Gain visibility into DNS activity using Route 53 Global Resolver - Amazon Route 53

This is a machine-translated version of the English documentation. Where the two differ or are ambiguous, the English version takes precedence.

Gain visibility into DNS activity using Route 53 Global Resolver

Route 53 Global Resolver provides comprehensive DNS query logging for monitoring client device activity and identifying security threats. Enable DNS query logging in Route 53 Global Resolver to see which sites client devices reach, identify potential security threats, and analyze DNS resolution patterns. Each log entry records the full details of a query, including which security policies were applied to it.

What the DNS logs capture

Each DNS query log entry provides detailed information about client device activity and security policy enforcement:

  • Query information - domain name, query type, query class, and the transport protocol used

  • Client device information - source IP address, DNS view, and authentication method

  • Response information - response code, answer records, and response time

  • Security actions - firewall rule matches, threat detection results, and the action taken

  • Metadata - timestamps, Global Resolver ID, Region, and tracing information

OCSF format for security integration

DNS query logs use the Open Cybersecurity Schema Framework (OCSF), which provides a standardized format for security event data. This format enables:

  • Standardized analysis - a consistent schema across different security tools

  • Improved interoperability - straightforward integration with SIEM and analytics platforms

  • Enhanced correlation - the ability to correlate DNS events with other security data

  • Future compatibility - support for evolving security analytics requirements

OCSF log format examples

Route 53 Global Resolver DNS query logs follow the OCSF schema structure and provide details for each DNS query, its response, and the security action taken. The following examples show the log format for an allowed query and for a denied query.

Route 53 Global Resolver DNS log - access allowed example

This example shows a DNS query that a firewall rule allowed. The log includes the query details, the response information, and enrichment data carrying the Route 53 Global Resolver specific identifiers (the resolver, DNS view, firewall rule, and device token). Note that the time fields (time, start_time, end_time, query_time, response_time) are epoch milliseconds, whereas token_expiration in the enrichment data is a string holding epoch seconds; convert before comparing them.

{
  "action_id": 1,
  "action_name": "Allowed",
  "activity_id": 6,
  "activity_name": "Traffic",
  "category_name": "Network Activity",
  "category_uid": 4,
  "class_name": "DNS Activity",
  "class_uid": 4003,
  "cloud": {
    "provider": "AWS",
    "region": "us-east-1",
    "account": { "uid": "123456789012" }
  },
  "connection_info": {
    "direction": "Inbound",
    "direction_id": 1,
    "protocol_name": "udp",
    "protocol_num": 17,
    "protocol_ver": "",
    "uid": "db21d1739ddb423a"
  },
  "duration": 1,
  "end_time": 1761358379996,
  "answers": [
    { "rdata": "3.3.3.3", "type": "A", "class": "IN", "ttl": 300 },
    { "rdata": "3.3.3.4", "type": "A", "class": "IN", "ttl": 300 }
  ],
  "src_endpoint": { "ip": "3.3.3.1", "port": 56576 },
  "enrichments": [
    {
      "name": "global-resolver",
      "value": "gr-a1b2c3d4fexample",
      "data": {
        "dns_view_id": "dnsv-a1b2c3d4fexample",
        "firewall_rule_id": "fr-a1b2c3d4fexample",
        "token_id": "t-a1b2c3d4fexample",
        "token_name": "device-123456",
        "token_expiration": "1789419206"
      }
    }
  ],
  "message": "",
  "metadata": {
    "version": "1.2.0",
    "product": {
      "name": "Global Resolver",
      "vendor_name": "AWS",
      "feature": { "name": "DNS" }
    }
  },
  "query": {
    "hostname": "example.com.",
    "class": "IN",
    "type": "A",
    "opcode": "Query",
    "opcode_id": 0
  },
  "query_time": 1761358379995,
  "rcode": "NOERROR",
  "rcode_id": 0,
  "response_time": 1761358379995,
  "severity": "Informational",
  "severity_id": 1,
  "start_time": 1761358379995,
  "status": "Success",
  "status_id": 1,
  "time": 1761358379995,
  "type_name": "DNS Activity: Traffic",
  "type_uid": 400306
}

Route 53 Global Resolver DNS log - access denied example

This example shows a DNS query that a firewall rule blocked. The log contains the Denied action, an empty answers array, and the REFUSED response code, which indicates that the query was not processed. Note that status_id is 1 in this example even though status is Failure, so detection logic should key on action_id and rcode_id rather than on status_id.

{
  "action_id": 2,
  "action_name": "Denied",
  "activity_id": 6,
  "activity_name": "Traffic",
  "category_name": "Network Activity",
  "category_uid": 4,
  "class_name": "DNS Activity",
  "class_uid": 4003,
  "cloud": {
    "provider": "AWS",
    "region": "us-west-2",
    "account": { "uid": "123456789012" }
  },
  "connection_info": {
    "direction": "Inbound",
    "direction_id": 1,
    "protocol_name": "tcp",
    "protocol_num": 6,
    "protocol_ver_id": 4,
    "uid": "9fdc6fbc09794d5e"
  },
  "duration": 1,
  "end_time": 1761358379996,
  "answers": [],
  "src_endpoint": { "ip": "3.3.3.3", "port": 28276 },
  "enrichments": [
    {
      "name": "global-resolver",
      "value": "gr-a1b2c3d4fexample",
      "data": {
        "dns_view_id": "dnsv-a1b2c3d4fexample",
        "firewall_rule_id": "fr-a1b2c3d4fexample",
        "token_id": "t-a1b2c3d4fexample",
        "token_name": "device-123456",
        "token_expiration": "1789419206"
      }
    }
  ],
  "message": "",
  "metadata": {
    "version": "1.2.0",
    "product": {
      "name": "Global Resolver",
      "vendor_name": "AWS",
      "feature": { "name": "DNS" }
    }
  },
  "query": {
    "hostname": "example.com.",
    "class": "IN",
    "type": "A",
    "opcode": "Query",
    "opcode_id": 0
  },
  "query_time": 1761358379995,
  "rcode": "REFUSED",
  "rcode_id": 5,
  "response_time": 1761358379995,
  "severity": "Informational",
  "severity_id": 1,
  "start_time": 1761358379995,
  "status": "Failure",
  "status_id": 1,
  "time": 1761358379995,
  "type_name": "DNS Activity: Traffic",
  "type_uid": 400306
}
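As an added example (not code from the Route 53 documentation or from AWS), the following Python consumes records in the format shown in the two examples above and illustrates the fields listed under "What the DNS logs capture": it checks the OCSF invariants a consumer can verify before trusting a record (class_uid 4003 and type_uid = class_uid * 100 + activity_id), flattens the global-resolver enrichment data, converts the millisecond and second epoch values, and groups blocked queries by device token. The two sample log lines are constructed from the page's examples with placeholder values and trimmed to the fields the code reads; the detection threshold is an assumed value.

```python
"""Parse Route 53 Global Resolver OCSF DNS Activity logs and run a simple
blocked-query detection over them (example code added here, not AWS code)."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# OCSF invariants for the DNS Activity class: class_uid is 4003 and
# type_uid = class_uid * 100 + activity_id (400306 for the "Traffic" activity).
DNS_ACTIVITY_CLASS_UID = 4003
ACTION_NAMES = {1: "Allowed", 2: "Denied"}

# Constructed sample input modelled on the two examples on this page, trimmed
# to the fields this code reads. IPs, account and IDs are placeholders.
_GR_ENRICHMENT = {
    "name": "global-resolver", "value": "gr-a1b2c3d4fexample",
    "data": {"dns_view_id": "dnsv-a1b2c3d4fexample",
             "firewall_rule_id": "fr-a1b2c3d4fexample",
             "token_id": "t-a1b2c3d4fexample", "token_name": "device-123456",
             "token_expiration": "1789419206"},
}
_SAMPLE_RECORDS = [
    {"action_id": 1, "action_name": "Allowed", "activity_id": 6,
     "class_uid": 4003, "type_uid": 400306, "time": 1761358379995,
     "cloud": {"provider": "AWS", "region": "us-east-1", "account": {"uid": "123456789012"}},
     "connection_info": {"protocol_name": "udp", "uid": "db21d1739ddb423a"},
     "src_endpoint": {"ip": "3.3.3.1", "port": 56576},
     "query": {"hostname": "example.com.", "class": "IN", "type": "A"},
     "answers": [{"rdata": "3.3.3.3", "type": "A", "ttl": 300},
                 {"rdata": "3.3.3.4", "type": "A", "ttl": 300}],
     "rcode": "NOERROR", "rcode_id": 0, "enrichments": [_GR_ENRICHMENT]},
    {"action_id": 2, "action_name": "Denied", "activity_id": 6,
     "class_uid": 4003, "type_uid": 400306, "time": 1761358379995,
     "cloud": {"provider": "AWS", "region": "us-west-2", "account": {"uid": "123456789012"}},
     "connection_info": {"protocol_name": "tcp", "uid": "9fdc6fbc09794d5e"},
     "src_endpoint": {"ip": "3.3.3.3", "port": 28276},
     "query": {"hostname": "example.com.", "class": "IN", "type": "A"},
     "answers": [], "rcode": "REFUSED", "rcode_id": 5, "enrichments": [_GR_ENRICHMENT]},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]


def _iso_utc_from_ms(epoch_ms):
    """Render an OCSF millisecond epoch value as ISO 8601 UTC."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).isoformat()


def parse_record(line):
    """Parse one OCSF DNS Activity log line into a flat summary dict.

    Rejects records that are not DNS Activity or whose type_uid does not equal
    class_uid * 100 + activity_id, so truncated or mis-routed events never
    reach the detection logic.
    """
    rec = json.loads(line)
    if rec.get("class_uid") != DNS_ACTIVITY_CLASS_UID:
        raise ValueError(f"not a DNS Activity record: class_uid={rec.get('class_uid')}")
    expected_type = rec["class_uid"] * 100 + rec["activity_id"]
    if rec.get("type_uid") != expected_type:
        raise ValueError(f"type_uid {rec.get('type_uid')} != expected {expected_type}")

    # Global Resolver specific identifiers live under the "global-resolver" enrichment.
    gr = next((e for e in rec.get("enrichments", []) if e.get("name") == "global-resolver"), {})
    data = gr.get("data", {})
    return {
        "time": _iso_utc_from_ms(rec["time"]),
        "query_time_ms": rec["time"],
        "region": rec["cloud"]["region"],
        "client_ip": rec["src_endpoint"]["ip"],
        "protocol": rec["connection_info"]["protocol_name"],
        "hostname": rec["query"]["hostname"],
        "qtype": rec["query"]["type"],
        "action": ACTION_NAMES.get(rec["action_id"], rec.get("action_name", "Unknown")),
        "rcode": rec["rcode"],
        "answers": [a["rdata"] for a in rec.get("answers", [])],
        "resolver_id": gr.get("value"),
        "dns_view_id": data.get("dns_view_id"),
        "firewall_rule_id": data.get("firewall_rule_id"),
        "token_name": data.get("token_name"),
        # token_expiration is epoch seconds in the page's examples, unlike the
        # millisecond time fields, so it is kept separately for the expiry check.
        "token_expiration_s": int(data["token_expiration"]) if "token_expiration" in data else None,
    }


def token_valid_at_query(summary):
    """True if the device token had not yet expired when the query was made."""
    exp = summary["token_expiration_s"]
    return exp is not None and summary["query_time_ms"] < exp * 1000


def denied_by_device(summaries):
    """Map token_name -> sorted list of distinct hostnames blocked for that device."""
    blocked = defaultdict(set)
    for s in summaries:
        if s["action"] == "Denied":
            blocked[s["token_name"]].add(s["hostname"])
    return {tok: sorted(hosts) for tok, hosts in blocked.items()}


def flag_devices(summaries, threshold=1):
    """Devices with at least `threshold` distinct blocked domains (assumed threshold)."""
    return sorted(t for t, hosts in denied_by_device(summaries).items() if len(hosts) >= threshold)


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_LOG_LINES]
    for p in parsed:
        print(p["time"], p["client_ip"], p["token_name"], p["action"], p["hostname"], p["rcode"], p["answers"])
    print("devices with blocked queries:", flag_devices(parsed))
```

A real pipeline feeds delivered log lines in place of SAMPLE_LOG_LINES; the field access is the same. The detection keys on action_id and rcode rather than on status_id, and the type_uid check is cheap insurance against events that were re-serialized or truncated on the way to the SIEM.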