RA1106: Access External Dns Logs

Summary

ID	RA1106
Brief Description	Make sure you have access to external communication DNS logs
Author	@atc_project
Creation Date	2020/05/06
Requirements	MS_dns_server DN_zeek_dns_log
References	https://github.com/gamelinux/passivedns https://drive.google.com/drive/u/0/folders/0B5BuM3k0_mF3LXpnYVUtU091Vjg
Response Stage	Preparation

Description

Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured. If there is no option to configure it on a network device/DNS Server, you can install a special software on each endpoint and collect it from them.

Warning:

• Make sure that there are both DNS query and answer logs collected. It's quite hard to configure such a collection on MS Windows DNS server and ISC BIND. Sometimes it much easier to use 3rd party solutions to fulfill this requirement.
• Make sure that DNS traffic to the external (public) DNS servers is blocked by the Border Firewall. This way, corporate DNS servers is the only place assets can resolve the domain names.