DNS logging and tools
Keep the data forever. Seriously, storage space is cheap – whether you use tape, HD, or a cloud provider. DNS logs (and, in fact, all logs) can be a lifesaver if you end up having to deal with a large-scale incident or an incident that spans weeks or months.
Right now, for example, various law enforcement agencies are publishing IP addresses of known bad DNS servers associated with various malware. Adding these to your RPZ blocking rules is great, but what about systems that have already been infected? If you have the logs, you can simply search them for the IP address and rapidly determine which systems may be infected. So, unless you have a compelling legal or business reason not to, I strongly advise keeping the log data forever.
For reference, I personally average about 1MB of DNS query logs per day and several megabytes of replies – so, 2GB per year, per heavy user. I spend a lot of time on Reddit, so Chrome does a lot of DNS lookups.
If I had known how easy this process was and how useful the information could be, I would have done it years ago. Although you are potentially looking at a few gigabytes per user per year to store all of the data, you should remember that these records will compress very efficiently. For example, a good 10 percent of my logs consist of my VOIP phone making the same query for its SIP server every five minutes.
Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He often wonders how it is that technology works on a large scale but often fails on a small scale.
- "DNS Security" by Kurt Seifried: http://www.linux-magazine.com/Issues/2014/161/Security-Lessons-DNS-Security
- How to capture network packets to MySQL: http://stackoverflow.com/questions/7407070/how-to-capture-network-packets-to-mysql
Buy this article as PDF
Should you trust an online service to store your online passwords?
New B+ board lets you build cool things without the complication of a powered USB hub.
Redmond rushes in to root out alleged malware haven.
New initiative will bring futuristic virtual reality effects to the web surfing experience.
Dyreza malware launches a man-in-the-middle attack that compromises SSL.
New cloud combines worldwide access with local attention to data security.
A first cousin of the recent Heartbleed attack affects EAP-based wireless and peer-to-peer authentication.
FOSS community acts to protect freedom of choice for laptop devices.
Quintessential open source browser shores up its market share with a step toward the proprietary dark side.
Authorities in 16 countries take action against users of the imfamous BlackShades malware tool.