DNS logging and tools
Keep the data forever. Seriously, storage space is cheap – whether you use tape, HD, or a cloud provider. DNS logs (and, in fact, all logs) can be a lifesaver if you end up having to deal with a large-scale incident or an incident that spans weeks or months.
Right now, for example, various law enforcement agencies are publishing IP addresses of known bad DNS servers associated with various malware. Adding these to your RPZ blocking rules is great, but what about systems that have already been infected? If you have the logs, you can simply search them for the IP address and rapidly determine which systems may be infected. So, unless you have a compelling legal or business reason not to, I strongly advise keeping the log data forever.
For reference, I personally average about 1MB of DNS query logs per day and several megabytes of replies – so, 2GB per year, per heavy user. I spend a lot of time on Reddit, so Chrome does a lot of DNS lookups.
If I had known how easy this process was and how useful the information could be, I would have done it years ago. Although you are potentially looking at a few gigabytes per user per year to store all of the data, you should remember that these records will compress very efficiently. For example, a good 10 percent of my logs consist of my VOIP phone making the same query for its SIP server every five minutes.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- "DNS Security" by Kurt Seifried: http://www.linux-magazine.com/Issues/2014/161/Security-Lessons-DNS-Security
- How to capture network packets to MySQL: http://stackoverflow.com/questions/7407070/how-to-capture-network-packets-to-mysql
Buy this article as PDF
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.