doi:10.6043/j.issn.0438-0479.201604023
DNS
361005
Domain Name SystemDNSDNSDNSDNSDNSDNSDNSDNS
;BIND;; ; ;
TP 393 A
Domain Name SystemDNSIPIPDNSDNSDNSDNS[1]BINDDNSDNSDNS
DNSDNSDNSDNSDNSCNDNS[2]CN[3][4]DNS[5][6][7]BEGLEITER R[8]JOSE A S[9]HadoopDNSHadoopHadoopDNS[6]PHPDNSDNS
AnsibleDNSdigtcpdumpbindgraphNagiosFilebeatLogstashElasticsearchHadoopKibana
DNS
DNS
1)
2)
3) DNSDNSDNSACLAXFRAuthoritative Transfer
4) DNS
5) BIND
6) DNS
DNSDNSDNSDNSDNSDNSACL
AnsibleDNSAnsibleDNSIP
DNS
DNSElasticsearchElasticsearchLuceneLuceneKibana
DNS1
1
Fig. 1 Architecture of Domain Name System Log Analysis System
1LogstashCPUElasticsearchCPU
1) AnsibleAnsible1DNSAnsibleAnsible
2) DNSDNSDNS1Ansible
3)
4) KibanaGUIJSONElasticsearch
60DNS
1) Lucene
2) drilldown
3)
4)
5)
6)
7)
8) IPv4IPv6 DNS
9) DNS
10) ISP[10]
11)
12)
DNSDNS
DNSBINDPowerDNSDnsmasqMicrosoftDNSDNSDNSDNS[11]WindowsDNSDNSDNSBIND9 DNS
DNS
WindowsLinuxDNS
1DNS
IP1DNSIPIP
1DNSDNSDNSnotifyrndcflushtreeZoneDNSDNSTTL
LVSKeepalived
BIND
BINDDNS1
1
Tab.1 Firewall Configuration Strategy
IPTCP/UDP 53
53
IPTCP/UDP 53
TCP 953
IPTCP/UDP 53
953rndc
IPTCP/UDP 53
Logstash
DNSTCP 5044
Elasticsearch
DNSLogstashKibanaTCP 9200
9200Elasticsearch
Kibana
$INCLUDEDNSDNSDNS$INCLUDEDNSDNS
BIND
1) recursion
2) allow-recursionIP
3) allow-transferAXFRIP
4) max-cache-sizeDNS
5) rate-limit
6) recursive-clientsDNSDNS
DNSIPview[12]
DNS
DNS
1) named-checkconfDNS
2) rndcnamedDNSBIND
3) digDNSDNSDNSedu.cnDNSdigedu.cnDNSdig edu.cnedu.cndig @dns.edu.cn xmu.edu.cn
4) tcpdumpDNSdigDNS
5) NagiosDNS
6) Fail2banFail2banDNSIPDNSDNS
7) grepawksortcutDNSDNSLog
8) bindgraphDNSDNS
DNSDNSDNS
DNS
DNSNagioscheck_pingcheck_tcpTCP53check_udpUDP53check_dnsDNSCPULoad
TopbeatDNSCPUElasticsearch
BIND
DNSDNSTTLTTL[13]DNSTTLDNSTTL
DNSIP
DNSFilebeatFilebeatDNSLogstash
DNSFilebeatLogstashElasticsearchLogstashElasticsearch
LogstashDNS
09-Feb-2016 03:38:25.786 queries: client 127.0.0.1#9527 (dog.xmu.edu.cn): query: dog.xmu.edu.cn IN A + (192.168.0.10)
ElasticsearchElasticsearchElasticsearchIP
IPIPIP
Logstash
grok {
  match => { "message" => "%{DATA:querydate} queries: client %{IP:clientip}#%{INT} \(%{DATA:queryhost}\): query: %{DATA} IN %{WORD:rrname} [+-]%{WORD}* \(%{IP}\)" }
}
#DNS
geoip {
  source => ["clientip"]
}
#messageElasticsearchmessage
mutate {
  remove_field => ["message"]
}
if ([queryhost] =~ "^[^.]+\.[^.]+$") {
  grok {
    match => { "queryhost" => "^(?[^.]+)\.(?[^.]+)$" }
  }
}
if ([queryhost] =~ "^[^.]+\.[^.]+\.[^.]+$") {
  grok {
    match => { "queryhost" => "^(?[^.]+)\.(?[^.]+)\.(?[^.]+)$" }
  }
}
if ([queryhost] =~ "^.*?[^.]+\.[^.]+\.[^.]+\.[^.]+$") {
  grok {
    match => { "queryhost" => "^.*?(?[^.]+)\.(?[^.]+)\.(?[^.]+)\.(?[^.]+)$" }
  }
}
LogstashElasticsearchElasticsearch60curatorcrontab
/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 60 --time-unit days --timestring '%Y.%m.%d' --prefix dnslog
Elasticsearch
ElasticsearchKibanaLucene
ISP2metricsCountbucketsdomainname1domainname2domainname3
2ISP
Fig. 2 Sunburst chart of ISP access count ranking
2.com.cn.net.orgqq.combaidu.com360.cn.edu.cn
KibanaDashboard3
3
Fig. 3 Dashboard of Domain Name System Log Analysis System
3DNS
DNS40GDNS3TTLDNS
[1]DNS[D]2013
[2]DNS[D]2009
[3][D]2013
[4]DNS[D]2014
[5]DNS[D]2014
[6][D][]2014
[7][J]2015 07 145- 150
[8]BEGLEITER R, ELOVICI Y, HOLLANDER Y, et al. A fast and scalable method for threat detection in large-scale DNS logs[C]//Big Data, 2013 IEEE International Conference on, 2013: 738-741.
[9]JOSE A S, B A. Automatic detection and rectification of DNS reflection amplification attacks with Hadoop MapReduce and Chukwa[C]//Advances in Computing and Communications (ICACC), 2014 Fourth International Conference on, 2014: 195-198.
[10]k-meansDNS[J]()2010 04 601-604+608
[11]WIKIPEDIA. Comparison of DNS server software[EB/OL]. Wikipedia[2016-02-12]. https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software.
[12]viewDNS[J]2009 05 75
[13]DNS[D]2013
DNS Query Log Analysis System Based on Open Source Software
ZHENG Haishan
(Information & Network Center, Xiamen University, Xiamen 361005, China)
Abstract: The Domain Name System is one of the most important parts of the Internet, and the robustness and security of the service are extremely important. However, many problems remain in the University's DNS configuration. Drawing on the setup experience of Xiamen University, this paper proposes a DNS query log analysis system based on open source software. The system gives a best practice for automatically building a DNS cluster, together with a method for monitoring and examining the DNS configuration and running status using open source tools. Additionally, the system offers query log visualizations generated with big data analysis tools combined with a small amount of programming. Furthermore, through horizontal scaling the system can perform real-time analysis of more than one hundred million records per day. With the system in place, the DNS service has a clear structure and is secure, and query log statistics are shown in real time. All of this helps with analyzing the running status of the DNS servers, warning of attacks, and optimizing network performance.
Key words: Domain Name System; BIND; Big data; Log analysis; Visualization; Automation deployment
2016-04-14 2016-07-06