News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
May 31, 2020 dnssecurity

DNS Log Collection and Parsing

By Tamás Burtics

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

DNS Log Collection and Parsing

DNS log collection and parsing should be part of the log collection strategy of every modern IT infrastructure. There are numerous reasons why you should be concerned enough to collect as well as parse the DNS logs collected, some of which include:

Operations and Support

Parsing DNS server logs can be used to track active DNS clients, while parsing complex and noisy logs can be helpful in troubleshooting support issues.

Performance

Collecting all DNS logs and all the metadata they contain could pose major resource utilization concerns. The collection should be based on parsing logic and rules to only collect what is really needed, therefore minimizing the required resources.

Security

By parsing the logs, you can drill down and find the right data for security issues such as finding signs of an intrusion or an attack, or tracking the source of an attack. It also helps to detect malware from lookups on recently registered, esoteric domain names as well as consistent lookup failures.

Monitoring

Parsing the collected logs could reveal unknown devices that appear on the network and identify critical devices that have not issued any queries within a predefined time span.

For more information on this topic see, The Importance of DNS Logging in Enterprise Security white paper.

Challenges and Opportunities

Hardening IT security through DNS log collection can be challenging due to the following reasons:

  • The sheer number of DNS logs generated by both DNS servers and DNS clients.

  • The diversity of the log sources as well as the formats of DNS logs.

  • The privacy issues associated with metadata since it can contain personally identifiable information.

  • The resources needed to collect and parse logs from numerous endpoints.

Despite these obstacles, there are good security trade-offs that can be made by collecting DNS logs. The benefits associated with DNS parsing include:

  • Finding compromise indicators like any unauthorized changes made to the DNS server.

  • Finding attack indicators to identify a live attack on a system calling to a C2 server, or methods like DNS hijacking.

  • Finding indicators of post-exploitation—​while not a live attack on a system, it can discover cases like DNS spoofing.

Security and DNS Log Parsing

Parsing DNS server logs can provide additional security insights. For instance, known malicious domain lists are available for filtering log files for signs of the presence of such domains. Other use cases include finding requests to C2 servers, detecting potential DoS attacks, DNS hijacking attacks, as well as attacks using DGA (Domain generation algorithm) which generate more opportunities for C2 rendezvous points.

Example: Parsing DNS Logs for NXDOMAIN Responses

An administrator used the dig command which showed a seemingly harmless NXDOMAIN related result:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16694
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

Detection techniques for the above example include reactionary detection which relies on finding contextual metadata in the DNS logs. One such indicator is the parsing of the DNS logs to locate network NXDOMAIN responses generated for cases when there are errors in the request, such as the domain not being registered. It can either be benign, such as an application using DNS anti-spoofing mechanism, or it can be a sign of something more malicious.

DNS Log Collection and Parsing in Practice

Excessive DNS logging can be resource intensive. It can slow down production systems by negatively affecting local storage. Therefore, consolidating DNS logs on a centralized logging server should be considered, while keeping in mind restrictions on logging rates, such as maximum EPS (events per second).

Failing to place adequate measures on parsing could result in an excessive amount of logs that may prove difficult to manage. It might also present the additional challenge of log standardization which is essential to the proper correlation of data.

The following are tips to consider when planning DNS logging:

Architecture

Logs either need to be forwarded to a centralized log server before log enrichment, or log enrichment could happen earlier in the stage of a log collection cycle.

Standardization

DNS logs as such, as they are generated from various sources, need to be standardized. The default log fields may need to be rewritten to be consumed and processed by a SIEM or any other system for event correlation.

Data Protection

DNS logs can contain personally identifiable information. Depending on the industry or jurisdiction, log rollover and archiving policies may need to be implemented. Ideally such compliance concerns should be addressed as part of a cross-team effort with other departments.

DNS Log Monitoring Considerations

Planning the monitoring and collection of DNS logs might not seem straightforward at first sight given all the considerations that must be addressed, but the rewards can be substantial: reducing operating costs, more effectively securing sensitive data, and greater ease in meeting regulatory compliance requirements, just to mention a few.

In many cases, having to collect and process multiple log formats from multiple types of log sources is a daunting task requiring multiple tools running on multiple operating systems. Increased complexity normally equates to an increased budget for the additional resources required.

Implementing the following two strategies is pivotal for effectively monitoring DNS Logs.

Monitor changes to important assets

Administrators need to implement monitoring for changes made to critical DNS configuration files. FIM (File Integrity Monitoring) on files that hold DNS related data must be implemented. Additionally, to preserve the integrity of DNS logs, they too need to be monitored for changes. Furthermore changes to Registry hives on Windows should be supervised as well.

Collect events generated by the DNS servers

Security Administrators need to be able to collect important DNS-related events on Windows using both the Windows Event Log API as well as ETW, which includes Analytical and Debug channels if they are enabled. DNS Audit Logs from Linux DNS servers need to be collected too.

Ideally, once all the requisite DNS events and logs have been collected, they need to be parsed, enriched, and forwarded to a centralized logging server where they can be easily accessed and audited by security analysts.

Next in this series

Now that some of the benefits, challenges, and goals of DNS log collection in general have been established, the next two parts, Part 2 and Part3 of this series will address the various DNS log sources and some approaches for effectively collecting them from different DNS server environments on Windows and Linux systems respectively.

  • log collection
  • dns
  • dns logs
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

DNS Log Collection on Windows
8 minutes | May 28, 2020
DNS Log Collection on Linux
8 minutes | May 14, 2020
Making the most of Windows Event Forwarding for centralized log collection
6 minutes | December 17, 2018

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us