DNS logging and tools
Keep the data forever. Seriously, storage space is cheap – whether you use tape, HD, or a cloud provider. DNS logs (and, in fact, all logs) can be a lifesaver if you end up having to deal with a large-scale incident or an incident that spans weeks or months.
Right now, for example, various law enforcement agencies are publishing IP addresses of known bad DNS servers associated with various malware. Adding these to your RPZ blocking rules is great, but what about systems that have already been infected? If you have the logs, you can simply search them for the IP address and rapidly determine which systems may be infected. So, unless you have a compelling legal or business reason not to, I strongly advise keeping the log data forever.
For reference, I personally average about 1MB of DNS query logs per day and several megabytes of replies – so, 2GB per year, per heavy user. I spend a lot of time on Reddit, so Chrome does a lot of DNS lookups.
If I had known how easy this process was and how useful the information could be, I would have done it years ago. Although you are potentially looking at a few gigabytes per user per year to store all of the data, you should remember that these records will compress very efficiently. For example, a good 10 percent of my logs consist of my VOIP phone making the same query for its SIP server every five minutes.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- "DNS Security" by Kurt Seifried: http://www.linux-magazine.com/Issues/2014/161/Security-Lessons-DNS-Security
- How to capture network packets to MySQL: http://stackoverflow.com/questions/7407070/how-to-capture-network-packets-to-mysql
Buy this article as PDF
New release marks the arrival of AMD’s unified driver strategy.
A new study by IDC charts big changes in the big hardware market.
Azure CTO says Redmond has already considered the unthinkable.
Lead developer quells rumors that the Debian version is slated for center stage.
MSBuild is now just another GitHub project as Redmond continues its path to the light.
Malware could pass data and commands between disconnected computers without leaving a trace on the network.
New rules emphasize collegiality in coding.
Upstart lands in the dust bin as a new era begins for Linux.
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?