- Introduction
- Deployment
- Configuration
- OS Support
- Integration
- 42. Amazon Web Services (AWS)
- 43. Apache HTTP Server
- 44. Apache NiFi
- 45. Apache Tomcat
- 46. APC Automatic Transfer Switch
- 47. Apple macOS kernel
- 48. ArcSight Common Event Format (CEF)
- 49. Box
- 50. Brocade switches
- 51. Browser History Logs
- 52. Check Point
- 53. Cisco ACS
- 54. Cisco ASA
- 55. Cisco FireSIGHT
- 56. Cisco IPS
- 57. Cloud Instance Metadata
- 58. Common Event Expression (CEE)
- 59. Dell EqualLogic
- 60. Dell iDRAC
- 61. Dell PowerVault MD series
- 62. Devo
- 63. DHCP logs
- 64. DNS Monitoring
- 65. Docker
- 66. Elastic Common Schema (ECS)
- 67. Elasticsearch and Kibana
- 68. F5 BIG-IP
- 69. File Integrity Monitoring
- 70. FreeRADIUS
- 71. Google Chronicle
- 72. Graylog
- 73. HP ProCurve
- 74. IBM QRadar SIEM
- 75. Industrial Control Systems
- 76. Kubernetes
- 77. Linux Audit System
- 78. Linux system logs
- 79. Log Event Extended Format (LEEF)
- 80. LogPoint
- 81. Logstash
- 82. McAfee Enterprise Security Manager (ESM)
- 83. McAfee ePolicy Orchestrator
- 84. Microsoft Active Directory Domain Controller
- 85. Microsoft Azure
- 86. Microsoft Azure Event Hubs
- 87. Microsoft Azure Sentinel
- 88. Microsoft Exchange
- 89. Microsoft IIS
- 90. Microsoft SharePoint
- 91. Microsoft SQL Server
- 92. Microsoft System Center Endpoint Protection
- 93. Microsoft System Center Configuration Manager
- 94. Microsoft System Center Operations Manager
- 95. MongoDB
- 96. Nagios Log Server
- 97. Nessus Vulnerability Scanner
- 98. NetApp
- 99. .NET application logs
- 100. Nginx
- 101. Okta
- 102. Oracle Database
- 103. Osquery
- 104. Postfix
- 105. Promise
- 106. Raijin Database Engine
- 107. Rapid7 InsightIDR SIEM
- 108. RSA NetWitness
- 109. SafeNet KeySecure
- 110. Salesforce
- 111. Snare
- 112. Snort
- 113. Solarwinds Loggly
- 114. Splunk
- 115. Sumo Logic
- 116. Symantec Endpoint Protection
- 117. Synology DiskStation
- 118. Syslog
- 119. Sysmon
- 120. Ubiquiti UniFi
- 121. VMware vCenter
- 122. Windows AppLocker
- 123. Windows Command Line Auditing
- 124. Windows Event Log
- 125. Windows Firewall
- 126. Windows Group Policy
- 127. Windows Management Instrumentation (WMI)
- 128. Windows PowerShell
- 129. Microsoft Windows Update
- 130. Windows USB auditing
- 131. Zeek (formerly Bro) Network Security Monitor
- Troubleshooting
- Enterprise Edition Reference Manual
- NXLog Manager
- NXLog Add-Ons
64.1. DNS logging and monitoring
DNS traffic analysis is commonly used to:
-
discover unknown devices that appear on the network;
-
monitor critical devices that have not issued a query within a predefined time window;
-
detect malware from young/esoteric domain lookups or consistent lookup failures; and
-
analyze host, subnet, or user behavioral patterns.
|
Tip
|
DNS traffic can quickly become overwhelming. To save resources, consider discarding any fields that will not be required for analysis. |
According to RFC 7626 there are no specific privacy laws for DNS data collection, in any country. However, it is not clear if data protection directive 95/46/EC of the European Union includes DNS traffic collection.
DNS logs are available from a number of sources. DNS queries and responses are commonly sent and received in the form of packets over UDP. These packets and the ability to passively capture them is basically the same across all operating systems.
Another common source is the DNS Server itself as it receives queries from clients, processes them and returns the results. Although the DNS protocol is a common standard, the logging facilities implemented in each DNS Server can vary greatly across different operating systems. Bind 9 generates flat log files while Windows DNS Server employs Event Tracing for Windows (ETW) for managing its DNS events.
DNS audit logging vs DNS analytical logging
Although Windows DNS Server has two event tracing channels named Audit and Analytical, the advantage gained from classifying DNS events into these two categories, and treating them separately, is by no means proprietary and can be applied to other DNS Server environments.
A DNS Server is basically a highly specialized database server, yet it still retains the same low-level CRUD (Create, Read, Update, Delete) functionality of any other database. Analytical logging is focused primarily on client queries, the read operations, while DNS Audit Logging is focused on the remaining CRUD operations: creating, updating, and deleting DNS zone information. These are the most important operations to monitor from a security perspective since unauthorized access to them can lead to interruption of network services, data loss, and outages of other infrastructure services.
The goal of DNS audit logging is to maintain an audit trail of any changes to the DNS Server’s configuration, mainly for security purposes, while providing timely notification and easy access to any high severity events. By logging changes to any of the more than 40 DNS resource record (RR) types in zone files, security analysts will have the forensic information they need, should DNS records be maliciously or accidentally modified.
The realm of DNS analytical logging is completely different. The volume of data collected can be huge and the events being analyzed are typically not time- sensitive. The bulk of these DNS queries can be useful for producing metrics on user and application network traffic to various internal and external sites and services.
In the following two sections, the methods used to collect audit and analytical log data may differ greatly, but the goal of managing them separately remains the same.