[Pdns-users] Efficient query logging

Brian Candler b.candler at pobox.com
Mon Apr 2 10:06:38 UTC 2018


I'm investigating how to monitor DNS queries as a source of security 
information for breach detection.  In the case of client machines, we 
can check the queries against a blacklist of known C&C or malware 
domains; in the case of servers, we know they should only be making 
outbound connections to a very limited set of domains, so we can 
highlight any queries outside of a restricted whitelist.

I notice that pdns-recursor has a log-dns-queries option, but the manual 
warns: "Only enable for debugging!"

I therefore wonder what approaches other people have taken to this 
problem.  Is it possible to do this efficiently within pdns itself, e.g. 
using LUA [^1]?  Should I put dnsdist in front [^2]? Or should I be 
passively sniffing the DNS query packets?

I am happy for a degree of local aggregation to be done: e.g. if the 
same client queries the same domain 100 times in a minute, then a single 
aggregate record rather than 100 separate logs is fine (probably 
preferable in fact).

On searching I came across these projects:

https://github.com/DNS-OARC/dsc
https://github.com/DNS-OARC/PacketQ
https://github.com/JustinAzoff/bro-pdns

Does anyone here have experience doing something similar, and what 
worked well?

Thanks,

Brian Candler.

[^1] https://doc.powerdns.com/recursor/lua-config/protobuf.html

[^2] I found these:

https://dnsdist.org/reference/protobuf.html
https://dnsdist.org/reference/dnstap.html



More information about the Pdns-users mailing list