DNS Logs for Incident Response

A number of talks at the FIRST conference this week have mentioned the value of Domain Name System (DNS) logs for both detecting and investigating various types of computer misuse: from users accessing unauthorised websites, to PCs infected with botnets, to targeted theft of information (see, for example, Google’s talk).

DNS is sometimes described as the distributed phone book of the Internet: it’s how computers convert user-friendly names into the numeric IP addresses that are actually used to move packets around the network. Every time a user or program converts an Internet name to an IP address, their computer has to make a request to the DNS, and that request can be logged. So how much of a privacy issue is this?

There are actually two types of DNS logs: logs of requests (which computer asked for the translation of which name) and logs of responses (which numeric address a name translated to at a particular time). Request logging clearly can have an impact on privacy: if you can link the IP address of the requesting computer to the person who was logged on, then you can see which websites and other Internet hosts they were accessing. However, a DNS request log can’t tell you which pages, or even how many pages, the user accessed, so it seems like less of a privacy invasion than collecting web proxy or e-mail logs, which many organisations and ISPs already do. Request logs are actually more like logs of traffic flows, which also show which machines communicated with which other machines (indeed a flow will normally be logged very soon after a DNS request). There are a couple of differences: traffic flows, unlike request logs, say how much information was exchanged, while for hosts that contain a number of different websites the DNS query log, unlike the flow log, will reveal which of those sites was requested. One practical caveat: because operating systems, browsers and intermediate resolvers cache answers, a request only appears in the log when it actually reaches the logging resolver, so repeat visits to the same site within the cache lifetime, and the flows that follow them, may have no matching request entry.

DNS response logs can be much less of a privacy issue, because they can be collected in a way that records only which translation was returned and not who asked for it. Such a log (the technique is usually called passive DNS) can’t be used to find problem users or local machines, but can be used (see, for example, Florian Weimer’s original paper on passive DNS replication) to detect external threats such as rapidly moving phishing sites.
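To make the distinction between the two kinds of log concrete, here is an added worked example (my own illustration, not code from the post or from Jisc). It takes a handful of constructed resolver records in a simplified "timestamp client name type answer" form (not any real resolver’s native format), splits them into a per-client request log and a passive-DNS style response table that deliberately drops the client address, and then applies a crude "rapidly changing answers" heuristic of the sort used to spot fast-moving phishing infrastructure. The log lines, the IP addresses and the threshold values are all assumptions chosen for the example.

```python
"""Request log vs. passive-DNS response log, built from constructed resolver records.

The request log identifies who asked for what (personal data); the passive-DNS
table keeps only name -> answer with first/last seen, which is what a
'rapidly moving site' detector needs.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample records: "ts client qname qtype rdata". These are made up
# for the example; the format is a simplification, not a real resolver's output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3  www.example.org          A 93.184.216.34
2024-05-01T10:00:05Z 10.1.2.3  login.phish-example.test A 198.51.100.7
2024-05-01T10:03:10Z 10.1.2.9  login.phish-example.test A 198.51.100.23
2024-05-01T10:06:40Z 10.1.2.3  www.example.org          A 93.184.216.34
2024-05-01T10:07:02Z 10.1.2.44 login.phish-example.test A 203.0.113.250
2024-05-01T10:09:55Z 10.1.2.9  login.phish-example.test A 198.51.100.88
2024-05-01T10:12:00Z 10.1.2.44 mail.example.org         A 93.184.216.35
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into one dict per record."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, rdata = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "qtype": qtype,
            "rdata": rdata,
        })
    return records


def request_log(records: List[dict]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Who asked for what. This links a client address to names, so it is the
    privacy-sensitive view and needs a justified retention policy."""
    by_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for r in records:
        by_client[r["client"]].append((r["ts"], r["qname"]))
    return dict(by_client)


def passive_dns(records: List[dict]) -> Dict[Tuple[str, str, str], dict]:
    """Name -> answer table with first/last seen and a hit count.
    The client address is deliberately not stored, so the table cannot be
    used to identify users, only to study what names resolved to."""
    table: Dict[Tuple[str, str, str], dict] = {}
    for r in records:
        key = (r["qname"], r["qtype"], r["rdata"])
        entry = table.setdefault(
            key, {"first_seen": r["ts"], "last_seen": r["ts"], "count": 0})
        entry["first_seen"] = min(entry["first_seen"], r["ts"])
        entry["last_seen"] = max(entry["last_seen"], r["ts"])
        entry["count"] += 1
    return table


def fast_changing_names(table: Dict[Tuple[str, str, str], dict],
                        min_addresses: int = 3,
                        window_seconds: int = 900) -> List[str]:
    """Flag names whose A records moved through at least `min_addresses`
    distinct answers with all first sightings inside `window_seconds`.
    Thresholds are illustrative; tune and allowlist CDN names in practice."""
    first_seen: Dict[str, List[datetime]] = defaultdict(list)
    for (qname, qtype, _rdata), entry in table.items():
        if qtype == "A":
            first_seen[qname].append(entry["first_seen"])
    flagged = []
    for qname, times in first_seen.items():
        span = (max(times) - min(times)).total_seconds()
        if len(times) >= min_addresses and span <= window_seconds:
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, queries in sorted(request_log(recs).items()):
        print(client, [q for _, q in queries])
    table = passive_dns(recs)
    for (name, qtype, rdata), entry in sorted(table.items()):
        print(f"{name} {qtype} {rdata} seen {entry['count']}x "
              f"{entry['first_seen']:%H:%M:%S}-{entry['last_seen']:%H:%M:%S}")
    print("rapidly moving:", fast_changing_names(table))
```

Run as a script it prints the per-client request view, the anonymous response table, and flags `login.phish-example.test`, which cycled through four addresses in ten minutes. Note that the detector works entirely from the response table: the same result is available to a team that never stored which client asked, which is the point made above about the two kinds of log. A legitimate CDN hostname with many addresses will trip the same crude heuristic, so real deployments add allowlists and look at TTLs and address diversity as well.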

So it seems that logs of DNS requests, at least, should be treated as raising some privacy issues: organisations and incident response teams should only collect and use them if they have a clear need and proportionate processes for doing so. However, in many cases that need and those processes will already have been established for the collection and use of proxy or flow logs. DNS logs therefore seem to offer significant help to security and incident response teams without creating a significantly greater privacy threat for Internet users.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
