57. DNS Monitoring
Monitoring and proactively analyzing Domain Name System (DNS) queries and responses has become a standard security practice for networks of all sizes. Many types of malware rely on DNS traffic to communicate with command-and-control servers, inject ads, redirect traffic, or tunnel and exfiltrate data.
Among other things, DNS traffic analysis is commonly used to:
- discover unknown devices that appear on the network;
- monitor critical devices that have not issued a query within a predefined time window;
- detect malware from young/esoteric domain lookups or consistent lookup failures; and
- analyze host, subnet, or user behavioral patterns.
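The four use cases above translate into small, independent detections once the query log has been normalized into records. The following is an added example, not NXLog's own code and not the native log format of either BIND 9 or Windows DNS Server: it assumes a collector has already reduced each query/response pair to a constructed "timestamp client qname rcode" record, and it uses hypothetical asset-inventory and critical-host sets. Domain age (the "young domain" signal) needs an external source such as WHOIS or passive DNS; the example stands in for it with a label-entropy heuristic that catches algorithmically generated names, and says so in the code.

```python
# Added example (not NXLog's own code): toy detections over normalized DNS
# query records of the kind a collector produces from BIND 9 query logs or
# Windows DNS Server analytical logs. The record format below is constructed
# for the example; it is not either product's native log format.
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: "<timestamp> <client-ip> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 www.example.com NOERROR
2024-05-01T09:00:01 10.0.0.5 mail.example.com NOERROR
2024-05-01T09:00:03 10.0.0.7 updates.example.org NOERROR
2024-05-01T09:00:05 10.0.0.9 a3k9x2q7lm1v.example.net NXDOMAIN
2024-05-01T09:00:06 10.0.0.9 zq8p1h7w9vtc.example.net NXDOMAIN
2024-05-01T09:00:07 10.0.0.9 mf2r5n8j6yxb.example.net NXDOMAIN
2024-05-01T09:00:08 10.0.0.9 cdn.example.com NOERROR
2024-05-01T09:00:09 10.0.0.5 www.example.com NOERROR
2024-05-01T09:00:10 10.0.0.42 www.example.com NOERROR
"""

KNOWN_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}       # hypothetical asset inventory
CRITICAL_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.11"}   # hypothetical must-be-seen hosts
SAMPLE_NOW = datetime.fromisoformat("2024-05-01T09:00:10")  # evaluation time for the sample
SAMPLE_WINDOW = timedelta(seconds=5)                        # "predefined time window"


def parse_records(text):
    """Parse the constructed format into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return records


def unknown_clients(records, known=KNOWN_HOSTS):
    """Use case 1: source addresses that are not in the asset inventory."""
    return {r["client"] for r in records} - set(known)


def silent_critical_hosts(records, now, window, critical=CRITICAL_HOSTS):
    """Use case 2: critical hosts with no query inside [now - window, now]."""
    last_seen = {}
    for r in records:
        if r["client"] in critical:
            last_seen[r["client"]] = max(last_seen.get(r["client"], r["ts"]), r["ts"])
    cutoff = now - window
    return {h for h in critical if h not in last_seen or last_seen[h] < cutoff}


def _label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like_qnames(records, min_len=10, min_entropy=3.0):
    """Use case 3a: long, high-entropy leftmost labels as a proxy for
    algorithmically generated (hence usually young/esoteric) domains.
    Real domain age needs WHOIS or passive DNS data, which is not shown here."""
    flagged = set()
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_len and _label_entropy(label) >= min_entropy:
            flagged.add(r["qname"])
    return flagged


def nxdomain_heavy_clients(records, min_failures=3, min_ratio=0.5):
    """Use case 3b: clients whose lookups fail consistently (NXDOMAIN)."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failed[r["client"]] += 1
    return {c for c in total
            if failed[c] >= min_failures and failed[c] / total[c] >= min_ratio}


def client_profile(records):
    """Use case 4: per-host behavioural summary suitable for baselining."""
    prof = defaultdict(lambda: {"queries": 0, "qnames": set(), "nxdomain": 0})
    for r in records:
        p = prof[r["client"]]
        p["queries"] += 1
        p["qnames"].add(r["qname"])
        if r["rcode"] == "NXDOMAIN":
            p["nxdomain"] += 1
    return {c: {"queries": p["queries"], "unique_qnames": len(p["qnames"]),
                "nxdomain": p["nxdomain"]} for c, p in prof.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("unknown clients:", unknown_clients(recs))
    print("silent critical hosts:", silent_critical_hosts(recs, SAMPLE_NOW, SAMPLE_WINDOW))
    print("DGA-like names:", dga_like_qnames(recs))
    print("NXDOMAIN-heavy clients:", nxdomain_heavy_clients(recs))
    print("profiles:", client_profile(recs))
```

On the sample data, 10.0.0.42 is the unknown device, 10.0.0.7 and 10.0.0.11 are the critical hosts that fell silent, the three random-looking example.net names are flagged, and 10.0.0.9 is the host whose lookups mostly fail. The thresholds (window length, minimum failures, entropy cut-off) are the knobs that need tuning against a real baseline; the entropy heuristic in particular will fire on legitimate CDN and telemetry hostnames unless those are allow-listed.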
Tip: DNS traffic can quickly become overwhelming. To save resources, consider discarding any fields that will not be required for analysis.
According to RFC 7626, there are no specific privacy laws for DNS data collection in any country; however, it is not clear whether general data protection law such as the European Union's Data Protection Directive 95/46/EC covers DNS traffic collection. Note that Directive 95/46/EC has since been replaced by the GDPR (Regulation (EU) 2016/679), so check the current rules that apply to your jurisdiction before retaining query logs that identify users.
- BIND 9 – Collecting BIND 9 logs
- Windows DNS Server – Collecting analytical logs from Windows DNS Server