[Pdns-users] Efficient query logging

Chris Stradtman chris.stradtman at geo.network
Mon Apr 2 10:13:31 UTC 2018


It's not PowerDNS-specific, but we have been using packetbeat for that sort
of work.

Chris Stradtman

On Mon, Apr 2, 2018 at 6:06 AM, Brian Candler <b.candler at pobox.com> wrote:

> I'm investigating how to monitor DNS queries as a source of security
> information for breach detection.  In the case of client machines, we can
> check the queries against a blacklist of known C&C or malware domains; in
> the case of servers, we know they should only be making outbound
> connections to a very limited set of domains, so we can highlight any
> queries outside of a restricted whitelist.
>
> I notice that pdns-recursor has a log-dns-queries option, but the manual
> warns: "Only enable for debugging!"
>
> I therefore wonder what approaches other people have taken to this
> problem.  Is it possible to do this efficiently within pdns itself, e.g.
> using Lua [^1]?  Should I put dnsdist in front [^2]? Or should I be
> passively sniffing the DNS query packets?
>
> I am happy for a degree of local aggregation to be done: e.g. if the same
> client queries the same domain 100 times in a minute, then a single
> aggregate record rather than 100 separate logs is fine (probably preferable
> in fact).
>
> On searching I came across these projects:
>
> https://github.com/DNS-OARC/dsc
> https://github.com/DNS-OARC/PacketQ
> https://github.com/JustinAzoff/bro-pdns
>
> Does anyone here have experience doing something similar, and what worked
> well?
>
> Thanks,
>
> Brian Candler.
>
> [^1] https://doc.powerdns.com/recursor/lua-config/protobuf.html
>
> [^2] I found these:
>
> https://dnsdist.org/reference/protobuf.html
> https://dnsdist.org/reference/dnstap.html
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
>
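Whichever export path is chosen (a Lua hook or protobuf stream from the recursor, dnstap or protobuf from dnsdist, packetbeat, or a passive sniffer), the consumer still has to do the two things the question asks for: collapse repeated queries per client and name into one record per time window, and match names against a blacklist (for client machines) or a whitelist (for servers). The script below is an added example, not code from the original post, from PowerDNS or from packetbeat. It assumes a constructed one-query-per-line format ("timestamp client qname qtype") and constructed policy sets; a real deployment would feed it tuples decoded from whatever export is in use, and the indicator lists would come from a threat feed and from the inventory of what each server is allowed to talk to.

```python
"""Aggregate DNS query log lines per minute and flag suspicious names.

Added example, not code from the PowerDNS project or the list posters.
It assumes a constructed log format: "<ISO-8601 UTC timestamp> <client IP>
<qname> <qtype>", one query per line. The blacklist, whitelist and server
network below are constructed policy data, not real indicators.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed policy data (assumed for the example, not real indicators).
CC_BLACKLIST = {"evil-c2.example", "malware-drop.example"}
SERVER_WHITELIST = {"updates.example.org", "repo.example.org", "ntp.example.org"}
SERVER_NETS = [ipaddress.ip_network("10.0.1.0/24")]  # assumed server subnet

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2018-04-02T10:00:01Z 10.0.2.15 www.example.com. A
2018-04-02T10:00:03Z 10.0.2.15 beacon.evil-c2.example. A
2018-04-02T10:00:05Z 10.0.2.15 beacon.evil-c2.example. A
2018-04-02T10:00:07Z 10.0.1.5 updates.example.org. A
2018-04-02T10:00:09Z 10.0.1.5 updates.example.org. AAAA
2018-04-02T10:00:11Z 10.0.1.5 x7f3a.exfil.example. TXT
2018-04-02T10:01:02Z 10.0.2.15 beacon.evil-c2.example. A
"""


def parse_line(line):
    """Split one log line into (datetime, ip_address, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    # Strip the trailing dot and lowercase so suffix matching is reliable.
    qname = qname.rstrip(".").lower()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ipaddress.ip_address(client), qname, qtype


def domain_matches(qname, domains):
    """True if qname equals, or is a subdomain of, any name in `domains`."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def aggregate(lines, window_seconds=60):
    """Collapse repeated (client, qname, qtype) within a window into one count."""
    counts = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        when, client, qname, qtype = parse_line(raw)
        bucket = int(when.timestamp()) // window_seconds * window_seconds
        counts[(bucket, client, qname, qtype)] += 1
    return counts


def is_server(client):
    return any(client in net for net in SERVER_NETS)


def find_alerts(counts):
    """Apply the two policies: whitelist for servers, blacklist for clients."""
    alerts = []
    for (bucket, client, qname, qtype), n in sorted(counts.items()):
        if is_server(client):
            if not domain_matches(qname, SERVER_WHITELIST):
                alerts.append(("server-unexpected", bucket, str(client), qname, n))
        elif domain_matches(qname, CC_BLACKLIST):
            alerts.append(("client-blacklisted", bucket, str(client), qname, n))
    return alerts


def analyse(log_text):
    """Return one alert tuple per (window, client, qname) that violates policy."""
    return find_alerts(aggregate(log_text.splitlines()))


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

Note that the whitelist check deliberately treats any name that is not under an allowed suffix as an alert, so a single typo in the server inventory shows up immediately rather than being silently dropped; the blacklist check matches on suffix so that per-beacon hostnames under a known C&C zone are caught without listing each one.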
