Cherry-pick #18986 to 7.x: Add minimum cache TTL for successful DNS responses #20525
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
An enhancement to add a minimum alternative cache TTL to the libbeat dns processor for successful DNS responses. This ensures that TTL=0 successful reverse DNS responses can be cached to avoid sending the same reverse DNS request again within a short period of time. The libbeat dns processor is used as a reverse DNS annotator for auditbeat events. Some of these IP addresses respond to reverse DNS requests with TTL=0 in the responses. These were causing load issues for my systems when I had the reverse DNS processor enabled for auditbeat. The new settings is `success_cache.min_ttl`. Closes elastic#18709 Signed-off-by: Peter Ansell <p_ansell@yahoo.com> Co-authored-by: Marc Guasch <marc.guasch@elastic.co> (cherry picked from commit 72da5a6)
|
Pinging @elastic/siem (Team:SIEM) |
adriansr
approved these changes
Aug 11, 2020
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cherry-pick of PR #18986 to 7.x branch. Original message:
What does this PR do?
An enhancement to add a minimum alternative cache TTL to the
libbeatdns processor for successful DNS responses. This ensures thatTTL=0successful reverse DNS responses can be cached to avoid sending the same reverse DNS request again within a short period of time.Why is it important?
The
libbeatdns processor is used as a reverse DNS annotator forauditbeatevents. Some of these IP addresses respond to reverse DNS requests withTTL=0in the responses. These were causing load issues for my systems when I had the reverse DNS processor enabled for auditbeat.Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
The
auditbeatsystem/socketmodule that I had the issue with is not open-sourced, so I have not been able to test its completeness myself. I am submitting this in good faith that it can be completed by someone with access to that module for testing purposes, or who is experienced enough to add the necessary tests here.Related issues
Use cases
This will add a cache for successful DNS responses that will not always correspond to the upstream DNS TTL value. This is acceptable as it avoids a possible denial-of-service for
auditbeatenabled systems, and it is configurable by users.