dnstap: high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

Similar documents
Improving DNS performance using Stateless TCP in FreeBSD 9

Resource Utilization of Middleware Components in Embedded Systems

dnsperf DNS Performance Tool Manual

VMWARE WHITE PAPER 1

Network Intrusion Detection Systems. Beyond packet filtering

How do I get to

I3: Maximizing Packet Capture Performance. Andrew Brown

SIDN Server Measurements

Job Reference Guide. SLAMD Distributed Load Generation Engine. Version 1.8.2

Key Components of WAN Optimization Controller Functionality

Intel DPDK Boosts Server Appliance Performance White Paper

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

D1.2 Network Load Balancing

MEASURING WIRELESS NETWORK CONNECTION QUALITY

IP SAN Best Practices

The Lagopus SDN Software Switch. 3.1 SDN and OpenFlow. 3. Cloud Computing Technology

Datacenter Operating Systems

Architecture Overview

ReadyNAS Remote White Paper. NETGEAR May 2010

MAGENTO HOSTING Progressive Server Performance Improvements

IP - The Internet Protocol

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Transport Layer Protocols

Question: 3 When using Application Intelligence, Server Time may be defined as.

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers

Barracuda Networks Web Application Firewall

MEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM?

SAN Conceptual and Design Basics

Allocating Network Bandwidth to Match Business Priorities

IP SAN BEST PRACTICES

Achieving Mainframe-Class Performance on Intel Servers Using InfiniBand Building Blocks. An Oracle White Paper April 2003

IMPLEMENTING GREEN IT

Ethernet. Ethernet. Network Devices

Performance Guideline for syslog-ng Premium Edition 5 LTS

Protocols. Packets. What's in an IP packet

Chapter 14 Analyzing Network Traffic. Ed Crowley

Using MySQL for Big Data Advantage Integrate for Insight Sastry Vedantam

Log Management with Open-Source Tools. Risto Vaarandi SEB Estonia

Chapter 3. TCP/IP Networks. 3.1 Internet Protocol version 4 (IPv4)

NAS 272 Using Your NAS as a Syslog Server

Chapter 3. Internet Applications and Network Programming

Quality of Service (QoS)) in IP networks

Network Attached Storage. Jinfeng Yang Oct/19/2015

Quantifying the Performance Degradation of IPv6 for TCP in Windows and Linux Networking

How To Monitor And Test An Ethernet Network On A Computer Or Network Card

Network Performance Optimisation and Load Balancing. Wulf Thannhaeuser

SNARE Agent for Windows v Release Notes

Dell PowerVault MD Series Storage Arrays: IP SAN Best Practices

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

IBM Tivoli Composite Application Manager for Microsoft Applications: Microsoft Internet Information Services Agent Version Fix Pack 2.

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

Measure wireless network performance using testing tool iperf

Netflow Overview. PacNOG 6 Nadi, Fiji

Frequently Asked Questions

Large-Scale TCP Packet Flow Analysis for Common Protocols Using Apache Hadoop

Performance of Software Switching

Monitoring PostgreSQL database with Verax NMS

Tue Apr 19 11:03:19 PDT 2005 by Andrew Gristina thanks to Luca Deri and the ntop team

Scalable Internet Services and Load Balancing

A Packet Forwarding Method for the ISCSI Virtualization Switch

High-Speed TCP Performance Characterization under Various Operating Systems

Scalable Internet Services and Load Balancing

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Transparent Optimization of Grid Server Selection with Real-Time Passive Network Measurements. Marcia Zangrilli and Bruce Lowekamp

Research Report: The Arista 7124FX Switch as a High Performance Trade Execution Platform

Transformation of honeypot raw data into structured data

Access Control: Firewalls (1)

Self-Adapting Load Balancing for DNS

Solving Monitoring Challenges in the Data Center

Application Compatibility Best Practices for Remote Desktop Services

Measuring IP Performance. Geoff Huston Telstra

Benchmarking Cassandra on Violin

Wireshark in a Multi-Core Environment Using Hardware Acceleration Presenter: Pete Sanders, Napatech Inc. Sharkfest 2009 Stanford University

Course Title: Penetration Testing: Security Analysis

The installation of pylon for Linux is described in the INSTALL text document.

Network Layer: Network Layer and IP Protocol

Capturing Network Traffic With Wireshark

Sockets vs. RDMA Interface over 10-Gigabit Networks: An In-depth Analysis of the Memory Traffic Bottleneck

Lab VI Capturing and monitoring the network traffic

SO_REUSEPORT Scaling Techniques for Servers with High Connection Rates. Ying Cai

Tomcat Tuning. Mark Thomas April 2009

Internet Measurement Research

Proxy Server, Network Address Translator, Firewall. Proxy Server

point to point and point to multi point calls over IP

Log Management with Open-Source Tools. Risto Vaarandi rvaarandi 4T Y4H00 D0T C0M

Internet Control Protocols Reading: Chapter 3

Linux Virtual Server Tutorial

DOMAIN NAME SECURITY EXTENSIONS

Telematics. 14th Tutorial - Proxies, Firewalls, P2P

COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

Wireshark Tutorial INTRODUCTION

Revisiting Software Zero-Copy for Web-caching Applications with Twin Memory Allocation

Indian Institute of Technology Kharagpur. TCP/IP Part I. Prof Indranil Sengupta Computer Science and Engineering Indian Institute of Technology

Transcription:

: high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

URL http://.info Documentation Presentations Tutorials Mailing list Downloads Code repositories Slide 2 of 42

Simplified DNS overview Slide 3 of 42

Query logging Slide 4 of 42

Query logging Log information about DNS queries: Client IP address Question name Question type Other related information? EDNS options DNSSEC status Cache miss or cache hit? May have to look at both queries and responses. Slide 5 of 42

Query logging DNS server generates log messages in the normal course of processing requests. Reputed to impact performance significantly. Typical implementation: Parse the request. Format it into a text string. Send to syslog or write to a log file. Slide 6 of 42

Query logging Implementation issues that affect performance: Transforming the query into a text string takes time. Memory copies, format string parsing, etc. Writing the log message using synchronous I/O in the worker thread. Using syslog instead of writing log files directly. syslog() takes out a process-wide lock and does a blocking, unbuffered write for every log message. Using stdio to write log files. printf(), fwrite(), etc. take out a lock on the output stream. Slide 7 of 42

Query logging Do it with packet capture instead: Eliminates the performance issues. But, can't replicate state that doesn't appear directly in the packet. E.g., whether the request was served from the cache. What if the performance issues in the server software were fixed? Slide 8 of 42

Passive DNS replication Slide 9 of 42

Passive DNS replication Deployment options: (1) Below the recursive (2) Above the recursive Slide 10 of 42

Passive DNS replication Log information about zone content: Record name Record type Record data Nameserver IP address Slide 11 of 42

Passive DNS replication Typical implementation: Capture the DNS response packets at the recursive DNS server. Reassemble the DNS response messages from the packets. Extract the DNS resource records contained in the response messages. Low to no performance impact. Slide 12 of 42

Passive DNS replication Issues: Discard out-of-bailiwick records. Discard spoofed UDP responses. UDP fragment, TCP stream reassembly. UDP checksum verification. But, the DNS server and its networking stack are already doing these things... Slide 13 of 42

Insights Query logging: Passive DNS replication: Make it faster by eliminating bottlenecks like text formatting and synchronous I/O. Avoid complicated state reconstruction issues by capturing messages instead of packets. Support both use cases with the same generic mechanism. Slide 14 of 42

Add a lightweight message duplication facility directly into the DNS server. Verbatim wire-format DNS messages with context. Use a fast logging implementation that doesn't degrade performance. Circular queues. Asynchronous, buffered I/O. Prefer to drop log payloads instead of blocking the server under load. Slide 15 of 42

: message duplication DNS server has internal message buffers: Receiving a query. Sending a query. Receiving a response. Sending a response. Instrument the call sites in the server implementation so that message buffers can be duplicated and exported outside of the server process. Be able to enable/disable each logging site independently. Slide 16 of 42

: Message log format Currently 10 defined subtypes of Message : AUTH_QUERY AUTH_RESPONSE RESOLVER_QUERY RESOLVER_RESPONSE CLIENT_QUERY CLIENT_RESPONSE FORWARDER_QUERY FORWARDER_RESPONSE STUB_QUERY STUB_RESPONSE Slide 17 of 42

Slide 18 of 42

Slide 19 of 42

Query logging with Turn on AUTH_QUERY and/or CLIENT_QUERY message duplication. Optionally turn on AUTH_RESPONSE and/or CLIENT_RESPONSE. Connect a receiver to the DNS server. Slide 20 of 42

Query logging with Performance impact should be minimal. Full verbatim message content is available without text log parsing. Slide 21 of 42

Passive DNS replication with Turn on RESOLVER_RESPONSE message duplication. Connect a receiver to the DNS server. Slide 22 of 42

Passive DNS replication with Once inside the DNS server, the issues caused by being outside disappear. Out-of-bailiwick records: the DNS server already knows which servers are responsible for which zones. Spoofing: the DNS server already has its state table. Unsuccessful spoofs are excluded. TCP/UDP packet issues: already handled by the kernel and the DNS server. Slide 23 of 42

components Flexible, structured log format for DNS software. Helper libraries for adding support to DNS software. Patch sets that integrate support into existing DNS software. Capture tools for receiving messages from -enabled software. Slide 24 of 42

log format Encoded using Protocol Buffers. Compact Binary clean Backwards, forwards compatibility Implementations for numerous programming languages available Slide 25 of 42

Helper libraries fstrm: Frame Streams library. Encoding-agnostic transport. Adds ~1.5K LOC to the DNS server. protobuf-c: Protocol Buffers library. Transport-agnostic encoding. Adds ~2.5K LOC to the DNS server. Slide 26 of 42

integration Plans to add support to software that handles DNS messages: DNS servers: BIND, Unbound, Knot DNS, etc. Analysis tools: Wireshark, etc. Utilities: dig, kdig, drill, dnsperf, resperf More? Slide 27 of 42

integration Unbound DNS server with support. Supports the relevant Message types for a recursive DNS server: {CLIENT,RESOLVER,FORWARDER}_{QUERY_RESPONSE} Adds <1K LOC to the DNS server. Slide 28 of 42

capture tool Command-line tool/daemon for collecting log payloads. Print payloads. Save to log file. Retransmit over the network. Similar role to tcpdump, syslogd, or flow-tools. Slide 29 of 42

Benchmarks More of a microbenchmark. Meant to validate the architectural approach. Not meant to accurately characterize the performance of a -enabled DNS server under realistic load. Slide 30 of 42

Benchmarks One receiver: Intel(R) Xeon(R) CPU E3-1245 v3 @ 3.40GHz One sender: No HyperThreading, no SpeedStep, no Turbo Boost. Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz Intel Corporation I350 Gigabit Network Connection Sender and receiver directly connected via crossover cable. No switch, RX/TX flow control disabled. Slide 31 of 42

Benchmarks Linux 3.11/3.12. Defaults, no attempt to tune networking stack. trafgen used to generate identical UDP DNS questions with random UDP ports / DNS IDs. tc token bucket filter used to precisely vary the query load offered by the sender. mpstat used to measure system load on the receiver. ifpps used to measure packet RX/TX rates on the receiver. perf used for whole-system profiling. Slide 32 of 42

Benchmarks Offer particular DNS query loads in 25 Mbps steps. 25 Mbps, 50 Mbps,, 725 Mbps, 750 Mbps. Measure system load and responses/second at the receiver, where the DNS server is running. Most DNS benchmarks plot queries/second against response rate to characterize drop rates. Plotting responses/second can still reveal bottlenecks. Slide 33 of 42

Slide 34 of 42

Slide 35 of 42

Slide 36 of 42

Slide 37 of 42

Slide 38 of 42

Benchmark summary Three recursive DNS servers were tested: BIND 9.9.4, with and without query logging. Unbound 1.4.21, with and without query logging. Unbound with a patch logging incoming queries. Slide 39 of 42

Benchmark summary Unbound generally scaled better than BIND 9. Both DNS servers implement query logging in a way that significantly impacts performance. added some overhead, but scaled well. Slide 40 of 42

Future work Additional logging payload types: DNS cache events: insertions, expirations, overwrites of individual resource records Patches to add support to more DNS software Not just DNS servers! More documentation More tools that can consume formatted data More benchmarking Specifications Slide 41 of 42

Summary Examined query logging and passive DNS replication. Introduced new technology that can support both use cases with an in-process message duplication facility. Slide 42 of 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information