Output with a FQDN as host value make a DNS lookup with every event

fluent-plugins-nursery / fluent-plugin-remote_syslog

Fluentd plugin for output to remote syslog serivce (e.g. Papertrail)

https://github.com/dlackty/fluent-plugin-remote_syslog

MIT License

68 stars 53 forks source link

Output with a FQDN as host value make a DNS lookup with every event #13

Closed derjohn closed 1 year ago

derjohn commented 7 years ago

Hello, I suspect that this plugin does not cache DNS and does a lookup with each output event.

If used like this:

type remote_syslog
  host "some.cool.host.com"
  ...

Ii will make tons of tons of tons of DNS lookups in the nameserver of that host ("Self-DDoS-ing").

Workaround: Set an IP address as value, it will not make lookups:

type remote_syslog
  host "127.0.0.1"
  ....

How about a expire_dns_cache like the fluentd "forward Output Plugin" has?

rgds, j

ghost commented 7 years ago

yfoelling commented 7 years ago

@derjohn @dlackty The remote syslog module used looks up the hostname on every execution.

https://github.com/papertrail/remote_syslog_logger/blob/master/lib/remote_syslog_logger/udp_sender.rb#L14

troy commented 7 years ago

(I'm not the author, but can try to clarify how this works)

@derjohn: are you referring to the local system's hostname (set optionally with hostname param) or the remote destination server's hostname (set with host param)? Your example used the host param, and that's what I suspect you're referring to, but @yfoelling linked to how the local system hostname is determined.

@yfoelling: that LoC is obtaining the local hostname, not resolving the remote server hostname. It should not need to consult DNS. It's an entirely local call.

derjohn commented 7 years ago

@troy : I am talking about the name/adress of the remote syslog server (host foo.bar.com). I inserted 127.0.0.1 to mask my real IP Adress of the server. I should have taken 192.168.x.y. instead, to be clearer ;)

The thing is, you do a UdpSender.new(@host, .... in the emit(). That is probably causing the DNS lookup on each emit?

troy commented 7 years ago

@derjohn Thanks for clarifying, that makes sense :)

emit calls UDPSocket.send, which seems to do a DNS request as part of its call to rsock_addrinfo. That said, I'm not an expert about this, I haven't done a detailed review, and the implementation may depend on the VM and version.

If this is all accurate, another likely workaround would be to add an entry to the hosts file.

derjohn commented 7 years ago

@troy I made a proposal via PR https://github.com/dlackty/fluent-plugin-remote_syslog/pull/14

The Travis CI fail for ruby2.0.0, due to "serverengine-2.0.0 requires ruby version >= 2.1.0". I didnt' touch serverengine, though.

rgds, j

derjohn commented 7 years ago

An example for an even better approach that implements a cache with expire can be found in fluentd output forwarder: https://github.com/fluent/fluentd/blob/master/lib/fluent/plugin/out_forward.rb look for the 'def resolved_host' ...