap configurations are received from Core Configuration API.
Featurestore
The Featurestore is used to store messages to be aggregated. It is initially implemented using ClickHouse, but could use other similar databases if required.
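As an added illustration of the Minimise triage described above (example code, not the project's own), the following Python sketch routes query records either to real time events (new domains, watchlist pattern matches) or into a Featurestore stand-in that is flushed as per-period aggregates. The record fields, the watchlist patterns and the set of already-known domains are constructed assumptions.

```python
import fnmatch
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed query records, standing in for what Minimise derives from DNSTAP
# messages. The field names are assumptions, not the project's schema.
SAMPLE_QUERIES = [
    {"ts": 1700000000, "qname": "example.com.", "qtype": "A", "client": "10.0.0.5"},
    {"ts": 1700000001, "qname": "EXAMPLE.com", "qtype": "A", "client": "10.0.0.7"},
    {"ts": 1700000002, "qname": "login-bank.example.net.", "qtype": "A", "client": "10.0.0.5"},
    {"ts": 1700000003, "qname": "cdn.example.org.", "qtype": "AAAA", "client": "10.0.0.9"},
]

# Constructed watchlist (shell-style patterns) and a constructed set of domains
# the edge has already seen; anything outside it counts as a "new domain".
WATCHLIST = ["*bank*", "*.example.org."]
KNOWN_DOMAINS = {"example.com.", "cdn.example.org."}


@dataclass
class Minimise:
    watchlist: list
    known: set
    realtime: list = field(default_factory=list)
    # Featurestore stand-in: (qname, qtype) -> {"count": n, "clients": set}
    store: dict = field(default_factory=lambda: defaultdict(lambda: {"count": 0, "clients": set()}))

    def process(self, q: dict) -> list:
        # Normalise: lower-case with exactly one trailing dot so lookups are stable.
        qname = q["qname"].lower().rstrip(".") + "."
        reasons = []
        if qname not in self.known:  # first sighting of this domain
            self.known.add(qname)
            reasons.append("new_domain")
        if any(fnmatch.fnmatchcase(qname, p) for p in self.watchlist):
            reasons.append("watchlist")
        if reasons:  # needs immediate action: becomes a real time event for Core
            self.realtime.append({"ts": q["ts"], "qname": qname, "qtype": q["qtype"], "reasons": reasons})
        else:        # otherwise it is only counted in the aggregate
            entry = self.store[(qname, q["qtype"])]
            entry["count"] += 1
            entry["clients"].add(q["client"])
        return reasons

    def flush(self) -> list:
        # Emit the aggregate rows for the period (what would go into the Parquet file) and reset.
        rows = [{"qname": k[0], "qtype": k[1], "count": v["count"], "unique_clients": len(v["clients"])}
                for k, v in sorted(self.store.items())]
        self.store.clear()
        return rows
```

Signing of the JSON events and Parquet aggregates, and the MQTT/HTTP transport, are left out here; the block only shows the routing decision.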
Aggregate Feeder
Interfaces
- Configuration is received from Edge Manager.
- Aggregates are submitted as signed Apache Parquet files via HTTP over mTLS.
Resolver
In a standalone deployment, the Resolver is any DNS resolver that implements DNSTAP for query logging. When a Resolver Proxy is used, the DNS resolver does not need to support DNSTAP.
Resolver Proxy
A Resolver Proxy may be used as a front-end proxy to the Resolver. If incoming DNS queries are routed via the proxy, it can apply more efficient and more complex policy decisions and feed more specific data to Minimise. The system is designed to work without a Resolver Proxy, but will perform better with one.
Edge Manager
The Edge Manager receives policy events generated by the Intelligence Feeder and configures other Edge components, e.g. Resolver via RPZ, Resolver Proxy via proprietary configuration. It can request extended data from Minimise (which may or may not be willing to provide such data).