dnstap sourceAddress: "0.0.0.0" instead of real client IP when using TCP transport #25181

@YangTao0

A note for the community

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Problem

Version: CoreDNS-1.12.0 version="0.54.0" (receiving dnstap over TCP)
Not Kubernetes: CoreDNS is deployed directly on a VM (bare metal).
Network: The CoreDNS server and Vector server are on different hosts.
The sourceAddress field in the dnstap message should contain the real IP address of the DNS client (e.g., the host that sent the query to CoreDNS). All dnstap messages show "sourceAddress": "0.0.0.0". Is this a known limitation of the dnstap plugin when using TCP transport? Or am I missing a configuration option to preserve the client address information over TCP?

Configuration

**CoreDNS config**:
.:53 {
    log
    dnstap tcp://10.218.20.156:6000 full
    forward . 8.8.8.8
    reload
}

**Vector Config**:
[sources.dnstap]
type = "dnstap"
address = "0.0.0.0:6000"
mode = "tcp"

[sinks.print]
type = "console"
inputs = [ "dnstap" ]
encoding.codec = "json"

Version

version="0.54.0" arch="x86_64"

Debug Output

Vector logs:
{
	"dataType": "Message",
	"dataTypeId": 1,
	"host": "10.218.20.204:51984",
	"messageType": "ClientQuery",
	"messageTypeId": 5,
	"requestData": {
		"fullRcode": 0,
		"header": {
			"aa": false,
			"ad": true,
			"anCount": 0,
			"arCount": 1,
			"cd": false,
			"id": 3539,
			"nsCount": 0,
			"opcode": 0,
			"qdCount": 1,
			"qr": 0,
			"ra": false,
			"rcode": 0,
			"rd": true,
			"tc": false
		},
		"opt": {
			"do": false,
			"ednsVersion": 0,
			"extendedRcode": 0,
			"udpPayloadSize": 4096
		},
		"question": [{
			"class": "IN",
			"domainName": "www.baidu.com.",
			"questionType": "A",
			"questionTypeId": 1
		}],
		"rcodeName": "NoError"
	},
	"serverId": "vector02-test3-ucscompute43-cloudvsp",
	"serverVersion": "CoreDNS-1.12.0",
	"socketFamily": "INET",
	"socketProtocol": "UDP",
	"sourceAddress": "0.0.0.0",
	"sourcePort": 46185,
	"source_type": "dnstap",
	"time": 1776072095889631680,
	"timePrecision": "ns",
	"timestamp": "2026-04-13T09:21:35.889631680Z"
}

CoreDNS logs:
maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined
.:53
[INFO] plugin/reload: Running configuration SHA512 = 9d43073b6aed7d04aa3bac96b5704a48d8e6bbe996c42df661a0e2497737d16c7f11e490c15691e73245652251679586a0458ebfb869994a2f1f48d2bd932d59
CoreDNS-1.12.0
linux/amd64, go1.23.3, 51e11f1
[INFO] 10.221.7.182:46185 - 3539 "A IN www.baidu.com. udp 42 false 4096" NOERROR qr,rd,ra 149 0.217670503s

10.221.7.182:46185 is the real client IP, but Vector outputs "sourceAddress": "0.0.0.0".

Example Data

No response

Additional Context

No response

References

No response
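
While the dnstap field carries 0.0.0.0, the client address can still be recovered on the collector side by joining each dnstap event with the CoreDNS `log` line for the same query: both records in this issue share the source port (46185), DNS message ID (3539) and question (www.baidu.com. A). The following is an added example, not part of the original issue and not code from Vector or CoreDNS; the function names and the `sourceAddressOrigin` field are hypothetical, and the sample data is trimmed from the debug output above.

```python
import ipaddress
import re

# CoreDNS `log` plugin line, in the format shown in the issue:
#   [INFO] <ip>:<port> - <id> "<type> <class> <name> <proto> ..." ...
LOG_RE = re.compile(r'\[INFO\] \[?(?P<ip>[0-9A-Fa-f:.]+)\]?:(?P<port>\d+) - '
                    r'(?P<id>\d+) "(?P<qtype>\S+) \S+ (?P<qname>\S+) ')

def build_index(log_lines):
    """Map (port, DNS id, qname, qtype) -> set of client IPs seen in the log."""
    index = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            key = (int(m["port"]), int(m["id"]), m["qname"].lower(), m["qtype"])
            index.setdefault(key, set()).add(m["ip"])
    return index

def enrich(event, index):
    """Return a copy of a dnstap event, recovering sourceAddress if unusable."""
    out = dict(event)
    try:
        if not ipaddress.ip_address(event.get("sourceAddress", "")).is_unspecified:
            return out  # address is already usable
    except ValueError:
        pass  # missing or malformed address: try to recover it
    req = event.get("requestData") or {}
    if not req.get("question"):
        return out  # nothing to join on
    q = req["question"][0]
    key = (event.get("sourcePort"), req.get("header", {}).get("id"),
           q["domainName"].lower(), q["questionType"])
    candidates = index.get(key, set())
    if len(candidates) == 1:  # an ambiguous match is left untouched
        out["sourceAddress"] = next(iter(candidates))
        out["sourceAddressOrigin"] = "coredns_log"  # hypothetical marker field
    return out

# Sample data trimmed from the issue's debug output.
LOG_LINES = ['[INFO] 10.221.7.182:46185 - 3539 "A IN www.baidu.com. udp 42 '
             'false 4096" NOERROR qr,rd,ra 149 0.217670503s']
EVENT = {"messageType": "ClientQuery", "sourceAddress": "0.0.0.0",
         "sourcePort": 46185,
         "requestData": {"header": {"id": 3539},
                         "question": [{"domainName": "www.baidu.com.",
                                       "questionType": "A"}]}}

if __name__ == "__main__":
    print(enrich(EVENT, build_index(LOG_LINES)))
```

Because source ports and DNS IDs repeat, a production index should only hold log lines from a short time window around the event.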
