[dns-operations] Question regarding DNS query logging

Michael Skurka Michael.Skurka at LCRA.ORG
Mon Mar 14 23:51:20 UTC 2011


Excellent points!

I would love to turn on tcpdump/snoop and capture the queries _and_ responses.  And storage space isn't the big obstacle for me.  Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments.  Why?  Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing.  That solution will have to wait until we have some sort of budget.

At the moment, I'm having to battle management to get any visibility into our DNS servers.  Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).

Thanks for the ideas.  I will keep pushing for a better solution.


Michael Skurka
Information Security Analyst Sr
Lower Colorado River Authority, Austin TX
512-498-1643
Orwell was an optimist!


-----Original Message-----
From: Crist Clark [mailto:Crist.Clark at globalstar.com]
Sent: Monday, March 14, 2011 6:31 PM
To: Michael Skurka; dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Question regarding DNS query logging

>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
> I'm an Information Security Analyst for an energy company here in central
> Texas.  To date, we've not logged any of our DNS queries.  We're interested
> in "opening the fire hose" to do some analysis (pretty graphs for management
> and looking for potential threats, i.e. malware trying to "phone home").
>
> We have about 2500 internal workstations and servers that hit our internal
> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned
> with them at the moment.
>
> Does anyone in a similar sized company have any estimates (a rough ballpark
> is fine) how much data we'd be looking at collecting on a weekly or monthly
> basis?

Most of the suggestions so far seem to be query logging at
the DNS server itself.

I'd just say to consider packet captures as a viable option.
Just running tcpdump or snoop on the DNS server itself will
probably have less impact than query logging and running it
on another system has no impact.

The thing about query logging is that it does save the queries,
but you generally don't see the responses, and that can be of
the utmost importance if you are doing forensics.

As far as storage space for all of this, Storage Is Cheap(tm)
(except when it isn't). Second, you'll probably save space on
logging the actual queries, but the fact you get responses,
which tend to be bigger, occasionally much, much bigger, may
mean more space overall.

There are also special tools to reduce and/or analyze DNS
network captures. I personally don't have experience with
many, but searching list archives should turn these up. They
have been discussed recently.
--

Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
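To put rough numbers on the "how much data" question and to make the query-versus-response point concrete, here is an added example (not from either poster): it parses constructed BIND-style query-log lines, summarizes them the way a defender would (volume, top clients, record types) and extrapolates a monthly raw size for the 2500-host fleet mentioned in the thread. The log line pattern and the per-host query rate are assumptions to adjust to your own servers.

```python
import re
from collections import Counter

# Constructed sample of BIND-style query-log lines (not taken from the thread).
SAMPLE_QUERYLOG = """\
14-Mar-2011 12:41:00.101 client 10.1.20.15#53214: query: www.example.com IN A + (10.1.0.2)
14-Mar-2011 12:41:00.204 client 10.1.20.15#53215: query: www.example.com IN AAAA + (10.1.0.2)
14-Mar-2011 12:41:01.377 client 10.1.20.77#49152: query: mail.example.net IN MX +E (10.1.0.2)
14-Mar-2011 12:41:02.512 client 10.1.33.9#40321: query: zq7x3.example.org IN A + (10.1.0.2)
14-Mar-2011 12:41:02.913 client 10.1.33.9#40322: query: 9.33.1.10.in-addr.arpa IN PTR + (10.1.0.2)
this line is not a query-log entry and is skipped
"""

# Fields of the classic BIND 9 querylog line; newer versions add "view" and
# other fields, so treat this pattern as an assumption to adapt to your logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)

def parse_querylog(text):
    """Parse query-log lines into dicts. There is no answer field: query
    logging records what was asked, never what the resolver answered."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = len(line.encode()) + 1  # +1 for the newline on disk
            records.append(rec)
    return records

def summarize(records):
    """Counts a defender wants from the log: volume, top talkers, record types."""
    return {
        "queries": len(records),
        "bytes": sum(r["bytes"] for r in records),
        "by_client": Counter(r["client"] for r in records),
        "by_qtype": Counter(r["qtype"] for r in records),
    }

def estimate_monthly_bytes(avg_line_bytes, hosts, queries_per_host_per_day, days=30):
    """Ballpark raw (uncompressed) query-log volume; responses are not included."""
    return int(avg_line_bytes * hosts * queries_per_host_per_day * days)

if __name__ == "__main__":
    s = summarize(parse_querylog(SAMPLE_QUERYLOG))
    avg = s["bytes"] / s["queries"]
    # 2500 hosts is the figure from the thread; 2000 queries/host/day is an assumed rate.
    print(f"{s['queries']} queries, {avg:.0f} bytes/line, top clients {s['by_client'].most_common(2)}")
    print(f"~{estimate_monthly_bytes(avg, 2500, 2000) / 1e9:.1f} GB/month raw")
```

Text logs of this shape compress well, so the raw figure is an upper bound for disk; a packet capture of the same traffic would add the responses, which the log lines above simply do not contain.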
