DNS server query graphic report
Dear friend, here I will show you how to set up an online monitoring system for DNS queries.
In the telecom business it is usually necessary to measure the DNS traffic and to check the performance of the service: how many queries succeeded, how many failed, and what kind of queries the customers send at different times of day. The type of the queries also matters for security: DNS is normally reachable even without a paid data plan, so customers can move "free" traffic over DNS tunnelling schemes, and the query log is where that shows up (a single client sending long, random-looking labels and unusual record types such as TXT or NULL). I will show how to keep the DNS systems doing DNS only and send all the required query logs to a remote SYSLOG server in the corporate network, behind the firewall. By default query logging is not enabled on most systems because it needs extra storage: the log file grows very fast, in proportion to the service capacity, that is the number of customers using the server for Internet name resolution.
In my example I use generic names for the DNS servers: DNS1 and DNS2 are located in city A, DNS3 and DNS4 in city B, DNS5 and DNS6 in city C. All six servers sit at three geographically separate sites with public Internet IP addresses. Every server runs only a dedicated build of the DNS server for Solaris OS, and nothing else is allowed to run on it, so no system performance is lost to other services. One management gateway server in the corporate network has SSH access to each DNS server, and the same gateway also reaches the internal web server in the DMZ network over SSH.
This is a brief schema of how the monitoring system is configured:
This is the detailed schema of the DNS query logging downstream process, from the public DNS servers on the Internet to the web server in the corporate DMZ network:
Now I will give all the steps with full technical details:
1) The DNS server is installed from a specific package built for the particular platform, with extended system tweaks for performance.
You can find all required details in the article “DNS servers for solaris 10 os i386/spac platform“.
2) The DNS server configuration includes the option to log queries to the SYSLOG daemon.
3) The syslog daemon on each DNS server has the following configuration:
4) The SYSLOG daemon must NOT listen on UDP port 514, because socat takes over that port in the next step.
Do the following:
5) Forwarding the DNS query messages to the remote SYSLOG host.
To carry all DNS query messages to the remote SYSLOG host, syslogd sends them to “localhost” on UDP port 514, and there the UDP datagrams have to be turned into a TCP stream, because an SSH tunnel can only carry TCP:
You can download the SOCAT package for the SPARC64 and x86_64 platforms.
# lsof -i udp:514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
socat 2843 root 3u IPv4 0x301575068c0 0t0 UDP *:syslog
socat, not syslogd, now owns UDP port 514. Note the *:syslog in the NAME column: the listener is bound on every interface of a public server, so bind it to the loopback address or block UDP/514 from outside with the host firewall; otherwise anyone on the Internet can inject fake records into the statistics.
6) The TCP stream that socat builds from the UDP syslog messages is sent to localhost port 9000.
You can check that TCP port 9000 is open and listening on the DNS server:
# netstat -naP tcp|grep ".9000"|grep LISTEN
*.9000 *.* 0 0 400000 0 LISTEN
You can check whether TCP port 9000 is owned by the SSH daemon:
# lsof -i tcp:9000|grep LISTEN|grep IPv4
sshd 27249 proxy 11u IPv4 0x30099260e00 0t0 TCP *:9000 (LISTEN)
The listener belongs to the sshd process with PID 27249, which means the reverse tunnel from the management gateway is established and everything socat writes to port 9000 travels inside SSH to the corporate network. This is correct! One thing to watch: *:9000 means the forwarded port is bound on all interfaces (GatewayPorts is enabled on this sshd). socat connects only from localhost, so the port should be bound to 127.0.0.1 or filtered; otherwise anybody can connect to the public DNS server on port 9000 and push fake syslog records down the tunnel.
7) SSH tunnel initiator.
To create the tunnel links, run the commands below:
8) SYSLOG TCP -> UDP translator
On the web server the TCP stream is turned back into UDP syslog datagrams for the local syslog daemon. You can download the SOCAT package for the SPARC64 and x86_64 platforms.
9) The configuration of the SYSLOG daemon on the receiving (web) server
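The whole transport path of steps 5 to 9 in one script, added here as an example (these are not the commands of the article, which are not reproduced on this page): socat on the DNS server turns the syslog datagrams into a TCP stream, the gateway opens the SSH tunnels, and socat on the web server turns the stream back into datagrams for the local syslogd. The hostnames dns1..dns6 and dmz-web, the account `tunnel` and the per-server ports 9001..9006 are assumptions; the page only shows UDP/514 owned by socat and TCP/9000 owned by sshd on the DNS server. `check_listener` is the verification of step 6 done by script: it reads `lsof -i` output and tells a loopback-only listener from one bound on every interface.

```shell
#!/bin/sh
# Added example: the DNS query log transport of steps 5-9 as one script.
# Assumptions (not from the article): hosts dns1..dns6 and dmz-web, the
# tunnel account "tunnel" and the per-server ports 9001..9006.

# --- DNS server (root): UDP/514 -> TCP 127.0.0.1:9000 (step 5) ---------------
# Step 4 first: the Solaris 10 syslogd must not own UDP/514 itself
# (LOG_FROM_REMOTE=NO in /etc/default/syslogd), then socat can bind it.
# bind=127.0.0.1 keeps the port off the public interface; the article's
# lsof output shows "*:syslog", i.e. bound on every interface. socat exits
# when the tunnel is down, so run it under a supervisor (SMF).
start_udp_to_tcp_bridge() {
  exec socat -u UDP4-RECV:514,bind=127.0.0.1,reuseaddr TCP4:127.0.0.1:9000
}

# --- Management gateway: the SSH tunnels (step 7) ----------------------------
# For dnsN a reverse tunnel makes sshd on dnsN listen on 127.0.0.1:9000 and
# hand each connection to 127.0.0.1:900N on the gateway; a forward tunnel
# carries 900N on to the same port on the DMZ web server. The explicit
# 127.0.0.1 bind avoids the "*:9000" seen in the article, which needs
# GatewayPorts and lets anyone on the Internet write into the pipeline.
open_tunnels() {
  n=1
  for host in dns1 dns2 dns3 dns4 dns5 dns6; do
    ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -R 127.0.0.1:9000:127.0.0.1:900$n "tunnel@$host"
    ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L 127.0.0.1:900$n:127.0.0.1:900$n tunnel@dmz-web
    n=$((n + 1))
  done
}

# --- DMZ web server: TCP 127.0.0.1:900N -> UDP 127.0.0.1:514 (steps 8-9) -----
# One listener per DNS server; the local syslogd receives the datagrams and
# files them by the hostname carried in each syslog header.
start_tcp_to_udp_bridge() {
  exec socat -u TCP4-LISTEN:"$1",bind=127.0.0.1,reuseaddr,fork \
             UDP4-SENDTO:127.0.0.1:514
}

# --- The check of step 6 as a function: is the listener ours, and local? -----
# Reads "lsof -i tcp:9000" (or "lsof -i udp:514") IPv4 output on stdin and
# looks for the command named in $1. Exit 0: bound to a specific address;
# 2: bound on all interfaces ("*" or 0.0.0.0), i.e. reachable from the
# Internet; 1: no listener of that command at all.
check_listener() {
  awk -v cmd="$1" '
    $1 == cmd {
      addr = ($NF == "(LISTEN)") ? $(NF - 1) : $NF   # UDP lines have no state
      split(addr, a, ":")
      if (a[1] == "*" || a[1] == "0.0.0.0") wild = 1; else ok = 1
    }
    END { if (ok) exit 0; if (wild) exit 2; exit 1 }'
}

# Role selection; with no argument the script only defines the functions.
case "${1:-}" in
  dns)     start_udp_to_tcp_bridge ;;
  gateway) open_tunnels ;;
  web)     start_tcp_to_udp_bridge "${2:?port 9001..9006}" ;;
  check)   lsof -i "${2:-tcp:9000}" | check_listener "${3:-sshd}" ;;
  *)       ;;
esac
```

The stream conversion has a price: UDP datagram boundaries are lost in the TCP stream, so when several messages arrive together the receiving socat may re-emit them as one datagram and syslogd may log them as one record. `UDP4-RECVFROM:514,fork` instead of `UDP4-RECV:514` opens one TCP connection per message and preserves the boundaries, at the cost of a connection through the tunnel for every query logged; at telecom query rates the batching variant above is the practical one, and the step 10 parser has to cope with concatenated lines.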
10) SYSLOG to RRDtool data file translator
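An added example of the step 10 translator logic, which the article does not reproduce: a shell/awk filter that takes BIND-style query log lines as they arrive from syslog, counts them per query type, builds the `rrdtool update` argument for one interval, and at the same time computes the per-client indicators of DNS tunnelling mentioned at the start (TXT/NULL queries and very long labels). The log lines are constructed for this example; the RRD data-source order (A, AAAA, MX, PTR, TXT, other) and the thresholds are assumptions. Both the older `client 10.1.2.3#port: query:` form and the newer `client @0x... 10.1.2.3#port (name): query:` form of the BIND query log are handled.

```shell
#!/bin/sh
# Added example: the syslog -> RRDtool step (10) and the tunnelling check, as
# shell/awk filters over BIND-style query log lines. Sample lines, RRD data
# source order and thresholds are assumptions, not taken from the article.

# Constructed sample: what syslogd writes from the DNS servers. Client
# 10.20.30.99 behaves like a DNS tunnel endpoint (TXT/NULL, long labels).
SAMPLE_LOG=$(cat <<'EOF'
Mar 10 12:00:01 dns1 named[1234]: client 10.20.30.40#53211: query: www.example.com IN A +
Mar 10 12:00:01 dns1 named[1234]: client 10.20.30.40#53212: query: www.example.com IN AAAA +
Mar 10 12:00:02 dns1 named[1234]: client 10.20.30.41#40001: query: mail.example.net IN MX +
Mar 10 12:00:02 dns1 named[1234]: client 10.20.30.42#40002: query: 4.3.2.1.in-addr.arpa IN PTR +
Mar 10 12:00:03 dns1 named[1234]: client 10.20.30.99#5001: query: aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ.t.evil.example IN TXT +
Mar 10 12:00:03 dns1 named[1234]: client 10.20.30.99#5002: query: dGhpcyBpcyBhbm90aGVyIGxvbmcgbGFiZWwgZm9yIHRlc3Rpbmc.t.evil.example IN TXT +
Mar 10 12:00:04 dns1 named[1234]: client 10.20.30.99#5003: query: c29tZSBtb3JlIGJhc2U2NCBsb29raW5nIGRhdGEgaGVyZQ.t.evil.example IN NULL +
Mar 10 12:00:04 dns1 named[1234]: client 10.20.30.99#5004: query: evil.example IN TXT +
Mar 10 12:00:05 dns1 named[1234]: client 10.20.30.40#53213: query: www.example.org IN A +
EOF
)

# Count queries per type over one batch of lines (stdin). Output: "QTYPE n".
qtype_counts() {
  awk '
    { for (i = 1; i < NF; i++) if ($i == "query:") { n[$(i + 3)]++; break } }
    END { for (t in n) print t, n[t] }' | sort
}

# Turn the counts (stdin) into the rrdtool update argument for RRD $1 at
# timestamp $2 ("N" = now). Assumed data sources, in order:
# a, aaaa, mx, ptr, txt, other (everything else, e.g. NULL or ANY).
rrd_update_line() {
  awk -v rrd="$1" -v ts="$2" '
    { c[$1] = $2; tot += $2 }
    END {
      known = c["A"] + c["AAAA"] + c["MX"] + c["PTR"] + c["TXT"]
      printf "rrdtool update %s %s:%d:%d:%d:%d:%d:%d\n", rrd, ts,
             c["A"], c["AAAA"], c["MX"], c["PTR"], c["TXT"], tot - known
    }'
}

# Per-client tunnelling indicators: TXT/NULL queries and names with a label
# longer than MAXLABEL characters. A client is reported when either counter
# reaches MINHITS (thresholds are assumptions, tune them to your traffic).
# Output: "client total=T txtnull=X long=L", one line per reported client.
tunnel_suspects() {
  awk -v maxlabel="${MAXLABEL:-40}" -v minhits="${MINHITS:-3}" '
    {
      client = ""; name = ""; type = ""
      for (i = 1; i < NF; i++) {
        if ($i == "client") {
          client = $(i + 1)
          if (client ~ /^@/) client = $(i + 2)   # newer BIND: "client @0x... ip#port"
          sub(/#.*/, "", client)                  # drop "#port" and the colon
        }
        if ($i == "query:") { name = $(i + 1); type = $(i + 3); break }
      }
      if (client == "" || name == "") next
      total[client]++
      if (type == "TXT" || type == "NULL") txtnull[client]++
      nlab = split(name, lab, ".")
      for (j = 1; j <= nlab; j++)
        if (length(lab[j]) > maxlabel) { long[client]++; break }
    }
    END {
      for (c in total)
        if (txtnull[c] >= minhits || long[c] >= minhits)
          printf "%s total=%d txtnull=%d long=%d\n", c, total[c], txtnull[c], long[c]
    }' | sort
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | qtype_counts
  printf '%s\n' "$SAMPLE_LOG" | qtype_counts | rrd_update_line /var/DNSREPORT/DNS1/log/qtypes.rrd N
  printf '%s\n' "$SAMPLE_LOG" | tunnel_suspects
fi
```

In production the syslog file (or a pipe from syslogd) is cut into one-minute batches and each batch is fed through `qtype_counts | rrd_update_line`; `tunnel_suspects` runs over a longer window, because one minute rarely shows enough queries from a single client to be conclusive. The thresholds here (label longer than 40 characters, 3 hits) need tuning against real traffic: legitimate DKIM and SPF lookups also produce TXT queries with long labels.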
11) RRDtool data graphics report cgi-bin script.
12) Web server inside the corporate network.
This web server is located inside the corporate network, behind the firewall, for information security reasons.
You need a VPN connection to see the online statistics when you are not on the office network.
# zfs list -r zpool1/DNSREPORT
NAME MOUNTPOINT
zpool1/DNSREPORT none
zpool1/DNSREPORT/htdocs /var/DNSREPORT/web/htdocs
zpool1/DNSREPORT/httpd-etc /var/DNSREPORT/web/etc
zpool1/DNSREPORT/DNS3 none
zpool1/DNSREPORT/DNS3/bin /var/DNSREPORT/DNS3/bin
zpool1/DNSREPORT/DNS3/cgi-bin /var/DNSREPORT/DNS3/cgi-bin
zpool1/DNSREPORT/DNS3/log /var/DNSREPORT/DNS3/log
zpool1/DNSREPORT/DNS1 none
zpool1/DNSREPORT/DNS1/bin /var/DNSREPORT/DNS1/bin
zpool1/DNSREPORT/DNS1/cgi-bin /var/DNSREPORT/DNS1/cgi-bin
zpool1/DNSREPORT/DNS1/log /var/DNSREPORT/DNS1/log
zpool1/DNSREPORT/DNS5 none
zpool1/DNSREPORT/DNS5/bin /var/DNSREPORT/DNS5/bin
zpool1/DNSREPORT/DNS5/cgi-bin /var/DNSREPORT/DNS5/cgi-bin
zpool1/DNSREPORT/DNS5/log /var/DNSREPORT/DNS5/log
zpool1/DNSREPORT/DNS4 none
zpool1/DNSREPORT/DNS4/bin /var/DNSREPORT/DNS4/bin
zpool1/DNSREPORT/DNS4/cgi-bin /var/DNSREPORT/DNS4/cgi-bin
zpool1/DNSREPORT/DNS4/log /var/DNSREPORT/DNS4/log
zpool1/DNSREPORT/DNS2 none
zpool1/DNSREPORT/DNS2/bin /var/DNSREPORT/DNS2/bin
zpool1/DNSREPORT/DNS2/cgi-bin /var/DNSREPORT/DNS2/cgi-bin
zpool1/DNSREPORT/DNS2/log /var/DNSREPORT/DNS2/log
zpool1/DNSREPORT/DNS6 none
zpool1/DNSREPORT/DNS6/bin /var/DNSREPORT/DNS6/bin
zpool1/DNSREPORT/DNS6/cgi-bin /var/DNSREPORT/DNS6/cgi-bin
zpool1/DNSREPORT/DNS6/log /var/DNSREPORT/DNS6/log
# The <IfModule>, <Directory> and <Files> container lines below were lost when
# this page was published; they are restored here around the directives they
# enclosed, following the standard Apache 2.0 httpd.conf layout.
PidFile /var/DNSREPORT/web/log/httpd.pid
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
</IfModule>
<IfModule perchild.c>
NumServers 5
StartThreads 5
MinSpareThreads 5
MaxSpareThreads 10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>
Listen 4080
LoadModule access_module libexec/mod_access.so
LoadModule include_module libexec/mod_include.so
LoadModule log_config_module libexec/mod_log_config.so
LoadModule log_forensic_module libexec/mod_log_forensic.so
LoadModule env_module libexec/mod_env.so
LoadModule mime_magic_module libexec/mod_mime_magic.so
LoadModule cern_meta_module libexec/mod_cern_meta.so
LoadModule expires_module libexec/mod_expires.so
LoadModule headers_module libexec/mod_headers.so
LoadModule usertrack_module libexec/mod_usertrack.so
LoadModule unique_id_module libexec/mod_unique_id.so
LoadModule setenvif_module libexec/mod_setenvif.so
LoadModule version_module libexec/mod_version.so
LoadModule mime_module libexec/mod_mime.so
LoadModule autoindex_module libexec/mod_autoindex.so
LoadModule info_module libexec/mod_info.so
LoadModule cgi_module libexec/mod_cgi.so
LoadModule vhost_alias_module libexec/mod_vhost_alias.so
LoadModule dir_module libexec/mod_dir.so
LoadModule imap_module libexec/mod_imap.so
LoadModule userdir_module libexec/mod_userdir.so
LoadModule alias_module libexec/mod_alias.so
LoadModule rewrite_module libexec/mod_rewrite.so
User webservd
Group webservd
ServerAdmin eldar@aydayev.com
ServerName ojmgt02.mtn.com.ng
UseCanonicalName Off
DocumentRoot "/var/DNSREPORT/web/htdocs"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory "/var/DNSREPORT/web/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
User webservd
DirectoryIndex index.html index.html.var
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
MIMEMagicFile /etc/apache2/magic
HostnameLookups Off
ErrorLog /var/DNSREPORT/web/log/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog /var/DNSREPORT/web/log/access_log common
ServerTokens Full
ServerSignature On
ScriptAlias /cgi-bin/ "/var/apache2/cgi-bin/"
<Directory "/var/apache2/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
IndexOptions FancyIndexing VersionSort
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
ListenBacklog 8192
ServerLimit 2048
MaxClients 2048
#### DNS1 ####
ScriptAlias /DNS1/ "/var/DNSREPORT/DNS1/cgi-bin/"
<Directory "/var/DNSREPORT/DNS1/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
#### DNS2 ####
ScriptAlias /DNS2/ "/var/DNSREPORT/DNS2/cgi-bin/"
<Directory "/var/DNSREPORT/DNS2/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
#### DNS3 ####
ScriptAlias /DNS3/ "/var/DNSREPORT/DNS3/cgi-bin/"
<Directory "/var/DNSREPORT/DNS3/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
#### DNS4 ####
ScriptAlias /DNS4/ "/var/DNSREPORT/DNS4/cgi-bin/"
<Directory "/var/DNSREPORT/DNS4/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
#### DNS5 ####
ScriptAlias /DNS5/ "/var/DNSREPORT/DNS5/cgi-bin/"
<Directory "/var/DNSREPORT/DNS5/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
#### DNS6 ####
ScriptAlias /DNS6/ "/var/DNSREPORT/DNS6/cgi-bin/"
<Directory "/var/DNSREPORT/DNS6/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
LockFile /var/DNSREPORT/web/log/accept.lock
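A small lint for this httpd.conf, added here as an example (it is not part of the article): it reads a configuration on stdin and prints each setting that is weaker than an internal report server needs, together with the recommended value. The sample configuration inside it is constructed from the directives above: `ServerTokens Full` and `ServerSignature On` advertise the exact httpd version and module list on every error page, `Options Indexes` lets anyone who reaches the server browse the report tree, and `mod_info` and `mod_userdir` are loaded although nothing here needs them to serve static graphs and CGI scripts. The firewall and the VPN in front of the server are the author's protection; this is the hygiene on the server itself.

```shell
#!/bin/sh
# Added example: a lint for the httpd.conf of step 12. Reads a configuration
# on stdin and prints one line per setting that is weaker than an internal
# report server needs, with the recommended value. The sample below is
# constructed from the directives in the article, it is not the full file.

lint_httpd_conf() {
  awk '
    { sub(/^[ \t]+/, "") }                      # ignore indentation
    /^#/ || NF == 0 { next }                    # comments and blank lines
    $1 == "ServerTokens" && $2 != "Prod" && $2 != "ProductOnly" {
      print "ServerTokens " $2 " -> ServerTokens Prod: do not advertise the httpd version and modules"
    }
    $1 == "ServerSignature" && $2 != "Off" {
      print "ServerSignature " $2 " -> ServerSignature Off: no version footer on error pages"
    }
    $1 == "Options" {
      for (i = 2; i <= NF; i++)
        if ($i == "Indexes" || $i == "+Indexes")
          print "Options " $i " -> remove Indexes: no directory listing of the report tree"
    }
    $1 == "LoadModule" && ($2 == "info_module" || $2 == "userdir_module" || $2 == "usertrack_module") {
      print "LoadModule " $2 " -> remove: not needed to serve static graphs and CGI"
    }'
}

# Number of findings, for scripted checks (0 means clean).
lint_count() { lint_httpd_conf | awk 'END { print NR }'; }

# Constructed sample with the weak settings taken from the article, plus a
# commented-out line that must not count and a CGI Options line that is fine.
SAMPLE_CONF='ServerTokens Full
ServerSignature On
Options Indexes FollowSymLinks
LoadModule info_module libexec/mod_info.so
LoadModule cgi_module libexec/mod_cgi.so
LoadModule userdir_module libexec/mod_userdir.so
# ServerTokens Prod
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch'

# The same settings hardened: what the lint expects to see.
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
Options FollowSymLinks
LoadModule cgi_module libexec/mod_cgi.so
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch'

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_CONF" | lint_httpd_conf
  printf 'findings: %s\n' "$(printf '%s\n' "$SAMPLE_CONF" | lint_count)"
fi
```

Run it against the real file with `lint_httpd_conf < /var/DNSREPORT/web/etc/httpd.conf`; the `Allow from all` lines are deliberately not flagged, because with the server reachable only from the corporate network and over VPN the address restriction is done by the firewall rather than by httpd.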
