[dns-operations] Question regarding DNS query logging
warren at kumari.net
Tue Mar 15 02:31:13 UTC 2011
I'm a little surprised no one has suggested DSC yet...
It doesn't do everything you want, but it will automate the "pretty graphs for management" bit without lots of disk....
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.
On Mar 14, 2011, at 4:51 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
> Excellent points!
> I would love to turn on tcpdump/snoop and capture the queries _and_ responses. And storage space isn't the big obstacle for me. Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments. Why? Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing. That solution will have to wait until we have some sort of budget.
> At the moment, I'm having to battle management to get any visibility into our DNS servers. Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).
> Thanks for the ideas. I will keep pushing for a better solution.
> Michael Skurka
> Information Security Analyst Sr
> Lower Colorado River Authority, Austin TX
> Orwell was an optimist!
> -----Original Message-----
> From: Crist Clark [mailto:Crist.Clark at globalstar.com]
> Sent: Monday, March 14, 2011 6:31 PM
> To: Michael Skurka; dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] Question regarding DNS query logging
>>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
>> I'm an Information Security Analyst for an energy company here in central
>> Texas. To date, we've not logged any of our DNS queries. We're interested
>> in "opening the fire hose" to do some analysis (pretty graphs for management
>> and looking for potential threats, i.e. malware trying to "phone home").
>> We have about 2500 internal workstations and servers that hit our internal
>> DNS servers. Our external-facing DNS is done off-site and we aren't concerned
>> with them at the moment.
>> Does anyone in a similar sized company have any estimates (a rough ballpark
>> is fine) how much data we'd be looking at collecting on a weekly or monthly
> Most of the suggestions so far seem to be query logging at
> the DNS server itself.
> I'd just say to consider packet captures as a viable option.
> Just running tcpdump or snoop on the DNS server itself will
> probably have less impact than query logging and running it
> on another system has no impact.
> The thing about query logging is that it does save the queries,
> but you generally don't see the responses, and that can be of
> the utmost importance if you are doing forensics.
> As far as storage space for all of this, Storage Is Cheap(tm)
> (except when it isn't). Second, you'll probably save space on
> logging the actual queries, but the fact you get responses,
> which tend to be bigger, occasionally much, much bigger, may
> mean more space overall.
> There are also special tools to reduce and/or analyze DNS
> network captures. I personally don't have experience with
> many, but searching list archives should turn these up. They
> have been discussed recently.
> Crist Clark
> Network Security Specialist, Information Systems
> 408 933 4387
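Two things the thread leaves the reader to work out are how to turn a sample of query-log lines into the "rough ballpark" storage estimate Michael asked for, and what a first-pass "phone home" check over those same lines might look like given that query logging records queries but not responses. The following is an added example, not code from any poster or from DSC; the log lines are constructed in the BIND-style "client ip#port: query: name class type" format, and the sizing inputs (2500 hosts, a guessed per-host query rate, a 30-day window) are assumptions to be replaced with measured values.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query log lines (not taken from the thread).
SAMPLE_LOG = """\
15-Mar-2011 02:31:13.101 client 10.1.2.3#53124: query: www.example.com IN A + (10.0.0.1)
15-Mar-2011 02:31:13.205 client 10.1.2.3#53125: query: mail.example.com IN MX + (10.0.0.1)
15-Mar-2011 02:31:14.010 client 10.1.2.4#41001: query: update.vendor.example IN A + (10.0.0.1)
15-Mar-2011 02:31:14.330 client 10.1.2.5#41002: query: a1b2c3d4e5.bad.example IN A + (10.0.0.1)
15-Mar-2011 02:31:14.331 client 10.1.2.5#41003: query: f6g7h8i9j0.bad.example IN A + (10.0.0.1)
15-Mar-2011 02:31:14.332 client 10.1.2.5#41004: query: k1l2m3n4o5.bad.example IN A + (10.0.0.1)
"""

# Timestamp, client address, query name and type; the trailing flags and
# server address are ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Parse query-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = len(line.encode()) + 1  # +1 for the newline on disk
            records.append(rec)
    return records


def estimate_storage(records, hosts, queries_per_host_per_day, days):
    """Project raw (uncompressed) log volume from the mean bytes per line
    in a sample; hosts and per-host query rate are assumptions to measure."""
    if not records:
        raise ValueError("no parsable records in sample")
    mean = sum(r["bytes"] for r in records) / len(records)
    total_queries = hosts * queries_per_host_per_day * days
    return {
        "mean_bytes_per_line": mean,
        "queries": total_queries,
        "bytes": int(mean * total_queries),
    }


def suspicious_clients(records, min_labels_per_domain=3):
    """Flag clients that query many distinct leading labels under one parent
    domain, a simple first-pass heuristic for beaconing-style lookups.
    The threshold is an assumption; tune it against your own baseline."""
    per_client = defaultdict(lambda: defaultdict(set))
    for r in records:
        labels = r["qname"].rstrip(".").split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])
        per_client[r["ip"]][parent].add(labels[0])
    flagged = {}
    for ip, parents in per_client.items():
        for parent, subs in parents.items():
            if len(subs) >= min_labels_per_domain:
                flagged.setdefault(ip, []).append(parent)
    return flagged


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    est = estimate_storage(recs, hosts=2500, queries_per_host_per_day=1000, days=30)
    print(f"{est['queries']:,} queries/month at ~{est['mean_bytes_per_line']:.0f} B/line "
          f"= {est['bytes'] / 1e9:.1f} GB raw")
    print("flagged:", suspicious_clients(recs))
```

The estimate is for raw text; query logs compress well, so the figure on disk after rotation with compression will be considerably smaller. It also measures only query lines, which is exactly the gap Crist raised: a packet capture of queries and responses is larger per transaction, so a capture-based estimate needs a sample of both directions.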