
Include subnet information for: dnscollector_requesters_top_total

Open KVInventoR opened this issue 3 years ago • 5 comments

It will also be useful to have some additional statistics to analyze the number of queries from similar subnets. Example:

dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.206.36"} 38 
dnscollector_requesters_top_total{stream="beta-vm01",ip="178.20.157.236"} 35
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.255.35"} 34
dnscollector_requesters_top_total{stream="beta-vm01",ip="178.20.156.245"} 33
dnscollector_requesters_top_total{stream="beta-vm01",ip="148.66.138.87"} 33
dnscollector_requesters_top_total{stream="beta-vm01",ip="114.119.176.141"} 31
dnscollector_requesters_top_total{stream="beta-vm01",ip="165.227.94.23"} 31
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.1.133"} 30
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.255.37"} 30
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.1.132"} 30
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.255.33"} 26
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.206.33"} 26
dnscollector_requesters_top_total{stream="beta-vm01",ip="172.253.206.37"} 25

I am pretty sure 172.253.206.36, 172.253.206.33 and 172.253.206.37 are in the same subnet range.

If the geoip module for AS information is enabled, is it possible to add an additional label, like `subnet_range`? After that, I will be able to calculate the number of queries from the same subnet range in Grafana.

Probably the same feature can be useful for other metrics.

What is the goal? I just would like to have some system which will give the possibility to recognize attacks on our DNS infrastructure.

KVInventoR avatar Dec 28 '21 09:12 KVInventoR

@KVInventoR Before adding more features, I need to have some feedback regarding performance (CPU and memory). I don't want to decrease the performance of the collector.

dmachard avatar Dec 29 '21 06:12 dmachard

Hi @dmachard, of course, I can try to connect other DNS servers to push dnstap messages and check performance, but everything related to geoip can break performance,

and it's best to split one big application into small separate applications which can scale.

KVInventoR avatar Dec 30 '21 16:12 KVInventoR

Also, you probably saw it, but I found this really useful: https://www.youtube.com/watch?v=M8nYWBpbwWg

KVInventoR avatar Dec 30 '21 16:12 KVInventoR

Can you tell me how to find the network with GeoIP?

dmachard avatar Nov 14 '22 17:11 dmachard

This could be an arbitrary configurable subnet mask as an easy solution. At a minimum, the global BGP table space typically only recognizes /24 and /48 as the "smallest" networks, so that usually aggregates /32 and /128 addresses into much more manageable sizes, and makes stats more meaningful.

johnhtodd avatar Oct 02 '23 16:10 johnhtodd
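Added example, not part of this thread or of go-dnscollector itself: a Go function that rolls the per-IP counters quoted in the issue up to /24 (IPv4) and /48 (IPv6) prefixes, as suggested above, using `netip.Addr.Prefix` to clear the host bits. The `subnet` label name and the sample rows (copied from the issue for stream `beta-vm01`) are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// requester is one dnscollector_requesters_top_total sample: its ip label and value.
type requester struct {
	ip    string
	count int
}
// sampleRows reproduces the per-IP counters quoted in the issue for stream "beta-vm01".
var sampleRows = []requester{
	{"172.253.206.36", 38}, {"178.20.157.236", 35}, {"172.253.255.35", 34},
	{"178.20.156.245", 33}, {"148.66.138.87", 33}, {"114.119.176.141", 31},
	{"165.227.94.23", 31}, {"172.253.1.133", 30}, {"172.253.255.37", 30},
	{"172.253.1.132", 30}, {"172.253.255.33", 26}, {"172.253.206.33", 26},
	{"172.253.206.37", 25},
}
// aggregateBySubnet folds per-address counters into per-prefix counters, masking
// IPv4 to v4Bits and IPv6 to v6Bits (24 and 48 below, the smallest prefixes normally
// carried in the global BGP table). Unparseable ip labels are skipped and counted.
func aggregateBySubnet(rows []requester, v4Bits, v6Bits int) (map[string]int, int) {
	out, skipped := make(map[string]int), 0
	for _, r := range rows {
		addr, err := netip.ParseAddr(r.ip)
		if err != nil {
			skipped++
			continue
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
		bits := v6Bits
		if addr.Is4() {
			bits = v4Bits
		}
		if prefix, err := addr.Prefix(bits); err == nil { // 172.253.206.36 -> 172.253.206.0/24
			out[prefix.String()] += r.count
		} else {
			skipped++
		}
	}
	return out, skipped
}
func main() {
	totals, _ := aggregateBySubnet(sampleRows, 24, 48)
	for subnet, n := range totals {
		fmt.Printf("dnscollector_requesters_top_total{stream=\"beta-vm01\",subnet=%q} %d\n", subnet, n)
	}
}
```

With the issue's rows, the three 172.253.206.x requesters collapse into one 172.253.206.0/24 line with 89 queries, which is the view Grafana would need to spot a whole subnet hammering the resolver.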