Unlock DNS Log Insights: Detect Threats, Optimize Performance, and Master Cloud‑Native Auditing

This article explains how DNS logs serve as a foundation for network monitoring, security auditing, and performance troubleshooting, covering DNS parsing, record types, log‑audit integration with Alibaba Cloud SLS, practical query examples, and advanced analysis techniques for detecting anomalies and attacks.

Alibaba Cloud Observability

DNS (Domain Name System) [1] underlies almost every network interaction: it translates human-readable domain names into the IP addresses that machines use. Because nearly every connection starts with a lookup, DNS logs give a near-complete picture of which hosts talk to which domains. For compliance and security, companies routinely retain and analyze network logs, and DNS logs in particular expose domain-resolution usage, configuration errors, and potential security issues such as contact with malicious domains.

DNS Resolution Process

A resolver first consults its cache; if a record for the name is present and its TTL has not expired, the lookup steps below are skipped and the cached answer is returned immediately. When the local name server has no cached record, it walks the hierarchy: it asks a root server, follows the referral to the top-level-domain server, follows that referral to the zone's authoritative server, caches the answer for its TTL, and returns it to the client. The diagram below outlines these steps.

Figure: DNS resolution flow diagram
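The cache-then-walk behaviour described above, as an added example that is not part of the original article: a small Python model of a caching local resolver walking a constructed referral tree. The SERVERS table, the server labels and the 60-second TTL are assumptions for the example, not a real zone snapshot. The path returned for each lookup records which steps ran, which is the same idea as the resolve_path field in the global response logs discussed later.

```python
import time

# Constructed referral tree (an assumption for the example, not a real zone snapshot).
# Each server maps a zone it knows about to either a referral ("NS", next_server)
# or an answer ("A", address, ttl_seconds). Server names are labels, not real hosts.
SERVERS = {
    "root":        {"com.": ("NS", "tld-com")},
    "tld-com":     {"aliyun.com.": ("NS", "auth-aliyun")},
    "auth-aliyun": {"sls.console.aliyun.com.": ("A", "47.97.242.13", 60)},
}


def lookup(server, qname):
    """Return the record for the longest zone suffix this server knows, or NXDOMAIN."""
    best = None
    for zone, record in SERVERS[server].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, record)
    return best[1] if best else ("NXDOMAIN",)


class LocalResolver:
    """Caching resolver: answers from cache while the TTL holds, else walks the referral chain."""

    def __init__(self, clock=time.time):
        self.cache = {}          # qname -> (address, expires_at)
        self.clock = clock       # injectable so TTL expiry can be simulated

    def resolve(self, qname):
        """Return (address, path); path lists each hop, like the resolve_path log field."""
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], ["CACHE"]          # cache hit: every lookup step is skipped
        path, server = [], "root"
        for _ in range(8):                       # bound the referral chase
            kind, *rest = lookup(server, qname)
            path.append(f"{server}:{kind}")
            if kind == "A":
                address, ttl = rest
                self.cache[qname] = (address, now + ttl)   # cache for the record's TTL
                return address, path
            if kind != "NS":
                return None, path                # NXDOMAIN: nothing cached in this model
            server = rest[0]                     # follow the referral to the next server
        raise RuntimeError("referral loop")


if __name__ == "__main__":
    r = LocalResolver()
    print(r.resolve("sls.console.aliyun.com."))   # full walk: root -> .com -> authoritative
    print(r.resolve("sls.console.aliyun.com."))   # second lookup is served from cache
```

Pass a fake clock to the constructor to see the cached entry expire after 60 seconds and the full walk run again.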

DNS Record Types

DNS defines many record types, each with a specific purpose. The most common are A and AAAA (IPv4 and IPv6 addresses), CNAME (an alias for another name), NS (delegation to a zone's name servers), MX (mail exchangers), TXT (free-form text, used for SPF and domain verification and, as discussed below, abused for tunneling) and SOA (the zone's start-of-authority metadata):

Figure: DNS record types diagram

These basic DNS record types play important roles in everyday network and domain resolution.

Log Audit Service

Log Audit Service [2] is an application built on Alibaba Cloud Log Service (SLS) [3]. Besides inheriting all SLS functions, it adds multi-account management, cross-region collection of logs from many Alibaba Cloud products, and unified management of those logs through Resource Directory [4].

How to Enable DNS Log Collection

Log in to the SLS product console [5].

In the Log Application section, select the Audit & Security tab, then click Log Audit service.

On the Global Configuration page, turn on the DNS log‑audit switch and select the region of the central project (e.g., cn‑hangzhou). See the detailed steps in the "Enable Log Collection" guide [6].

The audit now supports three log types: internal DNS logs, public DNS resolution logs, and global traffic management logs, which can be enabled as needed.

Figure: Log type selection

DNS Request Log

Example: querying the IP address of Alibaba Cloud Log Service console (sls.console.aliyun.com).

dig sls.console.aliyun.com +short
Figure: dig command output

The request log carries a session ID (e.g., 50999) that is reused in the module‑response logs for the same query, so the request and every module's response can be correlated. The request originates from an ECS instance in the cn‑hangzhou region, with VPC ID vpc‑bp********9fj, ECS ID i‑bp19********d7, and hostname iZbp********d7Z.

DNS Request Log Fields

query_name : Fully qualified domain name (FQDN) being queried. Matching it against a malicious‑domain list turns the log line into evidence of a threat; excessive repeated queries from one source may indicate a DoS attempt or a misbehaving client.

query_type : Record type requested (e.g., A, AAAA, CNAME, TXT). TXT records carry arbitrary text and are therefore a common channel for C2 traffic and DNS tunneling; a high rate of TXT queries from one host to one domain deserves a look.

rt : Request‑response time in milliseconds. For GLOBAL entries it is the total latency seen by the client; for module entries it is the time spent inside that module. Abnormally high values point to network or upstream problems.

rcode : Response status code (0 = NOERROR, 1 = FORMERR, 2 = SERVFAIL, 3 = NXDOMAIN, etc.). SERVFAIL usually means an internal error or an upstream timeout; NXDOMAIN means the name does not exist, and many NXDOMAINs from one host in a short window usually indicate a misconfiguration or a domain‑generation algorithm.

answer_rrset : The returned resource records. Comparing them against the values the authoritative zone actually publishes is the basis for detecting DNS hijacking.

dns_msg_flags : Header flags such as QR (response), RD (recursion desired), AA (authoritative answer), TC (truncated), AD (DNSSEC‑authenticated data) and CD (checking disabled). They tell you whether the answer was authoritative, whether recursion was requested, and whether DNSSEC validation applied.
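These fields are the DNS message header and sections rendered into log columns, so it helps to see where they come from on the wire. The following Python parser is an added example, not code from the article or from SLS: it decodes a DNS message (header flags, rcode, question, and the answer, authority and additional sections, including RFC 1035 name compression) into the same field names. The two messages it parses are constructed inline; the CNAME target console-vip.sls-cdn.example is a hypothetical stand-in because the article does not show the real one, while 47.97.242.13 is the address the article reports.

```python
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Header flag bits (RFC 1035, RFC 4035): QR response, AA authoritative, TC truncated,
# RD recursion desired, RA recursion available, AD authenticated data, CD checking disabled.
FLAG_BITS = {"QR": 1 << 15, "AA": 1 << 10, "TC": 1 << 9, "RD": 1 << 8,
             "RA": 1 << 7, "AD": 1 << 5, "CD": 1 << 4}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Decode a name at msg[off], following compression pointers; return (name, next offset)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # 11xxxxxx: pointer into the message
            jumps += 1
            if jumps > 16:                           # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                        # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def read_rdata(msg, rtype, off, rdlen):
    """Render RDATA for the record types discussed on the page; unknown types become hex."""
    data = msg[off:off + rdlen]
    if rtype == 1:
        return socket.inet_ntop(socket.AF_INET, data)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, data)
    if rtype in (2, 5):                              # NS / CNAME: a (possibly compressed) name
        return read_name(msg, off)[0]
    if rtype == 16:                                  # TXT: sequence of <len><chars> strings
        strings, i = [], 0
        while i < rdlen:
            n = data[i]
            strings.append(data[i + 1:i + 1 + n].decode(errors="replace"))
            i += 1 + n
        return "".join(strings)
    return data.hex()


def parse_message(msg):
    """Parse a DNS message into the field names used by the DNS request/response logs."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = 12
    qname, off = read_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = {}
    for key, count in (("answer_rrset", an), ("authority_rrset", ns), ("additional_rrset", ar)):
        records = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((name, ttl, TYPE_NAMES.get(rtype, str(rtype)), read_rdata(msg, rtype, off, rdlen)))
            off += rdlen
        sections[key] = records
    rcode = flags & 0xF
    return {"dns_msg_id": msg_id, "query_name": qname, "query_type": TYPE_NAMES.get(qtype, str(qtype)),
            "dns_msg_flags": [f for f, bit in FLAG_BITS.items() if flags & bit],
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)), **sections}


def build_sample_response():
    """Constructed response bytes (not a real capture): sls.console.aliyun.com CNAME -> a
    hypothetical target -> A 47.97.242.13, using name compression as real servers do."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_BITS["QR"] | FLAG_BITS["RD"] | FLAG_BITS["RA"], 1, 2, 0, 0)
    question = encode_name("sls.console.aliyun.com") + struct.pack("!HH", 1, 1)   # type A, class IN
    target = encode_name("console-vip.sls-cdn.example")                          # assumed CNAME target
    cname_rr = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(target)) + target  # owner = pointer to offset 12
    target_off = 12 + len(question) + 2 + 10                                      # where the target name sits
    a_rr = (struct.pack("!H", 0xC000 | target_off) + struct.pack("!HHIH", 1, 1, 30, 4)
            + socket.inet_aton("47.97.242.13"))
    return header + question + cname_rr + a_rr


def build_nxdomain_response(qname):
    """Constructed response with rcode 3 (NXDOMAIN) and an empty answer section."""
    flags = FLAG_BITS["QR"] | FLAG_BITS["RD"] | FLAG_BITS["RA"] | 3
    return struct.pack("!HHHHHH", 0x1235, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print(parse_message(build_sample_response()))
    print(parse_message(build_nxdomain_response("missing.example")))
```

The parsed dictionary lines up one-to-one with the log columns: query_name and query_type come from the question section, rcode and dns_msg_flags from the header, and the three rrset fields from the remaining sections.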

DNS Response Log

The same query, seen from the response side:

dig sls.console.aliyun.com +short
Figure: DNS response log

The response log shows a recursive module response that obtains a CNAME record for sls.console.aliyun.com, followed by several cache module responses until the final A record (e.g., 47.97.242.13) is resolved.

Global Response Log

The final global response log contains the complete answer, confirming the IP address of the queried domain.

Figure: Global response log

Public Resolution Log Example

Configure public DNS traffic analysis in the DNS console, add the domain, and enable the DNS traffic analysis feature.

Figure: Enable public DNS traffic analysis

View Public Authoritative Resolution Log

dig y*****.online @dns27.hichina.com
Figure: Authoritative query output

The response carries the zone's SOA record, which identifies the primary name server (MNAME), the administrator mailbox (RNAME, with the "@" written as a dot) and the serial, refresh, retry, expire and minimum‑TTL values. In the log this record appears in authority_rrset when the query yields no answer records, or in answer_rrset when SOA itself is queried.

Global Traffic Management Log Example

After purchasing a Global Traffic Management instance and creating an associated domain, the logs record the full resolution path across regions.

Figure: GTM instance and its log entries

Analyzing DNS Log Signals

query_name : Match against threat‑intelligence domain lists; watch for abnormal spikes in repeated or distinct names (possible DoS, DGA, or tunneling).

query_type : Identify suspicious TXT (and other high‑payload) queries used for C2 or tunneling.

rt : High latency may indicate network problems or an upstream under attack.

rcode : SERVFAIL and NXDOMAIN pinpoint resolution failures; NXDOMAIN bursts from one host deserve attention.

answer_rrset : Compare returned records against known‑good values and malicious‑IP lists to catch hijacking.

dns_msg_flags : Show whether recursion was used, whether the answer was authoritative, and whether DNSSEC validation applied.

Practical Cases

Resolution Path Hijacking – Direct Response

We set up a BIND server at 172.16.0.186 with a forged record (aaa A 172.16.0.189), point the local resolver at it, and run dig aaa.y*****.online: the forged address comes back without the authoritative server ever being contacted, which is a direct‑response hijack. In the DNS log the tell‑tale is an answer_rrset that disagrees with what the zone's authoritative servers publish (here, a private 172.16.0.0/12 address for a public name), so comparing answer_rrset against a known‑good set is the practical detection.

dig aaa.y*****.online
Figure: Hijacked response

PrivateZone Domain Forwarding

For scenarios requiring secure internal access, PrivateZone can forward specific domains from public to VPC‑internal addresses. DNS logs verify whether the forwarding is correctly configured.

Figure: PrivateZone forwarding

Detecting Anomalies

Resolution Failures

When rcode = 2 (SERVFAIL) or rcode = 3 (NXDOMAIN), join the log line with its user ID, ECS ID, hostname and VPC to locate the failing service quickly. The query below lists, for every NXDOMAIN seen by the GLOBAL module, the distinct names queried and where they came from:

rcode :3 and GLOBAL | select distinct(query_name), ecs_hostname, region_id, vpc_id, user_id
Figure: NXDOMAIN analysis

Abnormal Query Volume

A sudden rise in the number of queries, or in the number of distinct query_name values, may indicate a DoS attack or an infected host. The query below counts successful GLOBAL requests per domain for one VPC in cn‑hongkong; grouping by date_trunc('minute', __time__) as well turns it into a per‑minute series on which an SLS alert can be set:

* and vpc_id: vpc-j6cd*****mgkrt6 and (region_id : cn-hongkong) and GLOBAL and rcode:0 | select count(*) as total_req, query_name group by query_name
Figure: Query volume chart

Response Time Anomalies

Monitor the rt field of GLOBAL response logs. A sudden rise points to network congestion, an overloaded upstream, or an ongoing attack. The query below reports, per minute and domain, the average latency of responses that took at least 60 ms:

* and vpc_id: vpc-j6cd*****mgkrt6 and (region_id : cn-hongkong) and GLOBAL and rcode:0 | select date_trunc('minute', __time__) as t, query_name, avg(rt) as avg_rt where rt>=60 group by t, query_name
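The signals above (malicious-domain match, TXT tunneling, hijacked answers, slow responses, NXDOMAIN bursts and per-minute volume, plus the direct-response hijack from the practical case) can also be run as code over exported log records rather than only as console queries. The Python below is an added example, not the article's or SLS's own code: it processes records shaped like the GLOBAL DNS log lines and returns findings per signal. The sample records, the blocklist, the known-good answer set and the thresholds (60 ms, ten NXDOMAINs per minute, twenty queries per minute, five high-entropy TXT labels) are constructed assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed detection inputs (assumptions for the example, not data from the page).
BLOCKLIST = {"bad-actor.example"}                               # threat-intel domains, suffix-matched
EXPECTED_ANSWERS = {"aaa.corp-site.example": {"203.0.113.10"}}  # known-good answers for watched names


def rec(t, name, qtype="A", rcode=0, rt=10, answers=(), ecs="i-bp19example", host="web-01"):
    """Build one record shaped like a GLOBAL DNS log line (only the fields the checks read)."""
    return {"__time__": t, "module_type": "GLOBAL", "ecs_id": ecs, "ecs_hostname": host,
            "vpc_id": "vpc-bp-example", "region_id": "cn-hangzhou", "query_name": name,
            "query_type": qtype, "rcode": rcode, "rt": rt, "answer_rrset": list(answers)}


T0 = 1700000000   # constructed timestamps; every sample record falls in one minute bucket
SAMPLE_LOGS = (
    [rec(T0 + 1, "sls.console.aliyun.com", answers=["47.97.242.13"]),
     rec(T0 + 2, "update.bad-actor.example", answers=["198.51.100.7"]),       # blocklisted domain
     rec(T0 + 3, "aaa.corp-site.example", answers=["172.16.0.189"]),            # answer the zone never published
     rec(T0 + 4, "sls.console.aliyun.com", rt=350, answers=["47.97.242.13"])]   # slow response
    + [rec(T0 + 10 + i, f"x3k9{i}q7zp2mvl8w.tunnel.example", qtype="TXT", answers=[f"chunk{i}"],
           ecs="i-bp-db-02", host="db-02") for i in range(6)]                   # TXT tunnel pattern
    + [rec(T0 + 20 + i, f"srv{i}.internal.missing", rcode=3, ecs="i-bp-app-03", host="app-03")
       for i in range(12)]                                                      # NXDOMAIN burst
)


def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(logs, blocklist=BLOCKLIST, expected=EXPECTED_ANSWERS,
            rt_threshold_ms=60, nx_burst=10, volume_burst=20, tunnel_min_labels=5):
    """Run the page's detections over log records and return findings keyed by signal."""
    findings = defaultdict(list)
    nx_by_ecs_minute, vol_by_vpc_minute, txt_labels = defaultdict(list), Counter(), defaultdict(set)
    for r in logs:
        if r["module_type"] != "GLOBAL":       # one GLOBAL line per query; module lines would double count
            continue
        name, minute = r["query_name"].rstrip(".").lower(), r["__time__"] // 60
        vol_by_vpc_minute[(r["vpc_id"], minute)] += 1
        if any(name == d or name.endswith("." + d) for d in blocklist):
            findings["malicious_domain"].append((r["ecs_hostname"], name))
        if name in expected and not set(r["answer_rrset"]) <= expected[name]:
            findings["hijack"].append((name, r["answer_rrset"]))      # answer_rrset vs known-good set
        if r["rt"] >= rt_threshold_ms:
            findings["slow_response"].append((name, r["rt"]))
        if r["rcode"] == 3:
            nx_by_ecs_minute[(r["ecs_id"], minute)].append(r)
        if r["query_type"] == "TXT":
            first, _, base = name.partition(".")
            if len(first) >= 12 and entropy(first) >= 3.5:   # long, random-looking leftmost label
                txt_labels[(r["ecs_id"], base)].add(first)
    for (ecs, minute), rs in nx_by_ecs_minute.items():
        if len(rs) >= nx_burst:                  # same joins as the rcode:3 query: host, VPC, region
            findings["nxdomain_burst"].append({
                "ecs_id": ecs, "ecs_hostname": rs[0]["ecs_hostname"], "vpc_id": rs[0]["vpc_id"],
                "region_id": rs[0]["region_id"], "minute": minute, "count": len(rs),
                "names": sorted({x["query_name"] for x in rs})})
    for (vpc, minute), n in vol_by_vpc_minute.items():
        if n >= volume_burst:                    # per-minute volume, the alerting series
            findings["query_volume"].append((vpc, minute, n))
    for (ecs, base), labels in txt_labels.items():
        if len(labels) >= tunnel_min_labels:     # many distinct payload labels under one base domain
            findings["txt_tunnel"].append((ecs, base, len(labels)))
    return dict(findings)


if __name__ == "__main__":
    for signal, hits in analyze(SAMPLE_LOGS).items():
        print(signal, hits)
```

Only GLOBAL lines are counted so that a single query is not tallied once per module; exported real records carry the same field names listed in the appendix, so the record builder can be replaced by a JSON reader without changing the checks.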

Appendix – DNS Log Fields

__topic__ : Log type (dns_intranet_log, dns_resolve_log or dns_gtm_log)

user_id : Alibaba Cloud account ID (e.g., 17387********105)

region_id : Region of the VPC (intranet logs) or of the collection machine (public logs)

vpc_id : VPC ID (intranet logs only)

ecs_id : ECS instance ID (e.g., i-2******************94)

ecs_hostname : ECS hostname (e.g., Y*****-c***-d**-02)

module_type : Resolution module that produced the entry (AUTH_FAST, AUTH_SLOW, FORWARD, CACHE, RECURSION or GLOBAL)

resolve_path : Comma‑separated resolution path flags (global response logs only)

src_addr / dst_addr : Source and destination IP addresses

src_port / dst_port : Source and destination ports

transport : Transport protocol (UDP or TCP)

dns_msg_id : Unique DNS message identifier

dns_msg_flags : Header flags (QR, RD, AA, TC, AD, CD)

query_name : Fully qualified domain name (FQDN) queried

query_type : Record type (A, AAAA, CNAME, TXT, etc.)

rcode : Response code (0 = NOERROR, 1 = FORMERR, 2 = SERVFAIL, 3 = NXDOMAIN, …)

answer_rrset / authority_rrset / additional_rrset : Answer, authority and additional resource record sets

edns : EDNS information (e.g., flags, client subnet)

rt : Response time in ms (total for GLOBAL entries, module‑internal for module entries)

view_name : Resolution line matched by the request

z_name / wild_len / value / subnet : Fields specific to public resolution and GTM logs

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: DNS, network security, SLS, Alibaba Cloud, log-audit
Written by Alibaba Cloud Observability. Driving continuous progress in observability technology!
