Hey everyone! I'm looking to log DNS queries that are processed by our Active Directory DNS servers and forward those logs to our Security Operations Center (SOC) and SIEM. The ultimate aim is for the SOC to spot any suspicious or malware-related domain queries using threat intelligence. If anyone has tips or suggestions on how to handle this effectively, they would be greatly appreciated!
4 Answers
What kind of SIEM solution are you using? That can make a difference in how you approach logging DNS queries.
It would be helpful to know more about your environment. Are most users on-site or remote? Do remote users VPN in? Are you dealing mainly with Windows endpoints or other types of devices too? If users aren't consistently connected to a domain controller, you'll probably need to set up filtering on endpoints, in addition to your DNS servers. DNS Filter might be a solid option to consider. Also, keep in mind that forwarding DNS data to your SIEM can generate lots of traffic, so be prepared for that.
I think the challenge here is that savvy attackers can easily tunnel DNS queries to an unmanaged DNS server to slip under the radar. To tackle this, consider blocking all DNS requests to untrusted servers using your client XDR. Also, you should definitely block known DNS-over-HTTP providers that are outside your control. Make sure to inspect traffic to both unknown and known servers, as this can reveal harmful activity. Logging DNS queries directly from the client XDR will help because it’s way harder for attackers to hide those requests compared to passive DNS resolvers. For any IoT devices, a Secure Web Gateway (SWG) set up as a transparent proxy could be helpful too, especially for logging all traffic. Also, creating a separate guest network that is isolated from your internal systems is a wise move!
Absolutely! It’s true that advanced attackers might tunnel DNS queries, but detecting them still helps with many less sophisticated threats.
Forwarding DNS queries to your SIEM is definitely a best practice. We used Splunk for this, and during incidents, it provided us with valuable insights and helped to correlate alerts effectively. The volume can get noisy, but the costs were minimal in our case.
Thanks for your input! Can you share more about your setup? How do you forward the DNS queries—through Sysmon or NXLog? Also, how do you manage the noise and volume?
All of our users are on-site, but a few do need VPN access for apps. Most devices are Windows, and we have also thought about how Sysmon will increase the volume of logs. We're just looking to forward only DNS queries to the SIEM.