DNS query logs reveal critical security information — malware command-and-control traffic, data exfiltration via DNS tunneling, unauthorized network activity, and policy violations. Monitoring DNS queries is one of the most effective security monitoring techniques because virtually all network activity involves DNS resolution. This guide covers enabling DNS logging, analysis techniques, and detection patterns.
Enabling DNS Logging
BIND Query Logging
# /etc/bind/named.conf
logging {
    channel query_log {
        file "/var/log/bind/queries.log" versions 7 size 100m;
        severity info;
        print-time yes;
        print-severity yes;
    };
    category queries { query_log; };
};
Unbound Logging
# /etc/unbound/unbound.conf
server:
    log-queries: yes
    logfile: "/var/log/unbound/queries.log"
    log-time-ascii: yes
    verbosity: 1
dnsmasq Logging
# /etc/dnsmasq.conf
log-queries
log-facility=/var/log/dnsmasq-queries.log
Log Analysis Patterns
Detect DNS Tunneling
# DNS tunneling uses very long subdomain labels to encode data
# Look for queries with labels longer than 50 characters
# Using awk: split every field on "." and print the line if any label is too long
awk '{ for (i = 1; i <= NF; i++) { n = split($i, l, "."); for (j = 1; j <= n; j++) if (length(l[j]) > 50) { print; next } } }' /var/log/bind/queries.log
# Using grep for encoded-looking queries (replace example.com with the domain under review)
grep -E '[a-zA-Z0-9]{30,}\.example\.com' /var/log/bind/queries.log
# High query volume to single domain (the queried name is the field after "query:")
awk '{ for (i = 1; i < NF; i++) if ($i == "query:") print $(i+1) }' /var/log/bind/queries.log | sort | uniq -c | sort -rn | head -20
# TXT record queries (often used for tunneling)
grep " IN TXT " /var/log/bind/queries.log | awk '{ for (i = 1; i < NF; i++) if ($i == "query:") print $(i+1) }' | sort | uniq -c | sort -rn
Detect Malware C2 Domains
# Look for high-entropy domain names (randomly generated)
# These often indicate DGA (Domain Generation Algorithm) malware
python3 - /var/log/bind/queries.log << 'EOF'
import math, re, sys
from collections import Counter
def entropy(s):  # Shannon entropy in bits per character
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())
for m in re.finditer(r'query: (\S+) IN ', open(sys.argv[1]).read()):  # queried name in BIND's query log format
    domain = m.group(1); labels = domain.split('.')
    if len(labels) >= 2:
        sld = labels[-2]  # Second-level domain
        if len(sld) > 8 and entropy(sld) > 3.5:
            print(f"Suspicious: {domain} (entropy: {entropy(sld):.2f})")
EOF
Detect Data Exfiltration
# Unusually high query volume from a single host
# (with print-severity yes, field 6 is client#port; strip the port before counting)
awk '{ split($6, c, "#"); print c[1] }' /var/log/bind/queries.log | sort | uniq -c | sort -rn | head -20
# If one client has 10x more queries than others, investigate
# Large DNS responses (potential data exfiltration via TXT records): the query log
# does not record response sizes, so the TXT query count is the available proxy
grep " IN TXT " /var/log/bind/queries.log | wc -l
Centralized DNS Log Analysis
# Send DNS logs to a SIEM or log aggregator
# Rsyslog forwarding (legacy imfile syntax; the module must be loaded first)
# /etc/rsyslog.d/bind.conf
$ModLoad imfile
$InputFileName /var/log/bind/queries.log
$InputFileTag bind-query:
$InputFileStateFile stat-bind-query
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
# A single @ forwards over UDP; use @@logserver:514 for TCP
local6.* @logserver:514
# Or use Filebeat → Elasticsearch
# /etc/filebeat/filebeat.yml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/bind/queries.log
    fields:
      log_type: dns_query
Alerting Rules
# Example alert conditions:
# 1. DNS query to known malware domain (use threat intel feeds)
# 2. More than 1000 queries/minute from a single client
# 3. Queries for TXT records to unusual domains
# 4. Domain names with high entropy (DGA detection)
# 5. DNS queries to recently registered domains (< 30 days old)
# 6. NXDOMAIN response rate > 50% from a client (scanning/DGA)
# 7. Query for a domain on a blocklist
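Several of these conditions can be checked directly from query-log lines. The following is an added example, not code from the original guide: it parses BIND's query-log format (the channel configured above), applies the long-label tunneling check plus rules 2, 3 and 4 with this page's thresholds (50-character labels, 1000 queries per minute, entropy above 3.5), and runs them over constructed sample lines.

```python
import math, re
from collections import Counter, defaultdict
# Matches BIND query-log lines as produced by the channel above (print-time and
# print-severity on); the "@0x..." client handle and "info:" are optional so
# older BIND formats parse as well.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?:\S+: )?client (?:@0x[0-9a-f]+ )?'
    r'(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<qtype>\S+)'
)
def parse_line(line):
    """Return date/time/client/name/qtype fields, or None for a non-query line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None
def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())
def analyze(lines, max_label=50, per_minute_limit=1000, entropy_threshold=3.5):
    """Apply the long-label, volume, TXT and entropy rules; return (rule, detail) pairs."""
    alerts = []
    per_client_minute = defaultdict(int)  # (client IP, HH:MM) -> query count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = rec['name'].rstrip('.').split('.')
        if any(len(label) > max_label for label in labels):  # tunneling: oversized label
            alerts.append(('long_label', rec['name']))
        if len(labels) >= 2 and len(labels[-2]) > 8 and entropy(labels[-2]) > entropy_threshold:
            alerts.append(('high_entropy', rec['name']))  # rule 4: DGA-looking second-level domain
        if rec['qtype'] == 'TXT':  # rule 3: TXT queries
            alerts.append(('txt_query', rec['name']))
        per_client_minute[(rec['client'], rec['time'][:5])] += 1
    for (client, minute), n in per_client_minute.items():  # rule 2: per-client volume
        if n > per_minute_limit:
            alerts.append(('query_flood', f'{client} sent {n} queries in minute {minute}'))
    return alerts

# Constructed sample lines (not real traffic): a normal query, a DGA-looking
# domain, and a TXT query carrying a 60-character label.
LONG_LABEL = '6c1d0f' * 10
SAMPLE_LINES = [
    '01-Jan-2024 12:00:00.123 info: client @0x7f3c1c0a9d60 192.0.2.10#53412 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)',
    '01-Jan-2024 12:00:01.456 info: client @0x7f3c1c0a9d60 192.0.2.10#53413 (xk7q2zp9mw4r.com): query: xk7q2zp9mw4r.com IN A + (192.0.2.1)',
    f'01-Jan-2024 12:00:02.789 info: client @0x7f3c1c0a9d61 192.0.2.25#40001 ({LONG_LABEL}.t.example.org): query: {LONG_LABEL}.t.example.org IN TXT + (192.0.2.1)',
]

if __name__ == '__main__':
    for rule, detail in analyze(SAMPLE_LINES):
        print(f'{rule}: {detail}')
```

Rules 1, 5, 6 and 7 are not covered here because they need data the query log does not carry (threat-intel feeds, domain registration dates, and the NXDOMAIN responses that only a response log or a resolver with response logging provides).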
DNS Blocklists
# Block known malicious domains at the DNS level
# Using dnsmasq: answer 0.0.0.0 for the domain and all of its subdomains
address=/malware-domain.com/0.0.0.0
# Or use a blocklist file in hosts-file format
addn-hosts=/etc/dnsmasq-blocklist.txt
# Using BIND RPZ (Response Policy Zone): the zone must also be activated
# with response-policy inside the existing options { } block of named.conf
options {
    response-policy { zone "rpz"; };
};
zone "rpz" {
    type master;
    file "/etc/bind/rpz.zone";
};
# rpz.zone (after the zone's usual $TTL, SOA and NS records)
malware-domain.com   CNAME .        ; Block (NXDOMAIN)
phishing-site.com    A     0.0.0.0  ; Sinkhole
Best Practices
- Enable DNS query logging on all internal DNS resolvers — it is one of the most valuable security data sources
- Rotate logs to prevent disk space issues (7-30 days retention typical)
- Send DNS logs to a centralized SIEM for correlation with other security events
- Monitor for high-entropy domain names, excessive NXDOMAIN responses, and unusual TXT queries
- Use DNS blocklists to prevent access to known malicious domains
- Alert on abnormal query patterns — sudden volume spikes often indicate compromise