DNS logging and tools
Keep the data forever. Seriously, storage space is cheap – whether you use tape, HD, or a cloud provider. DNS logs (and, in fact, all logs) can be a lifesaver if you end up having to deal with a large-scale incident or an incident that spans weeks or months.
Right now, for example, various law enforcement agencies are publishing IP addresses of known bad DNS servers associated with various malware. Adding these to your RPZ blocking rules is great, but what about systems that have already been infected? If you have the logs, you can simply search them for the IP address and rapidly determine which systems may be infected. So, unless you have a compelling legal or business reason not to, I strongly advise keeping the log data forever.
For reference, I personally average about 1MB of DNS query logs per day and several megabytes of replies – so, 2GB per year, per heavy user. I spend a lot of time on Reddit, so Chrome does a lot of DNS lookups.
If I had known how easy this process was and how useful the information could be, I would have done it years ago. Although you are potentially looking at a few gigabytes per user per year to store all of the data, you should remember that these records will compress very efficiently. For example, a good 10 percent of my logs consist of my VOIP phone making the same query for its SIP server every five minutes.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- "DNS Security" by Kurt Seifried: http://www.linux-magazine.com/Issues/2014/161/Security-Lessons-DNS-Security
- How to capture network packets to MySQL: http://stackoverflow.com/questions/7407070/how-to-capture-network-packets-to-mysql
Buy this article as PDF
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.
Klaus Knopper announces the latest version of his iconic Live Linux system.
All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.
According to a report, many potential victims of the Heartbleed attack have patched their systems, but few have cleaned up the crime scene to protect themselves from the effects of a previous intrusion.
DARPA and NICTA release the code for the ultra-secure microkernel system used in aerial drones.
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.