Application scenarios
Enterprises store and analyze network logs to meet their business compliance and security requirements. Intranet DNS logs provide clear insight into DNS queries for internal domain names, which empowers enterprises to efficiently audit user behavior on internal networks and to identify potential security risks at the earliest opportunity.
What are intranet DNS logs?
Intranet DNS logs record DNS queries sent from terminals that reside in all virtual private clouds (VPCs) for an Alibaba Cloud account, and responses returned by DNS servers. The collected information includes the region from which the DNS request is sent, VPC ID, source IP address, destination IP address (address of the DNS server), queried domain name, record type, and response. Domain names queried by terminals can be internal authoritative domain names configured in Alibaba Cloud DNS PrivateZone and public domain names. Log Service allows you to integrate intranet DNS logs into Log Audit Service. You can enable the intranet DNS log feature to quickly and easily collect, manage, query, and analyze intranet DNS logs across accounts and regions in a centralized manner.
Intranet DNS logs record VPC DNS queries for the following types of domain names and responses returned by DNS servers:
1. Internal authoritative domain names configured in Alibaba Cloud DNS PrivateZone
Alibaba Cloud DNS PrivateZone is a private domain name resolution and management service based on VPC. You can use Alibaba Cloud DNS PrivateZone to map private domain names to IP addresses in one or more VPCs. Alibaba Cloud DNS PrivateZone allows you to access Alibaba Cloud resources including Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) buckets by using private domain names. However, you cannot use the private domain names outside VPCs. You can also connect your VPC to on-premises data centers over Express Connect circuits or VPN gateways. This way, you can share resources between on-premises data centers and VPCs by using a private domain name.
2. Domain names of cloud service instances configured on the DNS of the Apsara system
All domain names of Alibaba Cloud service instances are resolved by using the DNS of the Apsara system.
3. External domain names for which queries are forwarded to your internal DNS server
In most cases, your internal DNS server is the DNS server on your internal network in your data center. When the Alibaba Cloud DNS PrivateZone resolver receives a VPC DNS query for a domain name that is configured to be forwarded to your internal DNS server, the resolver forwards the DNS query to your internal DNS server. This way, ECS instances in an Alibaba Cloud VPC can access the domain names of applications in your data center.
4. Public domain names on authoritative DNS servers
A public authoritative DNS server is a DNS server that is configured at a domain name registry or domain name registrar for specific public domain names, such as example.com. A public authoritative DNS server manages and resolves authoritative information about root domain names, top-level domain names, and other levels of domain names. A public authoritative DNS server resolves only domain names configured on the DNS server and rejects queries for domain names not configured on the DNS server.
The following table describes fields in the intranet DNS logs of DNS queries and responses. Logs of DNS requests and responses are separately stored.
1. Fields of DNS query logs
| Log field | Description | Example |
| --- | --- | --- |
| user_id | The ID of the Alibaba Cloud account | xxxxxxxxxxxxxxxx |
| region_id | The region ID | cn-shanghai |
| vpc_id | The ID of the instance deployed in the VPC | vpc-xxxxxxxxxxxxxxxxxxxxx |
| src_addr | The source IP address | 192.168.0.1 |
| dst_addr | The destination IP address | 100.100.2.136 |
| src_port | The source port | 12345 |
| dst_port | The destination port | 53 |
| transport | The transmission protocol | UDP |
| dns_msg_id | The ID of the DNS message | 23456 |
| dns_msg_flags | The flags in the message | QR |
| query_name | The queried domain name | www.example.com. |
| query_type | The query type | A |
| rcode | The response code | |
| answer_rrset | The resource records in the response | |
| authority_rrset | The resource records in the authority section | |
| additional_rrset | Additional resource records | |
2. Fields of DNS response logs
| Log field | Description | Example |
| --- | --- | --- |
| user_id | The ID of the Alibaba Cloud account | xxxxxxxxxxxxxxxx |
| region_id | The region ID | cn-shanghai |
| vpc_id | The ID of the instance deployed in the VPC | vpc-xxxxxxxxxxxxxxxxxxxxx |
| src_addr | The source IP address | 100.100.2.136 |
| dst_addr | The destination IP address | 192.168.0.1 |
| src_port | The source port | 53 |
| dst_port | The destination port | 12345 |
| transport | The transmission protocol | UDP |
| dns_msg_id | The ID of the DNS message | 23456 |
| dns_msg_flags | The flags in the message | QR RD AA |
| query_name | The queried domain name | www.example.com. |
| query_type | The query type | A |
| rcode | The response code | 0 |
| answer_rrset | The resource records in the response | JSON array: ["www.example.com. 600 A 192.168.1.1", "www.example.com. 600 A 192.168.1.2"] |
| authority_rrset | The resource records in the authority section | JSON array: ["example.com. 600 SOA ns1.example.com. hostmaster.example.com. 2023010101 3600 1200 3600 360"] |
| additional_rrset | Additional resource records | JSON array: ["ns1.example.com. 600 A 100.100.2.136"] |
Log Audit Service
What is Log Audit Service?
Log Audit Service is a logging application in Log Service. In addition to the capabilities of Log Service, Log Audit Service provides powerful multi-account management and cross-region log collection. You can use resource directories to organize and unify the management and storage of cloud service logs from multiple accounts.
Enable collection of intranet DNS logs in Log Audit Service
You can enable collection of intranet DNS logs in the Log Service console by choosing Log Application > Audit & Security > Log Audit Service. You can specify a storage duration for logs and configure hot and cold-tiered storage. For more information, see Enable log collection.
Log Audit Service supports collection of intranet DNS logs only in China (Shanghai) and China (Beijing). If you want to collect intranet DNS logs in other regions, submit a ticket to Alibaba Cloud DNS technical support.
Multi-account configurations
Log Audit Service provides powerful cross-account log collection capabilities that you can use to collect intranet DNS logs of member accounts and store them in a central project of an Alibaba Cloud account. This facilitates centralized log management. Log Audit Service supports two modes for multi-account log collection and management: resource directory and custom authentication. For more information, see Configure multi-account collection.
Log collection configuration based on Terraform
Terraform provides an easy-to-use command-line interface (CLI) that allows you to deploy configuration files on the workloads of Alibaba Cloud services or third-party cloud services, and manage the versions of the configuration files. For more information about how to use Terraform to configure log collection in Log Audit Service, see Use Terraform to configure Log Audit Service.
The following sample code provides an example on how to use Terraform to collect intranet DNS logs:
```hcl
resource "alicloud_log_audit" "dns_example" {
  display_name = "tf-audit-test-dns"
  aliuid       = "1480************" // The Alibaba Cloud account to which the central project for log storage belongs.
  variable_map = {
    "dns_intranet_enabled" = "true", // Enable the collection of intranet DNS logs.
    "dns_sync_enabled"     = "true", // Enable synchronization of logs from the regional project to the central project.
    "dns_intranet_ttl"     = "3",    // Store logs in the regional project for three days.
    "dns_sync_ttl"         = "185",  // Store logs in the central project for 185 days.
    "dns_intranet_collection_policy" = "accept tag.env == \\\"test\\\"\\ndrop \\\"*\\\"" // Collect only intranet DNS logs of VPCs whose env tag has the value test; drop all other logs.
  }
  multi_account = ["1039************"] // Set multi-account configurations.
}
```
Log collection policies
Log collection policies provide fine-grained log collection management and allow you to exclude unwanted logs from collection. For more information, see Configure log collection policies. The smallest granularity of intranet DNS log collection is the VPC.
Configure log collection policies in the Log Audit Service console
You can manage and configure collection policies in the Log Audit Service console.
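The collection policy in the Terraform sample above accepts only VPCs tagged env = test and then drops everything else, so logs from every other VPC never reach the audit project. The following added example (not Alibaba Cloud code) models the two statement forms that appear on the page, `accept tag.<key> == "<value>"` and `drop "*"`, so that a policy can be checked against the VPC inventory before it is deployed. It assumes statements are evaluated top to bottom with the first match deciding, and that a VPC matching no statement is collected; the VPC IDs and tags are constructed placeholders.

```python
"""Simplified evaluator for the intranet DNS log collection policy syntax.

Added example, not the service's own parser: it supports only the two
statement forms shown on the page and evaluates them in order, first match
wins. A VPC that matches no statement is assumed to be collected.
"""
import re

# Policy exactly as the Terraform sample sets it, after HCL/JSON unescaping.
POLICY_TEST_ONLY = 'accept tag.env == "test"\ndrop "*"'

# A policy that also keeps the production VPCs (assumed syntax: one accept per value).
POLICY_TEST_AND_PROD = 'accept tag.env == "test"\naccept tag.env == "prod"\ndrop "*"'

# Constructed VPC inventory: placeholder IDs and tags, not real resources.
VPC_TAGS = {
    "vpc-test-0001": {"env": "test", "owner": "qa"},
    "vpc-prod-0001": {"env": "prod", "owner": "payments"},
    "vpc-untagged-0001": {},
}

ACCEPT_RE = re.compile(r'^accept\s+tag\.([A-Za-z0-9_\-]+)\s*==\s*"([^"]*)"$')
DROP_ALL_RE = re.compile(r'^drop\s+"\*"$')


def parse_policy(text):
    """Turn the policy text into an ordered list of (action, tag_key, tag_value)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ACCEPT_RE.match(line)
        if m:
            rules.append(("accept", m.group(1), m.group(2)))
            continue
        if DROP_ALL_RE.match(line):
            rules.append(("drop", None, None))
            continue
        raise ValueError(f"line {lineno}: unsupported statement {line!r}")
    return rules


def decide(rules, tags):
    """Apply the rules to one VPC's tags; first matching statement decides."""
    for action, key, value in rules:
        if action == "drop":
            return "drop"
        if tags.get(key) == value:
            return "accept"
    return "accept"  # assumption: no matching statement means the VPC is collected


def evaluate(policy_text, vpc_tags):
    """Map every VPC ID to 'accept' or 'drop' under the given policy."""
    rules = parse_policy(policy_text)
    return {vpc: decide(rules, tags) for vpc, tags in vpc_tags.items()}


def dropped_vpcs(policy_text, vpc_tags):
    """VPCs whose intranet DNS logs would be silently excluded from the audit project."""
    return sorted(v for v, d in evaluate(policy_text, vpc_tags).items() if d == "drop")


if __name__ == "__main__":
    for name, policy in (("test only", POLICY_TEST_ONLY), ("test and prod", POLICY_TEST_AND_PROD)):
        print(f"{name}: dropped = {dropped_vpcs(policy, VPC_TAGS)}")
```

Run this against the real VPC tag inventory before applying a policy: a catch-all `drop "*"` behind a narrow accept means the production VPCs produce no audit trail, and the gap is only noticed when an investigation needs the logs.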
Best practices for log query and analysis
This section provides common scenarios of intranet DNS log query and analysis. You can use custom query and analysis statements to meet your specific business requirements. You can also add SQL query results to the dashboard, save query statements as saved searches, and save results as alerts to facilitate subsequent query and analysis operations.
1. DNS resolution results
Query the complete responses to queries for a domain name from an ECS instance within a specific period of time.
```sql
* and query_name: "metrichub-cn-beijing.aliyun.com." and dst_addr: "10.0.2.48" and answer_rrset not null | select user_id, vpc_id, query_type, answer_rrset
```
Query the distribution of DNS queries for domain names on a VPC within a specific period of time.
```sql
* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 | select count(*) as total_req, query_name group by query_name
```
2. DNS resolution RT
Query the RT data of a specific type of DNS query for a domain name from a VPC within a specific period of time. The RT is the gap between the query log and the response log that share a DNS message ID.
```sql
* and vpc_id: vpc-2ze9dducyc3t6p8aeksb3 and query_name: "metrichub-cn-beijing.aliyun.com." and query_type: A | select max(__time__) - min(__time__) as RT, dns_msg_id group by dns_msg_id
```
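The three query scenarios above, run offline over records shaped like the query-log and response-log field tables earlier on the page, as an added example that is not part of the original documentation or Alibaba Cloud's code. It joins the query log to the response log on the client address, client port and DNS message ID to compute RT, and adds one defender-side check (the NXDOMAIN share per VPC) that the page does not list. All records, IDs and addresses are constructed placeholders; `ts_ms` is a constructed millisecond timestamp used so that RT is visible (Log Service's own `__time__` field is in seconds).

```python
"""Offline versions of the intranet DNS log analyses, over constructed records.

Added example, not Log Service code. Query and response logs are kept in two
lists, mirroring the page's statement that they are stored separately.
"""
import json
from collections import Counter

DNS_SERVER = "100.100.2.136"  # resolver address from the page's field tables


def _query(vpc, msg_id, name, qtype, ts_ms, client="10.0.2.48", port=40001):
    """Constructed query-log record (fields follow the query-log table)."""
    return {"user_id": "1480************", "region_id": "cn-beijing", "vpc_id": vpc,
            "src_addr": client, "dst_addr": DNS_SERVER, "src_port": port, "dst_port": 53,
            "transport": "UDP", "dns_msg_id": msg_id, "query_name": name,
            "query_type": qtype, "ts_ms": ts_ms}


def _response(vpc, msg_id, name, qtype, ts_ms, rcode, answers, client="10.0.2.48", port=40001):
    """Constructed response-log record; answer_rrset is a JSON array string as on the page."""
    return {"user_id": "1480************", "region_id": "cn-beijing", "vpc_id": vpc,
            "src_addr": DNS_SERVER, "dst_addr": client, "src_port": 53, "dst_port": port,
            "transport": "UDP", "dns_msg_id": msg_id, "dns_msg_flags": "QR RD AA",
            "query_name": name, "query_type": qtype, "rcode": rcode,
            "answer_rrset": json.dumps(answers) if answers else "", "ts_ms": ts_ms}


METRICHUB = "metrichub-cn-beijing.aliyun.com."
QUERY_LOGS = [
    _query("vpc-A", 1001, METRICHUB, "A", 1700000000000),
    _query("vpc-A", 1002, "internal.example.com.", "A", 1700000001000),
    _query("vpc-A", 1003, METRICHUB, "A", 1700000002000),
    _query("vpc-B", 2001, "www.example.com.", "A", 1700000003000, client="10.0.3.7"),
]
RESPONSE_LOGS = [
    _response("vpc-A", 1001, METRICHUB, "A", 1700000000012, 0, [f"{METRICHUB} 60 A 100.100.100.1"]),
    _response("vpc-A", 1002, "internal.example.com.", "A", 1700000001004, 3, []),  # NXDOMAIN
    _response("vpc-A", 1003, METRICHUB, "A", 1700000002020, 0,
              [f"{METRICHUB} 60 A 100.100.100.1", f"{METRICHUB} 60 A 100.100.100.2"]),
    _response("vpc-B", 2001, "www.example.com.", "A", 1700000003008, 0,
              ["www.example.com. 600 A 192.168.1.1"], client="10.0.3.7"),
]


def parse_rrset(field):
    """Parse an *_rrset field: JSON array of '<owner> <ttl> <type> <rdata...>' strings."""
    if not field:
        return []
    records = []
    for rr in json.loads(field):
        owner, ttl, rtype, rdata = rr.split(" ", 3)  # rdata may contain spaces (SOA)
        records.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def resolution_results(responses, query_name, client_addr):
    """Scenario 1: complete answers for a name as returned to one client.
    In response logs the client is dst_addr, matching the page's first query."""
    return [{"user_id": r["user_id"], "vpc_id": r["vpc_id"], "query_type": r["query_type"],
             "answers": parse_rrset(r["answer_rrset"])}
            for r in responses
            if r["query_name"] == query_name and r["dst_addr"] == client_addr and r["answer_rrset"]]


def query_distribution(queries, vpc_id):
    """Scenario 1b: count of queries per domain name within one VPC."""
    return Counter(q["query_name"] for q in queries if q["vpc_id"] == vpc_id)


def resolution_rt_ms(queries, responses, vpc_id, query_name, query_type):
    """Scenario 2: RT per DNS message ID, joining query to response on the client
    flow (client address, client port) plus message ID inside the VPC."""
    sent = {(q["src_addr"], q["src_port"], q["dns_msg_id"]): q["ts_ms"]
            for q in queries
            if q["vpc_id"] == vpc_id and q["query_name"] == query_name and q["query_type"] == query_type}
    rt = {}
    for r in responses:
        key = (r["dst_addr"], r["dst_port"], r["dns_msg_id"])
        if r["vpc_id"] == vpc_id and key in sent:
            rt[r["dns_msg_id"]] = r["ts_ms"] - sent[key]
    return rt


def nxdomain_ratio(responses, vpc_id):
    """Extra check: share of NXDOMAIN (rcode 3) responses in a VPC; a sudden rise
    is worth an alert because it often precedes a misconfiguration or abuse report."""
    codes = [r["rcode"] for r in responses if r["vpc_id"] == vpc_id]
    return sum(1 for c in codes if c == 3) / len(codes) if codes else 0.0


if __name__ == "__main__":
    print(resolution_results(RESPONSE_LOGS, METRICHUB, "10.0.2.48"))
    print(query_distribution(QUERY_LOGS, "vpc-A"))
    print(resolution_rt_ms(QUERY_LOGS, RESPONSE_LOGS, "vpc-A", METRICHUB, "A"))
    print(f"NXDOMAIN share in vpc-A: {nxdomain_ratio(RESPONSE_LOGS, 'vpc-A'):.2f}")
```

The join key deliberately includes the client port as well as the message ID: message IDs are only 16 bits and repeat quickly across a busy VPC, so matching on the ID alone would pair unrelated queries and responses and produce meaningless RT values.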