I'm investigating how to monitor DNS queries as a source of security information for breach detection.  In the case of client machines, we can check the queries against a blacklist of known C&C or malware domains; in the case of servers, we know they should only be making outbound connections to a very limited set of domains, so we can highlight any queries outside of a restricted whitelist.

I notice that pdns-recursor has a log-dns-queries option, but the manual warns: "Only enable for debugging!"

I therefore wonder what approaches other people have taken to this problem.  Is it possible to do this efficiently within pdns itself, e.g. using LUA [^1]?  Should I put dnsdist in front [^2]? Or should I be passively sniffing the DNS query packets?

I am happy for a degree of local aggregation to be done: e.g. if the same client queries the same domain 100 times in a minute, then a single aggregate record rather than 100 separate logs is fine (probably preferable in fact).

On searching I came across these projects:

https://github.com/DNS-OARC/dsc
https://github.com/DNS-OARC/PacketQ
https://github.com/JustinAzoff/bro-pdns

Does anyone here have experience doing something similar, and what worked well?

Thanks,

Brian Candler.

[^1] https://doc.powerdns.com/recursor/lua-config/protobuf.html

[^2] I found these:

https://dnsdist.org/reference/protobuf.html
https://dnsdist.org/reference/dnstap.html
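To make the aggregation and list-checking described in the question concrete, here is an added Python example; it is not code from the post, from PowerDNS or from any of the projects linked above. It assumes some upstream decoder (the recursor's protobuf export, or dnstap from dnsdist) has already turned each query into a (timestamp, client, qname, qtype) record, so it does not parse either wire format. Repeated lookups of the same name by the same client within a window collapse into one record with a count, and each record is then checked against a blocklist (any client) or, for hosts with a known set of destinations, against a per-host allowlist. The list entries and the sample queries are constructed placeholders.

```python
"""Aggregate decoded DNS query records and flag the ones worth alerting on.

The Query records below stand in for whatever the protobuf/dnstap decoder
emits; the field names are this example's own, not the exporters'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: float      # UNIX timestamp of the query
    client: str    # source address as seen by the resolver
    qname: str     # queried name; case-insensitive, trailing dot optional
    qtype: str     # e.g. "A", "AAAA"


def normalize(qname: str) -> str:
    return qname.rstrip(".").lower()


def domain_suffixes(qname: str):
    """Yield the name and each of its parent domains, most specific first."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches(qname: str, domains: set) -> bool:
    """True if the name itself or any parent domain is in the set."""
    return any(s in domains for s in domain_suffixes(qname))


def aggregate(queries, window: int = 60):
    """Collapse repeats of (client, qname, qtype) inside a time window into one record."""
    buckets = {}
    for q in queries:
        window_start = int(q.ts) // window * window
        key = (window_start, q.client, normalize(q.qname), q.qtype)
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {
                "window_start": window_start, "client": q.client,
                "qname": key[2], "qtype": q.qtype, "count": 1,
                "first_seen": q.ts, "last_seen": q.ts,
            }
        else:
            rec["count"] += 1
            rec["first_seen"] = min(rec["first_seen"], q.ts)
            rec["last_seen"] = max(rec["last_seen"], q.ts)
    return sorted(buckets.values(),
                  key=lambda r: (r["window_start"], r["client"], r["qname"], r["qtype"]))


def classify(record, blocklist: set, server_allowlists: dict) -> str:
    """blocklist: domains no host should resolve (known C&C / malware).
    server_allowlists: {client: set(domains)} for hosts whose outbound
    destinations are known; anything outside the set is flagged. Hosts not
    in the dict are only checked against the blocklist."""
    if matches(record["qname"], blocklist):
        return "blocklisted"
    allowed = server_allowlists.get(record["client"])
    if allowed is not None and not matches(record["qname"], allowed):
        return "not-allowlisted"
    return "ok"


def review(queries, blocklist: set, server_allowlists: dict, window: int = 60):
    """Aggregate, classify, and return only the records that need attention."""
    alerts = []
    for rec in aggregate(queries, window):
        verdict = classify(rec, blocklist, server_allowlists)
        if verdict != "ok":
            alerts.append({**rec, "verdict": verdict})
    return alerts


# Constructed sample data (placeholders, not real indicators): a workstation
# repeating one lookup 100 times in a minute plus one blocklisted lookup, and
# a server that should only ever resolve names under example.org.
BLOCKLIST = {"c2.example.net"}
SERVER_ALLOWLISTS = {"10.0.1.20": {"example.org"}}
SAMPLE = (
    [Query(1699999980 + i * 0.5, "10.0.0.5", "www.example.com.", "A") for i in range(100)]
    + [Query(1700000030, "10.0.0.5", "beacon.c2.example.net", "A"),
       Query(1700000040, "10.0.1.20", "repo.example.org", "AAAA"),
       Query(1700000041, "10.0.1.20", "paste.example.com", "A")]
)

if __name__ == "__main__":
    for rec in aggregate(SAMPLE):
        print(rec["window_start"], rec["client"], rec["qname"], rec["qtype"], "x%d" % rec["count"])
    for alert in review(SAMPLE, BLOCKLIST, SERVER_ALLOWLISTS):
        print("ALERT", alert["verdict"], alert["client"], alert["qname"], "x%d" % alert["count"])
```

Suffix matching is used deliberately so that a list entry for a registered domain also covers hostnames under it; the aggregation key includes the query type, so an A and an AAAA lookup for the same name stay separate records.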

_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users
