Enable DNS Logs
Domain Name System (DNS) logs are a record of the queries and responses handled by a network's resolvers. They capture details such as the domain names queried, the IP addresses returned, the timestamps of the queries, and the devices making the requests. These logs help identify suspicious activity, such as attempts to resolve malicious domains or unusual spikes in DNS traffic; they also help diagnose network issues by providing insight into DNS resolution problems, showing whether domain resolution failures are caused by network issues. Using these logs as part of your monitoring routine gives you visibility into the performance and efficiency of DNS queries, helping to optimize network performance and reduce latency.
AWS: Enable DNS Logs
If you provided an S3 bucket during the stack creation from the CloudFormation template in the previous section, the template creates that S3 bucket as the destination for the Route 53 query logs. The VPCs that are monitored for DNS query logs must be added manually.
Procedure
Step 1
In the AWS console, go to Route 53 Query Logging.
Step 2
Select the query logger created by the template. Locate the logger with the prefix name provided in the template.
Step 3
Select all the VPCs for which you want to get traffic insights and click Add.
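Once query logs land in the bucket, the detection uses described at the top of this page (denylisted domains, failure spikes, resolution problems) can be checked directly against the exported records. The following is an added example, not part of this documentation or the Multicloud Defense product: it parses constructed JSON lines shaped like Route 53 Resolver query logs (field names such as query_name, srcaddr and rcode are assumed; the addresses, domains and the denylist are made up), flags queries to denylisted domains or their subdomains, flags sources with heavy NXDOMAIN churn, and tallies response codes.

```python
import json
from collections import Counter

# Constructed sample lines shaped like Route 53 Resolver query logs (one JSON object per
# line). Field names are assumed from that format; values are invented for the example.
SAMPLE_LOG = """\
{"query_timestamp":"2024-01-01T10:00:00Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.10","query_name":"updates.example.com.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:01Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.10","query_name":"beacon.bad-c2.example.net.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:02Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.22","query_name":"a1b2c3.example.org.","query_type":"A","rcode":"NXDOMAIN"}
{"query_timestamp":"2024-01-01T10:00:03Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.22","query_name":"d4e5f6.example.org.","query_type":"A","rcode":"NXDOMAIN"}
{"query_timestamp":"2024-01-01T10:00:04Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.22","query_name":"g7h8i9.example.org.","query_type":"A","rcode":"NXDOMAIN"}
{"query_timestamp":"2024-01-01T10:00:05Z","vpc_id":"vpc-0example","srcaddr":"10.0.1.10","query_name":"mail.example.com.","query_type":"MX","rcode":"SERVFAIL"}
this line is not JSON and must be skipped rather than crash the job
"""

# Constructed denylist (hypothetical domain, fully qualified with a trailing dot).
DENYLIST = {"bad-c2.example.net."}

def normalize(name):
    """Lower-case a query name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def is_denylisted(name, denylist):
    """True if the name itself or any parent domain appears in the denylist."""
    labels = normalize(name).rstrip(".").split(".")
    return any(".".join(labels[i:]) + "." in denylist for i in range(len(labels)))

def parse_lines(text):
    """Yield one record per well-formed JSON line; malformed lines are ignored."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def analyze(text, denylist=DENYLIST, nxdomain_threshold=3):
    """Return denylisted hits, sources at or above the NXDOMAIN threshold, and rcode counts."""
    hits, nxdomain_by_src, rcodes = [], Counter(), Counter()
    for rec in parse_lines(text):
        name, src, rcode = normalize(rec.get("query_name", "")), rec.get("srcaddr"), rec.get("rcode")
        rcodes[rcode] += 1
        if is_denylisted(name, denylist):
            hits.append((src, name))
        if rcode == "NXDOMAIN":
            nxdomain_by_src[src] += 1
    heavy = {s: n for s, n in nxdomain_by_src.items() if n >= nxdomain_threshold}
    return {"denylisted": hits, "nxdomain_heavy": heavy, "rcodes": dict(rcodes)}
```

Tune nxdomain_threshold to your environment's normal NXDOMAIN rate per source before treating the count as a finding.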
GCP: Enable DNS Logs
To enable GCP DNS query logs, follow the steps below.
Procedure
Step 1
Navigate to VPC network in the GCP console.
Step 2
Open Google Cloud Shell and execute this command: gcloud dns policies create POLICY_NAME --networks=NETWORK --enable-logging
Step 3
Navigate to the Cloud Storage section and create a storage bucket. You can leave everything at its default when creating the storage bucket.
Step 4
Navigate to the Logs Router section.
Step 5
Click Create Sink.
Step 6
Provide a sink name.
Step 7
Select "Cloud Storage bucket" as the sink service.
Step 8
Select the Cloud Storage bucket that was created above.
Step 9
In the "Choose logs to include in sink" section, put in this string:
Note: The following steps are the same as those in the VPC flow log procedure for GCP. If you are sharing a Cloud Storage bucket, you only need to perform the steps below once.
Step 10
Click Create Sink.
Step 11
Navigate to .
Step 12
Create a custom role with this permission: storage.buckets.list.
Step 13
Create another custom role with the following permissions: storage.buckets.get, storage.objects.get, storage.objects.list.
Step 14
Add both custom roles to the service account created for Multicloud Defense Controller. When adding the second custom role, put this condition:
Step 15
Navigate to Pub/Sub.
Step 16
Click Create Topic.
Step 17
Provide a topic name and click Create.
Step 18
Click Subscriptions. You will find that a subscription was created for the topic you just created.
Step 19
Edit the subscription.
Step 20
Change the Delivery type to Push.
Step 21
Once Push is selected, enter the endpoint URL:
Step 22
Click Update.
Step 23
Create a Cloud Storage notification by opening Google Cloud Shell and executing this command:
Azure: DNS Logs
Azure currently does not expose DNS query logs. Multicloud Defense Controller cannot enable DNS logs for this cloud service provider.