For VPCs with traffic analysis enabled, the system enables DNS log collection by default. Traffic analysis is billed based on the number of log entries generated.
Because module response logs are not final acknowledgement results, the order of source IP address and destination IP address in the logs is not swapped.
Domain name directly resolved to IP address through A or AAAA record types
Cloud terminal initiates 1 DNS query request that hits the built-in authoritative acceleration zone and obtains resolution results
This procedure generates 3 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 1 built-in authoritative acceleration zone response log (the log records the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
Cloud terminal initiates 1 DNS query request that hits the built-in authoritative normal zone and obtains resolution results
This procedure generates 3 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 1 built-in authoritative normal zone response log (the log records the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
Cloud terminal initiates 1 DNS query request that hits the cache module and obtains resolution results
This procedure generates 3 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 1 cache module response log (the log records the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
NoteThe cache module does not distinguish whether the resolution record is obtained from the built-in authoritative normal zone, forwarding, or recursion module and saved in the cache module. Correspondingly, the parsing logs generated when hitting the cache module are also not distinguished.
Cloud terminal initiates 1 DNS query request that hits the forwarding module and obtains resolution results from external DNS
This procedure generates 4 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), 1 forwarding module response log (the log records the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138), and 1 response log from external DNS to the outbound endpoint.
NoteAlthough the internal DNS prints the DNS response logs between the outbound endpoint and external DNS, users cannot view these logs in log transfer scenarios because SLS does not transfer these logs.
Request and response logs between 100.100.2.136/100.100.2.138 and the outbound endpoint are not recorded.
Cloud terminal DNS query request hits the recursion module and obtains resolution results from public DNS
This procedure generates 3 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 1 recursion module response log (the log records the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
NoteResolution logs between 100.100.2.136/100.100.2.138 and public authoritative DNS are not recorded.
Domain name first resolved to another domain name through CNAME record type, then resolved to IP address
This topic uses a single-level CNAME scenario as an example, such as
www.abc.com IN CNAME www.xyz.com,www.xyz.com IN A 192.168.1.1If the resolution process involves multi-level CNAME queries, each additional level of CNAME query will increase the final module hit logs: if hitting the built-in authoritative acceleration zone, built-in authoritative normal zone, cache, or recursion, the corresponding module logs will increase by 1. If hitting the forwarding module, the forwarding module logs will increase by 2.
Cloud terminal initiates 1 DNS query request, both CNAME and A records hit the built-in authoritative acceleration zone and obtain resolution results
This procedure generates 4 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 2 built-in authoritative acceleration zone response logs (the logs record the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
Cloud terminal initiates 1 DNS query request, both CNAME and A records hit the built-in authoritative normal zone and obtain resolution results
This procedure generates 4 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 2 built-in authoritative normal zone response logs (the logs record the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
Cloud terminal initiates 1 DNS query request, both CNAME and A records hit the cache module and obtain resolution results
This procedure generates 4 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 2 cache module response logs (the logs record the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
NoteThe cache module does not distinguish whether the resolution record is obtained from the built-in authoritative normal zone, forwarding, or recursion module and saved in the cache module. Correspondingly, the parsing logs generated when hitting the cache module are also not distinguished.
Cloud terminal initiates 1 DNS query request, both CNAME and A records hit the forwarding module and obtain resolution results from external DNS
This procedure generates 6 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), 2 forwarding module response logs (the logs record the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138), and 2 response logs from external DNS to the outbound endpoint.
NoteAlthough the internal DNS prints the DNS response logs between the outbound endpoint and external DNS, users cannot view these logs in log transfer scenarios because SLS does not transfer these logs.
Request and response logs between 100.100.2.136/100.100.2.138 and the outbound endpoint are not recorded.
Cloud terminal DNS query request hits the recursion module and obtains resolution results from public DNS
This procedure generates 4 parsing logs: 2 global traffic parsing logs (request and response logs from cloud terminal to 100.100.2.136/100.100.2.138), and 2 recursion module response logs (the logs record the source IP as the terminal IP and the destination IP as 100.100.2.136/100.100.2.138).
NoteResolution logs between 100.100.2.136/100.100.2.138 and public authoritative DNS are not recorded.