TL;DR
An authoritative DNS server does not know which end user is asking about your domain, but it does see and can log the IP address of every resolver that sends it a query. Those logs tell you which resolvers (and, by extension, which ISPs, public DNS services or corporate networks) are looking up your domain, and how often. This guide explains how to turn the logging on and how to read it.
How Authoritative DNS Works
When someone types your website address (e.g., example.com) into their browser, a series of events happen:
- The user’s computer asks its configured DNS resolver (usually provided by their internet service provider – ISP) for the IP address associated with example.com.
- If the resolver already has the answer cached, it replies from cache and your server never hears about it. If not, it walks the hierarchy: a root server, then the TLD server for .com, each of which refers it onward.
- Eventually, the resolver asks your authoritative DNS server (the one you’ve configured to manage records for example.com).
- Your authoritative server responds with the IP address(es) associated with example.com.
Crucially, your authoritative server only sees the IP address of the resolver that asked it, not the original user’s computer. One caveat: resolvers that support EDNS Client Subnet (ECS, RFC 7871), such as Google Public DNS, may attach a truncated prefix of the client’s network (typically /24 for IPv4) to the query, so in that case you learn roughly which network the user is on, but still not the host.
Logging DNS Queries
To see who is querying your domain, you need to enable logging on your authoritative DNS server. The exact method depends on which DNS server software you are using. Here’s how for some common options:
1. BIND
- Edit named.conf, or one of the files it includes (on Debian/Ubuntu typically /etc/bind/named.conf.options or named.conf.local). The logging statement must sit at top level, outside the options {} block.
- Add or modify the logging section. A basic example:

```
logging {
    channel querylog {
        file "/var/log/bind/query.log" versions 3 size 5m;  // keep 3 old files, rotate at 5 MB
        severity dynamic;
        print-time yes;
        print-category yes;
    };
    category queries { querylog; };  // log all queries to the querylog channel
};
```

- Make sure /var/log/bind exists and is writable by the user named runs as (bind on Debian), then check the configuration and restart BIND:

```
sudo named-checkconf && sudo systemctl restart bind9
```

- Examine /var/log/bind/query.log. With these settings a BIND 9 entry looks similar to this (addresses are documentation ranges, not real ones):

```
27-Oct-2024 10:00:00.123 queries: client @0x7f3a2c0b1e30 192.0.2.1#34567 (example.com): query: example.com IN A +E(0)K (203.0.113.10)
```

This shows a request from IP address 192.0.2.1 (source port 34567) for the A record of example.com. The flags after the query type record whether recursion was requested (+), the EDNS version (E(0)) and DNS cookie status (K); the trailing address is the interface on your server that received the query. Note that the query log records requests, not the answers sent back, so it does not tell you whether a name existed. Query logging can also be switched on and off at runtime with `rndc querylog`, which is handy for short investigations on a busy server.
2. PowerDNS
- Edit the PowerDNS configuration file (location varies, often /etc/powerdns/pdns.conf).
- Enable per-query logging. The Authoritative Server has no log-format option; query logging is controlled by log-dns-queries, which only takes effect when loglevel is 5 or higher, plus the optional log-dns-details. logging-facility moves the output to a syslog local facility (0 means LOCAL0):

```
log-dns-queries=yes
log-dns-details=yes
loglevel=5
logging-facility=0
```

- Restart PowerDNS:

```
sudo systemctl restart pdns
```

- Check your system logs (journalctl -u pdns, or /var/log/syslog if your syslog daemon writes LOCAL0 there). Each query produces a line naming the querying resolver, along the lines of "Remote 192.0.2.1 wants 'example.com|A', do = 0, bufsize = 1232". loglevel 5 is verbose, so plan disk space and rotation accordingly and turn it off again when you have what you need.
3. Cloud DNS Providers (AWS Route 53, Google Cloud DNS, Azure DNS)
Cloud providers typically offer query logging as a separate feature you enable per zone. The logging feature itself is often free, but you pay for the logging service that ingests and stores the data, and the logs land in the provider’s logging service rather than directly in object storage.
- AWS Route 53: For a public hosted zone, configure query logging in the Route 53 console. Logs are delivered to a CloudWatch Logs log group (which must be in us-east-1); from there you can export or stream them to S3. Route 53 Resolver query logging, which records queries made from inside your VPCs, is a different feature and can write to S3, CloudWatch Logs or Kinesis Data Firehose.
- Google Cloud DNS: Enable logging on the managed zone (in the console, or with `gcloud dns managed-zones update ZONE --log-dns-queries`). Logs are written to Cloud Logging, from which a log sink can route them to Cloud Storage or BigQuery.
- Azure DNS: Azure Monitor exposes per-zone metrics such as query volume for public zones; check the current documentation for whether per-query logs with resolver addresses are available for your zone type.
Refer to your cloud provider’s documentation for detailed instructions.
Interpreting the Logs
- The IP addresses in the logs are those of the DNS resolvers that queried your server, not the end users (unless the resolver sends ECS, in which case you also get a client network prefix).
- You can use WHOIS or an IP lookup service to identify the owner/operator of a resolver IP address. This might be an ISP, a public DNS service or a corporate network. Large public resolvers query authoritative servers from their backend egress ranges, not from the anycast address users configure, so Google Public DNS traffic will not show up as 8.8.8.8; the operator publishes the ranges its resolvers use.
- A high query volume from one resolver is usually legitimate: a big ISP cache serving many users, or a low TTL on your records. A burst of queries from one source for many distinct names under your zone, especially names you never published, is more likely subdomain enumeration or a random-subdomain flood. A resolver whose queries all come from source port 53 is also worth a look, since properly hardened resolvers randomise their source ports.
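The following script is an added example, not part of the original guide or of BIND: it parses query-log lines in the BIND 9 format shown in the BIND section above, aggregates them per resolver, and flags the two patterns just described (one source asking for many distinct names under the zone, and queries arriving from source port 53). The log lines are constructed for this example and use documentation address ranges; the enumeration threshold of four distinct names is an arbitrary choice for the demo, not a recommended value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the BIND 9 query-log format produced with
# "print-time yes; print-category yes;". Made up for this example; the
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are reserved for documentation.
SAMPLE_LOG = """\
27-Oct-2024 10:00:00.123 queries: client @0x7f3a2c0b1e30 192.0.2.1#34567 (example.com): query: example.com IN A +E(0)K (203.0.113.10)
27-Oct-2024 10:00:01.001 queries: client @0x7f3a2c0b1e30 192.0.2.1#40111 (www.example.com): query: www.example.com IN AAAA +E(0)K (203.0.113.10)
27-Oct-2024 10:00:01.900 queries: client @0x7f3a2c0b1e30 192.0.2.1#40112 (example.com): query: example.com IN MX +E(0)K (203.0.113.10)
27-Oct-2024 10:00:02.500 queries: client @0x7f3a2c0b2f40 198.51.100.7#53 (mail.example.com): query: mail.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:03.010 queries: client @0x7f3a2c0b3a50 198.51.100.9#51002 (dev.example.com): query: dev.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:03.020 queries: client @0x7f3a2c0b3a50 198.51.100.9#51003 (staging.example.com): query: staging.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:03.030 queries: client @0x7f3a2c0b3a50 198.51.100.9#51004 (vpn.example.com): query: vpn.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:03.040 queries: client @0x7f3a2c0b3a50 198.51.100.9#51005 (admin.example.com): query: admin.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:03.050 queries: client @0x7f3a2c0b3a50 198.51.100.9#51006 (git.example.com): query: git.example.com IN A + (203.0.113.10)
27-Oct-2024 10:00:04.000 queries: client 192.0.2.1#40113 (other.test): query: other.test IN A + (203.0.113.10)
this line is not a query-log entry and is skipped
"""

# The "@0x..." client handle appears in newer BIND 9 releases; it is optional
# here so older lines without it still parse.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for one BIND query-log line, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise for comparison
    return rec


def parse_log(text):
    """Parse every line of a query log, skipping lines that are not queries."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it."""
    zone = zone.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)


def summarize(records, zone, enum_threshold=4):
    """Aggregate queries for `zone` per resolver IP and flag:
    - enumeration: one source asking for >= enum_threshold distinct names under the zone
    - port53: sources whose queries arrive from UDP/TCP source port 53
    """
    per_resolver = Counter()
    names_by_source = defaultdict(set)
    port53 = set()
    for r in records:
        if not in_zone(r["qname"], zone):
            continue  # a query for a name we are not authoritative for
        per_resolver[r["ip"]] += 1
        names_by_source[r["ip"]].add(r["qname"])
        if r["port"] == 53:
            port53.add(r["ip"])
    enumeration = sorted(ip for ip, names in names_by_source.items()
                         if len(names) >= enum_threshold)
    return {"per_resolver": per_resolver,
            "enumeration": enumeration,
            "port53": sorted(port53)}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG), "example.com")
    for ip, n in summary["per_resolver"].most_common():
        print(f"{ip:15} {n:5d} queries")
    print("possible enumeration from:", summary["enumeration"])
    print("source port 53 from:", summary["port53"])
```

On the sample data this attributes three queries to 192.0.2.1, one to 198.51.100.7 (flagged for source port 53) and five to 198.51.100.9, which is flagged because it asked for five different names under the zone in rapid succession. Run it against a real file with `summarize(parse_log(open("/var/log/bind/query.log").read()), "yourzone.example")` and tune the threshold to your own traffic before treating any hit as hostile.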
Important Considerations
- Privacy: Resolver IP addresses, and especially ECS client prefixes, are personal data under regulations such as the GDPR. Decide how long you need the logs, delete them on schedule, and truncate or hash addresses if you only need aggregate statistics.
- Log Rotation: The BIND example above rotates the file itself (versions 3 size 5m); for PowerDNS via syslog, configure logrotate or your journal retention. Per-query logging grows quickly on a busy zone, so size the disk for peak query rates, not the average.
- Security: Query logs reveal your internal naming scheme and which organisations talk to you, so restrict read access to them as you would to the zone files. Keep the DNS server itself patched, limit who can use rndc or the PowerDNS API, and do not expose the log directory through any web server.