dnstap high speed dns logging without packet capture
play

dnstap : high speed DNS logging without packet capture Jeroen - PowerPoint PPT Presentation

May 15, 2023 •383 likes •786 views

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

  1. dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime

  2. Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website: http://dnstap.info Documentation/Presos/Tutorials/Mailinglist/ Downloads/Code-repos Unifying the Global Response 2 to Cybercrime

  3. Simplified DNS Overview Unifying the Global Response 3 to Cybercrime

  4. Query Logging Unifying the Global Response 4 to Cybercrime

  5. Query Logging: Details Logged • Log information about DNS queries: • Client IP address • Question name • Question type • Other related information? • EDNS options • DNSSEC status • Cache miss or cache hit? • May have to look at both queries and responses. Unifying the Global Response 5 to Cybercrime

  6. Query Logging: How • DNS server generates log messages in the normal course of processing requests. • Reputed to impact performance significantly. • Typical implementation: • Parse the request. • Format it into a text string. • Send to syslog or write to a log file. Unifying the Global Response 6 to Cybercrime

  7. Query Logging: Issues • Implementation issues that affect performance: • Transforming the query into a text string takes time. • Memory copies, format string parsing, etc. • Writing the log message using synchronous I/O in the worker thread. • Using syslog instead of writing log files directly. • syslog() takes out a process-wide lock and does a blocking, unbuffered write for every log message. • Using stdio to write log files. • printf(), fwrite(), etc. take out a lock on the output Unifying the Global Response 7 to Cybercrime

  8. Query Logging: Improving § Do it with packet capture instead: • Eliminates the performance issues. • But, can't replicate state that doesn't appear directly in the packet. • E.g., whether the request was served from the cache. § What if the performance issues in the server software were fixed? Unifying the Global Response 8 to Cybercrime

  9. Passive DNS Unifying the Global Response 9 to Cybercrime

  10. Passive DNS: Setup • Deployment options: • (1) “Below the recursive” • (2) “Above the recursive” Unifying the Global Response 10 to Cybercrime

  11. Passive DNS: Details Logged § Log information about zone content: • Record name • Record type • Record data • Nameserver IP address Unifying the Global Response 11 to Cybercrime

  12. Passive DNS: Implementations § Typical implementation: • Capture the DNS response packets at the recursive DNS server. • Reassemble the DNS response messages from the packets. • Extract the DNS resource records contained in the response messages. • Low to no performance impact Unifying the Global Response 12 to Cybercrime

  13. Passive DNS: Issues § Discard out-of-bailiwick records. § Discard spoofed UDP responses. § UDP fragment, TCP stream reassembly. § UDP checksum verification. But, the DNS server and its networking stack are already doing these things... Unifying the Global Response 13 to Cybercrime

  14. Insights § Query logging: • Make it faster by eliminating bottlenecks like text formatting and synchronous I/O. § Passive DNS replication: • Avoid complicated state reconstruction issues by capturing messages instead of packets. § Support both use cases with the same generic mechanism. Unifying the Global Response 14 to Cybercrime

  15. dnstap § Add a lightweight message duplication facility directly into the DNS server. • Verbatim wire-format DNS messages with context. § Use a fast logging implementation that doesn't degrade performance. • Circular queues. • Asynchronous, buffered I/O. • Prefer to drop log payloads instead of blocking the server under load. Unifying the Global Response 15 to Cybercrime

  16. dnstap: Message Duplication § DNS server has internal message buffers: • Receiving a query. • Sending a query. • Receiving a response. • Sending a response. § Instrument the call sites in the server implementation so that message buffers can be duplicated and exported outside of the server process. § Be able to enable/disable each logging site independently. Unifying the Global Response 16 to Cybercrime

  17. dnstap: “Message” Log Format Currently 10 defined subtypes of dnstap “Message”: § AUTH_QUERY § AUTH_RESPONSE § RESOLVER_QUERY § RESOLVER_RESPONSE § CLIENT_QUERY § CLIENT_RESPONSE § FORWARDER_QUERY § FORWARDER_RESPONSE § STUB_QUERY § STUB_RESPONSE Unifying the Global Response 17 to Cybercrime

  18. Dnstap: Overview Unifying the Global Response 18 to Cybercrime

  19. Unifying the Global Response 19 to Cybercrime

  20. dnstap: Query Logging § Turn on AUTH_QUERY and/or CLIENT_QUERY message duplication. • Optionally turn on AUTH_RESPONSE and/or CLIENT_RESPONSE . § Connect a dnstap receiver to the DNS server. § Performance impact should be minimal. § Full verbatim message content is available without text log parsing. Unifying the Global Response 20 to Cybercrime

  21. dnstap: Passive DNS § Turn on RESOLVER_RESPONSE message duplication. § Connect a dnstap receiver to the DNS server. Unifying the Global Response 21 to Cybercrime

  22. dnstap: Passive DNS advantages § Once inside the DNS server, the issues caused by being outside disappear. • Out-of-bailiwick records: the DNS server already knows which servers are responsible for which zones. • Spoofing: the DNS server already has its state table. Unsuccessful spoofs are excluded. • TCP/UDP packet issues: already handled by the kernel and the DNS server. Unifying the Global Response 22 to Cybercrime

  23. dnstap: Components § Flexible, structured log format for DNS software. § Helper libraries for adding support to DNS software. § Patch sets that integrate dnstap support into existing DNS software. § Capture tools for receiving dnstap messages from dnstap-enabled software. Unifying the Global Response 23 to Cybercrime

  24. dnstap: Log Format § Encoded using Protocol Buffers. • Compact • Binary clean • Backwards, forwards compatibility • Implementations for numerous programming languages available Unifying the Global Response 24 to Cybercrime

  25. Dnstap: Helper Libraries § fstrm: “Frame Streams” library. • Encoding-agnostic transport. • Adds ~1.5K LOC to the DNS server. • https://github.com/farsightsec/fstrm § protobuf-c: “Protocol Buffers” library. • Transport-agnostic encoding. • Adds ~2.5K LOC to the DNS server. • https://github.com/protobuf-c/protobuf-c Unifying the Global Response 25 to Cybercrime

  26. Dnstap: Integration Plans to add dnstap support to software that handles DNS messages: § DNS servers: BIND, Unbound, Knot DNS, etc. § Analysis tools: Wireshark, etc. § Utilities: dig, kdig, drill, dnsperf, resperf § More? Unifying the Global Response 26 to Cybercrime

  27. dnstap: Unbound Integration Unbound DNS server with dnstap support. § Supports the relevant dnstap “Message” types for a recursive DNS server: § { CLIENT , RESOLVER , FORWARDER }_{ QUERY_RESPONSE } § Adds <1K LOC to the DNS server. Unifying the Global Response 27 to Cybercrime

  28. Dnstap: Capture Tool § Command-line tool/daemon for collecting dnstap log payloads. • Print payloads. • Save to log file. • Retransmit over the network. § Similar role to tcpdump, syslogd, or flow-tools. Unifying the Global Response 28 to Cybercrime

  29. Benchmark § More of a “microbenchmark”. § Meant to validate the architectural approach. § Not meant to accurately characterize the performance of a dnstap-enabled DNS server under “realistic” load. Unifying the Global Response 29 to Cybercrime

  30. Benchmark setup § One receiver: • Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz • No HyperThreading, no SpeedStep, no Turbo Boost. § One sender: • Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz § Intel Corporation I350 Gigabit Network Connection § Sender and receiver directly connected via crossover cable. No switch, RX/TX flow control disabled. Unifying the Global Response 30 to Cybercrime

  31. Benchmark host setup § Linux 3.11/3.12. § Defaults, no attempt to tune networking stack. § trafgen used to generate identical UDP DNS questions with random UDP ports / DNS IDs. § tc token bucket filter used to precisely vary the query load offered by the sender. § mpstat used to measure receiver’s system load. § ifpps used to measure packet RX/TX rates on the receiver. § perf used for whole-system profiling. Unifying the Global Response 31 to Cybercrime

  32. Benchmark tests § Offer particular DNS query loads in 25 Mbps steps: • 25 Mbps, 50 Mbps, …, 725 Mbps, 750 Mbps. § Measure system load and responses/second at the receiver, where the DNS server is running. • Most DNS benchmarks plot queries/second against response rate to characterize drop rates. • Plotting responses/second can still reveal bottlenecks. Unifying the Global Response 32 to Cybercrime

  33. Unifying the Global Response 33 to Cybercrime

  34. Unifying the Global Response 34 to Cybercrime

  35. Unifying the Global Response 35 to Cybercrime

  36. Unifying the Global Response 36 to Cybercrime

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

710 views • 31 slides
How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal mechanism with high transmission and broad bandwidth Tsun-Hsu Chang ( ) Department of Physics, National Tsing Hua University Claim: The

454 views • 23 slides
Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

3G Evolution 3G Evolution 3G Evolution 3G Evolution Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet Access Deepak Dasalukunte Department of Electrical and Information Technology 16-Apr-2009

393 views • 25 slides
Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract: The exposed memory hierarchies employed in many network processors (NPs) are expensive in terms of meeting the worst-case processing requirement.

427 views • 8 slides
Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed Network A Approaches for High Speed Network A h h f f Hi h S Hi h S d N t d N t k k Security Security Security Security APAN 32 nd Meeting

459 views • 21 slides
dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

336 views • 18 slides
tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong Kong University of Science and Technology 2020/06/11 Background 2 1. Background q Previous MoCap systems 2 nd Generation 3 rd Generation 1 st

439 views • 31 slides
Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van Reeuwijk Herbert Bos Vrije Universiteit, Amsterdam World45 Ltd. ANCS 2007 Tom Hrub (VU Amsterdam, World45) Ruler on NPUs December 3, 2007

415 views • 25 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich October 31th, 2015 Chair for Network Architectures and Services

519 views • 7 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

Chair for Network Architectures and Services Technische Universit at M unchen MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for Network Architectures and Services Department of Informatics

477 views • 21 slides
() Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I?

() Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I?

CS 315 Computer Security () Instructor: Fengwei Zhang SUSTech CS315 Computer Security 1 Who Am I? Fengwei Zhang Associate Professor of Computer Science Office: Innovation Park Building 10, Room 404 Email: TBA

795 views • 20 slides
... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

... sclass1 sclass10 Net-linux Net-linux DHCP DHCP The lab has 10 dell systems. Each dell

Notes on Running Dsniff and the Lab Network Environment Cyber Security Lab 2/16/10 1 General Overview 1.1 Initial machine configuration Outside World DMZ Management 192.168.50.50 192.168.50.60 Dmz 192.168.50.0/24 FW1 Outside =

182 views • 4 slides
AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications

AjaxTracker: Active Measurement System for High-Fidelity Characterization of AJAX Applications Myungjin Lee , Ramana Rao Kompella, Sumeet Singh Purdue University, Cisco Systems Wind of changes Asynchronous Javascript Migration

503 views • 22 slides
How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO

How to do Packet Sniffing on Linux (tcpdump) NetBeez Webinar Panos Vouzis Co-founder and COO Agenda What is tcpdump? Lab set-up tcpdump usage Output breakdown Saving to file Filtering (host, port, traffic

582 views • 11 slides
NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool

NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool

NAV NAV Project Update By: Meghan Allen and Peter McLachlan NAV Objectives Develop a tool for network visualization Focus on common protocols: TCP/IP UDP/IP ICMP Within these protocols focus on common services

431 views • 14 slides
Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele

Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele

Merging packets with System Events using eBPF Luca Deri &lt;deri@ntop.org&gt;, @lucaderi Samuele Sabella &lt;sabella@ntop.org&gt;, @sabellasamuele Brussels - 2/3 February 2019 About Us Luca: lecturer at the University of Pisa, CS

280 views • 26 slides
University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network

University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network

University of Calgary CPSC 329 Guest Lecture: Carey Williamson What is network security? Types of attacks Real-world examples Wrapup and questions 2 The field of network security is about: how the bad guys

482 views • 19 slides
Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network

Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network

Wireshark Drinking straight from the network hose Wireshark Drinking straight from the network hose Md. Abdul Awal TEIN Application Workshop 2017 BdREN University of Dhaka awal@bdren.net.bd December 11, 2017 These materials are licensed

612 views • 31 slides

More recommend