Profile Applicability:

Level 1

Description:

Cloud DNS logging captures DNS queries made by resources within your Virtual Private Cloud (VPC) and records them in Google Cloud Logging. These queries may originate from Compute Engine VMs, Google Kubernetes Engine (GKE) containers, or other Google Cloud resources within the VPC.

Rationale:

DNS logs provide valuable insights into the DNS names requested by clients within a VPC, which can be used for:

  • Monitoring anomalous domain name queries.

  • Enhancing security by evaluating DNS queries against threat intelligence feeds.

  • Performing forensic investigations.

Note: For comprehensive DNS monitoring, ensure that outgoing traffic to external DNS resolvers is blocked by firewall rules (e.g., UDP/53 for DNS and TCP/443 for DNS over HTTPS).

Impact:

Enabling Cloud DNS logging may incur additional costs for log storage and analysis. Costs depend on the volume of DNS queries generated by the resources within your VPC.

Default Value:

By default, Cloud DNS logging is disabled for all VPC networks.

Audit Steps:

Using Google Cloud CLI:

  • List all VPC networks in the project:

    gcloud compute networks list --format="table[box,title='All VPC Networks'](name:label='VPC Network Name')"

  • Check DNS policies and logging status for each VPC network:

    gcloud dns policies list --flatten="networks[]" --format="table[box,title='All DNS Policies By VPC Network'](name:label='Policy Name',enableLogging:label='Logging Enabled':align=center,networks.networkUrl.basename():label='VPC Network Name')"

  • Verify that each VPC network listed in the first command appears in the second with Logging Enabled set to True.

Remediation Steps:

Using Google Cloud CLI:

Create a new DNS policy with logging enabled:

gcloud dns policies create enable-dns-logging \
  --enable-logging \
  --description="Enable DNS Logging" \
  --networks=VPC_NETWORK_NAME

  • Replace VPC_NETWORK_NAME with one or more VPC network names separated by commas.

Enable logging for an existing DNS policy:

gcloud dns policies update POLICY_NAME \
  --enable-logging \
  --networks=VPC_NETWORK_NAME

  • Replace POLICY_NAME with the name of the existing policy and VPC_NETWORK_NAME with the appropriate VPC network names.
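The audit and remediation steps above can be combined into one script that cross-checks every VPC network against the DNS policies and then either creates a policy or updates the existing one. The script below is an added example, not part of the benchmark text or of Google's tooling. It assumes gcloud is installed and authenticated for the target project, that `--format=value(...)` emits tab-separated fields, and that gcloud renders the enableLogging boolean as the strings True/False; the network and policy names in the embedded sample data are constructed for illustration. The planning logic is kept separate from the gcloud calls so it can be checked offline, and it accounts for the fact that a VPC network can be attached to only one DNS policy, so a network that already has a policy with logging disabled must be updated rather than given a new policy.

```shell
#!/bin/sh
# Added example: audit VPC networks for DNS logging and plan the remediation.
# Not from the benchmark; assumes gcloud is installed and authenticated.

# Policy rows have the shape NAME<TAB>True|False<TAB>NETWORK, one row per
# policy/network pair, as produced by fetch_policies below.
fetch_networks() {
  gcloud compute networks list --format="value(name)"
}

fetch_policies() {
  gcloud dns policies list --flatten="networks[]" \
    --format="value(name,enableLogging,networks.networkUrl.basename())"
}

# Print every network (one per line, sorted) that has no policy with
# logging enabled. $1 = newline-separated network names, $2 = policy rows.
networks_without_logging() {
  networks="$1"
  policies="$2"
  logged=$(printf '%s\n' "$policies" | awk -F'\t' '$2 == "True" { print $3 }' | sort -u)
  printf '%s\n' "$networks" | sort -u | while IFS= read -r net; do
    [ -z "$net" ] && continue
    if ! printf '%s\n' "$logged" | grep -qx -- "$net"; then
      printf '%s\n' "$net"
    fi
  done
}

# Emit one action per non-compliant network:
#   "update POLICY NET1,NET2"  when the network already has a policy
#                              (the full network list of that policy is kept,
#                               because --networks on update replaces it)
#   "create NET"               when the network has no policy at all
plan_remediation() {
  networks="$1"
  policies="$2"
  networks_without_logging "$networks" "$policies" | while IFS= read -r net; do
    existing=$(printf '%s\n' "$policies" | awk -F'\t' -v n="$net" '$3 == n { print $1; exit }')
    if [ -n "$existing" ]; then
      members=$(printf '%s\n' "$policies" | awk -F'\t' -v p="$existing" '$1 == p { print $3 }' | paste -sd, -)
      printf 'update %s %s\n' "$existing" "$members"
    else
      printf 'create %s\n' "$net"
    fi
  done
}

# Execute the plan with the same gcloud commands the benchmark gives.
apply_plan() {
  while read -r action name nets; do
    case "$action" in
      update) gcloud dns policies update "$name" --enable-logging --networks="$nets" ;;
      create) gcloud dns policies create "dns-logging-$name" --enable-logging \
                --description="Enable DNS Logging" --networks="$name" ;;
    esac
  done
}

# Constructed sample data standing in for gcloud output (hypothetical names).
SAMPLE_NETWORKS=$(printf 'default\nprod-vpc\ndev-vpc\n')
SAMPLE_POLICIES=$(printf 'enable-dns-logging\tTrue\tprod-vpc\nlegacy-policy\tFalse\tdev-vpc\n')

# Live run (requires gcloud):
#   plan_remediation "$(fetch_networks)" "$(fetch_policies)" | apply_plan
```

Run `plan_remediation "$SAMPLE_NETWORKS" "$SAMPLE_POLICIES"` to see the decision logic on the sample data: `default` has no policy and gets a create action, while `dev-vpc` is already bound to `legacy-policy` and gets an update. Review the plan before piping it into `apply_plan`, since enabling logging raises logging volume and cost for every network touched.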

References:

  1. Cloud DNS Logging Documentation

  2. Firewall Rules for DNS Monitoring

Additional Information:

  • Only DNS queries that reach the Cloud DNS name server are logged. Queries answered from a local resolver cache, or sent directly to external DNS resolvers outside the VPC, are not captured, which is why the firewall rules noted above matter for complete coverage.

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
--- | --- | --- | --- | ---
8.2 Collect Audit Logs | Enable audit logging across enterprise assets. | | |
8.6 Collect DNS Query Logs | Capture DNS query logs to identify potential malicious activity. | | |
8.11 Conduct Audit Log Reviews | Regularly review audit logs for anomalies or potential security threats. | | |
6.2 Activate Audit Logging | Ensure logging is enabled for all systems and networking devices. | | |
6.7 Review Logs Regularly | Periodically review logs to detect abnormal events or potential threats. | | |
8.7 Enable DNS Query Logging | Enable logging for DNS queries to monitor and detect requests for known malicious domains. | | |