[dns-operations] Question regarding DNS query logging

Warren Kumari warren at kumari.net
Tue Mar 15 02:31:13 UTC 2011


I'm a little surprised no-one has suggested DSC yet...

It doesn't do everything you want, but it will automate the "pretty graphs for management" bit without lots of disk....

Warren Kumari
------
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 14, 2011, at 4:51 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:

> Excellent points!
> 
> I would love to turn on tcpdump/snoop and capture the queries _and_ responses.  And storage space isn't the big obstacle for me.  Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments.  Why?  Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing.  That solution will have to wait until we have some sort of budget.
> 
> At the moment, I'm having to battle management to get any visibility into our DNS servers.  Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).
> 
> Thanks for the ideas.  I will keep pushing for a better solution.
> 
> 
> Michael Skurka
> Information Security Analyst Sr
> Lower Colorado River Authority, Austin TX
> 512-498-1643
> Orwell was an optimist!
> 
> 
> -----Original Message-----
> From: Crist Clark [mailto:Crist.Clark at globalstar.com]
> Sent: Monday, March 14, 2011 6:31 PM
> To: Michael Skurka; dns-operations at mail.dns-oarc.net
> Subject: Re: [dns-operations] Question regarding DNS query logging
> 
>>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
>> I'm an Information Security Analyst for an energy company here in central
>> Texas.  To date, we've not logged any of our DNS queries.  We're interested
>> in "opening the fire hose" to do some analysis (pretty graphs for management
>> and looking for potential threats, i.e. malware trying to "phone home").
>> 
>> We have about 2500 internal workstations and servers that hit our internal
>> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned
>> with them at the moment.
>> 
>> Does anyone in a similar sized company have any estimates (a rough ballpark
>> is fine) how much data we'd be looking at collecting on a weekly or monthly
>> basis?
> 
> Most of the suggestions so far seem to be query logging at
> the DNS server itself.
> 
> I'd just say to consider packet captures as a viable option.
> Just running tcpdump or snoop on the DNS server itself will
> probably have less impact than query logging and running it
> on another system has no impact.
> 
> The thing about query logging is that it does save the queries,
> but you generally don't see the responses, and that can be of
> the utmost importance if you are doing forensics.
> 
> As far as storage space for all of this, Storage Is Cheap(tm)
> (except when it isn't). Second, you'll probably save space on
> logging the actual queries, but the fact you get responses,
> which tend to be bigger, occasionally much, much bigger, may
> mean more space overall.
> 
> There are also special tools to reduce and/or analyze DNS
> network captures. I personally don't have experience with
> many, but searching list archives should turn these up. They
> have been discussed recently.
> --
> 
> Crist Clark
> Network Security Specialist, Information Systems
> Globalstar
> 408 933 4387
> 
> 
> 
> 
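As an added illustration for the sizing question and the "pretty graphs" use discussed in this thread (this is not code from the thread or from any of its posters), the following Python script parses BIND-style query-log lines, aggregates counts per name/type and per client, and projects weekly log volume from the observed byte rate. The line format and the sample lines are assumed and constructed; adjust `LINE_RE` to whatever your server version actually emits. Note that it sees queries only, which is exactly the limitation raised above: responses never appear in a query log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of BIND 9 style query-log lines (format assumed; real
# deployments differ between versions, so adjust LINE_RE to match yours).
SAMPLE_LOG = """\
15-Mar-2011 02:31:13.101 client 10.1.2.3#51234: query: www.example.com IN A + (10.1.0.10)
15-Mar-2011 02:31:13.240 client 10.1.2.3#51235: query: www.example.com IN AAAA + (10.1.0.10)
15-Mar-2011 02:31:14.005 client 10.1.2.7#40001: query: mail.example.com IN MX + (10.1.0.10)
15-Mar-2011 02:31:14.377 client 10.1.2.9#33021: query: update.example.net IN A + (10.1.0.10)
15-Mar-2011 02:31:15.910 client 10.1.2.3#51236: query: www.example.com IN A + (10.1.0.10)
this line is not a query log entry
"""

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) client (?P<client>[\d.]+)#\d+: '
    r'query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)'
)

def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise for counting
    return rec

def summarize(log_text, sample_seconds):
    """Aggregate a log sample and project its on-disk footprint per week.

    sample_seconds is the wall-clock window the sample covers; the projection
    scales the observed byte rate linearly, so treat it as a rough ballpark.
    """
    queries, clients = Counter(), defaultdict(Counter)
    total_bytes = parsed = skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        total_bytes += len(line.encode()) + 1  # +1 for the newline on disk
        queries[(rec["qname"], rec["qtype"])] += 1
        clients[rec["client"]][rec["qname"]] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "bytes_per_query": total_bytes / parsed if parsed else 0.0,
        "bytes_per_week": round(total_bytes / sample_seconds * 7 * 86400),
        "top_queries": queries.most_common(3),
        "busiest_client": max(clients, key=lambda c: sum(clients[c].values())) if clients else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, sample_seconds=3))
```

Feed it a real sample of a few minutes of logging and the bytes_per_week figure gives the ballpark asked for; the per-client counters are the starting point for spotting a host that queries unusually many distinct names.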
