Planning the monitoring and collection of DNS logs might not seem
straightforward at first sight given all the considerations that must be
addressed, but the rewards can be substantial: reducing operating costs, more
effectively securing sensitive data, and greater ease in meeting regulatory
compliance requirements, just to mention a few.
In many cases, having to collect and process multiple log formats from multiple
types of log sources is a daunting task requiring multiple tools running on
multiple operating systems. Increased complexity normally equates to an
increased budget for the additional resources required.
Implementing the following two strategies is pivotal for effectively monitoring:

- Monitor changes to important assets
  Administrators need to implement monitoring for changes made to
  critical DNS configuration files. FIM (File Integrity Monitoring) must be
  implemented on files that hold DNS-related data. Additionally, to preserve
  the integrity of DNS logs, they too need to be monitored for changes.
  Furthermore, changes to Registry hives on Windows should be supervised as well.

- Collect events generated by the DNS servers
  Security Administrators need to be able to collect important DNS-related events
  on Windows using both the Windows Event Log API and ETW, which includes the
  Analytical and Debug channels if they are enabled. DNS Audit Logs from Linux
  DNS servers need to be collected too.
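The first strategy above calls for file integrity monitoring on DNS configuration files and on the DNS logs themselves. The two kinds of file need different rules: a configuration file should never change outside a change window, while a log file legitimately grows but its existing bytes must never be rewritten or truncated. The following is an added example, not code from the original text or from any particular FIM product; it hashes a baseline of each watched file and, for files declared append-only, re-hashes only the prefix covered by the baseline so that growth is accepted but in-place edits and truncation are reported. The file names and contents in `demo()` are constructed for the scenario.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read files in 64 KiB pieces so large zone files and logs stay cheap


def _hash_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of `path` (the whole file when None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            n = CHUNK if remaining is None else min(CHUNK, remaining)
            buf = f.read(n)
            if not buf:
                break
            h.update(buf)
            if remaining is not None:
                remaining -= len(buf)
    return h.hexdigest()


def baseline(paths):
    """Record size and full-file hash for every watched file (stored out-of-band in practice)."""
    return {p: {"size": os.path.getsize(p), "sha256": _hash_prefix(p)} for p in paths}


def check(base, append_only=()):
    """Compare the current files against `base` and return {path: status}.

    Config files must be byte-identical to the baseline ("ok" or "modified").
    Files in `append_only` (logs) may grow ("appended"), but the bytes the
    baseline covered must be unchanged; a shorter file is "truncated" and a
    same-or-larger file whose covered prefix hashes differently is
    "prefix-modified". Both of the latter indicate tampering.
    """
    result = {}
    for path, rec in base.items():
        if not os.path.exists(path):
            result[path] = "missing"
            continue
        size = os.path.getsize(path)
        if path in append_only:
            if size < rec["size"]:
                result[path] = "truncated"
            elif _hash_prefix(path, rec["size"]) != rec["sha256"]:
                result[path] = "prefix-modified"
            else:
                result[path] = "appended" if size > rec["size"] else "ok"
        else:
            same = size == rec["size"] and _hash_prefix(path) == rec["sha256"]
            result[path] = "ok" if same else "modified"
    return result


def demo():
    """Constructed scenario: a config edit, a normal log append, and a log rewritten in place."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "named.conf")   # hypothetical config path
        qlog = os.path.join(d, "query.log")    # hypothetical query log
        alog = os.path.join(d, "audit.log")    # hypothetical audit log
        with open(conf, "w") as f:
            f.write("options { recursion no; };\n")
        with open(qlog, "w") as f:
            f.write("line1\n")
        with open(alog, "w") as f:
            f.write("line1\nline2\n")
        base = baseline([conf, qlog, alog])

        with open(conf, "w") as f:            # unauthorised config change
            f.write("options { recursion yes; };\n")
        with open(qlog, "a") as f:            # legitimate append by the server
            f.write("line2\n")
        with open(alog, "w") as f:            # same length, but an existing line rewritten
            f.write("line1\nlineX\n")

        statuses = check(base, append_only={qlog, alog})
        return {os.path.basename(p): s for p, s in statuses.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

In a deployment the baseline would be written to a location the DNS server's own account cannot modify, and anything other than `ok` or `appended` would be raised as an alert; the Windows side (Registry hives holding DNS server parameters) needs an equivalent check on exported registry values rather than files.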
Ideally, once all the requisite DNS events and logs have been collected, they
need to be parsed, enriched, and forwarded to a centralized logging server
where they can be easily accessed and audited by security analysts.
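The parse, enrich and forward step described above is where the collected logs become useful to analysts, and it is also where unparsable lines tend to get silently dropped. As an added example (not code from the original text or from BIND), the block below parses query-log lines in the format BIND 9 writes, normalises them into a common schema, decodes a subset of the query flags, attaches a few constructed enrichment tags, and serialises each record as newline-delimited JSON ready to ship to a central log server. Lines that do not match are kept as raw records with `parse_error` set rather than discarded. The sample lines are constructed, the timestamps are assumed to be UTC, and the tagging thresholds are illustrative.

```python
import json
import re
from datetime import datetime, timezone

# BIND 9 query log: "<ts> client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<server-ip>)"
LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) "
    r"(?P<flags>\S+) \((?P<dst>[^)]+)\)$"
)

# Constructed sample input (not real traffic); the third line is deliberately malformed.
SAMPLE = [
    "12-Mar-2024 10:15:32.123 client @0x7f3c2c0b1e10 192.0.2.10#53412 (www.example.com): "
    "query: www.example.com IN A +E(0)K (192.0.2.1)",
    "12-Mar-2024 10:15:33.004 client 198.51.100.7#4096 (a.b.c.d.e.f.g.h.example.org): "
    "query: a.b.c.d.e.f.g.h.example.org IN TXT -T (192.0.2.1)",
    "12-Mar-2024 10:15:33.010 unrelated log line",
]


def enrich(rec):
    """Constructed enrichment rules; real ones would come from the analysts' detection content."""
    tags = []
    if rec["qtype"] in ("ANY", "TXT"):
        tags.append("uncommon-qtype")
    if len(rec["qname"]) > 60:
        tags.append("long-qname")
    if rec["qname"].count(".") >= 5:
        tags.append("deep-subdomain")
    return tags


def parse_query_log_line(line):
    """Return a normalised dict for one BIND query-log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Assumption: the server logs in UTC; adjust if named runs with a local timezone.
    ts = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    flags = d["flags"]
    rec = {
        "@timestamp": ts.isoformat(),
        "source": "bind-query-log",
        "client_ip": d["src"],
        "client_port": int(d["port"]),
        "server_ip": d["dst"],
        "qname": d["name"].rstrip(".").lower(),
        "qclass": d["class"],
        "qtype": d["type"],
        # Flag subset: leading '+' = recursion desired, 'E(n)' = EDNS, 'T' = TCP, 'D' = DO bit
        "recursion_desired": flags.startswith("+"),
        "edns": "E(" in flags,
        "tcp": "T" in flags,
        "dnssec_ok": "D" in flags,
    }
    rec["tags"] = enrich(rec)
    return rec


def to_ndjson(lines):
    """Serialise a batch as NDJSON; unparsable lines become raw records so nothing is lost."""
    out = []
    for line in lines:
        rec = parse_query_log_line(line) or {
            "source": "bind-query-log",
            "parse_error": True,
            "raw": line.strip(),
        }
        out.append(json.dumps(rec, sort_keys=True))
    return out


if __name__ == "__main__":
    for row in to_ndjson(SAMPLE):
        print(row)
```

Keeping the `parse_error` records visible at the central server is itself a control: a sudden rise in them usually means the server's log format changed after an upgrade, which would otherwise leave a blind spot nobody notices.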