
doi:10.6043/j.issn.0438-0479.201604023

DNS

361005

Domain Name SystemDNSDNSDNSDNSDNSDNSDNSDNS

;BIND;; ; ;

TP 393 A

Domain Name SystemDNSIPIPDNSDNSDNSDNS[1]BINDDNSDNSDNS

DNSDNSDNSDNSDNSCNDNS[2]CN[3][4]DNS[5][6][7]BEGLEITER R[8]JOSE A S[9]HadoopDNSHadoopHadoopDNS[6]PHPDNSDNS

AnsibleDNSdigtcpdumpbindgraphNagiosFilebeatLogstashElasticsearchHadoopKibana

DNS

DNS

1)

2)

3) DNSDNSDNSACLAXFRAuthoritative Transfer

4) DNS

5) BIND

6) DNS

DNSDNSDNSDNSDNSDNSACL

AnsibleDNSAnsibleDNSIP

DNS

DNSElasticsearchElasticsearchLuceneLuceneKibana

DNS1

1

Fig. 1 Architecture of Domain Name System Log Analysis System

1LogstashCPUElasticsearchCPU

1) AnsibleAnsible1DNSAnsibleAnsible

2) DNSDNSDNS1Ansible

3)

4) KibanaGUIJSONElasticsearch

60DNS

1) Lucene

2) drilldown

3)

4)

5)

6)

7)

8) IPv4IPv6 DNS

9) DNS

10) ISP[10]

11)

12)

DNSDNS

DNSBINDPowerDNSDnsmasqMicrosoftDNSDNSDNSDNS[11]WindowsDNSDNSDNSBIND9 DNS

DNS

WindowsLinuxDNS

1DNS

IP1DNSIPIP

1DNSDNSDNSnotifyrndcflushtreeZoneDNSDNSTTL

LVSKeepalived

BIND

BINDDNS1

1

Tab. 1 Firewall Configuration Strategy

IPTCP/UDP 53

53

IPTCP/UDP 53

TCP 953

IPTCP/UDP 53

953rndc

IPTCP/UDP 53

Logstash

DNSTCP 5044

Elasticsearch

DNSLogstashKibanaTCP 9200

9200Elasticsearch

Kibana

$INCLUDEDNSDNSDNS$INCLUDEDNSDNS

BIND

1) recursion

2) allow-recursionIP

3) allow-transferAXFRIP

4) max-cache-sizeDNS

5) rate-limit

6) recursive-clientsDNSDNS

DNSIPview[12]

DNS

DNS

1) named-checkconfDNS

2) rndcnamedDNSBIND

3) digDNSDNSDNSedu.cnDNSdigedu.cnDNSdig edu.cnedu.cndig @dns.edu.cn xmu.edu.cn

4) tcpdumpDNSdigDNS

5) NagiosDNS

6) Fail2banFail2banDNSIPDNSDNS

7) grepawksortcutDNSDNSLog

8) bindgraphDNSDNS

DNSDNSDNS

DNS

DNSNagioscheck_pingcheck_tcpTCP53check_udpUDP53check_dnsDNSCPULoad

TopbeatDNSCPUElasticsearch

BIND

DNSDNSTTLTTL[13]DNSTTLDNSTTL

DNSIP

DNSFilebeatFilebeatDNSLogstash

DNSFilebeatLogstashElasticsearchLogstashElasticsearch

LogstashDNS

09-Feb-2016 03:38:25.786 queries: client 127.0.0.1#9527 (dog.xmu.edu.cn): query: dog.xmu.edu.cn IN A + (192.168.0.10)

ElasticsearchElasticsearchElasticsearchIP

IPIPIP

Logstash

filter {
    # Parse one BIND 9 query-log line into querydate, clientip, queryhost and rrname.
    grok {
        match => { "message" => "%{DATA:querydate} queries: client %{IP:clientip}#%{INT} \(%{DATA:queryhost}\): query: %{DATA} IN %{WORD:rrname} [+-]%{WORD}* \(%{IP}\)" }
    }

    # Look up the geographic location of the querying client IP (GeoIP database).
    geoip {
        source => "clientip"
    }

    # The raw message is no longer needed once parsed; dropping it saves Elasticsearch storage.
    mutate {
        remove_field => ["message"]
    }

    # Split queryhost into per-level fields from the right: domainname1 is the
    # top-level label, domainname2 the second level, and so on. The capture-group
    # names were lost in extraction; domainname1..3 are the field names the Kibana
    # sunburst (Fig. 2) buckets on, domainname4 is assumed by analogy.
    if ([queryhost] =~ "^[^.]+\.[^.]+$") {
        grok {
            match => { "queryhost" => "^(?<domainname2>[^.]+)\.(?<domainname1>[^.]+)$" }
        }
    }

    if ([queryhost] =~ "^[^.]+\.[^.]+\.[^.]+$") {
        grok {
            match => { "queryhost" => "^(?<domainname3>[^.]+)\.(?<domainname2>[^.]+)\.(?<domainname1>[^.]+)$" }
        }
    }

    # Four or more labels: keep only the last four, skipping any leading labels.
    if ([queryhost] =~ "^.*?[^.]+\.[^.]+\.[^.]+\.[^.]+$") {
        grok {
            match => { "queryhost" => "^.*?(?<domainname4>[^.]+)\.(?<domainname3>[^.]+)\.(?<domainname2>[^.]+)\.(?<domainname1>[^.]+)$" }
        }
    }
}
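The grok stages above do two things: extract fields from a BIND query-log line and split the queried host into per-level labels that the Kibana sunburst later buckets on. The following Python script is an added example (not code from the paper or from Logstash) that does the same parsing offline with a standard regular expression, so the behaviour of the patterns can be checked on sample lines before they are deployed. The first sample line is the one quoted in the paper; the other lines, the IPv6 client and the field names port, qname, flags and serverip are constructed for this example, and the domainname1..4 naming follows the assumption stated in the filter comments. It also goes one step beyond the filter and counts records per field, which is the aggregation behind the ranking in Fig. 2.

```python
import re
from collections import Counter

# Constructed sample input in BIND 9 query-log format. Only the first line is the
# one quoted in the paper; the others (including the non-matching last line) are made up.
SAMPLE_LINES = [
    "09-Feb-2016 03:38:25.786 queries: client 127.0.0.1#9527 (dog.xmu.edu.cn): query: dog.xmu.edu.cn IN A + (192.168.0.10)",
    "09-Feb-2016 03:38:26.001 queries: client 10.0.0.7#40211 (www.example.com): query: www.example.com IN AAAA +E (192.168.0.10)",
    "09-Feb-2016 03:38:26.113 queries: client 10.0.0.9#53120 (mail.xmu.edu.cn): query: mail.xmu.edu.cn IN MX + (192.168.0.10)",
    "09-Feb-2016 03:38:26.240 queries: client 2001:db8::1#1234 (example.com): query: example.com IN A -ED (192.168.0.10)",
    "this line does not match the query-log format",
]

# Same structure as the grok pattern in the Logstash filter:
#   %{DATA:querydate} queries: client %{IP:clientip}#%{INT} \(%{DATA:queryhost}\):
#   query: %{DATA} IN %{WORD:rrname} [+-]%{WORD}* \(%{IP}\)
# The extra names (port, qname, flags, serverip) are this example's own additions.
QUERY_LINE_RE = re.compile(
    r"^(?P<querydate>\S+ \S+) queries: client (?P<clientip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<queryhost>[^)]*)\): query: (?P<qname>\S+) IN (?P<rrname>\w+) "
    r"(?P<flags>[+-]\w*) \((?P<serverip>[0-9A-Fa-f.:]+)\)$"
)


def split_labels(host, max_levels=4):
    """Split a hostname into per-level fields from the right: domainname1 is the
    top-level label, domainname2 the second level, and so on, keeping at most the
    last max_levels labels, as the three grok patterns in the filter do."""
    labels = [lab for lab in host.rstrip(".").split(".") if lab]
    return {f"domainname{i}": lab
            for i, lab in enumerate(reversed(labels[-max_levels:]), start=1)}


def parse_query_line(line):
    """Return a dict of fields for one query-log line, or None if it does not match."""
    m = QUERY_LINE_RE.match(line)
    if m is None:
        return None
    record = m.groupdict()
    record["port"] = int(record["port"])
    record.update(split_labels(record["queryhost"]))
    return record


def parse_lines(lines):
    """Parse every line; lines that do not match are dropped (grok would instead
    tag them _grokparsefailure and pass them on)."""
    return [r for r in (parse_query_line(l) for l in lines) if r is not None]


def count_by(records, field):
    """Count records per value of one field, e.g. domainname2 for a second-level
    domain ranking like the one shown in Fig. 2."""
    return Counter(r[field] for r in records if field in r)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(r["clientip"], r["queryhost"], r["rrname"], r.get("domainname2"))
    print(count_by(recs, "domainname2").most_common())
```

Running the script prints one line per parsed record and the per-second-level-domain counts; a line in a format the regex does not recognise is skipped rather than aborting the run, which is the failure mode to watch for when the BIND logging format changes between versions.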

LogstashElasticsearchElasticsearch60curatorcrontab

/usr/local/bin/curator --host 127.0.0.1 delete indices --older-than 60 --time-unit days --timestring '%Y.%m.%d' --prefix dnslog

Elasticsearch

ElasticsearchKibanaLucene

ISP2metricsCountbucketsdomainname1domainname2domainname3

2ISP

Fig. 2 Sunburst Chart of ISP Access Count Ranking

2.com.cn.net.orgqq.combaidu.com360.cn.edu.cn

KibanaDashboard3

3

Fig. 3 Dashboard of Domain Name System Log Analysis System

3DNS

DNS40GDNS3TTLDNS

[1]DNS[D]2013

[2]DNS[D]2009

[3][D]2013

[4]DNS[D]2014

[5]DNS[D]2014

[6][D][]2014

[7][J]2015 07 145- 150

[8] BEGLEITER R, ELOVICI Y, HOLLANDER Y, et al. A fast and scalable method for threat detection in large-scale DNS logs [C]// Big Data, 2013 IEEE International Conference on, 2013: 738-741.

[9] JOSE A S, B A. Automatic detection and rectification of DNS reflection amplification attacks with Hadoop MapReduce and Chukwa [C]// Advances in Computing and Communications (ICACC), 2014 Fourth International Conference on, 2014: 195-198.

[10]k-meansDNS[J]()2010 04 601-604+608

[11] WIKIPEDIA. Comparison of DNS server software [EB/OL]. Wikipedia [2016-02-12]. https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software.

[12]viewDNS[J]2009 05 75

[13]DNS[D]2013

DNS Query Log Analysis System Based on Open Source Software

ZHENG Haishan

(Information & Network Center, Xiamen University, Xiamen 361005, China)

Abstract: The Domain Name System is one of the most important parts of the Internet, and the robustness and security of the service are extremely important. However, many problems remain in the University's DNS configuration. Drawing on the setup experience of Xiamen University, this paper proposes a DNS query log analysis system based on open source software. The system gives a best practice for building a DNS cluster automatically, together with methods for monitoring and examining the DNS configuration and running status with open source tools. Additionally, the system offers query log visualizations generated with big data analysis tools combined with a small amount of programming. Furthermore, through horizontal expansion the system can analyze more than one hundred million records per day in real time. With the system in place, the DNS service has a clear structure and is secure, and query log statistics are shown in real time. All of these help in analyzing the running status of the DNS servers, warning of attacks, and optimizing network performance.

Key words: Domain Name System; BIND; Big data; Log analysis; Visualization; Automation deployment

2016-04-14 2016-07-06

[email protected]
