dnstap high speed dns logging without packet capture
play

dnstap : high speed DNS logging without packet capture Jeroen - PowerPoint PPT Presentation

May 15, 2023 •383 likes •786 views

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website:

  1. dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime

  2. Credits & More Info Design & Implementation: Robert Edmonds <edmonds@fsi.io> Website: http://dnstap.info Documentation/Presos/Tutorials/Mailinglist/ Downloads/Code-repos Unifying the Global Response 2 to Cybercrime

  3. Simplified DNS Overview Unifying the Global Response 3 to Cybercrime

  4. Query Logging Unifying the Global Response 4 to Cybercrime

  5. Query Logging: Details Logged • Log information about DNS queries: • Client IP address • Question name • Question type • Other related information? • EDNS options • DNSSEC status • Cache miss or cache hit? • May have to look at both queries and responses. Unifying the Global Response 5 to Cybercrime

  6. Query Logging: How • DNS server generates log messages in the normal course of processing requests. • Reputed to impact performance significantly. • Typical implementation: • Parse the request. • Format it into a text string. • Send to syslog or write to a log file. Unifying the Global Response 6 to Cybercrime

  7. Query Logging: Issues • Implementation issues that affect performance: • Transforming the query into a text string takes time. • Memory copies, format string parsing, etc. • Writing the log message using synchronous I/O in the worker thread. • Using syslog instead of writing log files directly. • syslog() takes out a process-wide lock and does a blocking, unbuffered write for every log message. • Using stdio to write log files. • printf(), fwrite(), etc. take out a lock on the output Unifying the Global Response 7 to Cybercrime

  8. Query Logging: Improving § Do it with packet capture instead: • Eliminates the performance issues. • But, can't replicate state that doesn't appear directly in the packet. • E.g., whether the request was served from the cache. § What if the performance issues in the server software were fixed? Unifying the Global Response 8 to Cybercrime

  9. Passive DNS Unifying the Global Response 9 to Cybercrime

  10. Passive DNS: Setup • Deployment options: • (1) “Below the recursive” • (2) “Above the recursive” Unifying the Global Response 10 to Cybercrime

  11. Passive DNS: Details Logged § Log information about zone content: • Record name • Record type • Record data • Nameserver IP address Unifying the Global Response 11 to Cybercrime

  12. Passive DNS: Implementations § Typical implementation: • Capture the DNS response packets at the recursive DNS server. • Reassemble the DNS response messages from the packets. • Extract the DNS resource records contained in the response messages. • Low to no performance impact Unifying the Global Response 12 to Cybercrime

  13. Passive DNS: Issues § Discard out-of-bailiwick records. § Discard spoofed UDP responses. § UDP fragment, TCP stream reassembly. § UDP checksum verification. But, the DNS server and its networking stack are already doing these things... Unifying the Global Response 13 to Cybercrime

  14. Insights § Query logging: • Make it faster by eliminating bottlenecks like text formatting and synchronous I/O. § Passive DNS replication: • Avoid complicated state reconstruction issues by capturing messages instead of packets. § Support both use cases with the same generic mechanism. Unifying the Global Response 14 to Cybercrime

  15. dnstap § Add a lightweight message duplication facility directly into the DNS server. • Verbatim wire-format DNS messages with context. § Use a fast logging implementation that doesn't degrade performance. • Circular queues. • Asynchronous, buffered I/O. • Prefer to drop log payloads instead of blocking the server under load. Unifying the Global Response 15 to Cybercrime

  16. dnstap: Message Duplication § DNS server has internal message buffers: • Receiving a query. • Sending a query. • Receiving a response. • Sending a response. § Instrument the call sites in the server implementation so that message buffers can be duplicated and exported outside of the server process. § Be able to enable/disable each logging site independently. Unifying the Global Response 16 to Cybercrime

  17. dnstap: “Message” Log Format Currently 10 defined subtypes of dnstap “Message”: § AUTH_QUERY § AUTH_RESPONSE § RESOLVER_QUERY § RESOLVER_RESPONSE § CLIENT_QUERY § CLIENT_RESPONSE § FORWARDER_QUERY § FORWARDER_RESPONSE § STUB_QUERY § STUB_RESPONSE Unifying the Global Response 17 to Cybercrime

  18. Dnstap: Overview Unifying the Global Response 18 to Cybercrime

  19. Unifying the Global Response 19 to Cybercrime

  20. dnstap: Query Logging § Turn on AUTH_QUERY and/or CLIENT_QUERY message duplication. • Optionally turn on AUTH_RESPONSE and/or CLIENT_RESPONSE . § Connect a dnstap receiver to the DNS server. § Performance impact should be minimal. § Full verbatim message content is available without text log parsing. Unifying the Global Response 20 to Cybercrime

  21. dnstap: Passive DNS § Turn on RESOLVER_RESPONSE message duplication. § Connect a dnstap receiver to the DNS server. Unifying the Global Response 21 to Cybercrime

  22. dnstap: Passive DNS advantages § Once inside the DNS server, the issues caused by being outside disappear. • Out-of-bailiwick records: the DNS server already knows which servers are responsible for which zones. • Spoofing: the DNS server already has its state table. Unsuccessful spoofs are excluded. • TCP/UDP packet issues: already handled by the kernel and the DNS server. Unifying the Global Response 22 to Cybercrime

  23. dnstap: Components § Flexible, structured log format for DNS software. § Helper libraries for adding support to DNS software. § Patch sets that integrate dnstap support into existing DNS software. § Capture tools for receiving dnstap messages from dnstap-enabled software. Unifying the Global Response 23 to Cybercrime

  24. dnstap: Log Format § Encoded using Protocol Buffers. • Compact • Binary clean • Backwards, forwards compatibility • Implementations for numerous programming languages available Unifying the Global Response 24 to Cybercrime

  25. Dnstap: Helper Libraries § fstrm: “Frame Streams” library. • Encoding-agnostic transport. • Adds ~1.5K LOC to the DNS server. • https://github.com/farsightsec/fstrm § protobuf-c: “Protocol Buffers” library. • Transport-agnostic encoding. • Adds ~2.5K LOC to the DNS server. • https://github.com/protobuf-c/protobuf-c Unifying the Global Response 25 to Cybercrime

  26. Dnstap: Integration Plans to add dnstap support to software that handles DNS messages: § DNS servers: BIND, Unbound, Knot DNS, etc. § Analysis tools: Wireshark, etc. § Utilities: dig, kdig, drill, dnsperf, resperf § More? Unifying the Global Response 26 to Cybercrime

  27. dnstap: Unbound Integration Unbound DNS server with dnstap support. § Supports the relevant dnstap “Message” types for a recursive DNS server: § { CLIENT , RESOLVER , FORWARDER }_{ QUERY_RESPONSE } § Adds <1K LOC to the DNS server. Unifying the Global Response 27 to Cybercrime

  28. Dnstap: Capture Tool § Command-line tool/daemon for collecting dnstap log payloads. • Print payloads. • Save to log file. • Retransmit over the network. § Similar role to tcpdump, syslogd, or flow-tools. Unifying the Global Response 28 to Cybercrime

  29. Benchmark § More of a “microbenchmark”. § Meant to validate the architectural approach. § Not meant to accurately characterize the performance of a dnstap-enabled DNS server under “realistic” load. Unifying the Global Response 29 to Cybercrime

  30. Benchmark setup § One receiver: • Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz • No HyperThreading, no SpeedStep, no Turbo Boost. § One sender: • Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz § Intel Corporation I350 Gigabit Network Connection § Sender and receiver directly connected via crossover cable. No switch, RX/TX flow control disabled. Unifying the Global Response 30 to Cybercrime

  31. Benchmark host setup § Linux 3.11/3.12. § Defaults, no attempt to tune networking stack. § trafgen used to generate identical UDP DNS questions with random UDP ports / DNS IDs. § tc token bucket filter used to precisely vary the query load offered by the sender. § mpstat used to measure receiver’s system load. § ifpps used to measure packet RX/TX rates on the receiver. § perf used for whole-system profiling. Unifying the Global Response 31 to Cybercrime

  32. Benchmark tests § Offer particular DNS query loads in 25 Mbps steps: • 25 Mbps, 50 Mbps, …, 725 Mbps, 750 Mbps. § Measure system load and responses/second at the receiver, where the DNS server is running. • Most DNS benchmarks plot queries/second against response rate to characterize drop rates. • Plotting responses/second can still reveal bottlenecks. Unifying the Global Response 32 to Cybercrime

  33. Unifying the Global Response 33 to Cybercrime

  34. Unifying the Global Response 34 to Cybercrime

  35. Unifying the Global Response 35 to Cybercrime

  36. Unifying the Global Response 36 to Cybercrime

Recommend

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox,

Selective Packet Capture at High Speed Rates Reservoir Labs Peter Cullen, James Ezick, Kelly Fox, Troy Hanson, Richard Lethin, Erik Mogus, Jordi Ros-Giralt, Alison Ryan, {cullen, ezick, fox, hanson, lethin, mogus, giralt, ryan}@reservoir.com

710 views • 31 slides
How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal

How a wave packet propagates at a speed faster than the speed of light A novel superluminal mechanism with high transmission and broad bandwidth Tsun-Hsu Chang ( ) Department of Physics, National Tsing Hua University Claim: The

454 views • 23 slides
Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet

3G Evolution 3G Evolution 3G Evolution 3G Evolution Chapter: 9 9 9 9 Chapter: Chapter: Chapter: High-Speed Downlink High-Speed Downlink Packet Access Deepak Dasalukunte Department of Electrical and Information Technology 16-Apr-2009

393 views • 25 slides
Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract:

Hybrid cache architecture for high-speed packet processing Z. Liu, K. Zheng and B. Liu Abstract: The exposed memory hierarchies employed in many network processors (NPs) are expensive in terms of meeting the worst-case processing requirement.

427 views • 8 slides
Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed

Multicore Based Packet Splitting Multicore Based Packet Splitting Approaches for High Speed Network A Approaches for High Speed Network A h h f f Hi h S Hi h S d N t d N t k k Security Security Security Security APAN 32 nd Meeting

459 views • 21 slides
dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

336 views • 18 slides
tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong

tCap : High-Speed Human Motion Capture using Eve EventC an Event Camera Lan XU Hong Kong University of Science and Technology 2020/06/11 Background 2 1. Background q Previous MoCap systems 2 nd Generation 3 rd Generation 1 st

439 views • 31 slides
Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van

Ruler: High-Speed Packet Matching and Rewriting on Network Processors Tom Hrub Kees van Reeuwijk Herbert Bos Vrije Universiteit, Amsterdam World45 Ltd. ANCS 2007 Tom Hrub (VU Amsterdam, World45) Ruler on NPUs December 3, 2007

415 views • 25 slides
How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet

How to (passively) measure? Packet Monitoring 1 What to expect? Overview / What is packet monitor? How to acquire the data Handling performance bottlenecks Case Study: Packet Capture Performance Analyzing the transport and

487 views • 37 slides
Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet

Network Network sniffing sniffing packet capture and analysis packet capture and analysis October 2, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab

366 views • 17 slides
MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Sebastian Gallenm uller, Paul Emmerich October 31th, 2015 Chair for Network Architectures and Services

519 views • 7 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for

Chair for Network Architectures and Services Technische Universit at M unchen MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich March 4th, 2015 Chair for Network Architectures and Services Department of Informatics

477 views • 21 slides
The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC Importance of Measuring DNS High volume low latency datagram protocol sie-xyzzy1 547,128,709,757 bytes,

323 views • 17 slides
Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016

Chair for Network Architectures and Services Technical University of Munich (TUM) MoonGen A Scriptable High-Speed Packet Generator Paul Emmerich January 31st, 2016 FOSDEM 2016 Chair for Network Architectures and Services Department of

1.2k views • 30 slides
Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by

Free Technology Workshop Hacking Hands on with wireless LAN routers, packet capture and wireless security Organised by Steven Gordon Bangkadi 3 rd floor IT Lab 10:30-13:30 Friday 18 July 2014 http://ict.siit.tu.ac.th/moodle/ _______

795 views • 48 slides
Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches - = bias carcass construction 32 = rim diameter in inches 16 = load range Samson Logging Tire TUBE TYPE SERVICE TUBE MAX SPEED 20 TYPE TIRE

241 views • 8 slides
Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider merits of streaming analytics Expose to advanced open source tools Encourage to experiment with OpenArgus 2 2 Streaming Analytics

581 views • 36 slides
MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL

MINUTES OF ORAL EVIDENCE taken before the HIGH SPEED RAIL BILL COMMITTEE on the HIGH SPEED RAIL (WEST MIDLANDS CREWE) BILL Monday 19 March 2018 (Afternoon) In Committee Room 5 PRESENT: James Duddridge (Chair) Sandy Martin Mrs Sheryll

956 views • 57 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

534 views • 26 slides

More recommend