Alibaba Cloud DNS:Store private zone resolution logs in SLS

Use cases

For compliance and security reasons, organizations are often required to store and analyze network logs. The private zone resolution log details how domain names are used within your private network. This helps you audit user activity and promptly identify potential security risks.

Private zone resolution logs

A private zone resolution log records DNS query and response activity from endpoints within all VPCs associated with a specific Alibaba Cloud account. Each log entry includes details such as the region, VPC ID, source IP address, destination IP address (DNS server address), queried domain name, record type, and response. The queried domains include both authoritative private domains configured in Private Zone and external public domains. To simplify log collection, management, and analysis in multi-account and multi-region scenarios, Alibaba Cloud DNS and SLS provide a one-click logging feature in the Log Audit application.

A private zone resolution log records domain name queries and responses from internal endpoints. The queried domain names fall into the following four categories:

1. Authoritative zone

Private Zone provides the service in the Alibaba Cloud VPC environment. This service lets you map custom private domain names to IP addresses in one or more VPCs. You can use these custom private domain names to manage Alibaba Cloud resources within your VPC, such as ECS hostnames, SLB instances, and OSS buckets. These private domain names are not accessible from outside the VPC. You can also connect your VPC to a traditional data center with a leased line or VPN. This enables resource sharing between your data center and VPC through private domain names.

2. Cloud product instance domain names

The cloud infrastructure DNS resolves all instance domain names from Alibaba Cloud products.

3. Forwarded external domain names

The forwarding feature forwards domain name resolution requests from a VPC to your data center's DNS system.

4. Recursively resolved public domain names

A public authoritative DNS server is a DNS server configured for a specific public domain name, such as "example.com", at a domain name registry or domain name registrar. These servers manage and resolve authoritative data for root domains, top-level domains, and other domain levels. A public authoritative DNS server resolves only the domain names that it manages and rejects requests for other domain names.

Private zone resolution log fields

1. Request log

2. Global response log

3. Module response log example

Private Zone log audit

1. What is an audit log

Log Audit Service is an application on the Alibaba Cloud Log Service SLS platform. It inherits all the features of Log Service SLS and provides powerful capabilities, such as multi-account management and cross-region collection of logs from various Alibaba Cloud products. The service also allows you to use Resource Directory to centrally and systematically manage and record log information for cloud product instances across multiple accounts.

2. Enabling Private Zone audit logs

1. Log on to the Log Audit application console.

2. On the Global Settings page, turn on the Log Audit switch for Private Zone and select the Central Project region, such as cn-hangzhou. For more information, see Enable log collection.

   

3. Other features

Cross-account collection

The powerful cross-account collection capability of Log Audit allows you to centrally collect Private Zone logs from member accounts into a central account in multi-account scenarios. Log Audit supports two types of multi-account management configurations:

• Resource Directory management mode

• Custom authentication management mode

For detailed configuration steps, see Collect multi-account cloud product logs.

Terraform

Terraform is an open-source tool that provides a command-line interface (CLI) for deploying and version-controlling configuration files on Alibaba Cloud or any other supported cloud. For detailed steps on how to use Terraform to configure log collection for cloud products in Log Audit, see Use Terraform to configure the Log Audit service.

The following example shows how to use Terraform to configure Private Zone log collection:

resource "alicloud_log_audit" "dns_example" {
	display_name = "tf-audit-test-dns"
	aliuid       = "1480************"  // The management account.
	variable_map = {
		"dns_intranet_enabled" = "true", // Enable collection of Private Zone logs.
		"dns_sync_enabled" = "true",     // Enable synchronization of regional logs to the central project.
		"dns_intranet_ttl" = "3",        // Storage period for regional logs: 3 days.
		"dns_sync_ttl" = "185"					 // Storage period for centralized logs: 185 days.
		"dns_intranet_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\"" // Enable Private Zone logs only for VPC instances with the tag env=test.
	  }  
	multi_account = ["1039************"] // Multi-account configuration.
  }

You can manage the collection of Private Zone logs with fine-grained control. The minimum collection granularity is a VPC instance, which allows you to control log collection for each VPC.

You can manage collection policies in the Log Audit console. The following figure shows an example of a policy configured to collect Private Zone logs only from VPC instances that have the tag key env and the tag value prod. By configuring collection policies, you can implement fine-grained collection management and reduce unnecessary log collection.

Log analysis best practices

The following are some common scenarios for querying and analyzing Private Zone logs. You can also create custom query and analysis statements based on your actual requirements. In addition, you can add the SQL query results to a dashboard, save them as a quick query, or create an alert from them for subsequent analysis and processing.

DNS resolution result types

The distribution of DNS requests for different domain names in a specified VPC during a specific time period.

* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 |select count(*) as total_req, query_name group by query_name

DNS resolution response time issues

Statistical analysis of DNS resolution response time for a specified VPC, domain name, and query type within a specific time period.

* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 and query_name: "metrichub-cn-beijing.aliyun.com." and query_type: A | select stddev(__time__) as RT, dns_msg_id GROUP by dns_msg_id

Resolution exception analysis

A customer's Alibaba Cloud ECS server experiences resolution anomalies when querying a domain. The customer enables private zone resolution logs and stores the relevant logs in SLS to further analyze the cause of the anomalies. The SLS log records may contain the following three types of logs: request log, global response log, and module response log.

The analysis process is as follows:

1. Use the src_port and dns_msg_id parameters to identify and filter all log entries for a single resolution request.

2. Use the following fields to distinguish between the three log types:

   1. rt: This field is empty for request logs.

   2. resolve_path: This field is empty for module response logs.

   3. This field is not empty for global response logs.

3. Example of an error result

   Based on the rules above, the first entry is a request log, the second is a module response log, and the third is a global response log.

   

   1. A client sends a DNS request for a recursive query.

   2. The request is sent to the recursive module, but resolution fails.

   3. The server at 100.100.2.136 returns a failure result to the client.

4. Example of a successful result

   

   1. A client sends a DNS request for a recursive query.

   2. The request is sent to the recursive module, and resolution succeeds.

   3. The server at 100.100.2.136 returns the resolution result to the client.