Releasing DNS Probe

CZ.NIC Laboratories released the first public version of DNS Probe. It is a high-performance DNS traffic capture tool developed as a part of the ADAM project. Its essential function is to listen on a network interface, capture DNS traffic (both UDP and TCP), pair DNS queries with corresponding responses, and export consolidated records about every single DNS transaction observed on the wire. DNS Probe can be deployed either on the same machine as the DNS server, or on a separate monitoring computer that receives an exact copy of the DNS server’s traffic (e.g. via switch port mirroring).

DNS Probe is expected to gradually replace CZ.NIC’s current method of storing complete DNS packet traces in PCAP disk files and sending them to a central server for further processing. The advantages of using DNS Probe for DNS traffic logging are primarily twofold:

  • efficient representation of exported data
  • extensive configurability and remote management facilities

DNS Probe supports two export formats: Apache Parquet and C-DNS. The former is a generic format used in the Hadoop ecosystem that is often used for storing big DNS data. In contrast, C-DNS is a new RFC standard that was designed specifically for DNS traffic logging. We have demonstrated that with either format it is possible to save as much as 75% in the volume of transferred data compared to PCAP.

DNS Probe also offers a compile-time choice of two packet capture interfaces (backends) that represent a tradeoff between packet processing speed and memory consumption: the classical AF_PACKET sockets and DPDK.

The following graph shows packet processing speed for all four combinations of backends and output formats. It can be seen that in all cases performance scales linearly with the number of CPU threads used for packet processing. More information about performance tests can be obtained from this wiki page.

DNS Probe can be configured and managed remotely using the standard NETCONF protocol. Among other benefits, it allows for monitoring DNS Probe operation in real time, and also reacting to changing traffic conditions. For example, it is possible to temporarily reduce the selection of data fields in C-DNS records and thus continue logging DNS traffic even under a DDoS attack.

The version number of this release is 0.5.0, which means essentially two things:

  1. DNS Probe is not yet ready for critical deployments, as the amount of testing perfomed so far has been limited.
  2. The configuration interface is usable but far from user friendly. It will be improved in a future version.

Nevertheless, we believe that the current version is sufficiently stable and functional, and encourage volunteers interested in DNS traffic logging to help us with testing. Discovered bugs or feature requests may be reported at the project’s issue page.

Author:

Leave a comment

All fields are required. Email won't be shown.