I have been running my own DNS server for several years. Some people argue the merits of doing such a thing when you can just put it in the "cloud", but I enjoy managing DNS myself, with all the flexibility and enrichment it brings.
I run BIND version 9 in a FreeBSD jail, and it serves as the authoritative nameserver for about six domains. I use Hurricane Electric and BuddyNS as secondaries.
Naturally, I have DNS logging turned on:
logging {
    channel my_syslog {
        syslog daemon;
        severity info;
    };
    channel my_file {
        file "/usr/local/etc/namedb/log/named.log" versions 200 size 20m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; my_file; };
    category queries { my_file; };
};
I definitely recommend turning on query logging. It will generate a lot of log data, but that data is invaluable, especially if you decide to use Elasticsearch, ELSA, ArcSight or Splunk to ingest and analyse it.
Here is a glimpse of a Splunk dashboard I created for BIND query logs:
Over the years I have noticed numerous attempts to assess my DNS posture. Just take a look at some of the log excerpts below:
Version Scanning:
45.20.17.160#10088 (version.bind): query: version.bind CH
80.82.77.33#15780 (VERSION.BIND): query: VERSION.BIND CH
192.241.168.215#48427 (version.bind): query: version.bind CH
196.52.43.88#6712 (VERSION.BIND): query: VERSION.BIND CH
188.166.34.51#56790 (version.bind): query: version.bind CH
45.56.78.169#45669 (version.bind): query: version.bind CH
172.104.20.44#43131 (version.bind): query: version.bind CH
Enumeration:
query: beaufort.smashthestack.org IN ANY -E (72.20.33.89)
query: harvard.smashthestack.org IN ANY -E (72.20.33.89)
query: welland.smashthestack.org IN ANY -E (72.20.33.89)
query: troscom.smashthestack.org IN ANY -E (72.20.33.89)
query: eichstaett.smashthestack.org IN ANY -E (72.20.33.89)
query: gilbert.smashthestack.org IN ANY -E (72.20.33.89)
query: stealth.smashthestack.org IN ANY -E (72.20.33.89)
Zone Transfers:
120.192.250.30#47392 zone transfer 'smashthestack.org/AXFR/IN' denied
13.113.28.177#40016 zone transfer 'smashthestack.org/AXFR/IN' denied
141.212.122.144#35358 zone transfer 'smashthestack.org/AXFR/IN' denied
141.212.122.96#35524 zone transfer 'smashthestack.org/AXFR/IN' denied
145.220.24.151#36824 zone transfer 'sawbox.org/AXFR/IN' denied
145.220.24.151#42180 zone transfer 'smashthestack.org/AXFR/IN' denied
52.68.42.211#47925 zone transfer 'sawbox.net/AXFR/IN' denied
Recursion Requests:
198.20.70.114#43780 query (cache) 'direct.shodan.io/A/IN' denied
95.215.62.189#41156 (.): query (cache) './ANY/IN' denied
191.96.249.61#32333 (d5l.ru): query (cache) 'd5l.ru/ANY/IN' denied
191.96.249.61#32333 (pay.gov): query (cache) 'pay.gov/ANY/IN' denied
52.91.131.184#3197 query (cache) 'www.yahoo.com/A/IN' denied
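For reference, this is the kind of named.conf that makes BIND answer those probes the way the excerpts show: a fixed string for version.bind, recursion refused, and zone transfers refused except to the secondaries. It is an added example and not the post's own configuration; the zone file path, the ACL addresses (RFC 5737 documentation ranges standing in for the real Hurricane Electric and BuddyNS transfer sources) and the choice of zone are assumptions.

```conf
options {
    directory "/usr/local/etc/namedb";

    // Answer "version.bind CH TXT" probes with a fixed string instead of the real version.
    version "not disclosed";

    // Authoritative-only server: recursion is refused for everyone, which is what
    // produces "query (cache) '.../A/IN' denied" when someone tries to use it as a resolver.
    recursion no;
    allow-recursion { none; };

    // Refuse AXFR by default ("zone transfer '.../AXFR/IN' denied"); transfers are
    // re-enabled per zone for the listed secondaries only.
    allow-transfer { none; };

    // Keep ANY answers small (BIND 9.11 and later) and rate-limit identical responses,
    // which blunts ANY-based enumeration and reflection abuse.
    minimal-any yes;
    rate-limit {
        responses-per-second 10;
        window 5;
    };
};

// Placeholder addresses; replace with the real secondaries' transfer sources.
acl "secondaries" { 203.0.113.10; 198.51.100.20; };

zone "smashthestack.org" {
    type master;
    file "/usr/local/etc/namedb/master/smashthestack.org.db";   // assumed path
    allow-transfer { secondaries; };
    also-notify { 203.0.113.10; 198.51.100.20; };
};
```

Check the syntax with named-checkconf, then verify from outside with dig: "dig @your-ns version.bind CH TXT" should return the fixed string, "dig @your-ns smashthestack.org AXFR" should be refused, and "dig @your-ns www.yahoo.com A" should be refused, with the matching lines turning up in named.log.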
If you are like me, then you are all about quick wins, data analytics, and data visualization.
Here is a quick and dirty command line win to pull the query-type breakdown out of your DNS logs. Field 11 is the query type in the log layout set up above (date, time, category, severity, the word client, address#port, (name):, query:, name, class, type), so the one-liner is tied to that format: newer BIND 9 releases (9.11 onwards) print a "@0x..." client pointer before the address, which shifts the type to field 12, and the "denied" row below is not a query type at all but the last word of the refused-recursion lines:
root@dns1(log):# grep -i query named.log* > dns_queries
root@dns1(log):# cat dns_queries | cut -d" " -f11 | sort | uniq -c | sort -nr
 244970 A
 101516 AAAA
  10153 ANY
   9030 PTR
   3694 MX
   3178 NS
   2325 SOA
   1940 TXT
    728 denied
    292 SRV
    263 CAA
    256 CNAME
    204 DNSKEY
    142 AXFR
    113 SPF
     66 A6
     59 RRSIG
     56 TLSA
     50 NAPTR
     47 LOC
      6 EID
      5 DS
      2 HINFO
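The log excerpts and the grep/cut one-liner both come down to parsing the same log format, so here is a small Python script that does it properly. It is an added example, not the author's code: it parses BIND 9 query and security log lines into fields, counts query types the way the cut -f11 pipeline does but without depending on field positions, and flags the four kinds of probe shown above (version.bind CH queries, ANY-based name enumeration by a single client, refused zone transfers and refused recursion). The sample log is constructed; client addresses either reuse ones from the excerpts or come from documentation ranges, and the local address and the "@0x..." client pointer that newer BIND releases print are placeholders included only to show the parser handles both layouts.

```python
"""Parse BIND 9 query and security log lines and flag the probes the post describes."""
import re
from collections import Counter, defaultdict

# Constructed sample log, not real traffic. Layout follows BIND 9 with print-time,
# print-category and print-severity enabled. Client addresses are taken from the
# excerpts in the post or from RFC 5737 documentation ranges; the local address in
# parentheses and the "@0x..." client pointer are placeholders.
SAMPLE_LOG = """\
01-Mar-2018 10:00:00.001 queries: info: client 45.20.17.160#10088 (version.bind): query: version.bind CH TXT + (192.0.2.53)
01-Mar-2018 10:00:00.002 queries: info: client 80.82.77.33#15780 (VERSION.BIND): query: VERSION.BIND CH TXT + (192.0.2.53)
01-Mar-2018 10:00:01.000 queries: info: client @0x7f3a1c0ee010 198.51.100.23#5353 (beaufort.smashthestack.org): query: beaufort.smashthestack.org IN ANY -E (192.0.2.53)
01-Mar-2018 10:00:01.001 queries: info: client @0x7f3a1c0ee010 198.51.100.23#5353 (harvard.smashthestack.org): query: harvard.smashthestack.org IN ANY -E (192.0.2.53)
01-Mar-2018 10:00:01.002 queries: info: client @0x7f3a1c0ee010 198.51.100.23#5353 (welland.smashthestack.org): query: welland.smashthestack.org IN ANY -E (192.0.2.53)
01-Mar-2018 10:00:02.000 queries: info: client 203.0.113.7#40000 (www.smashthestack.org): query: www.smashthestack.org IN A -E (192.0.2.53)
01-Mar-2018 10:00:02.500 queries: info: client 203.0.113.7#40001 (www.smashthestack.org): query: www.smashthestack.org IN AAAA -E (192.0.2.53)
01-Mar-2018 10:00:03.000 security: info: client 120.192.250.30#47392 (smashthestack.org): zone transfer 'smashthestack.org/AXFR/IN' denied
01-Mar-2018 10:00:03.001 security: info: client 145.220.24.151#36824 (sawbox.org): zone transfer 'sawbox.org/AXFR/IN' denied
01-Mar-2018 10:00:04.000 security: info: client 198.20.70.114#43780 (direct.shodan.io): query (cache) 'direct.shodan.io/A/IN' denied
01-Mar-2018 10:00:04.001 security: info: client 191.96.249.61#32333 (pay.gov): query (cache) 'pay.gov/ANY/IN' denied
this line is not a BIND log message and is skipped
"""

# date+time, category, severity, optional client pointer, client addr#port, optional "(name):", message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"(?:\([^)]*\): )?(?P<message>.*)$"
)
# "query: <name> <class> <type> <flags> (<local address>)" from the queries category
QUERY_RE = re.compile(r"^query: (?P<qname>\S+) (?P<qclass>IN|CH|HS) (?P<qtype>\S+) \S+")
# "query (cache) '<name>/<type>/<class>' denied" and "zone transfer '...' denied" from security
DENIED_RE = re.compile(
    r"^(?P<what>query \(cache\)|zone transfer) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)


def parse_line(line):
    """Return a dict for a query or denial line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "category": m["category"], "client": m["client"],
           "port": int(m["port"]), "what": None, "denied": False}
    q = QUERY_RE.match(m["message"])
    if q:
        rec.update(qname=q["qname"], qclass=q["qclass"], qtype=q["qtype"])
        return rec
    d = DENIED_RE.match(m["message"])
    if d:
        rec.update(qname=d["qname"], qclass=d["qclass"], qtype=d["qtype"],
                   what=d["what"], denied=True)
        return rec
    return None


def parse_lines(text):
    """Parse a block of log text, dropping lines that are not query/denial messages."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def classify(rec):
    """Map a record to the probe categories used in the post, or 'normal'."""
    if rec["qclass"] == "CH" and rec["qname"].lower().rstrip(".") == "version.bind":
        return "version_scan"
    if rec["what"] == "zone transfer":
        return "axfr_attempt"
    if rec["what"] == "query (cache)":
        return "recursion_attempt"
    if rec["qtype"] == "ANY":
        return "any_query"
    return "normal"


def analyze(text, any_threshold=3):
    """Query-type histogram plus per-client probe findings for a block of log text."""
    records = parse_lines(text)
    # Same view as `cut -d" " -f11 | sort | uniq -c`, but built from parsed fields, so
    # the client-pointer column does not shift anything and denial lines contribute
    # their real query type instead of the word "denied".
    query_types = Counter(r["qtype"] for r in records)
    findings = defaultdict(Counter)   # category -> Counter of client addresses
    any_names = defaultdict(set)      # client -> distinct names it asked for with ANY
    for r in records:
        cat = classify(r)
        if cat != "normal":
            findings[cat][r["client"]] += 1
        if r["qtype"] == "ANY" and not r["denied"]:
            any_names[r["client"]].add(r["qname"].lower())
    # One client walking many names with ANY is the enumeration pattern shown above.
    enumerators = {c: len(n) for c, n in any_names.items() if len(n) >= any_threshold}
    return {"query_types": query_types, "findings": dict(findings), "enumerators": enumerators}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("query types:", result["query_types"].most_common())
    for category, clients in result["findings"].items():
        print(f"{category}: {dict(clients)}")
    print("ANY enumerators (client -> distinct names):", result["enumerators"])
```

Point it at a real file with analyze(open("named.log").read()) and feed the findings dict to whatever you use for dashboards; the per-client counters are what you would want as fields in Splunk or Elasticsearch rather than raw lines.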
So you see, there is plenty to keep you busy. I am still enjoying the ride. Thanks for reading.