Monitoring and proactively analyzing Domain Name System (DNS) queries and responses has become a standard security practice for networks of all sizes. Many types of malware rely on DNS traffic to communicate with command-and-control servers, inject ads, redirect traffic, or transport data.
Among other things, DNS traffic analysis is commonly used to:
discover unknown devices that appear on the network;
monitor critical devices that have not issued a query within a predefined time window;
detect malware from young/esoteric domain lookups or consistent lookup failures; and
analyze host, subnet, or user behavioral patterns.
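As an added example (not code from the original page), the following script runs three of the checks listed above over a few constructed DNS query-log lines: unknown devices, critical devices that have gone quiet, and hosts with consistent lookup failures. The log format, the device inventory, the analysis time and the thresholds are all assumptions for illustration.

```python
# Added example (not from the page); log format, inventory and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <client IP> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T10:00:05 10.0.0.10 www.example.com NOERROR
2024-05-01T10:00:09 10.0.0.10 mail.example.com NOERROR
2024-05-01T10:01:12 10.0.0.77 a1b2c3d4e5.example.net NXDOMAIN
2024-05-01T10:01:13 10.0.0.77 f6g7h8i9j0.example.net NXDOMAIN
2024-05-01T10:01:14 10.0.0.77 k1l2m3n4o5.example.net NXDOMAIN
2024-05-01T10:02:10 10.0.0.10 www.example.org NOERROR
"""
KNOWN_HOSTS = {"10.0.0.10", "10.0.0.20", "10.0.0.30"}   # assumed device inventory
CRITICAL_HOSTS = {"10.0.0.10", "10.0.0.30"}             # assumed critical devices
NOW = datetime.fromisoformat("2024-05-01T10:02:30")     # assumed time of analysis

def parse_log(text):
    """Parse log lines into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname, rcode))
    return records

def unknown_devices(records):
    """Clients that issued queries but are not in the device inventory."""
    return sorted({client for _, client, _, _ in records} - KNOWN_HOSTS)

def silent_critical_devices(records, now, window=timedelta(minutes=1)):
    """Critical hosts with no query seen within `window` before `now`."""
    last_seen = {}
    for ts, client, _, _ in records:
        last_seen[client] = max(ts, last_seen.get(client, ts))
    return sorted(h for h in CRITICAL_HOSTS
                  if h not in last_seen or now - last_seen[h] > window)

def failing_hosts(records, min_queries=3, max_failure_rate=0.5):
    """Clients whose NXDOMAIN share of their queries exceeds the threshold."""
    total, failed = defaultdict(int), defaultdict(int)
    for _, client, _, rcode in records:
        total[client] += 1
        failed[client] += int(rcode == "NXDOMAIN")
    return sorted(c for c in total if total[c] >= min_queries
                  and failed[c] / total[c] > max_failure_rate)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(unknown_devices(recs), silent_critical_devices(recs, NOW), failing_hosts(recs))
```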
Note: DNS traffic can quickly become overwhelming. To save resources, consider discarding any fields that will not be required for analysis.
According to RFC 7626, there are no specific privacy laws for DNS data collection in any country. However, it is not clear whether Data Protection Directive 95/46/EC of the European Union covers DNS traffic collection.