The Need for DNS Query Logs

DNS is a known threat vector for malware

DNS is a known critical exploit path for malware, ransomware and data exfiltration.  In fact, malware command and control (C&C) is the number one threat vector for crimeware (Verizon Data Breach Investigations Report, 2016).  Further, 91% of malware uses DNS to carry out malicious campaigns (Cisco Annual Security Report, 2016).  According to a recent study, this can cost companies more than $500 per minute of downtime caused by DDoS attacks (Ponemon Institute, Cost of Data Breach Study, 2016).  Yet, 70% of survey respondents in another report (Ponemon Institute, Second Annual Study on Exchange Cyber Threat Intelligence, 2015), felt that their threat intel was not timely enough for defense and mitigation.

You are sitting on a wealth of threat mitigation data, a.k.a., your DNS query logs.

Surprisingly, many Security teams are often blind to the value of threat mitigation data available through their core network.

If network conflicts, performance issues or outages occur, teams need access to the raw data found in network log files for fast root cause resolution.  Raw data can be used by Security teams for investigations and forensics to uncover a detailed query history of infected clients.  It can further be used by Security and Audit teams for access logging to gain visibility into which clients queried which domains and which domains were queried by which clients for a given date and time range.  Query logging can also aid Compliance and audit efforts by providing historical records of device and domain queries.  To have this information on-demand through a few keystrokes up to two years back reduces the stress of an on-demand audit and provides significant peace-of-mind and high value when it comes to root cause discovery, analysis and resolution.

But, there are significant challenges to use DNS query logs without impacting DNS performance

Unfortunately, access to readily consumable DNS query logging is a lot more difficult than just turning up the logging feature of your DNS services.   Infoblox Reporting and Analytics with Query Logging moves these functions out of the critical path while minimizing the impact on the DNS infrastructure.

Here are the top three obstacles teams face:

1. Resource Strain. Windows event logs or Unix Syslogs are two operating system-level logging facilities often used for query logging.  In environments with high DNS query volumes, these facilities can overload server resources, impacting and degrading DNS core and hosted service availability and performance.  This occurs because system logging facilities aren’t designed to manage hundreds, thousands or more messages per second.  Resources needed to log and format messages along with the underlying metadata places heavy compute demands on the CPU and storage utilization.

2. Data Management. The next challenge is how to efficiently organize and store data in a searchable format and ensure the needed redundancy to keep data accessible. Even a couple of hundred queries per second can easily require gigabytes of storage each day, snowballing into significant memory requirements over weeks, months and years.  It can take months to years to get a system designed, vetted, approved and deployed to manage extensive data redundancy on disk, accommodate successful disaster recovery, yet support searchability for forensic security investigations, compliance, and audit.

3. Data Access Delays. Even with a well-designed platform and suitable infrastructure, log data must still be parsed, and search/visualization tools must be engaged to view and manage the data.  Depending on the amount of data and cross-functional team dynamics, even many enterprise-grade tools can take days to deliver search results.

Once you have an integrated, scalable platform in place, you still have to create the reports and visualizations to simplify the potentially enormous amounts of data into timely, actionable intelligence within CapEx and OpEx constraints.  This can take months to plan, budget and build out, but the threats are active now–and you can’t afford a data breach, so the need is more immediate.

Efficient Query Logging with Infoblox Reporting & Analytics in 20 Minutes

If this describes your situation, the Infoblox solution warrants serious consideration.  It streamlines architecting and deploying an efficient query logging infrastructure that can be turned-up in as little as 20 minutes.

Infoblox Reporting & Analytics with Query Logging is a complete solution that solves data access, visibility challenges and more.  Powered by a Splunk reporting and visualization engine, it includes an appliance that simply plugs into the Infoblox Grid Master to provide visibility and access to the breadth of network data from a single convenient platform.

It efficiently collects DNS query data and enables clustering of multiple appliances for High Availability (HA), Disaster Recovery (DR) and scalability to accommodate virtually whatever amount of data needed.

Better Performance through Connected Data

Part of the Infoblox solution is a free component called the Infoblox Data Connector VM.  It’s a cool utility running on a virtual appliance that reduces bandwidth and DDI performance impacts when dealing with large, highly-active grids, syslog data, and DNS query and response logging.  It works by collecting DNS query and response data, offloading resource-impacting DNS/DHCP processing and applying user-defined filtering to reduce data quantity.  It then formats and sends the data for report generation, ingestion by the Infoblox ActiveTrust cloud or to third-party Splunk Indexers using an SCP protocol via HTTP requests.  It’s the central point of network data collection that improves performance by reducing the impact of data exchange across the network.  Further, it runs on VMware ESXi servers and is easily installed and registered on the Infoblox Grid (running NIOS 7.3 and later) in a matter of minutes.

Converting Raw Data to Actionable Insights

Accessing raw network data is one thing, seeing it is another, but it takes planning, data selection, organization, formatting, and distribution to make it truly actionable—and this takes time.  Fortunately, Infoblox offers over 120 engineered, pre-built and customizable reports available through a single, unified console dashboard, so teams can get instant access to data without the time, expense and hassle of spinning-up a DIY project.  Infoblox documents many of these reports in a Sample Report Guide which includes dashboards, audit logs, device, DNS, DHCP, ecosystem, internal, Global Server Load Balancing (GSLB), security, system/appliance reports and other categories.  Further, since Infoblox uses the Splunk reporting and visualization engine, users with Splunk programming ability can customize any of the pre-built reports to better meet their needs.  Reports are integrated with the Microsoft server environment for even greater visibility.  Run individual ad-hoc reports or automate regular distribution across teams.  Further, there is a Reporting Experts Community Forum that shares newly developed reports, enables participants to exchange information, resolves problems and discusses best practices.

Infoblox Reporting & Analytics with Query Logging provides uncompromised visibility now across the network, instant access to current data, enables customized views, streamlines and automates operations, saves time and money, and delivers fast actionable insights enabling you to be a better manager of the network and resources in your care.

To Learn More:

• Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 6/19, 2018, 10A PDT, 1P EDT, 6P BST. Register
• As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.