There are few things more important to the operation of the Internet than DNS. We rely on DNS to translate enigmatic, numeric IP addresses into easy-to-remember website names, to make navigating the Internet possible. Although DNS is a very mature technology — having been an invaluable Internet service since 1985 — it still has some vulnerabilities. DNS was designed during an era when cyberattacks were unheard of, and, consequently, network security was of little or no concern.

In today’s connected world, network-ready, DNS-dependent devices are ubiquitous. The attacks that are mounted against them are equally ubiquitous. Attackers frequently use DNS for data theft, denial-of-service, and other malicious activity. Without DNS logging, some security breaches could go completely undetected, until the — potentially irreparable — consequences of such a breach are felt days or weeks later.

Security advantages of DNS logging

Collecting and analyzing DNS logs can provide more visibility on the use of this common technology, thus helping to increase the security of an organization's network. Some advantages of collecting DNS logs are:

  • Network administrators can quickly detect and respond to cyberattacks by proactively monitoring DNS audit logs.
  • Forwarding DNS logs to a SIEM allows breaches to be quickly detected, thus reducing the response time needed for mending security holes and deploying countermeasures.
  • With an effective log strategy that forwards quality event data to a SIEM, the brunt of intrusion detection can be automated. Security operations center (SOC) personnel have more time to analyze suspicious alerts and proactively work on security tasks.

Advantages of aggregating DNS logs

Aggregating DNS logs using a centralized log collection strategy, while filtering out low-quality events, can significantly boost threat detection efficiency. Some benefits of this approach are:

  • The cost of storage and processing is reduced since filtering drops the majority of events that are of little or no security interest.
  • Understanding and contextualizing events is much easier when streams of events are sent to a centralized logging location.
  • GDPR and other compliance obligations are more easily fulfilled. Filter and securely forward specific events — necessary for compliance — to a secure storage location for archival.

How NXLog Enterprise Edition can help with DNS monitoring

NXLog Enterprise Edition provides several unique features for collecting, aggregating, and processing DNS logs:

Log collection infrastructure with NXLog

NXLog offers seamless integration with a wide variety of log sources and output formats used by popular log analysis solutions.

DNS log collection and forwarding to SIEMs and LMs

Whether the goal is threat detection or threat intelligence, expanding your organization’s log collection footprint and capabilities will improve your metrics in these areas.
  • Instead of relying on two Beats (Filebeat and Winlogbeat), use just one NXLog configuration instance as the log collector for both Linux and Windows DNS servers.
  • NXLog can be configured as a collector for Graylog, by acting as a forwarding agent on the client machine and sending messages to a Graylog node.
  • Collect and forward DNS logs to IBM Security QRadar SIEM and utilize its analytics, correlation rules, and dashboard features. See the IBM PartnerWorld Global Solutions page.
  • NXLog is a Technology Alliance partner with Splunk. Collect DNS logs from Windows and Linux, and forward them to Splunk products, including Splunk Enterprise and Splunk Cloud.
  • Normalize DNS logs to CEF. A Partner Product of choice with RSA NetWitness, NXLog is part of the RSA Ready Technology Partner network. See the RSA Integrations page.
  • Use NXLog to collect DNS logs from Microsoft DNS and other raw logs, such as BIND 9 logs, and forward them to Rapid7 InsightIDR.
  • NXLog is part of the McAfee Security Innovation Alliance Partner Directory. Set up centralized DNS log collection for processing with the McAfee Enterprise Security Manager SIEM Suite.
  • Generate and parse data in the Common Event Format (CEF) used by ArcSight products, including Enterprise Security Manager (ESM).
  • FireEye Threat Analytics Platform integration with NXLog allows correlating indicators against FireEye Threat Intelligence.
  • Securonix is a provider of SIEM and EUBA solutions for cyber-threat detection. NXLog is part of the Securonix Fusion Partners Directory.
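As an added example (constructed here, not taken from this page or from NXLog's own documentation), the following NXLog configuration shows the approach described above for a BIND 9 query log on Linux: collect the raw log, drop low-interest events before they leave the host, normalize to CEF, and forward to a SIEM over TLS. The log file path, the SIEM hostname, the internal zone name and the sample log line are assumptions.

```nxlog
# Added example: BIND 9 query log -> filter -> CEF -> SIEM (assumed names throughout)
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension cef>
    Module      xm_cef
</Extension>

<Input bind_queries>
    Module      im_file
    File        "/var/log/named/query.log"      # assumed BIND 9 query log path
    <Exec>
        # Constructed sample line this regex is written against:
        # 12-Mar-2021 10:15:02.123 queries: info: client @0x7f5e1c0a8f80 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
        if $raw_event =~ /client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#(\d+) \(([^)]+)\): query: (\S+) IN (\S+) (\S+)/
        {
            $SourceAddress = $1;
            $SourcePort    = $2;
            $QueryName     = $4;
            $QueryType     = $5;
            $QueryFlags    = $6;
        }
        else drop();                             # not a query line: no security value here

        # Filtering step: drop reverse lookups and routine queries for the
        # organization's own zone (corp.example is an assumed zone name) to
        # cut volume before forwarding; everything else goes to the SIEM.
        if $QueryType == "PTR" or $QueryName =~ /\.corp\.example\.?$/ drop();
    </Exec>
</Input>

<Output siem>
    Module      om_ssl
    Host        siem.example.internal            # assumed SIEM collector
    Port        6514
    CAFile      /etc/nxlog/siem-ca.pem           # assumed CA used to verify the SIEM
    # Normalize the parsed fields to CEF and wrap in RFC 5424 syslog for transport
    Exec        $Message = to_cef(); to_syslog_ietf();
</Output>

<Route dns>
    Path        bind_queries => siem
</Route>
```

The two `drop()` calls are where the "filter out low-quality events" step from the aggregation section lives; tune the zone pattern and record types to what your SIEM correlation rules actually consume.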
For more on NXLog, schedule a personal meeting with one of our professionals.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.