DNS is one of the most powerful data sources to ingest into Splunk for analytics, whether to fulfil security or IT operations use cases or to gain insight into how your business operates. Just ask Ryan Kovar: if you could only choose one data source to put into Splunk, make it your DNS data.
Doing so is not always easy, particularly in a Microsoft Windows environment, and (let's be honest) it's highly likely that's what you run. Enabling DNS debug logging on the Windows DNS servers is an option, but it adds load to those servers and produces a text log that needs a lot of parsing work before it presents well in Splunk.
The newly published Splunk Essentials For Wire Data app showcases dozens of use cases that can be applied in your organisation based around wire data. One of the categories within this app is Network Resolution Analysis, which primarily focusses on DNS data. Examples included in the app are:
- Misconfigured DNS endpoints
- Detecting IOCs through DNS
- Detecting Dynamic DNS domains
- Detecting domain spoofing
- Resolution of sites outside the top 1 million
Each of these examples highlights the value of capturing DNS data using Splunk Stream in your environment and its relevance to security and IT operations use cases.
So how do you make this magic happen? Let's take a step-by-step run through the required configuration, shall we? We'll assume that you have a functioning Splunk environment and have the Splunk Stream app installed. If not, go check out "Installing and Managing Splunk Stream in a Distributed Environment" first for a step-by-step guide to installing Splunk Stream in a distributed environment.
Within the Splunk Stream app, select Configuration > Configure Streams.
The Configure Streams dashboard will display the default settings for protocol information to be collected.
Create a new stream for collecting the DNS details that you'd like to capture. Start by selecting the New Stream button, then Metadata Stream.
This will bring you into a workflow that allows you to configure the stream.
Select DNS as the protocol in the first step.
Once DNS is selected, give it a name and description with some context to help you to identify the data. Click Next.
On the aggregation step, ensure that No is selected for aggregation, then click Next. (You don't want aggregation because you want to see the individual DNS records.)
On the Fields screen, you'll select the fields (specific to DNS) that you want to collect and store in Splunk. Note that some, but not all, fields are selected by default.
Once you've selected the DNS fields that you'd like to collect, click Next.
You define filtering of the collected data on the Filters screen. The filters are based on the fields you selected on the previous screen. For instance, if you only wanted Stream to capture type "A" queries, you could define that here. Be deliberate about filters like that one, though: several of the security use cases above depend on the record types you would be throwing away. DNS tunnelling and exfiltration commonly ride on TXT, NULL and CNAME records, and IOC matches can turn up in any query type, so a filter that keeps only A records blinds those detections.
Filters are something that you may want to go back and tweak later, once you've collected data for a while and know what you have and what you'd like to keep (or discard).
After defining filters, select the Next button again to go to the Settings screen, where you'll define the destination index for your DNS data.
Select the destination index from the dropdown menu. If you want a dedicated index for DNS data, create it first under Settings > Indexes so that it appears in the dropdown.
After selecting the destination index, you can choose to save the configuration in Disabled mode if you're not quite ready to begin collecting data. You can also put it into Estimate mode to get an idea of how much data you'll be collecting once the configuration is enabled.
The Groups screen is where you have a decision to make: you select the forwarder group that this Stream configuration is deployed to, and that choice determines which DNS traffic you actually see.
Your first option is to deploy only to the Windows DNS servers in your environment. If you do so, ensure you have the Splunk Universal Forwarder deployed to those hosts and create a Stream group containing those servers. This option captures both the client queries arriving at the servers and the recursive queries the servers themselves send upstream, along with the responses to each. It requires no changes to your actual endpoints and gives you all of the resolution data that passes through those servers. The caveat is the flip side of the same statement: a client configured to use an external resolver directly never passes through them, so it never appears.
Your second option, if you want to collect DNS data from the Universal Forwarders on your endpoint machines without touching the DNS server infrastructure at all, is to create a new group and add those forwarders to it. This option lets you see the client-side DNS requests and responses. You won't see the requests generated by the DNS servers in your environment, or anything from endpoints that don't have a UF on them.
There are other options and architectures available to you using Splunk Stream, but we will cover those in subsequent blog posts. These include using a Stream forwarder that receives traffic from a network TAP or SPAN port, and leveraging Stream's ability to capture NetFlow or sFlow data.
Finally, click Create Stream to save your configuration. You're done!
If you've enabled the configuration, you should now be collecting DNS data. You can validate this by searching the destination index you selected for the stream.
You should be able to see beautiful JSON blobs of DNS transactions, with the fields you selected available on the left.
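Once those JSON events are flowing, the use cases listed at the top of the post are mostly straightforward logic over the fields you chose. The following is an added example, not code from the original post or from the Splunk Essentials for Wire Data app, showing two of them (misconfigured DNS endpoints and IOC matching) run over a handful of constructed events shaped like Stream's DNS output. The field names (src_ip, dest_ip, query, query_type, message_type, transaction_id), the approved-resolver set and the indicator list are assumptions for the example; check the field names against what your own search shows before reusing any of it. Note that the TXT-record hit would have been lost had the stream been filtered to A records only.

```python
"""Illustrative detections over Splunk Stream style DNS events.

Added example, not part of the original post or the Splunk Essentials
for Wire Data app. Field names below are assumed to match the JSON that
a Splunk Stream DNS metadata stream emits; verify against your data.
All event data is constructed, not captured from a real network.
"""
import json
from collections import defaultdict

# Constructed sample events (one JSON object per event, as Stream
# would index them). The RESPONSE event shows the server as src_ip.
SAMPLE_EVENTS = [
    '{"src_ip": "10.1.1.20", "dest_ip": "10.1.1.5", "query": "www.example.com", '
    '"query_type": "A", "message_type": "QUERY", "transaction_id": 4011}',
    '{"src_ip": "10.1.1.5", "dest_ip": "10.1.1.20", "query": "www.example.com", '
    '"query_type": "A", "message_type": "RESPONSE", "transaction_id": 4011, "reply_code": "No Error"}',
    '{"src_ip": "10.1.1.33", "dest_ip": "8.8.8.8", "query": "update.evil-domain.test", '
    '"query_type": "A", "message_type": "QUERY", "transaction_id": 1207}',
    '{"src_ip": "10.1.1.33", "dest_ip": "8.8.8.8", "query": "cdn.example.net", '
    '"query_type": "AAAA", "message_type": "QUERY", "transaction_id": 1208}',
    '{"src_ip": "10.1.1.20", "dest_ip": "10.1.1.5", "query": "evil-domain.test", '
    '"query_type": "TXT", "message_type": "QUERY", "transaction_id": 4012}',
    '{"src_ip": "10.1.1.41", "dest_ip": "10.1.1.5", "query": "mail.example.com", '
    '"query_type": "MX", "message_type": "QUERY", "transaction_id": 9001}',
]

# Assumed environment facts for the example: the sanctioned internal
# resolvers, and a small indicator list of known-bad domains.
APPROVED_RESOLVERS = {"10.1.1.5", "10.1.1.6"}
IOC_DOMAINS = {"evil-domain.test"}


def parse_events(raw_events):
    """Decode JSON lines into dicts, skipping anything that is not valid JSON."""
    events = []
    for line in raw_events:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def misconfigured_endpoints(events, approved=APPROVED_RESOLVERS):
    """Clients sending DNS queries to a resolver outside the approved set.

    Only QUERY messages are considered, so a server's RESPONSE (where the
    server is the src_ip) is not mistaken for a misconfigured client.
    Returns {client_ip: sorted list of unapproved resolver IPs}.
    """
    seen = defaultdict(set)
    for ev in events:
        if ev.get("message_type") != "QUERY":
            continue
        if ev.get("dest_ip") not in approved:
            seen[ev["src_ip"]].add(ev["dest_ip"])
    return {ip: sorted(dests) for ip, dests in seen.items()}


def domain_matches(query, ioc):
    """True if query is the IOC domain itself or any subdomain of it."""
    q = query.rstrip(".").lower()
    return q == ioc or q.endswith("." + ioc)


def ioc_hits(events, iocs=IOC_DOMAINS):
    """Queries of any record type that hit an indicator.

    Suffix matching rather than exact equality catches hosts such as
    update.evil-domain.test that a plain lookup would miss.
    Returns a sorted list of (src_ip, query, query_type, ioc) tuples.
    """
    hits = set()
    for ev in events:
        if ev.get("message_type") != "QUERY":
            continue
        for ioc in iocs:
            if domain_matches(ev.get("query", ""), ioc):
                hits.add((ev["src_ip"], ev["query"], ev.get("query_type"), ioc))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("Clients using unapproved resolvers:", misconfigured_endpoints(evs))
    print("IOC hits:", ioc_hits(evs))
```

In Splunk itself the equivalent would be a search over the DNS index with a lookup table for the resolvers and the indicators; the Python is just the logic laid bare so you can see what each use case needs from the fields you selected.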
Remember that Splunk offers a reduced-cost license for ingesting your DNS data (and NetFlow, too). This license allows you to ingest an individual sourcetype (DNS in our case) at a lower per-GB cost than your normal Splunk Enterprise license.
Why not head over to Splunkbase and download the new Splunk Essentials for Wire Data app, which showcases 49 example use cases across security, IT ops and fraud, all using data solely from Splunk Stream.