More Info:

Ensure that Cloud DNS has logging enabled.

Risk Level

Low

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of GCP DNS not having logging enabled, you can follow the below steps using the GCP console:
  1. Open the GCP console and navigate to the Cloud DNS page.
  2. Select the DNS zone that needs to have logging enabled.
  3. Click on the “Edit” button at the top of the page.
  4. In the “Logging” section, select the checkbox for “Log DNS queries”.
  5. Choose the destination for the logs. You can either select “Logs Explorer” or “Cloud Storage”.
  6. If you choose “Cloud Storage”, provide the bucket name and folder path where the logs will be stored.
  7. Click on the “Save” button to save the changes.
Once logging is enabled, DNS queries made to the DNS zone will be logged and can be viewed in the selected destination. This will help in identifying any potential security threats and troubleshooting DNS issues.

To remediate the misconfiguration of GCP DNS not having logging enabled, follow the below steps:
  1. Open the Google Cloud Console and select the project that needs to be remediated.
  2. Click on the Navigation menu and select “Logging” under the “Operations” section.
  3. Click on the “Log Exports” tab and then click on the “Create Export” button.
  4. In the “Create Export” window, select “Cloud Storage” as the sink destination.
  5. Select the Cloud Storage bucket where you want to store the logs.
  6. In the “Filter” section, select “Advanced Filter” and enter the following filter:
resource.type="dns_query"
  1. Click on the “Create” button to create the export.
  2. Now, go to the Cloud DNS page in the Google Cloud Console.
  3. Click on the name of the DNS zone that needs to be remediated.
  4. Click on the “Edit” button at the top of the page.
  5. In the “Logging” section, select the “Export to Cloud Logging” checkbox.
  6. Select the log export that was created in step 7 from the dropdown list.
  7. Click on the “Save” button to save the changes.
With these steps, the misconfiguration of GCP DNS not having logging enabled has been remediated. Now, all DNS queries will be logged and exported to the specified Cloud Storage bucket.
To remediate this misconfiguration, you can use the following steps in Python:
  1. Import the required libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2.types import LogMetric
from google.protobuf import duration_pb2
  1. Set up the client for the GCP project:
client = logging_v2.MetricsServiceV2Client()
project_id = "YOUR_PROJECT_ID"
project_name = f"projects/{project_id}"
  1. Define the log metric:
metric_name = "dns-logs"
metric_description = "DNS logs for GCP"
metric_filter = "resource.type=gce_instance AND logName=projects/YOUR_PROJECT_ID/logs/syslog AND textPayload: \"dns\""
metric_interval = duration_pb2.Duration(seconds=60)
metric = LogMetric(name=metric_name, description=metric_description, filter=metric_filter, interval=metric_interval)
  1. Create the log metric:
response = client.create_log_metric(project_name, metric)
  1. Verify that the log metric has been created:
print(f"Created metric {response.name}")
These steps will enable logging for DNS in GCP. You can modify the filter to include other log types as well.

Additional Reading: