DNS logging and tools
Keep the data forever. Seriously, storage space is cheap – whether you use tape, HD, or a cloud provider. DNS logs (and, in fact, all logs) can be a lifesaver if you end up having to deal with a large-scale incident or an incident that spans weeks or months.
Right now, for example, various law enforcement agencies are publishing IP addresses of known bad DNS servers associated with various malware. Adding these to your RPZ blocking rules is great, but what about systems that have already been infected? If you have the logs, you can simply search them for the IP address and rapidly determine which systems may be infected. So, unless you have a compelling legal or business reason not to, I strongly advise keeping the log data forever.
For reference, I personally average about 1MB of DNS query logs per day and several megabytes of replies – so, 2GB per year, per heavy user. I spend a lot of time on Reddit, so Chrome does a lot of DNS lookups.
If I had known how easy this process was and how useful the information could be, I would have done it years ago. Although you are potentially looking at a few gigabytes per user per year to store all of the data, you should remember that these records will compress very efficiently. For example, a good 10 percent of my logs consist of my VOIP phone making the same query for its SIP server every five minutes.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- "DNS Security" by Kurt Seifried: http://www.linux-magazine.com/Issues/2014/161/Security-Lessons-DNS-Security
- How to capture network packets to MySQL: http://stackoverflow.com/questions/7407070/how-to-capture-network-packets-to-mysql
Buy this article as PDF
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.
The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Legendary Uber-distro splits over the systemd controversy.
New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
One of CeBIT’s most successful forums returns in 2015.