Splunk Lantern

Monitoring full DNS transaction data

 

DNS data plays a critical role in troubleshooting and security monitoring. Because of this, DNS query logs are among the most important data types ingested into the Splunk platform.

The typical method for obtaining DNS data in the Splunk platform is by ingesting DNS query logs. While you might already be monitoring DNS queries, these logs usually offer limited information and lack crucial data such as answers (for example, A, AAAA, MX, CNAME, and PTR records), TTL caching values, and latency information.

Obtaining DNS responses for use with the Splunk platform isn’t always straightforward. It usually requires installing additional software and making complex configuration changes. As a result, many people choose to work only with request data, leaving a significant security gap.

Ingesting both DNS request and DNS response data into the Splunk platform provides you with a full view of DNS transactions and helps you to gain deeper insights. Additionally, most of the required fields from the Network Resolution (DNS) Common Information Model can only be filled if response data is also ingested.

The table below illustrates the various DNS fields captured in request and response logs. By understanding which fields are available in requests versus responses, you can better appreciate the additional insights gained from capturing DNS response data.

Field                   | Requests | Responses | Comment
------------------------|----------|-----------|---------------------------------------------------------------
additional_answer_count |          | +         |
answer                  |          | +         |
answer_count            |          | +         |
authority_answer_count  |          | +         |
dest                    | +        |           |
dest_port               | +        |           |
duration                |          | +         |
message_type            | +        |           |
query                   | +        |           |
query_count             | +        |           |
query_type              | +        |           |
record_type             |          | +         |
reply_code              |          | +         | NoError, FormErr, ServFail, NXDomain, NotImp, Refused, YXDomain, YXRRSet, NotAuth, NotZone, BADVERS, BADSIG, BADKEY, BADTIME, BADMODE, BADNAME, BADALG, unknown
reply_code_id           |          | +         |
response_time           |          | +         |
src                     | +        |           |
src_port                | +        |           |
transaction_id          | +        |           |
transport               | +        |           | TCP or UDP
ttl                     |          | +         |
DNS Flags               |          | +         |
DNS length              |          | +         |

Data required

DNS data

Preparation

When running this procedure, make sure that the changes you implement do not disrupt DNS resolution or degrade the overall DNS service. To mitigate this risk, consider leaving the DNS server itself unchanged and recording network traffic instead. There are several approaches to achieve this:

  • Capture data directly on the host system where the DNS server runs.
  • Use a network switch with a mirror port or a TAP device.
  • Import previously captured DNS data from tools like tcpdump or Wireshark, which is especially useful for ad hoc troubleshooting.

Procedure

There are two approaches you can take to ingest DNS query and response data:

  • For a comprehensive solution, you can install Splunk App for Stream.
  • For a more lightweight solution, you can use tshark or tcpdump to produce a DNS log suitable for ingestion and use the DNS Insight app. Tcpdump is an open-source tool available for Linux and is typically pre-installed. For Windows, tshark (a command-line tool from the Wireshark package) can be used. Both tools are well-tested and highly performant.
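As an added illustration (not code from this article, Splunk, or the DNS Insight app) of what the response side of a transaction contributes, the following stdlib-only Python parses a raw DNS message, such as the UDP payload tcpdump or tshark would hand you, and emits the fields from the table above under their CIM names. The two packets are constructed samples (transaction ID 0x1234, answer 192.0.2.1), and the CIM field names are assumed from the table, not from any Splunk add-on.

```python
import struct

# Reply-code and record-type names, as used by the Network Resolution CIM fields
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
QTYPES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}

def read_name(buf, off):
    """Decode a DNS name at buf[off], following RFC 1035 compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if not jumped:
                end = off + 2                       # caller resumes after the pointer
            off, jumped = ((ln & 0x3F) << 8) | buf[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_dns(buf):
    """Return the CIM-style fields one DNS message carries; only responses yield answers."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    qname, off = read_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4]); off += 4
    rec = {"transaction_id": tid,
           "message_type": "Response" if flags & 0x8000 else "Query",
           "query": qname, "query_type": QTYPES.get(qtype, str(qtype)),
           "query_count": qd, "answer_count": an,
           "authority_answer_count": ns, "additional_answer_count": ar}
    if rec["message_type"] == "Response":           # fields a request log can never contain
        rec["reply_code_id"] = flags & 0x000F
        rec["reply_code"] = RCODES.get(flags & 0x000F, "unknown")
        rec["answer"], rec["ttl"] = [], []
        for _ in range(an):
            _name, off = read_name(buf, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
            rdata = buf[off:off + rdlen]; off += rdlen
            if rtype in (1,):                       # A record: dotted quad
                rec["answer"].append(".".join(str(b) for b in rdata))
            elif rtype in (5, 12):                  # CNAME / PTR: a (possibly compressed) name
                rec["answer"].append(read_name(buf, off - rdlen)[0])
            rec["ttl"].append(ttl)
    return rec

# Constructed sample packets: a query for example.com/A and its matching response
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
QUERY = bytes.fromhex("123401000001000000000000") + QUESTION
RESPONSE = (bytes.fromhex("123481800001000100000000") + QUESTION
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Running parse_dns on QUERY yields only the request-side columns of the table, while RESPONSE adds reply_code, answer, ttl and the three answer counts.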

Next steps

If you need further guidance or support, Computacenter can help. Computacenter is a leading independent technology partner, trusted by large corporate and public sector organizations. We help our customers to source, transform and manage their IT infrastructure to deliver digital transformation, enabling people and their business.

Computacenter offers a scalable Splunk service that supports the entire project cycle - from strategy, consulting and design to development, integration and lifecycle services and the operation of a Splunk environment. In the Strategy & Consulting division, consultants contribute their comprehensive expertise from various industries such as banking and finance, chemical/pharmacy, automotive and domains such as security, datacenter, software development and cloud, and combine this with special knowledge from the Splunk, SIEM, SOAR, analytics, and Cyber Defence sectors. The Centre of Excellence offers all project components from a single source and ensures success for the customer.

The user- and community-generated information, content, data, text, graphics, images, videos, documents and other materials made available on Splunk Lantern is Community Content as provided in the terms and conditions of the Splunk Website Terms of Use, and it should not be implied that Splunk warrants, recommends, endorses or approves of any of the Community Content, nor is Splunk responsible for the availability or accuracy of such. Splunk specifically disclaims any liability and any actions resulting from your use of any information provided on Splunk Lantern.