[dns-operations] Question regarding DNS query logging

Wayne MacLaurin wayne at dns-oarc.net
Tue Mar 15 04:22:40 UTC 2011


Thanks for the pitch Warren!

Michael... you can see samples of DSC at http://public.dsc.dns-oarc.net/grapher?plot=qtype&server=f-root  The source is available at http://dns.measurement-factory.com/tools/dsc/source.html

Wayne MacLaurin
Executive Director, DNS-OARC
wayne at dns-oarc.net

On 2011-03-14, at 7:31 PM, Warren Kumari wrote:

> I'm a little surprised no-one has suggested DSC yet...
> 
> It doesn't do everything you want, but it will automate the "pretty graphs for management" bit without lots of disk....
> 
> Warren Kumari
> ------
> Please excuse typing, etc -- This was sent from a device with a tiny keyboard.
> 
> On Mar 14, 2011, at 4:51 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
> 
>> Excellent points!
>> 
>> I would love to turn on tcpdump/snoop and capture the queries _and_ responses.  And storage space isn't the big obstacle for me.  Unfortunately, to capture queries/responses would involve purchasing hardware to monitor several switched network segments.  Why?  Due to security requirements, I/we can't implement a single host with multiple NICs to do the capturing.  That solution will have to wait until we have some sort of budget.
>> 
>> At the moment, I'm having to battle management to get any visibility into our DNS servers.  Turning on query logging is the least-cost overall at the moment (CPU, network, storage, admin resources).
>> 
>> Thanks for the ideas.  I will keep pushing for a better solution.
>> 
>> 
>> Michael Skurka
>> Information Security Analyst Sr
>> Lower Colorado River Authority, Austin TX
>> 512-498-1643
>> Orwell was an optimist!
>> 
>> 
>> -----Original Message-----
>> From: Crist Clark [mailto:Crist.Clark at globalstar.com]
>> Sent: Monday, March 14, 2011 6:31 PM
>> To: Michael Skurka; dns-operations at mail.dns-oarc.net
>> Subject: Re: [dns-operations] Question regarding DNS query logging
>> 
>>>>> On 3/14/2011 at 12:41 PM, Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:
>>> I'm an Information Security Analyst for an energy company here in central
>>> Texas.  To date, we've not logged any of our DNS queries.  We're interested
>>> in "opening the fire hose" to do some analysis (pretty graphs for management
>>> and looking for potential threats, i.e. malware trying to "phone home").
>>> 
>>> We have about 2500 internal workstations and servers that hit our internal
>>> DNS servers.  Our external-facing DNS is done off-site and we aren't concerned
>>> with them at the moment.
>>> 
>>> Does anyone in a similar sized company have any estimates (a rough ballpark
>>> is fine) how much data we'd be looking at collecting on a weekly or monthly
>>> basis?
>> 
>> Most of the suggestions so far seem to be query logging at
>> the DNS server itself.
>> 
>> I'd just say to consider packet captures as a viable option.
>> Just running tcpdump or snoop on the DNS server itself will
>> probably have less impact than query logging and running it
>> on another system has no impact.
>> 
>> The thing about query logging is that it does save the queries,
>> but you generally don't see the responses, and that can be of
>> the utmost importance if you are doing forensics.
>> 
>> As far as storage space for all of this, Storage Is Cheap(tm)
>> (except when it isn't). Second, you'll probably save space on
>> logging the actual queries, but the fact you get responses,
>> which tend to be bigger, occasionally much, much bigger, may
>> mean more space overall.
>> 
>> There are also special tools to reduce and/or analyze DNS
>> network captures. I personally don't have experience with
>> many, but searching list archives should turn these up. They
>> have been discussed recently.
>> --
>> 
>> Crist Clark
>> Network Security Specialist, Information Systems
>> Globalstar
>> 408 933 4387
>> 
>> 
>> 
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> 
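Added example for Michael's question and Crist's point about responses; this is editor-supplied code, not something posted by anyone in this thread or shipped with BIND, DSC or tcpdump. It parses a few constructed query-log lines in an assumed BIND 9-style layout ("client IP#port: query: NAME CLASS TYPE ...") to get the per-client view a query log gives you, then decodes two constructed DNS responses in wire format to show what only a packet capture gives you: the RCODE (NXDOMAIN versus NOERROR) and the answer RDATA. All IPs, names and the log format are assumptions for illustration; nothing here is real traffic.

```python
"""Query log versus captured response: what each one can tell you.
Added example, not from the dns-operations thread. Log format, names and
addresses are constructed for illustration."""
import re
import struct
from collections import Counter

# Constructed sample lines in an assumed BIND 9-style query log layout.
SAMPLE_QUERY_LOG = """\
client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.53)
client 10.1.2.3#51235: query: kx7q3f9.bad-example.net IN A + (10.0.0.53)
client 10.1.2.4#40001: query: mail.example.com IN MX + (10.0.0.53)
client 10.1.2.3#51236: query: p0z1wq.bad-example.net IN TXT + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one dict per query-log line (client, name, class, type)."""
    return [m.groupdict() for line in text.splitlines()
            if (m := QUERY_RE.search(line))]


def queries_per_client(rows):
    """Query volume per client IP: the kind of count a query log supports."""
    return Counter(r["ip"] for r in rows)


# ---- The part a query log cannot give you: the response -------------------

def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build sample packets)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, rcode, a_rdata=None):
    """Construct a minimal DNS response in wire format (sample data, not captured)."""
    flags = 0x8180 | rcode                     # QR=1, RD=1, RA=1, RCODE in low 4 bits
    ancount = 1 if a_rdata else 0
    pkt = struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if a_rdata:
        pkt += b"\xc0\x0c"                     # compression pointer to the question name
        pkt += struct.pack("!HHIH", 1, 1, 300, 4)
        pkt += bytes(int(x) for x in a_rdata.split("."))
    return pkt


def read_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; return (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # RFC 1035 compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(pkt):
    """Extract RCODE, question name and answer records from a DNS response."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    qname, off = read_name(pkt, off)
    off += 4                                   # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "qname": qname, "answers": answers}


def join_with_responses(rows, responses_by_name):
    """Attach rcode/answers to each logged query when a captured response exists.
    Without the capture the rcode stays None: that is Crist's forensics gap."""
    out = []
    for r in rows:
        resp = responses_by_name.get(r["name"])
        out.append({**r,
                    "rcode": resp["rcode"] if resp else None,
                    "answers": resp["answers"] if resp else None})
    return out


if __name__ == "__main__":
    rows = parse_query_log(SAMPLE_QUERY_LOG)
    print(queries_per_client(rows))
    captured = {
        "www.example.com": parse_response(build_response("www.example.com", 0, "93.184.216.34")),
        "kx7q3f9.bad-example.net": parse_response(build_response("kx7q3f9.bad-example.net", 3)),
    }
    for rec in join_with_responses(rows, captured):
        print(rec["ip"], rec["name"], rec["qtype"], "rcode=", rec["rcode"], rec["answers"])
```

Run against the constructed data, the two `bad-example.net` queries are indistinguishable from the rest in the query-log view; only the decoded response tells you one of them came back NXDOMAIN, which is the signal you would want when hunting for malware trying to phone home, and the joined record for the TXT query has no rcode at all because no response was captured for it.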