[dns-operations] Question regarding DNS query logging

Crist Clark Crist.Clark at globalstar.com
Mon Mar 14 23:30:59 UTC 2011


>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
> I'm an Information Security Analyst for an energy company here in central 
> Texas.  To date, we've not logged any of our DNS queries.  We're interested 
> in "opening the fire hose" to do some analysis (pretty graphs for management 
> and looking for potential threats, i.e. malware trying to "phone home").
> 
> We have about 2500 internal workstations and servers that hit our internal 
> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned 
> with them at the moment.
> 
> Does anyone in a similar sized company have any estimates (a rough ballpark 
> is fine) how much data we'd be looking at collecting on a weekly or monthly 
> basis?

Most of the suggestions so far seem to be query logging at
the DNS server itself.

I'd just say to consider packet captures as a viable option.
Just running tcpdump or snoop on the DNS server itself will
probably have less impact than query logging and running it
on another system has no impact.

The thing about query logging is that it does save the queries,
but you generally don't see the responses, and that can be of
the utmost importance if you are doing forensics.

As far as storage space for all of this, Storage Is Cheap(tm)
(except when it isn't). Second, you'll probably save space on
logging the actual queries, but the fact you get responses,
which tend to be bigger, occasionally much, much bigger, may
mean more space overall.

There are also special tools to reduce and/or analyze DNS
network captures. I personally don't have experience with
many, but searching list archives should turn these up. They
have been discussed recently.
-- 

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
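An added illustration of the point above about responses (example code, not part of Crist's or Michael's posts, and not any DNS server's own logging): a small decoder for the DNS wire format as it appears in a packet capture, applied to two hand-constructed query/response pairs. It shows what a capture preserves that a query-only log does not (the rcode, the answers and their TTLs) and lets you compare query and response sizes directly. The messages, IDs and names are constructed for the example; 192.0.2.1 is a TEST-NET-1 documentation address.

```python
"""
Minimal DNS wire-format decoder (RFC 1035 header, question and answer
sections, with name compression).  Example code added to illustrate the
post above; it is not from the list post or from any DNS server's own
logging.  All messages below are constructed by hand for the example.
"""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(ident, name, qtype=1):
    """Build a standard recursive query (flags 0x0100) for one name."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:          # 2-byte pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # caller resumes after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns(msg):
    """Decode header, question and answer sections of one DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rec = {"id": ident, "is_response": bool(flags & 0x8000),
           "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
           "questions": [], "answers": [], "size": len(msg)}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        rec["questions"].append((name, TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        rec["answers"].append((name, TYPES.get(rtype, str(rtype)), ttl, value))
    return rec


def summarize(query, response):
    """Pair a query with its response (by ID and question) into one record."""
    q, r = parse_dns(query), parse_dns(response)
    if not r["is_response"] or q["id"] != r["id"] or q["questions"] != r["questions"]:
        raise ValueError("response does not match query")
    return {"qname": q["questions"][0][0], "qtype": q["questions"][0][1],
            "rcode": r["rcode"], "answers": [a[3] for a in r["answers"]],
            "ttls": [a[2] for a in r["answers"]],
            "query_bytes": q["size"], "response_bytes": r["size"]}


# Constructed exchange 1: www.example.com resolves to 192.0.2.1 (TEST-NET-1).
# Response flags 0x8180 = QR|RD|RA, rcode 0; the answer name is a compression
# pointer (0xc00c) back to the question name at offset 12; TTL 300.
QUERY_OK = build_query(0x1234, "www.example.com")
RESPONSE_OK = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
               + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

# Constructed exchange 2: a name that does not exist.  Flags 0x8183 = QR|RD|RA,
# rcode 3 (NXDOMAIN), no answers (the SOA a real server would put in the
# authority section is omitted here).
QUERY_NX = build_query(0x1235, "doesnotexist.example.com")
RESPONSE_NX = (struct.pack("!6H", 0x1235, 0x8183, 1, 0, 0, 0)
               + encode_name("doesnotexist.example.com") + struct.pack("!HH", 1, 1))


if __name__ == "__main__":
    for q, r in ((QUERY_OK, RESPONSE_OK), (QUERY_NX, RESPONSE_NX)):
        print(summarize(q, r))
```

Run against real traffic you would feed the decoder the UDP payloads from a capture (tcpdump's output file, for instance) rather than the constructed bytes; the pairing by ID and question is the same. The NXDOMAIN pair is the case that query-only logging hides: the query alone looks ordinary, and only the response tells you the name did not resolve.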