Collecting DNS logs from different and distributed sources is very difficult. Although companies spend time and effort to achieve this, only a small fraction of them succeed.
First, some malicious activity can only be seen through DNS log analysis, because infected clients try to resolve domains that have no IP address at all, such as DGA domains; since no address is ever returned, no connection follows for other controls to observe.
Another example of the importance of collecting DNS logs is DNS tunnelling. This attack cannot be detected with a firewall or proxy, because they are designed to work in the application layer (Layer 7). DLP technologies (Data Loss Prevention) are designed to monitor the protocols to which files can be attached, such as HTTP, FTP, IM, Telnet, TCP/IP, SMTP, POP3, and IMAP; however, they do not analyze DNS logs and do not examine the network layer.
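As an added illustration of both points above (this is example code written for this page, not code from the original post or from Roksit), the following Python script runs two simple detections over a handful of constructed DNS log records: a client whose queries for many distinct names all come back NXDOMAIN, which is the footprint DGA-driven malware leaves, and a client that sends many distinct, high-entropy subdomain labels under a single domain, which is the footprint of data encoded into DNS names. The record layout, the thresholds, and the "last two labels" rule for the registered domain are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample records, not real traffic. Each tuple is
# (client_ip, queried_name, query_type, response_code), the fields a
# normalized DNS log feed would provide.
SAMPLE_RECORDS = [
    # ordinary browsing from 10.0.0.5
    ("10.0.0.5", "www.example.com", "A", "NOERROR"),
    ("10.0.0.5", "cdn.example.net", "A", "NOERROR"),
    # 10.0.0.9 asks for a burst of random-looking names that do not exist (DGA-like)
    ("10.0.0.9", "kq3x8vlzp1.com", "A", "NXDOMAIN"),
    ("10.0.0.9", "z7wq0hn2bt.net", "A", "NXDOMAIN"),
    ("10.0.0.9", "pr9c4jtx1m.org", "A", "NXDOMAIN"),
    ("10.0.0.9", "vx0l5qak8r.com", "A", "NXDOMAIN"),
    ("10.0.0.9", "h3mz9ftw2d.net", "A", "NXDOMAIN"),
    # 10.0.0.12 sends many distinct hex-encoded labels under one domain (tunnel-like)
    ("10.0.0.12", "4f3a9c1e7b2d8a6f.tun.example-tunnel.test", "TXT", "NOERROR"),
    ("10.0.0.12", "9b1d6e0a3c5f2e8b.tun.example-tunnel.test", "TXT", "NOERROR"),
    ("10.0.0.12", "c7e2f1a9d4b0e3f6.tun.example-tunnel.test", "TXT", "NOERROR"),
    ("10.0.0.12", "e5d8b3c2f7a1d9e0.tun.example-tunnel.test", "TXT", "NOERROR"),
    ("10.0.0.12", "0a6f4b9e1d3c7a5f.tun.example-tunnel.test", "TXT", "NOERROR"),
    ("10.0.0.12", "1c5e8a2b7d4f0e9a.tun.example-tunnel.test", "TXT", "NOERROR"),
]


def shannon_entropy(text):
    """Bits of entropy per character: about 1.6 for 'www', about 3.7 for a 16-char hex blob."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (prefix_labels, registered_domain).

    Simplification (assumption): the registered domain is the last two labels.
    Production code should consult the Public Suffix List so that names under
    suffixes such as co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def find_dga_suspects(records, min_failed_names=5):
    """Clients whose queries for many *distinct* names were answered NXDOMAIN.

    Returns {client_ip: number_of_distinct_failed_names} for clients over the threshold."""
    failed = defaultdict(set)
    for client, qname, _qtype, rcode in records:
        if rcode == "NXDOMAIN":
            failed[client].add(qname.lower())
    return {c: len(names) for c, names in failed.items() if len(names) >= min_failed_names}


def find_tunnel_suspects(records, min_unique_prefixes=5, min_entropy=3.0):
    """(client, registered_domain) pairs that receive many distinct, high-entropy
    subdomain prefixes: the pattern left when data is encoded into DNS labels."""
    prefixes = defaultdict(set)
    for client, qname, _qtype, _rcode in records:
        prefix_labels, registered = split_name(qname)
        if prefix_labels:
            prefixes[(client, registered)].add(".".join(prefix_labels))
    suspects = {}
    for key, pset in prefixes.items():
        if len(pset) < min_unique_prefixes:
            continue
        # Entropy of the leftmost label, which is where a tunnel carries its payload.
        mean_entropy = sum(shannon_entropy(p.split(".")[0]) for p in pset) / len(pset)
        if mean_entropy >= min_entropy:
            suspects[key] = {"unique_prefixes": len(pset), "mean_entropy": round(mean_entropy, 2)}
    return suspects


if __name__ == "__main__":
    print("DGA suspects:", find_dga_suspects(SAMPLE_RECORDS))
    print("Tunnel suspects:", find_tunnel_suspects(SAMPLE_RECORDS))
```

Both checks are deliberately per-client and per-domain rather than per-query: a single odd name is noise, while a sustained pattern from one client is what a SOC analyst wants surfaced. The thresholds here are tuned to the tiny sample; on real traffic they would be set from a baseline of normal NXDOMAIN rates and subdomain diversity.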
Last but not least, collecting DNS logs can be a necessity under regulations and laws.
The number of DNS queries in flight at any given moment can reach 15 thousand in a typical enterprise network with 10 thousand users. This high number is due to a variety of factors. For example, approximately 70-100 DNS queries are made when a regular news web page is requested. In addition, even when devices are not in use, the services running in the background continue to generate DNS queries. Mail servers also perform numerous DNS queries during a simple e-mail transmission. In this way, every device on a network constantly performs DNS queries to provide or receive Internet services, which creates a massive volume of data.
In addition, DNS logs contain a large amount of raw data that does not make much sense unless it is processed. A raw log entry holds only the client's IP address and the requested domain, which on its own is not helpful for security analysis. While logging only this raw data, your company does not meet the requirements of various regulations and laws. DNS logs should therefore be enriched with other sources.
The third reason is that DNS logs are not standardized. Every DNS server produces a different log format, and parsing them is a nightmare because of the various formats and data types.
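To show what that parsing work looks like in practice, here is an added example (written for this page, not Roksit's code) that normalizes lines from two differently formatted sources into one common record schema. The sample lines are constructed; lines 1 and 2 follow the layout of a BIND 9 query log, lines 3 and 4 the layout of a Windows DNS Server debug log, and both layouts are assumptions about those products that vary between versions and logging settings. The schema (`ts`, `client`, `qname`, `qtype`, `rcode`, `kind`, `source`) is likewise an assumption chosen for the example.

```python
import re
from datetime import datetime

# Constructed sample lines, not copied from any real server.
SAMPLE_LINES = [
    # BIND 9 style, newer form with the "@0x..." client pointer
    "01-Mar-2023 10:15:42.123 client @0x7fd9c8a1 192.0.2.10#51234 (www.example.com): "
    "query: www.example.com IN A +E(0)K (198.51.100.1)",
    # BIND 9 style, older form without the pointer
    "01-Mar-2023 10:15:43.501 client 192.0.2.11#40211: query: mail.example.net IN MX + (198.51.100.1)",
    # Windows DNS debug log style: an inbound query packet ...
    "3/1/2023 10:15:44 AM 0F4C PACKET  000000AB12345678 UDP Rcv 192.0.2.12   0002   Q "
    "[0001   D   NOERROR] TXT    (4)data(7)example(3)org(0)",
    # ... and an outbound response packet carrying the response code
    "3/1/2023 10:15:45 AM 0F4C PACKET  000000AB12345678 UDP Snd 192.0.2.12   0003 R Q "
    "[8381   DR NXDOMAIN] A      (6)nosuch(7)example(3)org(0)",
    "this line is not a DNS log entry at all",
]

BIND_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client "
    r"(?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
WINDOWS_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?:UDP|TCP) (?P<direction>Snd|Rcv) (?P<client>[0-9a-fA-F.:]+)\s+\S+\s+"
    r"(?P<kind>Q|R Q)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<wname>\S+)"
)


def decode_windows_name(wname):
    """Turn the length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(label for _n, label in re.findall(r"\((\d+)\)([^(]*)", wname) if label)


def parse_line(line):
    """Map one raw line onto the common schema; None if it is not a DNS query or response."""
    m = BIND_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        return {"ts": when.isoformat(), "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"],
                "rcode": None, "kind": "query", "source": "bind"}
    m = WINDOWS_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        is_response = m["kind"] == "R Q"
        flags = m["flags"].split()
        return {"ts": when.isoformat(), "client": m["client"],
                "qname": decode_windows_name(m["wname"]).lower(), "qtype": m["qtype"],
                # The response code is only meaningful on a response packet.
                "rcode": flags[-1] if is_response and flags else None,
                "kind": "response" if is_response else "query", "source": "windows"}
    return None


def normalize_lines(lines):
    """Parse every line and drop the ones that carry no DNS query or response."""
    return [rec for rec in (parse_line(line) for line in lines) if rec is not None]


if __name__ == "__main__":
    for rec in normalize_lines(SAMPLE_LINES):
        print(rec)
```

The two formats differ not only in layout but in content: a BIND query log line never carries the response code, whereas the Windows debug log splits query and response into separate packets, so the normalizer records `kind` explicitly rather than pretending every source yields the same fields. Any detection built on top (NXDOMAIN counting, for instance) then has to be written against the common schema, not against one server's wording.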
With the Roksit DNSEye product, logs can be collected hassle-free from many types and models of DNS servers distributed across a broad environment. In this way, the DNS logs are centralized.
Moreover, enriching DNS logs with valuable data such as machine name, user name, and MAC address is made easy. To accomplish this, DHCP, DNS, and AD security logs are correlated by DNSEye. As a result, SOC teams have ready access to information such as which client IP address belonged to which user, MAC address, and hostname on the specified day and time, along with that client's DNS queries.
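The correlation the paragraph describes is a point-in-time join: for each DNS record, find the DHCP lease and the AD logon that were current for that IP address at that moment, not merely the latest ones. Below is an added example of that join written for this page; it is not DNSEye's implementation, and all of the DHCP, AD and DNS events are constructed. It also handles the case the naive join gets wrong: an IP address re-leased to a new device before its new owner has logged on, where the most recent logon still belongs to the previous holder.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not taken from any real network.
# DHCP lease events: (timestamp, client_ip, mac, hostname, lease_seconds)
DHCP_LEASES = [
    ("2023-03-01T08:00:00", "10.0.0.5", "aa:bb:cc:00:00:01", "LAPTOP-ALICE", 28800),
    ("2023-03-01T09:30:00", "10.0.0.9", "aa:bb:cc:00:00:02", "DESKTOP-BOB", 28800),
    ("2023-03-01T12:00:00", "10.0.0.5", "aa:bb:cc:00:00:03", "LAPTOP-CAROL", 28800),  # 10.0.0.5 re-assigned
]
# AD security logon events (4624-style): (timestamp, user_name, source_ip)
AD_LOGONS = [
    ("2023-03-01T08:05:00", "alice", "10.0.0.5"),
    ("2023-03-01T09:35:00", "bob", "10.0.0.9"),
    ("2023-03-01T12:10:00", "carol", "10.0.0.5"),
]
# DNS query records to enrich: (timestamp, client_ip, queried_name)
DNS_RECORDS = [
    ("2023-03-01T10:15:42", "10.0.0.5", "www.example.com"),
    ("2023-03-01T10:20:00", "10.0.0.9", "cdn.example.net"),
    ("2023-03-01T10:25:00", "10.0.0.77", "example.org"),        # no lease or logon on file
    ("2023-03-01T12:05:00", "10.0.0.5", "update.example.net"),  # new lease, carol not logged on yet
    ("2023-03-01T13:00:00", "10.0.0.5", "kq3x8vlzp1.com"),
]


def parse_ts(text):
    return datetime.fromisoformat(text)


class EnrichmentIndex:
    """Per-IP, time-ordered indexes over DHCP and AD events, so that each DNS
    record is attributed to the device and user holding that IP *at that time*."""

    def __init__(self, dhcp_leases, ad_logons):
        self._lease_times = defaultdict(list)   # ip -> sorted lease start times
        self._leases = defaultdict(list)        # ip -> (start, mac, hostname, ttl) in the same order
        for ts, ip, mac, host, secs in sorted(dhcp_leases):
            self._lease_times[ip].append(parse_ts(ts))
            self._leases[ip].append((parse_ts(ts), mac, host, timedelta(seconds=secs)))
        self._logon_times = defaultdict(list)   # ip -> sorted logon times
        self._logons = defaultdict(list)        # ip -> (time, user) in the same order
        for ts, user, ip in sorted(ad_logons):
            self._logon_times[ip].append(parse_ts(ts))
            self._logons[ip].append((parse_ts(ts), user))

    def lease_at(self, ip, when):
        """Most recent lease of `ip` that started at or before `when`, if it is still valid."""
        i = bisect_right(self._lease_times[ip], when) - 1
        if i < 0:
            return None
        start, mac, host, ttl = self._leases[ip][i]
        if when > start + ttl:
            return None  # lease expired: attributing the IP would be a guess
        return {"start": start, "mac": mac, "hostname": host}

    def logon_at(self, ip, when):
        """Most recent AD logon from `ip` at or before `when`, as (time, user) or None."""
        i = bisect_right(self._logon_times[ip], when) - 1
        return None if i < 0 else self._logons[ip][i]

    def enrich(self, record):
        ts, ip, qname = record
        when = parse_ts(ts)
        lease = self.lease_at(ip, when)
        logon = self.logon_at(ip, when)
        user = None
        # A logon older than the current lease belongs to the IP's previous holder.
        if logon is not None and (lease is None or logon[0] >= lease["start"]):
            user = logon[1]
        return {
            "ts": ts, "client": ip, "qname": qname,
            "hostname": lease["hostname"] if lease else None,
            "mac": lease["mac"] if lease else None,
            "user": user,
        }


def enrich_all(dns_records, dhcp_leases=DHCP_LEASES, ad_logons=AD_LOGONS):
    index = EnrichmentIndex(dhcp_leases, ad_logons)
    return [index.enrich(r) for r in dns_records]


if __name__ == "__main__":
    for row in enrich_all(DNS_RECORDS):
        print(row)
```

The index is built once and each lookup is a binary search, which is what makes the join affordable at the query volumes described earlier. Leaving `hostname`, `mac` or `user` empty when no valid lease or logon exists is deliberate: a blank field tells the analyst that attribution is unknown, whereas a stale value would send the investigation to the wrong desk.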
Once it has been connected to the DNS log sources, our DNSEye product shows infected devices that are constantly trying to reach their command and control centre. These are suspicious activities that SOC teams need to analyze carefully.
DNSEye can also block a DNS tunnelling attack even before it starts.
In conclusion, collecting DNS logs from different and distributed sources is very easy with Roksit.