Keeping DNS Logs
  • Keeping DNS Logs

    Hi

    After reading a recent Petri newsletter I was considering enabling monitoring of our DNS servers through the Log files. I've never enabled this before and was wondering what other people's experience of this was.

    In particular I would like to know if these logs can become unwieldy (we have 4 servers and 35 clients - most of the clients use the net a fair amount). By this I mean do they increase in size very quickly, so should I set a high maximum log size in the DNS Properties box, and will including 'Details' be excessive?



    Thanks
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: Keeping DNS Logs

    I wonder why you would enable it, other than for troubleshooting?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Keeping DNS Logs

      Yes - that is true. I'm just curious at the moment and my time is limited, so I was hoping for a little feedback from those in the know.


      • #4
        Re: Keeping DNS Logs

        Originally posted by Blood:
        Yes - that is true. I'm just curious at the moment and my time is limited, so I was hoping for a little feedback from those in the know.
        I only enable for troubleshooting and reset when I'm done.


        • #5
          Re: Keeping DNS Logs

          I can think of a couple of reasons why enabling persistent logging for DNS would be desirable... Security for one and instrumentation for another - who looks up what and how often is valuable information.

          I wouldn't use the diagnostic logging for this though. Windows DNS doesn't lend itself to decent logging for anything other than diagnostics/troubleshooting. The log files can quickly become unwieldy and a few hosts with malware can cause all sorts of traffic which will quickly fill a disk unless you cap the log size - at which point you kinda defeat the purpose of logging traffic...

          *my $.02

          There are third party tools out there that do this and log to a DB or log host.
          Rules of life:
          1. Never do anything that requires thinking after 2:30 PM
          2. Simplicity is godliness
          3. Scale with extreme prejudice


          I occasionally post using a savantphone, so please don't laugh too hard at the typos...



          • #6
            Re: Keeping DNS Logs

            Thanks - that was the sort of info I was after. My experience with Windows Event logs is that if you cap the size and set them to overwrite, all it takes is some application spamming the logs and you lose loads of info. I have no idea how much information the Windows DNS logs compile, so writing to an external DB seems like a good idea.

            As you point out, and as the Petri newsletter said, getting an idea of 'normal' usage is valuable if you do need to troubleshoot so that you can identify 'aberrations'.

            Any recommendations for a 3rd party tool that logs DNS data?


            • #7
              Re: Keeping DNS Logs

              Originally posted by Blood:
              Thanks - that was the sort of info I was after. My experience with Windows Event logs is that if you cap the size and set them to overwrite, all it takes is some application spamming the logs and you lose loads of info. I have no idea how much information the Windows DNS logs compile, so writing to an external DB seems like a good idea.

              As you point out, and as the Petri newsletter said, getting an idea of 'normal' usage is valuable if you do need to troubleshoot so that you can identify 'aberrations'.

              Any recommendations for a 3rd party tool that logs DNS data?


              No, sorry... I don't have first-hand experience with any of the third-party tools available.


              • #8
                Re: Keeping DNS Logs

                Still, IMHO those log files are meant for debugging; it's even mentioned in the description that its purpose is for debugging: "To assist with debugging". And it also states "Debug logging is disabled by default", probably for a reason. Debug logging can be really resource intensive, so I would be really careful with it.
                Also, this is what you can select, so make sure you really enable only what you really seem to need: http://technet.microsoft.com/en-us/l...(v=ws.10).aspx


                However, if you insist on using this logging, check out Splunk.
                http://stratumsecurity.com/2012/07/03/splunk-security/
                Marcel


                • #9
                  Re: Keeping DNS Logs

                  Thanks a lot. That's very useful.


                  • #10
                    Re: Keeping DNS Logs

                    I think we all agree the built-in logging capabilities are best avoided for long-term monitoring of Windows DNS activity, but that doesn't diminish the usefulness of capturing this data. Unfortunately this leaves us with expensive third party packages or solutions we engineer ourselves.

                    Splunk is very cool and we use it to capture security logs and trigger alarms on events. I'd love to use it for DNS, but in my environment I can capture a 50MB DNS log in a matter of 20-30 minutes, depending on where the DC is located... This makes Splunk costly since their licensing is based on aggregated data volumes. This may not be true for smaller environments where traffic is reasonable, and if that's the case, maybe scripting a solution which uses netmon/pcap/Splunk would be something you want to do... I'm not sure how much time you have to spend on it, but this article might be a good jumping off point if you want to follow the path of building something yourself:

                    http://blogs.technet.com/b/netmon/ar...px?PageIndex=2

                    Scaling a solution like that will be a challenge, and not knowing your environment, I couldn't even begin to say if this is something you might want to pursue. I would think for <10 or so DCs and a few thousand clients it shouldn't be any problem... Above that, it might take a deal of effort to set up and carry a significant technical debt.


                    @dumber: I don't mean to sound contrary, but monitoring DNS traffic should be a fairly high priority for any engineer/admin/itsec_thug
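The "build something yourself" path from #10 and the baseline-versus-aberration idea from #6 can start much smaller than netmon/pcap: parse the Windows DNS debug log (Dns.log) itself, count queries per client, and flag hosts that behave nothing like the rest, which is exactly the "few hosts with malware" case #5 describes. The following is an added example, not code from the thread or from Microsoft; the packet-line layout it parses follows the "Message logging key" header the DNS server writes at the top of its debug log, and the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter
from statistics import median

# One packet line of the DNS Server debug log, fields per its "Message logging key":
# Date Time ThreadID Context PacketID Proto Snd/Rcv RemoteIP Xid [R] Opcode [Flags Chars Rcode] QType QName
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<tid>[0-9A-Fa-f]+) PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+"
    r"(?P<resp>R)?\s*(?P<opcode>[QNU?]) \[(?P<flags>[0-9a-fA-F]+)\s+(?P<fchars>[ATDR]*)\s+"
    r"(?P<rcode>\w+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)")

def decode_qname(label_form):
    """Turn the log's length-prefixed '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(t for n, t in re.findall(r"\((\d+)\)([^(]*)", label_form) if int(n))

def parse_log(lines):
    """Yield one dict per packet line; header, summary and blank lines are skipped."""
    for line in lines:
        m = PACKET_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = decode_qname(rec["qname"])
            yield rec

def client_stats(records):
    """Per client IP: queries received from it, and NXDOMAIN answers sent back to it."""
    queries, nxdomain = Counter(), Counter()
    for r in records:
        if r["dir"] == "Rcv" and not r["resp"]:
            queries[r["ip"]] += 1
        elif r["dir"] == "Snd" and r["resp"] and r["rcode"] == "NXDOMAIN":
            nxdomain[r["ip"]] += 1
    return queries, nxdomain

def aberrant_clients(queries, nxdomain, factor=4):
    """Clients sending > factor x the median client's queries, or with NXDOMAIN on more than half."""
    base = median(queries.values()) if queries else 0
    return sorted(ip for ip, n in queries.items() if n > factor * base or nxdomain[ip] * 2 > n)

# Constructed sample (assumed values): two quiet clients plus one host churning through
# names that do not exist, the pattern a malware-infected machine tends to produce.
def _line(direction, ip, xid, resp, rcode, qname):
    return (f"3/10/2014 2:33:19 PM 0A24 PACKET  0000000002F4E6E0 UDP {direction} {ip:<15} "
            f"{xid:04x} {'R' if resp else ' '} Q [{'8081' if resp else '0001'}   "
            f"{'DR' if resp else 'D'}   {rcode}] A      {qname}")

SAMPLE_LOG = [_line("Rcv", "10.1.1.5", 2, False, "NOERROR", "(3)www(7)example(3)com(0)"),
              _line("Snd", "10.1.1.5", 2, True, "NOERROR", "(3)www(7)example(3)com(0)"),
              _line("Rcv", "10.1.1.6", 3, False, "NOERROR", "(4)mail(7)example(3)com(0)"),
              _line("Snd", "10.1.1.6", 3, True, "NOERROR", "(4)mail(7)example(3)com(0)")]
for i in range(10):  # the noisy host: ten queries, every one answered NXDOMAIN
    name = f"(8)h{i:07d}(3)net(0)"
    SAMPLE_LOG += [_line("Rcv", "10.1.1.9", 0x100 + i, False, "NOERROR", name),
                   _line("Snd", "10.1.1.9", 0x100 + i, True, "NXDOMAIN", name)]
```

Run over a real Dns.log with `aberrant_clients(*client_stats(parse_log(open(path))))`; the per-client counters are small enough to ship to a DB or log host on a schedule instead of keeping the raw debug log, which is the capped-log trade-off #5 warns about.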


                    • #11
                      Re: Keeping DNS Logs

                      I work with a very small network: 2 DCs, 2 member servers and 35 clients.

                      Thanks again for the useful insights.