
Alibaba Cloud DNS: Store Private DNS logs to Simple Log Service

Last Updated:Feb 12, 2025

Important

Simple Log Service (SLS) allows you to store logs only for regions and virtual private clouds (VPCs) for which the traffic analysis feature is enabled. The prerequisite for storing traffic analysis logs in SLS is that you have enabled the traffic analysis feature. If you disable the traffic analysis feature, no logs are stored in SLS. For more information, see the Enable traffic analysis section of the "Enable or disable traffic analysis" topic.

Scenarios

Enterprises store and analyze network logs to meet their business compliance and security requirements. Private DNS logs provide clear insights into Alibaba Cloud Domain Name System (DNS) requests for internal domain names, which helps enterprises efficiently audit user behavior on internal networks and identify potential security risks at the earliest opportunity.

What are Private DNS logs?

Private DNS logs record DNS requests sent from terminals that reside in all VPCs within an Alibaba Cloud account, and responses returned by DNS servers. The recorded information includes the regions from which the DNS requests are sent, VPC IDs, source IP addresses, destination IP addresses (addresses of the DNS servers), queried domain names, record types, and response results. Domain names queried by terminals can be built-in authoritative domain names configured in Private DNS and public domain names. The Private DNS log feature is integrated with Log Audit Service of SLS. You can enable the Private DNS log feature to quickly and easily collect, manage, query, and analyze Private DNS logs across accounts and regions in a centralized manner.

Private DNS logs record DNS requests sent from terminals in VPCs for the following types of domain names and responses returned by DNS servers:

1. Domain names in built-in authoritative zones

Private DNS is a private domain name resolution and management service in VPCs. You can use Private DNS to map private domain names to IP addresses in one or more VPCs. Private DNS allows you to access Alibaba Cloud resources including Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets in VPCs by using private domain names. However, you cannot use private domain names outside VPCs. You can also connect your VPCs to on-premises data centers over Express Connect circuits or VPN gateways. This way, you can share resources between on-premises data centers and VPCs by using private domain names.

2. Domain names of cloud service instances configured on the DNS of the Apsara system

All domain names of Alibaba Cloud service instances are resolved by using the DNS of the Apsara system.

3. External domain names for which requests are forwarded to your internal DNS servers

In most cases, your internal DNS servers are the DNS servers on your internal network in your data center. When Private DNS receives a VPC DNS request for a domain name that is configured to be forwarded to your internal DNS servers, the forward module forwards the DNS request to your internal DNS servers. This way, ECS instances in an Alibaba Cloud VPC can access the domain names of applications in your data center.

4. Public domain names on authoritative DNS servers

Public authoritative DNS servers are the name servers to which a domain name registrar delegates a public domain name, such as example.com. Authoritative servers exist at every level of the namespace (the root, top-level domains, and the domains below them), and each one answers only for the zones it hosts: a query for a name outside those zones is refused rather than resolved on the client's behalf.

Parameters of Private DNS logs

1. Parameters of DNS request logs

Parameter

Description

Example

dns_msg_flags

The flags of the DNS message. Valid values:

  • QR: A value of 0 indicates that the message is a request from the terminal. A value of 1 indicates that the message is a response from the server.

  • RD: A value of 0 indicates that the client does not request recursion. A value of 1 indicates that the client asks the DNS server to resolve the name recursively on its behalf.

  • AA: A value of 1 indicates that the response comes from a DNS server that is authoritative for the queried domain name. A value of 0 indicates that the responding server is not authoritative for the name, for example because the answer was served from cache.

  • TC: A value of 0 indicates that the message is not truncated. A value of 1 indicates that the message was truncated because it exceeded the size limit of the transport, and the client should retry over TCP.

  • AD: A value of 1 indicates that the responding DNS server performed DNS Security Extensions (DNSSEC) validation and that all records in the answer and authority sections were authenticated. A value of 0 indicates that the data was not authenticated, either because the server did not validate it or because validation was not possible. A client that sets AD in a request signals that it understands the AD bit and wants the recursive server to report validation results in the response.

  • CD: A value of 0 indicates that the DNS server validates DNSSEC signatures and returns an error, typically SERVFAIL, if validation fails. A value of 1 (checking disabled) instructs the server to return the data even if it was not validated or failed validation, so that the client can validate it itself.

RD

dns_msg_id

The 16-bit ID of the DNS message. The client chooses the ID and the server echoes it in the response, so the same value appears in a request log and in the matching response log. The ID is unique only per client and only for a short window; to pair a request with its response reliably, match dns_msg_id together with the client address and port (src_addr and src_port in request logs, dst_addr and dst_port in response logs) and query_name.

30914

dst_addr

The destination IP address.

100.100.2.136

dst_port

The destination port.

53

ecs_hostname

The hostname of the ECS instance.

iZbp1b1mx9fhe34k*****

ecs_id

The ID of the ECS Instance.

i-bp1b1mx9fhe34kh****

module_type

The type of the module. The value is fixed to GLOBAL, which indicates global logs.

GLOBAL

query_name

The queried domain name.

www.example.com.

query_type

The type of the queried DNS record. Valid values: A, AAAA, CNAME, TXT, and MX.

A

region_id

The region ID.

cn-shanghai

src_addr

The source IP address.

192.168.0.1

src_port

The source port.

42071

transport

The transmission protocol.

UDP

user_id

The ID of the Alibaba Cloud account.

139749398683****

vpc_id

The VPC ID.

vpc-bp1eyy43516itw78****

edns

The Extension Mechanisms for DNS.

"flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24"

2. Parameters of global response logs

Parameter

Description

Example

answer_rrset

The resource records in the response.

Json array:

["www.example.com. 600 A 192.168.1.1", "www.example.com. 600 A 192.168.1.2"]

authority_rrset

The DNS records in the built-in authoritative module.

Json array:

["example.com. 600 SOA ns1.example.com. hostmaster.example.com. 2023010101 3600 1200 3600 360" ]

additional_rrset

The additional resource records.

Json array:

["ns1.example.com. 600 A 100.100.2.136"]

dns_msg_flags

The flags of the DNS message. Valid values:

  • QR: A value of 0 indicates that the message is a request from the terminal. A value of 1 indicates that the message is a response from the server.

  • RD: A value of 0 indicates that the client does not request recursion. A value of 1 indicates that the client asks the DNS server to resolve the name recursively on its behalf.

  • AA: A value of 1 indicates that the response comes from a DNS server that is authoritative for the queried domain name. A value of 0 indicates that the responding server is not authoritative for the name, for example because the answer was served from cache.

  • TC: A value of 0 indicates that the message is not truncated. A value of 1 indicates that the message was truncated because it exceeded the size limit of the transport, and the client should retry over TCP.

  • AD: A value of 1 indicates that the responding DNS server performed DNSSEC validation and that all records in the answer and authority sections were authenticated. A value of 0 indicates that the data was not authenticated, either because the server did not validate it or because validation was not possible.

  • CD: A value of 0 indicates that the DNS server validates DNSSEC signatures and returns an error, typically SERVFAIL, if validation fails. A value of 1 (checking disabled) instructs the server to return the data even if it was not validated or failed validation, so that the client can validate it itself.

QR

dns_msg_id

The 16-bit ID of the DNS message. The server echoes the ID that the client chose, so the same value appears in the request log and in this response log. The ID is unique only per client and only for a short window; to pair a response with its request reliably, match dns_msg_id together with the client address and port (dst_addr and dst_port here, src_addr and src_port in the request log) and query_name.

30914

dst_addr

The destination IP address.

192.168.0.1

dst_port

The destination port.

42071

ecs_hostname

The hostname of the ECS instance.

iZbp1b1mx9fhe34k*****

ecs_id

The ID of the ECS Instance.

i-bp1b1mx9fhe34kh****

module_type

The type of the module. The value is fixed to GLOBAL, which indicates global logs.

GLOBAL

query_name

The queried domain name.

www.example.com.

query_type

The type of the queried DNS record. Valid values: A, AAAA, CNAME, TXT, and MX.

A

rcode

The response code. Valid values:

  • 0: NOERROR, which indicates that no error occurred during DNS resolution.

  • 1: FORMERR, which indicates that the DNS server cannot resolve the DNS request due to the invalid format of the DNS request.

  • 2: SERVFAIL, which indicates that the DNS resolution failed because an internal error occurred in the DNS server or the DNS response timed out.

  • 3: NXDOMAIN, which indicates that the DNS resolution failed because the queried domain name does not exist.

  • 4: NOTIMP, which indicates that the DNS server does not support the specified operation code.

  • 5: REFUSED, which indicates that the DNS resolution failed because the DNS server refused to respond to the DNS request due to policies or for security reasons.

0

region_id

The region ID.

cn-shanghai

resolve_path

The resolution path. This parameter is available only in global response logs. The value consists of five placeholders separated by commas (,), which indicate, in order, the authoritative acceleration, authoritative regular, cache, forward, and recursion modules.

If a placeholder is 1, the module took part in the resolution.

If a placeholder is 0, the module did not take part.

If the resolution follows a CNAME chain (a domain name points to another domain name, which in turn points to another), more than one placeholder can be 1, because each step of the chain may be handled by a different module.

1,0,0,0,0

rt

The response latency.

  • The global response latency indicates the interval between the time when the terminal sends the request and the time when the terminal receives a response.

  • The response latency for module logs indicates the interval between request receiving and responding in each module.

10ms

src_addr

The source IP address.

100.100.2.136

src_port

The source port.

53

transport

The transmission protocol.

UDP

user_id

The ID of the Alibaba Cloud account.

139749398683****

vpc_id

The VPC ID.

vpc-bp1eyy43516itw78****

edns

The Extension Mechanisms for DNS.

"flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24"

3. Parameters of module response logs

Parameter

Description

Example

answer_rrset

The resource records in the response.

Json array:

["www.example.com. 600 A 192.168.1.1", "www.example.com. 600 A 192.168.1.2"]

authority_rrset

The DNS records in the built-in authoritative module.

Json array:

["example.com. 600 SOA ns1.example.com. hostmaster.example.com. 2023010101 3600 1200 3600 360" ]

additional_rrset

The additional resource records.

Json array:

["ns1.example.com. 600 A 100.100.2.136"]

dns_msg_id

The 16-bit ID of the DNS message. The same value appears in the request log, the global response log, and every module response log for one resolution. The ID is unique only per client and only for a short window; to correlate logs reliably, match dns_msg_id together with the client address and port and query_name.

30914

dst_addr

The destination IP address.

100.100.2.136

dst_port

The destination port.

53

ecs_hostname

The hostname of the ECS instance.

iZbp1b1mx9fhe34k*****

ecs_id

The ID of the ECS Instance.

i-bp1b1mx9fhe34kh****

module_type

The type of the module that produced this response log. Valid values:

  • AUTH_FAST: the authoritative acceleration module

  • AUTH_SLOW: the authoritative regular module

  • FORWARD: the forward module

  • CACHE: the cache module

  • RECURSION: the recursion module

AUTH_FAST

query_name

The queried domain name.

www.example.com.

query_type

The type of the queried DNS record. Valid values: A, AAAA, CNAME, TXT, and MX.

A

rcode

The response code. Valid values:

  • 0: NOERROR, which indicates that no error occurred during DNS resolution.

  • 1: FORMERR, which indicates that the DNS server cannot resolve the DNS request due to the invalid format of the DNS request.

  • 2: SERVFAIL, which indicates that the DNS resolution failed because an internal error occurred in the DNS server or the DNS response timed out.

  • 3: NXDOMAIN, which indicates that the DNS resolution failed because the queried domain name does not exist.

  • 4: NOTIMP, which indicates that the DNS server does not support the specified operation code.

  • 5: REFUSED, which indicates that the DNS resolution failed because the DNS server refused to respond to the DNS request due to policies or for security reasons.

0

region_id

The region ID.

cn-shanghai

rt

The response latency.

  • The global response latency indicates the interval between the time when the terminal sends the request and the time when the terminal receives a response.

  • The response latency for module logs indicates the interval between request receiving and responding in each module.

1ms

src_addr

The source IP address.

192.168.0.1

src_port

The source port.

42071

transport

The transmission protocol.

UDP

user_id

The ID of the Alibaba Cloud account.

139749398683****

vpc_id

The VPC ID.

vpc-bp1eyy43516itw78****

edns

The Extension Mechanisms for DNS.

"flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24"

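The following Python example is added here to show how the fields defined in the three tables above fit together; it is not Alibaba Cloud code and is not shipped with SLS. It decodes dns_msg_flags, resolve_path, rcode, the edns string, and the *_rrset entries of one constructed global response log assembled from the example values in the tables. Two things are assumptions of this example rather than facts from the page: that dns_msg_flags lists every set flag separated by spaces (the tables show only single-flag examples such as "RD" and "QR"), and the helper names (parse_flags, decode_resolve_path, rcode_name, parse_edns, parse_rr, summarize_response), which are the example's own.

```python
"""Decode a Private DNS log record using the field definitions in the tables above."""
from __future__ import annotations

import re

# Flag names as they appear in dns_msg_flags (RFC 1035 / RFC 4035 header bits).
FLAG_NAMES = {"QR", "AA", "TC", "RD", "RA", "AD", "CD"}
# Placeholder order of resolve_path, as documented for global response logs.
RESOLVE_PATH_MODULES = ("AUTH_FAST", "AUTH_SLOW", "CACHE", "FORWARD", "RECURSION")
# rcode values documented on this page, with their standard names.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Constructed sample global response log, assembled from the example values in the
# tables above. The multi-flag value "QR RD AA" is an assumption about the format.
SAMPLE_RESPONSE = {
    "module_type": "GLOBAL", "dns_msg_flags": "QR RD AA", "dns_msg_id": 30914,
    "query_name": "www.example.com.", "query_type": "A", "rcode": 0,
    "resolve_path": "1,0,0,0,0", "rt": "10ms",
    "answer_rrset": ["www.example.com. 600 A 192.168.1.1",
                     "www.example.com 600 A 192.168.1.2"],
    "edns": "flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24",
    "src_addr": "100.100.2.136", "src_port": 53, "dst_addr": "192.168.0.1",
    "dst_port": 42071, "vpc_id": "vpc-bp1eyy43516itw78****", "region_id": "cn-shanghai",
}


def parse_flags(value: str) -> frozenset[str]:
    """Split a dns_msg_flags value such as "QR RD" into flag names (space- or
    comma-separated is assumed; the page shows only single-flag examples)."""
    flags = {tok.upper() for tok in re.split(r"[\s,]+", value.strip()) if tok}
    unknown = flags - FLAG_NAMES
    if unknown:
        raise ValueError(f"unknown DNS flag(s): {sorted(unknown)}")
    return frozenset(flags)


def decode_resolve_path(value: str) -> list[str]:
    """Map "1,0,0,0,0" to the names of the modules that took part in resolution."""
    bits = [b.strip() for b in value.split(",")]
    if len(bits) != len(RESOLVE_PATH_MODULES) or any(b not in ("0", "1") for b in bits):
        raise ValueError(f"malformed resolve_path: {value!r}")
    return [name for name, bit in zip(RESOLVE_PATH_MODULES, bits) if bit == "1"]


def rcode_name(code: int | str) -> str:
    """Name an rcode; codes outside the documented set are reported, not hidden."""
    code = int(code)
    return RCODE_NAMES.get(code, f"RCODE{code}")


def parse_edns(value: str) -> dict[str, object]:
    """Parse "flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24" into a dict.
    Tokens ending in ':' are keys; the tokens up to the next key are the value."""
    groups: dict[str, list[str]] = {}
    key = None
    for tok in value.strip().strip('"').split():
        if tok.endswith(":"):
            key = tok[:-1].lower().replace("-", "_")
            groups[key] = []
        elif key is not None:
            groups[key].append(tok)
    parsed: dict[str, object] = {}
    for k, vals in groups.items():
        if k == "udp":
            parsed[k] = int(vals[0]) if vals else None  # advertised UDP payload size
        elif k == "flags":
            parsed[k] = vals                            # e.g. ["DO"]: DNSSEC OK bit
        else:
            parsed[k] = " ".join(vals)
    return parsed


def parse_rr(entry: str) -> tuple[str, int, str, str]:
    """Split one *_rrset entry into (owner, ttl, type, rdata). The owner name gets a
    trailing dot because the examples above use both forms."""
    parts = entry.split(maxsplit=3)
    if len(parts) != 4:
        raise ValueError(f"malformed resource record: {entry!r}")
    name, ttl, rtype, rdata = parts
    return name.rstrip(".").lower() + ".", int(ttl), rtype.upper(), rdata


def summarize_response(record: dict) -> dict:
    """Reduce a raw response log to the facts an analyst looks at first."""
    flags = parse_flags(record["dns_msg_flags"])
    if record.get("module_type") == "GLOBAL":
        path = decode_resolve_path(record["resolve_path"])  # global log: bitmap
    else:
        path = [record["module_type"]]                       # module log: one module
    answers = [parse_rr(e) for e in record.get("answer_rrset", [])]
    return {
        "is_response": "QR" in flags,
        "authoritative": "AA" in flags,
        "dnssec_validated": "AD" in flags,
        "truncated": "TC" in flags,
        "rcode": rcode_name(record["rcode"]),
        "path": path,
        "answers": [(rtype, rdata) for _, _, rtype, rdata in answers],
        "client_subnet": parse_edns(record.get("edns", "")).get("client_subnet"),
    }
```

Malformed values raise rather than being silently skipped: a resolve_path with the wrong number of placeholders or an unknown flag name usually means the log schema changed, and a detection built on top of it should fail loudly instead of reporting "no findings".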
Log audit service for Private DNS

1. What is Log Audit Service?

Log Audit Service is a logging application in Simple Log Service. In addition to the capabilities of SLS, Log Audit Service provides powerful multi-account management and cross-region log collection. You can use resource directories to organize and unify the management and storage of cloud service logs from multiple accounts.

2. Enable collection of Private DNS logs in Log Audit Service

  1. Log on to the Log Audit Service console.

  2. On the Global Configurations page, select a region from the Region of Central Project drop-down list such as cn-hangzhou and enable the Intranet Private DNS Log. For more information, see Enable log collection.

    [Figure: Global Configurations page of the Log Audit Service console with Intranet Private DNS Log enabled]

3. Regions that support log audit service for Private DNS

Log Audit Service for Private DNS is available in the following regions: China (Shanghai), China (Beijing), China (Guangzhou), China (Shenzhen), China (Hangzhou), China (Qingdao), China (Zhangjiakou), Singapore, China (Hong Kong), and China South 1 Finance. If you want to use Log Audit Service for Private DNS in other regions, submit a ticket to the R&D center, which decides whether to release the feature to more regions after a comprehensive evaluation.

Multi-account configurations

Log Audit Service provides powerful cross-account log collection capabilities that you can use to collect Private DNS logs of member accounts and store them in a central project of an Alibaba Cloud account. This facilitates centralized log management. Log Audit Service supports two modes for multi-account log collection and management:

  • Resource directory mode

  • Custom authentication mode

For more information, see Collect cloud service logs from multiple accounts.

Log collection configuration based on Terraform

Terraform provides an easy-to-use command-line interface (CLI) that allows you to deploy configuration files on the workloads of Alibaba Cloud services or third-party cloud services, and manage the versions of the configuration files. For more information about how to use Terraform to configure log collection in Log Audit Service, see Use Terraform to configure Log Audit Service.

The following sample code provides an example on how to use Terraform to collect Private DNS logs:

resource "alicloud_log_audit" "dns_example" {
  display_name = "tf-audit-test-dns"
  aliuid       = "1480************" // The Alibaba Cloud account that owns the central project in which logs are stored.
  variable_map = {
    "dns_intranet_enabled" = "true" // Enable the collection of Private DNS logs.
    "dns_sync_enabled"     = "true" // Synchronize logs from the regional project to the central project.
    "dns_intranet_ttl"     = "3"    // Retain logs in the regional project for 3 days.
    "dns_sync_ttl"         = "185"  // Retain logs in the central project for 185 days.
    // Collect only the Private DNS logs of VPCs whose env tag has the value prod and drop everything else.
    // The policy is one rule per line; the quotes inside the HCL string are escaped with a backslash.
    "dns_intranet_collection_policy" = "accept tag.env == \"prod\"\ndrop \"*\""
  }
  multi_account = ["1039************"] // Member accounts whose Private DNS logs are collected into the central project.
}

Log collection policies

Log Audit Service allows you to implement fine-grained collection and management of Private DNS logs. The smallest unit of collection is a single VPC.

You can manage and configure collection policies in the Log Audit Service console. The following figure shows a log collection policy that enables the collection of Private DNS logs for all VPCs that have a tag value of prod for the env tag key. You can configure collection policies to implement fine-grained collection management and reduce unnecessary log collection.

[Figure: log collection policy in the Log Audit Service console that accepts VPCs tagged env = prod]

Best practices for log query and analysis

This section provides common scenarios of Private DNS log query and analysis. You can use custom query and analysis statements to meet your business requirements. You can also add SQL query results to the dashboard, save query statements as saved searches, and save results as alerts to facilitate subsequent query and analysis operations.

1. DNS resolution results

Query the distribution of DNS requests for domain names on a VPC within a specific period of time.

* and vpc_id: "vpc-2ze9dducyc3t6p8aeksb3" | select count(*) as total_req, query_name group by query_name order by total_req desc


2. RTT data of DNS resolution

Query the round-trip time (RTT) of DNS requests of a specific query type for a domain name from a VPC within a specific period of time. A request and its response share a dns_msg_id, so the spread between the earliest and the latest __time__ value that carries the same ID approximates the RTT. Two caveats apply: __time__ has one-second resolution, so read the rt field of the response log when you need millisecond precision, and a 16-bit message ID repeats across clients, so also group by the client address and port when more than one terminal in the VPC is active.

* and vpc_id: "vpc-2ze9dducyc3t6p8aeksb3" and query_name: "metrichub-cn-beijing.aliyun.com." and query_type: A | select max(__time__) - min(__time__) as RT, dns_msg_id group by dns_msg_id

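As an added example that is not Alibaba Cloud code, the following Python reproduces the two queries above over a constructed set of global response logs that use the field names from the parameter tables, and then goes one step beyond the page with two detections that Private DNS logs are commonly used for: clients with a high NXDOMAIN ratio (domain-generation algorithms, sinkholed malware, broken search paths) and queries whose labels are long enough to suggest DNS tunnelling. The sample records, the two thresholds, and the function names (query_distribution, rtt_stats, nxdomain_sources, long_label_queries) are all this example's own; the tunnelling-style name is assembled in code and the VPC ID is the one from the queries above.

```python
"""Detections over Private DNS global response logs (added example)."""
from __future__ import annotations

from collections import Counter

VPC = "vpc-2ze9dducyc3t6p8aeksb3"            # the VPC ID used in the queries above
METRICHUB = "metrichub-cn-beijing.aliyun.com."
# Constructed 70-character first label, the shape DNS tunnelling clients produce.
TUNNEL_NAME = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q" * 2 + ".t.example.org."


def _resp(client, msg_id, name, qtype="A", rcode=0, rt="10ms"):
    """Constructed global response log with the page's field names. In a response
    log the client is dst_addr/dst_port and the resolver 100.100.2.136:53 is the source."""
    return {"module_type": "GLOBAL", "vpc_id": VPC, "region_id": "cn-beijing",
            "src_addr": "100.100.2.136", "src_port": 53, "dst_addr": client,
            "dst_port": 42071, "dns_msg_id": msg_id, "query_name": name,
            "query_type": qtype, "rcode": rcode, "rt": rt}


SAMPLE_RESPONSES = [
    _resp("192.168.0.1", 30914, METRICHUB, rt="10ms"),
    _resp("192.168.0.1", 30915, METRICHUB, rt="14ms"),
    _resp("192.168.0.1", 30916, "www.example.com."),
    _resp("192.168.0.7", 1001, "ab3k9xq.example.net.", rcode=3),  # 3 = NXDOMAIN
    _resp("192.168.0.7", 1002, "q8zt2mv.example.net.", rcode=3),
    _resp("192.168.0.7", 1003, "kd71pla.example.net.", rcode=3),
    _resp("192.168.0.7", 1004, "www.example.com."),
    _resp("192.168.0.9", 2001, TUNNEL_NAME, qtype="TXT", rt="120ms"),
]


def rt_ms(value) -> float:
    """Convert the rt field ("10ms") to milliseconds as a number."""
    text = str(value).strip().lower()
    return float(text[:-2] if text.endswith("ms") else text)


def query_distribution(records, vpc_id):
    """Request count per domain name in one VPC (the first query above, in code).
    Names are lower-cased because DNS is case-insensitive (0x20 randomisation)."""
    counts = Counter(r["query_name"].lower() for r in records if r["vpc_id"] == vpc_id)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def rtt_stats(records, vpc_id, query_name, query_type="A"):
    """Latency of one name and type, taken from the response log's rt field
    rather than from the one-second __time__ stamps (the second query above)."""
    rts = [rt_ms(r["rt"]) for r in records
           if r["vpc_id"] == vpc_id and r["query_type"] == query_type
           and r["query_name"].lower() == query_name.lower()]
    if not rts:
        return None
    return {"count": len(rts), "avg_ms": sum(rts) / len(rts), "max_ms": max(rts)}


def nxdomain_sources(records, min_queries=3, min_ratio=0.5):
    """Clients with a high NXDOMAIN share: DGA beaconing, sinkholed malware or a
    broken search path. The thresholds are assumptions to tune per estate."""
    total, nx = Counter(), Counter()
    for r in records:
        client = r["dst_addr"]                 # client address in a response log
        total[client] += 1
        if int(r["rcode"]) == 3:
            nx[client] += 1
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}


def long_label_queries(records, max_label=40, types=("TXT", "NULL", "CNAME")):
    """Queries whose longest label exceeds max_label, for record types that can carry
    arbitrary data: the classic DNS-tunnelling shape. The limit is an assumption."""
    hits = []
    for r in records:
        if r["query_type"] in types:
            longest = max(len(label) for label in r["query_name"].split("."))
            if longest > max_label:
                hits.append((r["dst_addr"], r["query_name"]))
    return hits
```

In production the same logic belongs in an SLS query or alert rule rather than in a script that downloads the logs, but writing it out once makes the field choices explicit: the client of a response log is dst_addr, not src_addr, and rt already carries the latency that the __time__ difference only approximates.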