Query Logging and Reporting
This article discusses the significance and difference between query logging and reporting. In short, query logging is one of the major ways for a DNS system to produce raw data on what questions are asked, while reporting is the organization and transformation of that raw data into humanly readable formats.
Although this may sound like a boring topic, it is actually an essential part of providing a secure computing environment, as we will discuss below.
Query and Response Logging
As a DNS server sends queries (“What is the AAAA record of www.example.com?”) to other DNS servers, it can keep a copy of these queries. Retaining queries in this manner can be useful when troubleshooting DNS-related issues. In addition, the information can be processed later to generate reports with information such as “What was the most queried domain name in the last hour?”. System log or syslog is typically the mechanism to record this query information, a process known as query logging.
Similarly, as a DNS server receives answers (“IPv6 address of www.example.com is 2606:2800:220:1:248:1893:25c8:1946”), in addition to sending the answers back to the client, that server could also keep a copy of the answer for later analysis or to aid in troubleshooting. It can use the same mechanism as query logging by storing this information in logs, which is known as response logging.
While query and response logging provide additional information that may be useful for troubleshooting and analytics, both processes add significantly more I/O (Input/Output) load to the DNS servers and are typically disabled by default in operational environments. In the case of query logging, every outbound query sent by the DNS server translates to (eventually) another write-operation to the disk. This load is even heavier when response logging is enabled, since the responses could be very large in size (see examples in Is DNS TCP or UDP). This additional load can be hard to bear for I/O resource-limited hosts, such as a virtual machine.
There are other types of DNS logging categories, such as RPZ logging, DNSSEC logging, zone transfer logging, and load-balancing logging. Some of these options are vendor-dependent, but they all have the same performance penalty as query and response logging.
Analytics and Reporting
After enabling logging, that information doesn’t provide much value just sitting on the DNS server itself in syslog. For administrators to take advantage of the information, it must be collected and analyzed centrally, to correlate with logging information from other DNS servers. Syslog is one of the most popular ways to record and transport this information to a central location.
Once the information has been collected and stored centrally, it essentially becomes a database that can be used as the source to form various reports. There are products that can parse the log messages and perform syntax analysis to form reports, Splunk is a popular commercial product that can do this, though there are many others. Some products may convert the raw log messages into actual entries in a relational database for easier management and searching.
Good reporting is essential to system monitoring and maintenance. For example, having two (2) reports side-by-side – one showing the number of outbound DNS queries, one showing the CPU usage on the DNS server – could be very useful in helping a system administrator to determine whether or not the DNS server has sufficient computing resources allocated. Similarly, administrators can generate historical usage reports, such as “Show DNS daily average in the last 12 months,” and spot whether or not there has been a steady increase in the volume of traffic. Such information would be very valuable in cases where an organization was considering a system upgrade.
A good reporting engine should allow users the flexibility to custom-define new parameters to generate new reports easily, such as “What is the most queried domain name between last Tuesday and Wednesday?” Or “What are the top 10 DNS query-generating devices?”
Why Is Reporting Important?
Analytics and reporting are essential to security, and even seemingly boring data like DNS queries can be a very good indicator of the security threats that lurk inside of your network. Reporting might reveal easily recognized symptoms, such as “one laptop is making excessive amounts of DNS queries?”. But reporting’s true power is revealed when DNS is hooked up to RPZ in the backend. RPZ enables DNS to stop answering for known malicious domains or IP addresses. When this information is made available in reporting, one can answer questions such as: “Which devices queried for known malware domains yesterday?” and take action on that information. Better yet, take action faster through security automation.