Thursday, October 13, 2016

Real-time domain name lookups

Reverse DNS lookups return the domain name associated with an IP address, for example providing the name google-public-dns-a.google.com for IP address 8.8.8.8. This article demonstrates how the sFlow-RT engine incorporates domain name lookups in real-time flow analytics.

First, the dns.servers System Property is used to specify one or more DNS servers to handle the reverse lookup requests. For example, the following command uses Docker to run sFlow-RT with DNS lookups directed to server 10.0.0.1:
docker run -e "RTPROP=-Ddns.servers=10.0.0.1" \
-p 8008:8008 -p 6343:6343/udp -d sflow/sflow-rt
The following Python script dnspair.py uses the sFlow-RT REST API to define a flow and log the resulting flow records:
#!/usr/bin/env python
import requests
import json

# Define a flow keyed on the reverse-DNS names of source and destination,
# measured in bytes, and ask sFlow-RT to log completed flow records
flow = {'keys':'dns:ipsource,dns:ipdestination',
 'value':'bytes','activeTimeout':10,'log':True}
requests.put('http://localhost:8008/flow/dnspair/json',data=json.dumps(flow))

# Long-poll for new flow records, resuming from the last flowID seen
flowurl = 'http://localhost:8008/flows/json?name=dnspair&maxFlows=10&timeout=60'
flowID = -1
while True:
  r = requests.get(flowurl + "&flowID=" + str(flowID))
  if r.status_code != 200: break
  flows = r.json()
  if len(flows) == 0: continue

  flowID = flows[0]["flowID"]   # newest record first; remember it for the next poll
  flows.reverse()               # print records in chronological order
  for f in flows:
    print(json.dumps(f,indent=1))
Running the script generates the following output:
$ ./dnspair.py
{
 "value": 233370.92322668363, 
 "end": 1476234478177, 
 "name": "dnspair", 
 "flowID": 1523, 
 "agent": "10.0.0.20", 
 "start": 1476234466195, 
 "dataSource": "10", 
 "flowKeys": "xenvm11.sf.inmon.com.,dhcp20.sf.inmon.com."
}
{
 "value": 39692.88754760739, 
 "end": 1476234478177, 
 "name": "dnspair", 
 "flowID": 1524, 
 "agent": "10.0.0.20", 
 "start": 1476234466195, 
 "dataSource": "10", 
 "flowKeys": "xenvm11.sf.inmon.com.,switch.sf.inmon.com."
}
The token dns:ipsource in the flow definition is an example of a Key Function. Functions can be combined to define flow keys or used in filters, for example:
or:[dns:ipsource]:ipsource
Returns the DNS name if available, otherwise the original IP address is returned.
suffix:[dns:ipsource]:.:3
Returns the last 2 parts of the DNS name, e.g. xenvm11.sf.inmon.com. becomes inmon.com.

DNS results are cached by the dns: function in order to provide real-time lookups and reduce the load on the backend name server(s). Cache size and timeout settings are tunable using System Properties.
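The following Python is added here as an illustration and is not sFlow-RT's own code. It models what the key functions above do: a reverse-DNS cache with a TTL and size limit (standing in for the dns: function and its cache, including caching of negative answers so that unresolvable addresses do not hammer the name server), an or:-style fallback to the IP address, and a suffix: function. The FAKE_PTR table, the ReverseDnsCache class and its parameters are constructed for the example; the reading that suffix:...:.:3 counts the empty label after the trailing dot (so 3 parts yield inmon.com.) is an assumption chosen to match the article's example.

```python
import time

# Constructed stand-in for the answers a reverse-DNS server would return,
# so the example runs offline (assumption: not a real resolver).
FAKE_PTR = {
    "10.0.0.20": "xenvm11.sf.inmon.com.",
    "10.0.0.1": "switch.sf.inmon.com.",
}


class ReverseDnsCache:
    """Caches reverse lookups, including negative results, for `ttl` seconds,
    so repeated flow records for one address do not hit the name server again."""

    def __init__(self, resolver, ttl=300.0, max_entries=1000, clock=time.monotonic):
        self.resolver = resolver        # callable: ip -> name or None
        self.ttl = ttl
        self.max_entries = max_entries
        self.clock = clock              # injectable for testing expiry
        self.entries = {}               # ip -> (name_or_None, expires_at)
        self.lookups = 0                # resolver calls actually made

    def lookup(self, ip):
        now = self.clock()
        hit = self.entries.get(ip)
        if hit is not None and hit[1] > now:
            return hit[0]               # fresh cache entry (possibly a negative one)
        if len(self.entries) >= self.max_entries:
            # simple eviction: drop the entry that expires soonest
            soonest = min(self.entries, key=lambda k: self.entries[k][1])
            del self.entries[soonest]
        self.lookups += 1
        name = self.resolver(ip)
        self.entries[ip] = (name, now + self.ttl)
        return name


def or_dns_or_ip(cache, ip):
    """Mirrors or:[dns:ipsource]:ipsource: the name if available, else the IP."""
    name = cache.lookup(ip)
    return name if name is not None else ip


def suffix(value, sep, n):
    """Mirrors suffix:<value>:<sep>:<n>: keep the last n separator-delimited parts.
    A name ending in '.' has an empty final part, so n=3 on
    'xenvm11.sf.inmon.com.' gives 'inmon.com.' (assumed reading of the article)."""
    parts = value.split(sep)
    return sep.join(parts[-n:])


def flow_key(cache, src_ip, dst_ip):
    """Key for a flow defined as dns:ipsource,dns:ipdestination with the or: fallback."""
    return ",".join(or_dns_or_ip(cache, ip) for ip in (src_ip, dst_ip))


if __name__ == "__main__":
    cache = ReverseDnsCache(FAKE_PTR.get, ttl=60)
    print(flow_key(cache, "10.0.0.20", "10.0.0.1"))
    print(flow_key(cache, "10.0.0.20", "192.0.2.9"))   # falls back to the IP
    print(suffix("xenvm11.sf.inmon.com.", ".", 3))
    print("resolver calls:", cache.lookups)
```

Caching the negative result matters as much as caching the hit: sampled traffic from unroutable or unregistered addresses would otherwise trigger a lookup on every flow record, which is exactly the load the dns: cache is meant to keep off the name server.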

9 comments:

  1. Excuse me, why is my top flow value very large and actually wrong?

    1. This suggests a problem with the sFlow agent (if it reports incorrect sampling rates and/or sample pool counts). What is the source of your sFlow?

    2. The sFlow agent is configured on the switch (HUAWEI), and the interface is a Gigabit interface, in accordance with 1 Gbit/s, 1-in-1000, 20 seconds.

    3. How large is your top flow? How do you know the correct value (are you using a tool like iperf)?

      Try running the sFlow Test application. It will flag a number of common problems.

  2. The 20 top flow values are as high as several Tbps; in the sFlow Test application interface, values are also up to Tbps. Actually, at our exit, it's just Mbps. Do I need to make any changes to sFlow-RT? Thanks a lot! (info column ---> min=-24,543,086,515,155 max=2,520,524,777,803)

    1. The sFlow interface counters and packet sample data should match. The sFlow Test application is flagging the fact that they don't match.

      It sounds like the sFlow exported by the Huawei switch is defective. If you query the sFlow-RT /agents/json page, what errors are being reported?

  3. Please have a look, is any error being reported below?
    {
    "10.255.254.2": {
    "sFlowDatagramsLost": 4462783,
    "sFlowDatagramSource": ["10.255.254.2"],
    "firstSeen": 209098441,
    "sFlowFlowDuplicateSamples": 0,
    "sFlowDatagramsReceived": 4681014,
    "sFlowCounterDatasources": 42,
    "sFlowFlowOutOfOrderSamples": 0,
    "sFlowFlowSamples": 578879,
    "sFlowDatagramsOutOfOrder": 29706,
    "uptime": 2819708435,
    "sFlowCounterDuplicateSamples": 0,
    "lastSeen": 23,
    "sFlowDatagramsDuplicates": 0,
    "sFlowFlowDrops": 0,
    "sFlowFlowLostSamples": 9,
    "sFlowCounterSamples": 23486,
    "sFlowCounterLostSamples": 2,
    "sFlowFlowDatasources": 36,
    "sFlowCounterOutOfOrderSamples": 0
    }
    }

    1. The sFlowDatagramsOutOfOrder number indicates that the sequence numbers are incorrect. You could explore this further using sflowtool to examine individual datagrams. sflowtool will flag any malformed sFlow structures and you can look at the sequence of sequence numbers reported by the agent.
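As an added example, not code from the article, from sFlow-RT or from either commenter, the following Python applies the kind of check discussed in this thread to the agent record posted above: it computes the datagram loss and out-of-order ratios from the /agents/json counters and flags an agent whose sFlow export looks unreliable, which is worth checking before trusting any top-flow numbers derived from it. The AGENTS_JSON dict is constructed from the counters posted in the comment; the threshold values and the helper names are assumptions.

```python
# Constructed from the counters posted above (a subset of one /agents/json entry).
AGENTS_JSON = {
    "10.255.254.2": {
        "sFlowDatagramsLost": 4462783,
        "sFlowDatagramsReceived": 4681014,
        "sFlowDatagramsOutOfOrder": 29706,
        "sFlowDatagramsDuplicates": 0,
        "sFlowFlowSamples": 578879,
        "sFlowFlowLostSamples": 9,
        "sFlowCounterSamples": 23486,
        "sFlowCounterLostSamples": 2,
    }
}


def agent_health(stats, max_lost_ratio=0.01, max_ooo_ratio=0.001):
    """Summarise one agent's datagram counters and list findings that
    suggest its sFlow export cannot be trusted. Thresholds are assumptions."""
    received = stats.get("sFlowDatagramsReceived", 0)
    lost = stats.get("sFlowDatagramsLost", 0)
    ooo = stats.get("sFlowDatagramsOutOfOrder", 0)
    dup = stats.get("sFlowDatagramsDuplicates", 0)

    expected = received + lost               # datagrams the sequence numbers imply were sent
    lost_ratio = lost / expected if expected else 0.0
    ooo_ratio = ooo / received if received else 0.0

    findings = []
    if lost_ratio > max_lost_ratio:
        findings.append(
            f"datagram loss {lost_ratio:.1%} (lost={lost}, received={received}): "
            "sampling-based rates will be wrong")
    if ooo_ratio > max_ooo_ratio:
        findings.append(
            f"out-of-order datagrams {ooo_ratio:.2%} (n={ooo}): "
            "sequence numbers look inconsistent; inspect with sflowtool")
    if dup:
        findings.append(f"duplicate datagrams (n={dup}): possible duplicated export path")

    return {
        "lost_ratio": lost_ratio,
        "ooo_ratio": ooo_ratio,
        "findings": findings,
    }


def check_agents(agents):
    """Run agent_health over every agent in a /agents/json style dict."""
    return {ip: agent_health(stats) for ip, stats in agents.items()}


if __name__ == "__main__":
    for ip, result in check_agents(AGENTS_JSON).items():
        status = "OK" if not result["findings"] else "SUSPECT"
        print(f"{ip}: {status}")
        for line in result["findings"]:
            print("  -", line)
```

A healthy agent should show loss and out-of-order counts that are a tiny fraction of the datagrams received; for the record above nearly half the expected datagrams are missing, so flow rates extrapolated from its samples cannot be believed until the export itself is fixed.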

  4. Thank you a lot for your answers!
