
Collect Your DNS Log With Ease

Problem

Collecting DNS logs from different and distributed sources is very difficult. Although companies put much time and effort into achieving this, only a tiny fraction of them succeed.

Why is collecting DNS logs important?

The first reason is that certain malicious activities can only be detected by DNS log analysis, as infected clients try to connect to domains that do not have IP addresses, e.g. DGA domains.

Another reason behind the importance of collecting DNS logs is DNS tunnelling. This type of attack cannot be detected with a firewall or proxy, as it is designed to run in the application layer (Layer 7). Data Loss Prevention (DLP) technologies are designed to monitor protocols onto which files can be attached, such as HTTP, FTP, IM, Telnet, TCP/IP, SMTP, POP3, and IMAP; however, they do not analyse DNS logs or examine the network layer.

Last but not least, collecting DNS logs may be a regulatory or legal necessity.

Why is collecting DNS logs complex?

The number of DNS queries in flight at any moment can reach 15 thousand in a typical enterprise network with 10 thousand users. Such a high number is due to a variety of factors. For example, approximately 70-100 DNS queries are made when a typical news web page is requested. In addition, even when devices are not in use, the services running in the background continue to generate DNS queries. Mail servers also make numerous DNS queries during a simple e-mail transmission. In this manner, every device on a network constantly performs DNS queries in order to provide or receive internet services, creating a massive amount of data.

In addition, DNS logs contain a large amount of raw data that cannot be made sense of if not processed properly. The logs include the client's IP address and the requested domain, which on their own are of little use for security analysis. What's more, logging this unprocessed data may put your company at risk of violating different regulations and laws. All in all, DNS logs should be enriched with other data.

The third reason behind the complexity of collecting DNS logs is the lack of a standard format for them. Each DNS server produces logs in a different format, making DNS parsing a nightmare given the various standards and data types involved.

DNSSense’s Solution

Thanks to DNSSense’s DNSEye solution, logs can now be collected hassle-free from different types and models of DNS servers distributed over a broad spectrum, allowing centralisation of DNS logs.

Moreover, DNSEye has made it easy to enrich DNS logs with valuable data such as machine name, user name, and MAC address by correlating DHCP, DNS, and AD logs. As a result, SOC teams will have ready access to information such as which client IP address belongs to which user, MAC address, and hostname at a specified time and date, along with their DNS queries.
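The two detection ideas on this page, enriching a raw DNS query line with the user, MAC address and hostname that held the client IP at query time, and then spotting clients whose resolutions keep failing (the DGA symptom described above), can be shown together in one small script. The following is an added example written for this page, not DNSEye's code or any DNSSense format: the DHCP lease, AD logon and DNS query lines are constructed samples in a simplified space-separated layout, and the field order, thresholds and function names are all assumptions.

```python
"""Enrich DNS query records with DHCP/AD context, then flag clients with a
high share of NXDOMAIN answers (a common DGA indicator).

All data below is constructed for illustration; the line formats are
hypothetical and not those of any particular DNS, DHCP or AD product.
"""
from collections import defaultdict
from datetime import datetime

# DHCP lease events: time  ip  mac  hostname  (constructed sample)
# Note that 10.0.0.5 is re-leased to a different machine at 09:30.
DHCP_LEASES = """\
2024-03-01T08:00:00 10.0.0.5 aa:bb:cc:dd:ee:01 laptop-alice
2024-03-01T08:00:00 10.0.0.9 aa:bb:cc:dd:ee:03 printer-1
2024-03-01T09:30:00 10.0.0.5 aa:bb:cc:dd:ee:02 laptop-bob
"""

# AD logon events: time  hostname  user  (constructed sample)
AD_LOGONS = """\
2024-03-01T08:01:00 laptop-alice alice
2024-03-01T09:31:00 laptop-bob bob
"""

# DNS query log: time  client_ip  qname  qtype  rcode  (constructed sample)
DNS_QUERIES = """\
2024-03-01T08:05:00 10.0.0.5 www.example.com A NOERROR
2024-03-01T08:06:00 10.0.0.5 cdn.example.org A NOERROR
2024-03-01T08:07:00 10.0.0.9 updates.example.com A NOERROR
2024-03-01T09:40:00 10.0.0.5 qx7f2k9wq.example.net A NXDOMAIN
2024-03-01T09:41:00 10.0.0.5 p0zm3vla1.example.net A NXDOMAIN
2024-03-01T09:42:00 10.0.0.5 mail.example.com A NOERROR
2024-03-01T09:43:00 10.0.0.5 v8kq2nd7s.example.net A NXDOMAIN
2024-03-01T09:44:00 10.0.0.5 bb2ak90ex.example.net A NXDOMAIN
"""


def _ts(text):
    return datetime.fromisoformat(text)


def parse_leases(text):
    """Map ip -> [(start_time, mac, hostname), ...] sorted by start time."""
    table = defaultdict(list)
    for line in text.splitlines():
        when, ip, mac, host = line.split()
        table[ip].append((_ts(when), mac, host))
    for entries in table.values():
        entries.sort()
    return dict(table)


def parse_logons(text):
    """Map hostname -> [(logon_time, user), ...] sorted by time."""
    table = defaultdict(list)
    for line in text.splitlines():
        when, host, user = line.split()
        table[host].append((_ts(when), user))
    for entries in table.values():
        entries.sort()
    return dict(table)


def latest_before(entries, when):
    """Last entry whose timestamp is <= when, or None.

    A lease (or logon) is treated as in effect until the next event for the
    same key, so the most recent one not after the query time wins.
    """
    result = None
    for entry in entries:
        if entry[0] <= when:
            result = entry
        else:
            break
    return result


def enrich(dns_text, leases, logons):
    """Attach mac, hostname and user to each DNS query line."""
    records = []
    for line in dns_text.splitlines():
        when, ip, qname, qtype, rcode = line.split()
        lease = latest_before(leases.get(ip, []), _ts(when))
        mac, host = (lease[1], lease[2]) if lease else (None, None)
        logon = latest_before(logons.get(host, []), _ts(when)) if host else None
        records.append({
            "time": when, "ip": ip, "mac": mac, "host": host,
            "user": logon[1] if logon else None,
            "qname": qname, "qtype": qtype, "rcode": rcode,
        })
    return records


def nxdomain_stats(records):
    """Per-client query and NXDOMAIN counts, keyed by MAC (IP if unknown)."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0})
    for rec in records:
        key = rec["mac"] or rec["ip"]
        stats[key]["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            stats[key]["nxdomain"] += 1
    return dict(stats)


def flag_dga_suspects(records, min_queries=5, ratio=0.5):
    """Clients with enough queries and a high NXDOMAIN share, for SOC review."""
    return sorted(
        key for key, s in nxdomain_stats(records).items()
        if s["queries"] >= min_queries and s["nxdomain"] / s["queries"] >= ratio
    )


if __name__ == "__main__":
    recs = enrich(DNS_QUERIES, parse_leases(DHCP_LEASES), parse_logons(AD_LOGONS))
    for rec in recs:
        print(rec["time"], rec["ip"], rec["user"], rec["host"], rec["qname"], rec["rcode"])
    print("suspects:", flag_dga_suspects(recs))
```

Keying the statistics on the MAC address rather than the IP is the point of the enrichment: in the sample, 10.0.0.5 changes hands at 09:30, so an IP-keyed count would blame the earlier user for the later machine's failed lookups. The thresholds are deliberately low to fit the eight sample lines; on a real feed they would be set per environment and per time window.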

Once connected to DNS log sources, our DNSEye product shows infected devices constantly trying to connect to their command centre. These are suspicious activities that SOC teams need to analyse carefully.

DNSEye can also block DNS tunnelling attacks before they start.

In conclusion, DNSSense makes collecting DNS logs from different and distributed sources very easy.