Add a minimum TTL to auditbeat reverse DNS resolution #18709
Comments
Pinging @elastic/siem (Team:SIEM)

It's probably a pretty simple enhancement to make if anyone is interested in contributing. It would involve adding a new configuration option to the success cache, then updating the code to set a minimum bound on the cache TTL value. It would need a test case and docs update too.

beats/libbeat/processors/dns/config.go, lines 84 to 88 in bfe773e
beats/libbeat/processors/dns/cache.go, line 52 in bfe773e
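As an added example (not the beats code from this issue or its PR), here is a Go sketch of a success cache with the `success_cache.min_ttl` lower bound described above: a TTL=0 reverse-DNS answer is held for the configured minimum instead of being re-queried on every event. The type, field and function names are assumptions, not libbeat's own.

```go
package main

import (
	"fmt"
	"time"
)

// successCache is a hypothetical stand-in for the dns processor's success
// cache: answers are keyed by IP and expire by the response TTL, clamped
// below by minTTL so TTL=0 answers are held instead of re-queried per event.
type successCache struct {
	minTTL  time.Duration
	entries map[string]cacheEntry
	now     func() time.Time // injectable clock so the example runs offline
}

type cacheEntry struct{ name string; expires time.Time }

// effectiveTTL applies the success_cache.min_ttl lower bound.
func (c *successCache) effectiveTTL(respTTL time.Duration) time.Duration {
	if respTTL < c.minTTL {
		return c.minTTL
	}
	return respTTL
}

// set records a successful answer; respTTL is the TTL from the DNS response.
func (c *successCache) set(ip, name string, respTTL time.Duration) {
	c.entries[ip] = cacheEntry{name, c.now().Add(c.effectiveTTL(respTTL))}
}

// get returns the cached name and true while the entry is unexpired.
func (c *successCache) get(ip string) (string, bool) {
	e, ok := c.entries[ip]
	if !ok || !c.now().Before(e.expires) {
		delete(c.entries, ip)
		return "", false
	}
	return e.name, true
}

func main() { // constructed sample: TTL=0 answer, clock advanced by hand
	clock := time.Unix(0, 0)
	c := &successCache{5 * time.Second, map[string]cacheEntry{}, func() time.Time { return clock }}
	c.set("192.0.2.10", "host.example", 0)
	_, hit := c.get("192.0.2.10")
	clock = clock.Add(6 * time.Second)
	_, later := c.get("192.0.2.10")
	fmt.Println(hit, later) // true false
}
```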
@andrewkroh I attempted to make the necessary changes, but not sure how to test them so I am not sure if they are actually working. I have previously been using the dns processor with the auditbeat system socket module that doesn't seem to be open sourced. I have signed the CLA, so feel free to take this commit and complete it:

hey @ansell, can you please open a PR with that patch? I can take a look at it and try to push in some unit tests to go with it.

@andrewkroh PR is at #18986 . I have enabled "Maintainer push access" to the branch.
An enhancement to add a minimum alternative cache TTL to the libbeat dns processor for successful DNS responses. This ensures that TTL=0 successful reverse DNS responses can be cached to avoid sending the same reverse DNS request again within a short period of time. The libbeat dns processor is used as a reverse DNS annotator for auditbeat events. Some of these IP addresses respond to reverse DNS requests with TTL=0 in the responses. These were causing load issues for my systems when I had the reverse DNS processor enabled for auditbeat. The new setting is `success_cache.min_ttl`. Closes #18709 Signed-off-by: Peter Ansell <[email protected]> Co-authored-by: Marc Guasch <[email protected]>
Describe the enhancement:

I am having an issue with auditbeat performing reverse DNS resolution too often. However, it doesn't look like a bug, as the responses seem to have `TTL: 0`, and based on the documentation it appears as though that response value is honoured and the responses are never cached by design: https://www.elastic.co/guide/en/beats/auditbeat/master/processor-dns.html

Describe a specific use case for the enhancement or feature:

It would be very useful for me to be able to configure a minimum TTL for caching successful auditbeat reverse DNS resolutions to allow `TTL: 0` responses to be cached for the minimum configured time rather than never cached. Reverse DNS requests are generally out-of-system requests, so there is also the potential for DoS if malicious users are aware of the use of auditbeat reverse DNS resolution and this issue.