There are few things more important to the operation of the Internet than DNS. We rely on DNS to translate easy-to-remember website names into the cryptic, numeric IP addresses that make such navigation possible. Although DNS is a very mature technology — it has been an invaluable Internet service since 1985 — it still has some vulnerabilities. DNS was designed during an era when cyberattacks were unheard of, and consequently network security was of little or no concern.

In today’s world, network-ready, DNS-dependent devices are ubiquitous, and so are the attacks mounted against them. Attackers frequently use DNS for data theft, denial of service, and other malicious activity. Without DNS logging, some types of security breach go completely undetected until their consequences surface as irreparable damage, often days or weeks later.

Security advantages of DNS logging:

  • By proactively monitoring DNS audit logs, network administrators can quickly detect and respond to cyberattacks.
  • Forwarding DNS logs to a SIEM allows breaches to be detected quickly, reducing the time needed to close security holes and deploy countermeasures.
  • With an effective logging strategy that forwards quality events to a SIEM, the brunt of intrusion detection can be automated, giving security operations center (SOC) personnel more time to analyze suspicious alerts and work on more proactive security tasks.
  • Aggregating DNS logs with a centralized log collection strategy while filtering out low-quality events can significantly boost threat detection efficiency. Some fringe benefits of this approach are:
    • The cost of storage and processing is reduced, since filtering drops the majority of events, which are of little or no security interest.
    • Event correlation is much easier to realize when streams of events are sent to a centralized logging server where they are aggregated.
    • GDPR and other compliance obligations are more easily fulfilled when this centralized architecture is combined with the ability to filter specific events needed for compliance and securely forward them to a secure storage location for archival.
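The filtering step the list above describes can be illustrated with a small triage script. This is an added example, not NXLog's code or configuration: it parses a batch of DNS query log lines, drops events of little security interest (lookups in an assumed internal zone, and exact duplicates within the batch), and tags the events it keeps with cheap structural indicators (tunnelling-prone record types, unusually long or random-looking labels) before they would be forwarded to a SIEM. The sample lines are constructed to resemble BIND 9 query-log entries with the timestamp and `queries: info:` prefix omitted; the allowlist, record types and thresholds are assumptions a real deployment would tune.

```python
"""Triage DNS query log lines before forwarding them to a SIEM.

Added example, not NXLog's code or configuration. The sample lines are
constructed to resemble BIND 9 query-log entries (timestamp and
'queries: info:' prefix omitted); the allowlist and thresholds are
assumptions a real deployment would tune."""
import math
import re
from collections import Counter

# Constructed BIND-9-style query log lines (not captured from a real server).
SAMPLE_LOG = """\
client @0x7f1a2c003c10 10.0.0.5#41022 (intranet.corp.example): query: intranet.corp.example IN A +E(0)K (10.0.0.53)
client 10.0.0.5#41023 (www.example.com): query: www.example.com IN A + (10.0.0.53)
client 10.0.0.5#41023 (www.example.com): query: www.example.com IN A + (10.0.0.53)
client 10.0.0.7#53001 (mail.corp.example): query: mail.corp.example IN MX +E(0) (10.0.0.53)
client 10.0.0.9#60210 (aGVsbG8gd29ybGQ.3f9a2b.tun.example.net): query: aGVsbG8gd29ybGQ.3f9a2b.tun.example.net IN TXT + (10.0.0.53)
client 10.0.0.9#60211 (zq8f2k1lm0x9v3p7n4c5b6d8e1f2g3h4j5k6l7.exfil-test.example.net): query: zq8f2k1lm0x9v3p7n4c5b6d8e1f2g3h4j5k6l7.exfil-test.example.net IN A + (10.0.0.53)
this line is deliberately malformed and will not parse
"""

# Assumed internal zone whose lookups are routine and of little security interest.
ALLOWLIST = ("corp.example",)
# Assumed thresholds: record types often abused for tunnelling, and label shape limits.
SUSPICIOUS_QTYPES = {"TXT", "NULL"}
MAX_LABEL_LEN = 30
ENTROPY_MIN_LEN = 12
ENTROPY_THRESHOLD = 3.5

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\S+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return the fields of one query line, or None if it does not parse."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_allowlisted(qname):
    """True if the name is in (or under) one of the assumed low-interest zones."""
    return any(qname == z or qname.endswith("." + z) for z in ALLOWLIST)


def suspicious_tags(rec):
    """Cheap structural indicators worth an analyst's attention."""
    tags = []
    if rec["qtype"] in SUSPICIOUS_QTYPES:
        tags.append("suspicious-qtype:" + rec["qtype"])
    labels = rec["qname"].split(".")
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        tags.append("long-label")
    if len(labels[0]) >= ENTROPY_MIN_LEN and shannon_entropy(labels[0]) > ENTROPY_THRESHOLD:
        tags.append("high-entropy-label")
    return tags


def triage(lines):
    """Split a batch into events to forward and counts of what was dropped.

    Duplicate suppression here is per batch; a production collector would
    use a sliding time window instead."""
    forward, seen = [], set()
    dropped = Counter()
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            dropped["unparsed"] += 1
            continue
        if is_allowlisted(rec["qname"]):
            dropped["allowlisted"] += 1
            continue
        key = (rec["src"], rec["qname"], rec["qtype"])
        if key in seen:
            dropped["duplicate"] += 1
            continue
        seen.add(key)
        rec["tags"] = suspicious_tags(rec)
        forward.append(rec)
    return forward, dict(dropped)


if __name__ == "__main__":
    events, stats = triage(SAMPLE_LOG.splitlines())
    for ev in events:
        print(ev["src"], ev["qname"], ev["qtype"], ev["tags"])
    print("dropped:", stats)
```

Of the seven constructed lines, two are dropped as internal-zone lookups, one as a duplicate and one as unparseable; the three that remain are the ones a SIEM would correlate, with the TXT query and the long, high-entropy label already tagged so analysts do not have to rediscover those properties downstream.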

How NXLog Enterprise Edition can help with DNS monitoring

NXLog Enterprise Edition provides several unique features for collecting and processing DNS logs:

Log collection infrastructure with NXLog

NXLog offers seamless integration between a wide variety of log sources and various output streams commonly used by popular solutions for ingesting and analyzing security events.

DNS log collection and forwarding to SIEMs and LMs

Whether the goal is threat detection or threat intelligence, expanding your organization’s log collection footprint and capabilities can only improve your metrics in these areas.

  • Instead of relying on two Beats (Filebeat and Winlogbeat), use a single NXLog configuration instance as the log collector for both Linux and Windows DNS servers.
  • NXLog can be configured as a collector for Graylog by acting as a forwarding agent on the client machine and sending messages to a Graylog node.
  • Collect and forward DNS logs to IBM Security QRadar SIEM and make use of its analytics, correlation rules and dashboard features. See the IBM PartnerWorld Global Solutions page.
  • NXLog is a Technology Alliance partner with Splunk. Collect DNS logs from Windows and Linux and forward them to Splunk products, including Splunk Enterprise and Splunk Cloud.
  • Normalize DNS logs to CEF. A Partner Product of choice with RSA NetWitness, NXLog is part of the RSA Ready Technology Partner network. See the RSA Integrations page.
  • Use NXLog to collect DNS logs from Microsoft DNS, as well as other raw logs such as BIND 9 logs, and forward them to Rapid7 InsightIDR.
  • NXLog is part of the McAfee Security Innovation Alliance Partner Directory. Set up centralized DNS log collection for processing with the McAfee Enterprise Security Manager SIEM Suite.
  • Generate and parse data in the Common Event Format (CEF) used by ArcSight products, including Enterprise Security Manager (ESM).
  • The FireEye Threat Analytics Platform integration with NXLog allows indicators to be correlated against FireEye Threat Intelligence.
  • Securonix is a provider of SIEM and UEBA solutions for cyber-threat detection. NXLog is part of the Securonix Fusion Partners Directory.

For more on NXLog, schedule a personal meeting with one of our professionals.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.