Understanding DNS activity with Route 53 Global Resolver - Amazon Route 53

This is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Understanding DNS activity with Route 53 Global Resolver

Route 53 Global Resolver provides comprehensive DNS query logging for monitoring client device activity and identifying security threats. Enable DNS query logging in Route 53 Global Resolver to see which sites client devices are accessing, identify potential security threats, and analyze DNS resolution patterns. The logs capture detailed information about each query, including which security policies were applied.

What information is captured in DNS logs

Each DNS query log entry provides detailed information about client device activity and security policy enforcement:

  • Query information - domain name, query type, query class, and protocol used

  • Client device information - source IP address, DNS view, and authentication method

  • Response information - response code, answer records, and response timing

  • Security actions - firewall rule matches, threat detection results, and actions taken

  • Metadata - timestamps, Global Resolver ID, Region, and tracking information

OCSF format for security integration

DNS query logs use the Open Cybersecurity Schema Framework (OCSF), which provides a standardized format for security event data. This format enables:

  • Standardized analysis - a consistent schema across different security tools

  • Improved interoperability - straightforward integration with SIEM and analytics platforms

  • Enhanced correlation - the ability to correlate DNS events with other security data

  • Future compatibility - support for evolving security analytics needs

OCSF log format examples

Route 53 Global Resolver DNS query logs follow the OCSF schema structure and provide detailed information about each DNS query, response, and security action. The following examples show the log format for an allowed query and for a denied query.

Route 53 Global Resolver DNS log - allowed example

This example shows a DNS query that a firewall rule allowed through. The log includes the query details, the response information, and enrichment data carrying the Route 53 Global Resolver-specific identifiers (resolver, DNS view, firewall rule, and device token).

{
  "action_id": 1,
  "action_name": "Allowed",
  "activity_id": 6,
  "activity_name": "Traffic",
  "category_name": "Network Activity",
  "category_uid": 4,
  "class_name": "DNS Activity",
  "class_uid": 4003,
  "cloud": {
    "provider": "AWS",
    "region": "us-east-1",
    "account": { "uid": "123456789012" }
  },
  "connection_info": {
    "direction": "Inbound",
    "direction_id": 1,
    "protocol_name": "udp",
    "protocol_num": 17,
    "protocol_ver": "",
    "uid": "db21d1739ddb423a"
  },
  "duration": 1,
  "end_time": 1761358379996,
  "answers": [
    { "rdata": "3.3.3.3", "type": "A", "class": "IN", "ttl": 300 },
    { "rdata": "3.3.3.4", "type": "A", "class": "IN", "ttl": 300 }
  ],
  "src_endpoint": { "ip": "3.3.3.1", "port": 56576 },
  "enrichments": [
    {
      "name": "global-resolver",
      "value": "gr-a1b2c3d4fexample",
      "data": {
        "dns_view_id": "dnsv-a1b2c3d4fexample",
        "firewall_rule_id": "fr-a1b2c3d4fexample",
        "token_id": "t-a1b2c3d4fexample",
        "token_name": "device-123456",
        "token_expiration": "1789419206"
      }
    }
  ],
  "message": "",
  "metadata": {
    "version": "1.2.0",
    "product": {
      "name": "Global Resolver",
      "vendor_name": "AWS",
      "feature": { "name": "DNS" }
    }
  },
  "query": {
    "hostname": "example.com.",
    "class": "IN",
    "type": "A",
    "opcode": "Query",
    "opcode_id": 0
  },
  "query_time": 1761358379995,
  "rcode": "NOERROR",
  "rcode_id": 0,
  "response_time": 1761358379995,
  "severity": "Informational",
  "severity_id": 1,
  "start_time": 1761358379995,
  "status": "Success",
  "status_id": 1,
  "time": 1761358379995,
  "type_name": "DNS Activity: Traffic",
  "type_uid": 400306
}

Route 53 Global Resolver DNS log - denied example

This example shows a DNS query that a firewall rule blocked. The log includes the Denied action, an empty answers array, and a REFUSED response code indicating that the query was not processed.

{
  "action_id": 2,
  "action_name": "Denied",
  "activity_id": 6,
  "activity_name": "Traffic",
  "category_name": "Network Activity",
  "category_uid": 4,
  "class_name": "DNS Activity",
  "class_uid": 4003,
  "cloud": {
    "provider": "AWS",
    "region": "us-west-2",
    "account": { "uid": "123456789012" }
  },
  "connection_info": {
    "direction": "Inbound",
    "direction_id": 1,
    "protocol_name": "tcp",
    "protocol_num": 6,
    "protocol_ver_id": 4,
    "uid": "9fdc6fbc09794d5e"
  },
  "duration": 1,
  "end_time": 1761358379996,
  "answers": [],
  "src_endpoint": { "ip": "3.3.3.3", "port": 28276 },
  "enrichments": [
    {
      "name": "global-resolver",
      "value": "gr-a1b2c3d4fexample",
      "data": {
        "dns_view_id": "dnsv-a1b2c3d4fexample",
        "firewall_rule_id": "fr-a1b2c3d4fexample",
        "token_id": "t-a1b2c3d4fexample",
        "token_name": "device-123456",
        "token_expiration": "1789419206"
      }
    }
  ],
  "message": "",
  "metadata": {
    "version": "1.2.0",
    "product": {
      "name": "Global Resolver",
      "vendor_name": "AWS",
      "feature": { "name": "DNS" }
    }
  },
  "query": {
    "hostname": "example.com.",
    "class": "IN",
    "type": "A",
    "opcode": "Query",
    "opcode_id": 0
  },
  "query_time": 1761358379995,
  "rcode": "REFUSED",
  "rcode_id": 5,
  "response_time": 1761358379995,
  "severity": "Informational",
  "severity_id": 1,
  "start_time": 1761358379995,
  "status": "Failure",
  "status_id": 1,
  "time": 1761358379995,
  "type_name": "DNS Activity: Traffic",
  "type_uid": 400306
}
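To show how the action, answers and enrichment fields of these records are consumed downstream, the following Python is an added example (not part of the AWS documentation) that parses constructed, newline-delimited OCSF DNS Activity records shaped like the two above and counts firewall denials per device token; the device names, rule IDs and hostnames are placeholders, and the NXDOMAIN record is included to show that an empty answers array by itself is not a denial.

```python
import json
from collections import Counter, defaultdict

# Constructed records (not from the page) shaped like its OCSF class 4003 examples; only
# the fields the summariser reads are kept, and every identifier is a placeholder.
def _record(action, rcode, rcode_id, hostname, client_ip, token_name, rule_id, answers):
    return {"class_uid": 4003, "action_name": action, "rcode": rcode, "rcode_id": rcode_id,
            "time": 1761358379995, "answers": answers,
            "query": {"hostname": hostname, "type": "A", "class": "IN"},
            "src_endpoint": {"ip": client_ip, "port": 28276},
            "enrichments": [{"name": "global-resolver", "value": "gr-a1b2c3d4fexample",
                             "data": {"dns_view_id": "dnsv-a1b2c3d4fexample",
                                      "firewall_rule_id": rule_id,
                                      "token_name": token_name}}]}

SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    _record("Allowed", "NOERROR", 0, "example.com.", "3.3.3.1", "device-1", "fr-allow",
            [{"rdata": "3.3.3.3", "type": "A", "class": "IN", "ttl": 300}]),
    _record("Denied", "REFUSED", 5, "blocked-a.example.", "3.3.3.3", "device-2", "fr-block", []),
    _record("Denied", "REFUSED", 5, "blocked-b.example.", "3.3.3.3", "device-2", "fr-block", []),
    _record("Denied", "REFUSED", 5, "blocked-c.example.", "3.3.3.3", "device-2", "fr-block", []),
    _record("Allowed", "NXDOMAIN", 3, "typo.example.", "3.3.3.2", "device-3", "", []),
])

def global_resolver_data(record):
    """Return the 'global-resolver' enrichment's data block, or {} if it is absent."""
    for enrichment in record.get("enrichments", []):
        if enrichment.get("name") == "global-resolver":
            return enrichment.get("data", {})
    return {}

def summarize(lines, denied_threshold=3):
    """Parse newline-delimited OCSF DNS Activity records and return
    (denied_per_device, flagged_devices, blocked_hostnames_by_rule)."""
    denied = Counter()
    by_rule = defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Keep only DNS Activity records whose firewall action was Denied; an empty
        # answers array alone is not a denial (NXDOMAIN responses have one too).
        if rec.get("class_uid") != 4003 or rec.get("action_name") != "Denied":
            continue
        data = global_resolver_data(rec)
        device = data.get("token_name") or rec.get("src_endpoint", {}).get("ip", "unknown")
        denied[device] += 1
        by_rule[data.get("firewall_rule_id", "")].add(rec["query"]["hostname"])
    flagged = sorted(d for d, n in denied.items() if n >= denied_threshold)
    return denied, flagged, by_rule
```

Running summarize(SAMPLE_LOGS) flags device-2 after its third denial and attributes all three blocked hostnames to rule fr-block, while device-3's NXDOMAIN lookup is not counted.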