You can configure log storage only for regions and VPCs where network traffic analysis is enabled. By default, network traffic analysis is enabled for the log storage service. If you disable network traffic analysis, the log storage service does not receive any log data. For more information, see Enable or disable network traffic analysis.
Scenarios
For compliance and security purposes, companies often need to store and analyze network logs. Private zone logs provide a clear view of how internal domain names are used. This helps you audit user behavior and promptly identify potential security risks.
What are private zone resolution logs
Private zone resolution logs record DNS resolution requests and responses from endpoints in all VPCs under a specified Alibaba Cloud UID. These logs include details such as the request region, request VPC ID, source IP address, destination IP address (DNS endpoint), queried domain name, record type, and response result. The requested domain names include both authoritative domain names configured in PrivateZone and external public domain names. To help you quickly collect, manage, and centrally analyze private zone logs across multiple accounts and regions, Alibaba Cloud DNS and Simple Log Service (SLS) offer a one-click feature. You can enable this feature in the SLS Log Audit application.
Private zone logs record domain name resolution requests and responses from internal endpoints. The requested domain names primarily come from the following four categories:
1. Built-in authoritative domain names
Private zone resolution is a private DNS service based on the Alibaba Cloud virtual private cloud (VPC) environment. This service lets you map custom private domain names to IP addresses in one or more VPCs. You can use these custom private domain names to manage Alibaba Cloud resources within your VPC, such as ECS hostnames, SLB instances, and OSS buckets. These private domain names are not accessible from outside the VPC. You can also connect your VPC to a traditional data center using a leased line or VPN. This enables resource sharing between your data center and VPC through private domain names.
2. Cloud product instance domain names configured on the Apsara platform DNS (cloud infrastructure DNS)
The cloud infrastructure DNS is the internal DNS of the Alibaba Cloud Apsara platform. All instance domain names provided by Alibaba Cloud products are resolved by this DNS.
3. External domain names forwarded to an external DNS server
An external DNS server typically refers to the internal DNS system in your data center. The forwarding feature allows domain name resolution requests from a VPC to be forwarded to your data center's DNS system. This enables ECS hosts in an Alibaba Cloud VPC to access application domain names in your data center.
4. Public domain names recursively resolved by an external public authoritative DNS server
A public authoritative DNS server is a DNS server configured for a specific public domain name, such as "example.com", at a domain name registry or domain name registrar. These servers provide management and resolution services for the authoritative data of root domains, top-level domains, and other domain levels. A public authoritative DNS server resolves only the domain names that it manages and denies access to requests for other domain names.
Private zone resolution log fields
1. Request log example
Log field | Description | Example (for format reference only) |
dns_msg_flags | The DNS message flags. | RD |
dns_msg_id | The DNS message ID. This is the unique identifier for the DNS query. | 30914 |
dst_addr | The destination IP address. | 100.100.2.136 |
dst_port | The destination port. | 53 |
ecs_hostname | The ECS hostname. | iZbp1b1mx9fhe34k***** |
ecs_id | The ECS instance ID. | i-bp1b1mx9fhe34kh**** |
module_type | The module log type. Request logs are always global logs. | GLOBAL |
query_name | The queried domain name. | www.example.com. |
query_type | The record type of the query, such as A, AAAA, CNAME, TXT, or MX. | A |
region_id | The region. | cn-shanghai |
src_addr | The source IP address. | 192.168.0.1 |
src_port | The source port. | 42071 |
transport | The transport protocol. | UDP |
user_id | The Alibaba Cloud account ID. | 139749398683**** |
vpc_id | The VPC-connected instance ID. | vpc-bp1eyy43516itw78**** |
edns | The extension mechanisms for DNS (EDNS). This field may be included in query or response logs. | "flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24" |
2. Global response log example
Log field | Description | Example (for format reference only) |
answer_rrset | The answer resource record set. | JSON array: ["www.example.com. 600 A 192.168.1.1", "www.example.com. 600 A 192.168.1.2"] |
authority_rrset | The authority resource record set. | JSON array: ["example.com. 600 SOA ns1.example.com. hostmaster.example.com. 2023010101 3600 1200 3600 360"] |
additional_rrset | The additional resource record set. | JSON array: ["ns1.example.com. 600 A 100.100.2.136"] |
dns_msg_flags | The DNS message flags. | QR |
dns_msg_id | The DNS message ID. This is the unique identifier for the DNS query. | 30914 |
dst_addr | The destination IP address. | 192.168.0.1 |
dst_port | The destination port. | 42071 |
ecs_hostname | The ECS hostname. | iZbp1b1mx9fhe34k***** |
ecs_id | The ECS instance ID. | i-bp1b1mx9fhe34kh**** |
module_type | The module log type. | GLOBAL |
query_name | The queried domain name. | www.example.com. |
query_type | The record type of the query, such as A, AAAA, CNAME, TXT, or MX. | A |
rcode | The response status code. | 0 |
region_id | The region. | cn-shanghai |
resolve_path | The resolution path. This field appears only in global response logs. The path is a comma-separated string of five values. Each value corresponds to a module: authoritative acceleration zone, authoritative normal zone, cache module, forwarding module, and recursion module. A `1` means the query passed through the module. A `0` means the module was skipped. For multi-level CNAME lookups, multiple values can be `1`. | 1,0,0,0,0 |
rt | The response time (RT). | 10 ms |
src_addr | The source IP address. | 100.100.2.136 |
src_port | The source port. | 53 |
transport | The transport protocol. | UDP |
user_id | The Alibaba Cloud account ID. | 139749398683**** |
vpc_id | The VPC-connected instance ID. | vpc-bp1eyy43516itw78**** |
edns | The extension mechanisms for DNS (EDNS). This field may be included in query or response logs. | "flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24" |
3. Module response log example
Log field | Description | Example (for format reference only) |
answer_rrset | The answer resource record set. | JSON array: ["www.example.com. 600 A 192.168.1.1", "www.example.com. 600 A 192.168.1.2"] |
authority_rrset | The authority resource record set. | JSON array: ["example.com. 600 SOA ns1.example.com. hostmaster.example.com. 2023010101 3600 1200 3600 360"] |
additional_rrset | The additional resource record set. | JSON array: ["ns1.example.com. 600 A 100.100.2.136"] |
dns_msg_id | The DNS message ID. This is the unique identifier for the DNS query. | 30914 |
dst_addr | The destination IP address. | 100.100.2.136 |
dst_port | The destination port. | 53 |
ecs_hostname | The ECS hostname. | iZbp1b1mx9fhe34k***** |
ecs_id | The ECS instance ID. | i-bp1b1mx9fhe34kh**** |
module_type | The module log type. | AUTH_FAST |
query_name | The queried domain name. | www.example.com. |
query_type | The record type of the query, such as A, AAAA, CNAME, TXT, or MX. | A |
rcode | The response status code. | 0 |
region_id | The region. | cn-shanghai |
rt | The response time (RT). | 1 ms |
src_addr | The source IP address. | 192.168.0.1 |
src_port | The source port. | 42071 |
transport | The transport protocol. | UDP |
user_id | The Alibaba Cloud account ID. | 139749398683**** |
vpc_id | The VPC-connected instance ID. | vpc-bp1eyy43516itw78**** |
edns | The extension mechanisms for DNS (EDNS). This field may be included in query or response logs. | "flags: DO udp: 1408 CLIENT-SUBNET: 1.1.XX.XX/32/24" |
Private Zone log audit
1. What is log audit
Log Audit Service is an application on the Alibaba Cloud Simple Log Service (SLS) platform. It inherits all the features of SLS and provides powerful capabilities for multi-account management and cross-region log collection from various Alibaba Cloud products. It also supports using a resource directory to centrally manage and record log information from cloud product instances across multiple accounts.
2. Enable Private Zone log audit
The internal DNS log audit feature is currently available in the China (Shanghai), China (Beijing), China (Guangzhou), China (Shenzhen), China (Hangzhou), China (Qingdao), China (Zhangjiakou), Singapore, China (Hong Kong), and China (Shenzhen) Finance Cloud regions. If you need this feature in other regions, you can provide feedback to our product team by submitting a ticket. The product team will evaluate your request and decide whether to add support for the region.
Log on to the Log Audit Service console.
On the Global Configurations page, turn on the switch for private zone log auditing and select the Region of Central Project, such as cn-hangzhou. For more information, see Enable log collection.

3. Other features
Multi-account configuration
The powerful cross-account collection capability of Log Audit Service lets you collect private zone logs from member accounts into a central management account. Log Audit Service supports two modes for multi-account management:
Resource directory mode
Custom authorization mode
For more information, see Collect logs from cloud resources across Alibaba Cloud accounts.
Terraform configuration
Terraform is an open source tool. Its command-line interface (CLI) provides a simple method to deploy and version configuration files on Alibaba Cloud or any other supported cloud. For more information about how to configure log collection for cloud products using Log Audit Service and Terraform, see Configure Log Audit Service using Terraform.
The following code provides an example of how to configure private zone log collection using Terraform:
resource "alicloud_log_audit" "dns_example" {
  display_name = "tf-audit-test-dns"
  aliuid       = "1480************" // The management account.
  variable_map = {
    "dns_intranet_enabled"           = "true", // Enable the collection of private zone logs.
    "dns_sync_enabled"               = "true", // Enable synchronization of regional logs to the central project.
    "dns_intranet_ttl"               = "3",    // Regional log storage duration: 3 days.
    "dns_sync_ttl"                   = "185",  // Central log storage duration: 185 days.
    "dns_intranet_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\"" // Collect private zone logs only from VPC instances with the tag key env and tag value test; drop all others.
  }
  multi_account = ["1039************"] // Configure member accounts.
}
Collection policy
You can manage private zone log collection at a fine-grained level. The minimum collection granularity is the VPC-connected instance. This lets you control DNS log collection based on VPC-connected instance information.
You can configure collection policies in the Log Audit Service console. The following figure shows an example policy. This policy collects private zone logs only from VPC instances with the tag key `env` and tag value `prod`. By configuring collection policies, you can achieve fine-grained collection management and reduce unnecessary log collection.

Best practices for log analysis
This section provides examples of common query and analysis scenarios for private zone logs. You can also write custom analytic statements for your specific needs. In addition, you can add the results of SQL statements to a dashboard, save them as a saved search, or create an alert for further processing.
1. DNS resolution results
Analyze the distribution of DNS requests for different queried domain names in a specified VPC over a period of time.
* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 |select count(*) as total_req, query_name group by query_name
2. DNS resolution RT
Perform a statistical analysis of DNS resolution RT for a specified VPC, domain name, and query type over a period of time.
* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 and query_name: "metrichub-cn-beijing.aliyun.com." and query_type: A | select stddev(__time__) as RT, dns_msg_id GROUP by dns_msg_id
3. Analysis of resolution exceptions
If your Alibaba Cloud ECS server experiences domain name resolution exceptions, you can enable private zone resolution logs and store them in SLS to analyze the cause. SLS logs can contain three types of log entries: request logs, global response logs, and module response logs.
The analysis procedure is as follows:
Use the src_port and dns_msg_id fields to identify and filter all log entries that belong to a single resolution request. Then use the following fields to distinguish the three log types:
A request log has an empty rt field.
A module response log has an empty resolve_path field.
A global response log has both the rt and resolve_path fields populated.
Example of an abnormal result
Based on the preceding rules, the first entry is a request log, the second is a module response log, and the third is a global response log.

The client initiates a DNS resolution request and expects a recursive query.
A request is sent to the recursion module, but the module fails to resolve the domain name.
The server at 100.100.2.136 returns a failure result to the client.
Example of a normal result

The client initiates a DNS resolution request and expects a recursive query.
A request is sent to the recursion module, and the module successfully resolves the domain name.
The server at 100.100.2.136 returns the resolution result to the client.
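The analysis procedure above (filter by src_port and dns_msg_id, classify by rt and resolve_path, decode resolve_path into modules, check rcode) carried out in code. This is an added example, not Alibaba Cloud or SLS tooling. It assumes log entries arrive as JSON objects with the field names from the tables on this page, that rt is empty on request logs and resolve_path is empty on module response logs, and that the client's port appears as dst_port on global response logs (the global response table shows the source as 100.100.2.136:53 and the destination as the client). The six log lines are constructed, as is the module_type value RECURSION; rcode 2 is the standard DNS SERVFAIL status, which the page's examples do not show.

```python
"""Correlate Private Zone resolution log entries and flag failed lookups.
Added example, not Alibaba Cloud/SLS tooling: field names follow the tables
on this page; the sample log lines and the module_type "RECURSION" are
constructed (the page itself lists only GLOBAL and AUTH_FAST)."""
import json
from collections import defaultdict

# Order of the five flags in resolve_path, from the field description above.
RESOLVE_PATH_MODULES = (
    "authoritative acceleration zone",
    "authoritative normal zone",
    "cache module",
    "forwarding module",
    "recursion module",
)
# Standard DNS RCODE names (RFC 1035); the page's examples only show rcode 0.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample: a failed recursive lookup (dns_msg_id 30914, SERVFAIL)
# and a successful authoritative lookup (30915); request, module response and
# global response entries for each, one JSON object per line.
SAMPLE_LOG_LINES = """
{"__time__": 1700000000, "dns_msg_id": "30914", "src_addr": "192.168.0.1", "src_port": "42071", "dst_addr": "100.100.2.136", "dst_port": "53", "query_name": "www.example.com.", "query_type": "A", "module_type": "GLOBAL", "dns_msg_flags": "RD", "rt": "", "resolve_path": ""}
{"__time__": 1700000001, "dns_msg_id": "30914", "src_addr": "192.168.0.1", "src_port": "42071", "dst_addr": "100.100.2.136", "dst_port": "53", "query_name": "www.example.com.", "query_type": "A", "module_type": "RECURSION", "rcode": "2", "rt": "950 ms"}
{"__time__": 1700000002, "dns_msg_id": "30914", "src_addr": "100.100.2.136", "src_port": "53", "dst_addr": "192.168.0.1", "dst_port": "42071", "query_name": "www.example.com.", "query_type": "A", "module_type": "GLOBAL", "dns_msg_flags": "QR", "rcode": "2", "rt": "950 ms", "resolve_path": "0,0,0,0,1", "answer_rrset": []}
{"__time__": 1700000010, "dns_msg_id": "30915", "src_addr": "192.168.0.1", "src_port": "42072", "dst_addr": "100.100.2.136", "dst_port": "53", "query_name": "db.internal.example.", "query_type": "A", "module_type": "GLOBAL", "dns_msg_flags": "RD", "rt": "", "resolve_path": ""}
{"__time__": 1700000011, "dns_msg_id": "30915", "src_addr": "192.168.0.1", "src_port": "42072", "dst_addr": "100.100.2.136", "dst_port": "53", "query_name": "db.internal.example.", "query_type": "A", "module_type": "AUTH_FAST", "rcode": "0", "rt": "1 ms"}
{"__time__": 1700000012, "dns_msg_id": "30915", "src_addr": "100.100.2.136", "src_port": "53", "dst_addr": "192.168.0.1", "dst_port": "42072", "query_name": "db.internal.example.", "query_type": "A", "module_type": "GLOBAL", "dns_msg_flags": "QR", "rcode": "0", "rt": "10 ms", "resolve_path": "1,0,0,0,0", "answer_rrset": ["db.internal.example. 600 A 192.168.1.1"]}
"""


def classify(entry):
    """Page rule: empty rt -> request log; empty resolve_path -> module
    response log; both populated -> global response log."""
    if not entry.get("rt"):
        return "request"
    if not entry.get("resolve_path"):
        return "module_response"
    return "global_response"


def client_port(entry):
    """Client port: src_port on request/module logs; on global response logs
    the address pair is swapped (src is 100.100.2.136:53), so use dst_port."""
    return entry["dst_port"] if classify(entry) == "global_response" else entry["src_port"]


def decode_resolve_path(path):
    """Names of the modules whose flag is 1 in a resolve_path value."""
    flags = path.split(",")
    if len(flags) != len(RESOLVE_PATH_MODULES):
        raise ValueError(f"resolve_path needs 5 values, got {path!r}")
    return [m for m, f in zip(RESOLVE_PATH_MODULES, flags) if f == "1"]


def parse_rt_ms(rt):
    """'10 ms' -> 10."""
    return int(rt.split()[0])


def correlate(entries):
    """Group the entries of one resolution request, oldest first."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["dns_msg_id"], client_port(e))].append(e)
    return {k: sorted(v, key=lambda e: e["__time__"]) for k, v in groups.items()}


def summarize(entries):
    """One row per completed request; failed is True when rcode is non-zero."""
    rows = []
    for (msg_id, port), group in sorted(correlate(entries).items()):
        glob = next((e for e in group if classify(e) == "global_response"), None)
        if glob is None:
            continue  # still in flight or the global response log is missing
        rcode = int(glob["rcode"])
        rows.append({
            "dns_msg_id": msg_id,
            "client_port": port,
            "query_name": glob["query_name"],
            "entry_types": [classify(e) for e in group],
            "modules": decode_resolve_path(glob["resolve_path"]),
            "rt_ms": parse_rt_ms(glob["rt"]),
            "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "failed": rcode != 0,
        })
    return rows


def load_sample():
    """Parse the constructed sample lines into dicts."""
    return [json.loads(line) for line in SAMPLE_LOG_LINES.strip().splitlines()]


if __name__ == "__main__":
    for row in summarize(load_sample()):
        print(json.dumps(row))
```

Run as a script it prints one JSON row per resolution request: the first row is the abnormal case (three entries, recursion module, SERVFAIL), the second the normal case (authoritative acceleration zone, NOERROR, 10 ms). Keying on the client port rather than src_port alone is what keeps the global response log in the same group as the request and module response logs, given the swapped address pair in the global response table.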