jgarcias
Participant

Log DNS query

Hello everybody,

Actually we have several gateway clusters in our environment. By default we are logging DNS traffic (UDP 53), but we can see that actually only the connection itself is being logged.

Does somebody know how to log the query in the DNS packet? I would like to see the queried domain in the log. I can see that there are fields named "DNS Query" and "DNS Query Type", but both are empty, so I think there should be an option to enable the gateway to fill those fields.

Thanks

5 Replies
PhoneBoy
Admin

What is the precise rule that is accepting the traffic?
I suspect it needs to be done with an App Control rule (something that logs Detailed or Extended).

0 Kudos
jgarcias
Participant

Our goal is to have the queried domain name in the DNS logs, so that we can export it to a SIEM (via logexporter) and have the DNS request information, not only the connection.

We have some internal applications that try to access different services (rare or custom protocols), and URLF/APP CONTROL does not show that information, but if we could log that in the DNS, at least we could see the domain name requested.

Thanks

0 Kudos
jgarcias
Participant

Any tip on how to achieve that, @PhoneBoy?

0 Kudos
PhoneBoy
Admin

I thought there was an App Control signature that did this, but it doesn't appear there is one.
This is probably an RFE, but it might be worth a TAC case to confirm.

0 Kudos
liwo
Explorer

I'm looking to implement something similar - did you get anywhere with this?

0 Kudos