[dns-operations] DNS Hosting and Logging

Paul Vixie paul at redbarn.org
Mon Oct 12 16:39:25 UTC 2015

Fred Morris wrote:
> On Mon, 12 Oct 2015, Ray Van Dolson wrote:
>> For those of you in the Enterprise space, do you find value in having
>> at least partial visibility into detailed information on external
>> queries?
> Anybody who's really serious about threat indicators should be watching
> DNS for anomalies ("full stack": not just what queries are we making, but
> where are those queries being directed).
> Having access to DNS logs is part of this: although one ought to be able
> to achieve a lot of it via DPI, it's often more efficient to be able to
> have the resolver logging this.

this is the essence of passive dns, and i agree, but i think there's
been an implicit thread fork.

for authority dns (such as was asked about up-thread), query logs show
inbound cache misses concerning the enterprise's own domain names. logs
for this are available from some "secondary dns" providers but not all.

for recursive dns (such as you are discussing here), query logs show
both inbound queries from your stub clients (all your local
file/web/other servers; all your local
smartphone/tablet/labtop/desktop), and also outbound cache miss queries
whenever a local stub wants something your local recursive server
doesn't already know. this is "passive dns" as described first by
florian weimer in his uni-stutgart thesis, "passive dns replication",
and now a common practice in the internet security industry.

Paul Vixie

More information about the dns-operations mailing list