[dns-operations] Question regarding DNS query logging

Warren Kumari warren at kumari.net
Tue Mar 15 02:31:13 UTC 2011

I'm a little surprised no-one has suggested DSC yet...

It doesn't do everything you want, but it will automate the "pretty graphs for management" bit without lots of disk....

Warren Kumari
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 14, 2011, at 4:51 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:

> Excellent points!
> I would love to turn on tcpdump/snoop and capture the queries _and_ responses.  And storage space isn't the big obstacle for me.  Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments.  Why?  Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing.  That solution will have to wait until we have some sort of budget.
> At the moment, I'm having to battle management to get any visibility into our DNS servers.  Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).
> Thanks for the ideas.  I will keep pushing for a better solution.
> Michael Skurka
> Information Security Analyst Sr
> Lower Colorado River Authority, Austin TX
> 512-498-1643
> Orwell was an optimist!
> -----Original Message-----
> From: Crist Clark [mailto:Crist.Clark at globalstar.com]
> Sent: Monday, March 14, 2011 6:31 PM
> To: Michael Skurka; dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] Question regarding DNS query logging
>>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
>> I'm an Information Security Analyst for an energy company here in central
>> Texas.  To date, we've not logged any of our DNS queries.  We're interested
>> in "opening the fire hose" to do some analysis (pretty graphs for management
>> and looking for potential threats, i.e. malware trying to "phone home").
>> We have about 2500 internal workstations and servers that hit our internal
>> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned
>> with them at the moment.
>> Does anyone in a similar sized company have any estimates (a rough ballpark
>> is fine) how much data we'd be looking at collecting on a weekly or monthly
>> basis?
> Most of the suggestions so far seem to be query logging at
> the DNS server itself.
> I'd just say to consider packet captures as a viable option.
> Just running tcpdump or snoop on the DNS server itself will
> probably have less impact than query logging and running it
> on another system has no impact.
> The thing about query logging is that it does save the queries,
> but you generally don't see the responses, and that can be of
> the utmost importance if you are doing forensics.
> As far as storage space for all of this, Storage Is Cheap(tm)
> (except when it isn't). Second, you'll probably save space on
> logging the actual queries, but the fact you get responses,
> which tend to be bigger, occasionally much, much bigger, may
> mean more space overall.
> There are also special tools to reduce and/or analyze DNS
> network captures. I personally don't have experience with
> many, but searching list archives should turn these up. They
> have been discussed recently.
> --
> Crist Clark
> Network Security Specialist, Information Systems
> Globalstar
> 408 933 4387
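Crist's point that a query log records the question but not the answer, and Warren's hint that disk usage is the practical constraint, are easiest to see on actual wire-format messages. The following is an added example, not code from any participant in this thread: it builds a handful of constructed DNS query/response pairs, decodes them (header, question, answer section with name compression), pairs each response with its query, reports the fields only the response carries (rcode, answer RRs), and estimates daily capture volume for a given query rate. The 58-byte per-packet overhead (16-byte pcap record header plus Ethernet/IPv4/UDP headers) is an assumption used only for the estimate.

```python
import struct

# --- constructed sample traffic (not real captures) ---------------------

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(ident, name, qtype=1):
    """Standard query, RD set, one question, no other sections."""
    return (struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def build_response(ident, name, addrs, rcode=0):
    """Response (QR|RD|RA) with one A record per address, owner name
    compressed with a pointer to the question name at offset 12."""
    hdr = struct.pack("!HHHHHH", ident, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addrs:
        msg += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes(int(o) for o in addr.split(".")))
    return msg

SAMPLE_MESSAGES = [
    build_query(0x1A2B, "www.example.com"),
    build_response(0x1A2B, "www.example.com", ["192.0.2.10", "192.0.2.11"]),
    build_query(0x3C4D, "nope.example.com"),
    build_response(0x3C4D, "nope.example.com", [], rcode=3),   # NXDOMAIN
]

# --- decoder -------------------------------------------------------------

def parse_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                           # resume after pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)

def parse_dns(msg):
    """Decode header, question section and answer section (A rdata as text)."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions,
            "answers": answers, "size": len(msg)}

# --- analysis ------------------------------------------------------------

def pair_by_id(messages):
    """Match responses to queries on (ID, question). A real capture would
    also key on the UDP 5-tuple, since IDs repeat across clients."""
    pending, pairs = {}, []
    for m in messages:
        key = (m["id"], m["questions"][0])
        if not m["is_response"]:
            pending[key] = m
        elif key in pending:
            pairs.append((pending.pop(key), m))
    return pairs

def response_only_fields(pairs):
    """What a capture shows that a server-side query log does not."""
    return [{"name": q["questions"][0][0], "rcode": r["rcode"],
             "answers": [a[3] for a in r["answers"]]} for q, r in pairs]

def estimate_daily_bytes(pairs, queries_per_day, frame_overhead=58):
    """(query-only, query+response) bytes/day from observed average sizes."""
    avg_q = sum(q["size"] for q, _ in pairs) / len(pairs)
    avg_r = sum(r["size"] for _, r in pairs) / len(pairs)
    per_query = avg_q + frame_overhead
    per_pair = per_query + avg_r + frame_overhead
    return queries_per_day * per_query, queries_per_day * per_pair

if __name__ == "__main__":
    pairs = pair_by_id([parse_dns(m) for m in SAMPLE_MESSAGES])
    for row in response_only_fields(pairs):
        print(row)
    print("bytes/day at 1000 qpd:", estimate_daily_bytes(pairs, 1000))
```

The `response_only_fields` output is the forensic gap Crist describes: an NXDOMAIN for a never-seen name, or the resolved address a host then connected to, appears only once the response is captured. Feeding the estimator your real queries-per-day figure (rather than the constructed 1000) gives a first-order answer to the original storage question for both approaches.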
