# Hardware-Accelerated DNS Monitoring Platform
The aim of this effort is to develop a hardware-accelerated DNS collector capable of processing DNS traffic at 10 Gbps wire speed.
## Hardware Setup
The following diagram shows a typical deployment in which hardware-accelerated monitoring resides in a host machine that also runs an authoritative DNS server.
![schema](img/hw.png)
The host machine has two cards connected via PCI Express:
* a programmable hardware card with an FPGA chip and a network processor (NXP)
* a standard two-port 10GE card (Intel).
The FPGA/NXP card has three 10GE interfaces: one external (denoted as E), and two internal (A and B).
Alternatively, the FPGA/NXP card can also be deployed alone in a dedicated monitoring machine (without the DNS server) that receives traffic via an optical splitter or a mirror port. The internal ports A and B are then unused, and the host machine serves essentially only as a power supply for the FPGA/NXP card.
## Hardware-Accelerated Monitoring Functions
The FPGA/NXP card shall detect UDP packets containing DNS queries (UDP/53) in the incoming traffic received through the external interface E. These packets shall be (1) sent to one of the internal interfaces, say A, but also (2) passed to additional hardware processing. Other packets will be sent directly to the other internal interface B.
The DNS server running on the host machine shall listen on both interfaces of the Intel card and route all responses back to the interface connected to the internal interface A. The FPGA/NXP card shall (1) send each response out of the external interface E, and (2) pass it to hardware processing.
The hardware processing of UDP/53 queries and their responses shall comprise the following steps and functions:
* Assign a precise timestamp to every packet.
* Extract all relevant data from the DNS query and store them.
* When the corresponding response is received from the DNS server, the relevant response data are extracted from it and paired with the cached query data. The combined timestamp/query/response record is then serialized in the desired format (CSV) and prepared for export.
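The following is an added software model of the three steps above (timestamp, cache query data, pair the response and emit CSV); it is not the project's own FPGA/NXP logic. It assumes pairing on the flipped client/server 5-tuple plus the DNS transaction ID, checks that the response carries the same QNAME, and uses constructed sample packets with constructed (non-real) addresses and timestamps.

```python
import struct

def parse_dns(payload):
    """Parse the DNS header and the first question: enough to pair a query with its response."""
    txid, flags, _qdcount = struct.unpack_from("!HHH", payload, 0)
    off, labels = 12, []
    while True:                                  # walk the (uncompressed) QNAME labels
        n = payload[off]; off += 1
        if n == 0:
            break
        labels.append(payload[off:off + n].decode("ascii")); off += n
    qtype, _qclass = struct.unpack_from("!HH", payload, off)
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qname": ".".join(labels) + ".", "qtype": qtype}

class DnsPairer:
    """Cache each query with its timestamp; emit one CSV row when the matching response arrives."""
    def __init__(self):
        self.pending = {}  # (client, cport, server, sport, txid) -> (timestamp, parsed query)

    def packet(self, ts, src, sport, dst, dport, payload):
        msg = parse_dns(payload)
        if msg["qr"] == 0:                       # query seen on the external interface E
            self.pending[(src, sport, dst, dport, msg["id"])] = (ts, msg)
            return None
        key = (dst, dport, src, sport, msg["id"])  # response: the 5-tuple is reversed
        entry = self.pending.pop(key, None)
        if entry is None or entry[1]["qname"] != msg["qname"]:
            return None                          # unsolicited or mismatched response: not exported
        qts, q = entry
        # CSV row: query ts, response ts, client, qname, qtype, rcode (a real collector ages out
        # pending entries that never get a response)
        return f"{qts:.9f},{ts:.9f},{dst},{q['qname']},{q['qtype']},{msg['rcode']}"

def build_question(qname, qtype=1):
    """Encode a question section (QNAME, QTYPE, QCLASS=IN) for the constructed samples."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return name + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed sample packets: a query (QR=0, RD=1) and its response (QR=1, RD=1, RA=1, RCODE=0).
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + build_question("example.com")
RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + build_question("example.com")

def demo():
    """Run the constructed query/response pair through the pairer and return the CSV row."""
    p = DnsPairer()
    p.packet(1.000000001, "198.51.100.7", 40000, "192.0.2.53", 53, QUERY)
    return p.packet(1.000000250, "192.0.2.53", 53, "198.51.100.7", 40000, RESPONSE)
```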
## Advantages
Compared to the software DNS collector, the hardware-accelerated collector provides the following benefits:
1. Performance – it should be able to process DNS traffic at 10 Gbps wire speed.
2. When deployed together with a DNS server, the collector does not compete with the DNS server for computing resources. This is especially important under extreme load, such as during DoS attacks.
3. The timestamps associated with DNS queries and responses are precise and reliable. In contrast, timestamps assigned by the software collector are affected by process scheduling in the host operating system, which leads to artefacts such as bogus packet accumulation.
## Further Possibilities
In addition to the monitoring functions, the FPGA/NXP card can also be programmed to protect the DNS service running in the host machine. Specifically, it can implement packet filtering analogous to Linux netfilter, apply packet sampling to selected traffic, etc.