GCP DNS Should Have Logging Enabled

More Info:

Ensure that Cloud DNS has logging enabled.

Risk Level

Low

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of GCP DNS not having logging enabled, follow the below steps:

Open the Google Cloud Console and select the project that needs to be remediated.
Click on the Navigation menu and select “Logging” under the “Operations” section.
Click on the “Log Exports” tab and then click on the “Create Export” button.
In the “Create Export” window, select “Cloud Storage” as the sink destination.
Select the Cloud Storage bucket where you want to store the logs.
In the “Filter” section, select “Advanced Filter” and enter the following filter:

resource.type="dns_query"

Click on the “Create” button to create the export.
Now, go to the Cloud DNS page in the Google Cloud Console.
Click on the name of the DNS zone that needs to be remediated.
Click on the “Edit” button at the top of the page.
In the “Logging” section, select the “Export to Cloud Logging” checkbox.
Select the log export that was created in step 7 from the dropdown list.
Click on the “Save” button to save the changes.

With these steps, the misconfiguration of GCP DNS not having logging enabled has been remediated. Now, all DNS queries will be logged and exported to the specified Cloud Storage bucket.

Using Python

To remediate this misconfiguration, you can use the following steps in Python:

Import the required libraries:

from google.cloud import logging_v2
from google.cloud.logging_v2.types import LogMetric
from google.protobuf import duration_pb2

Set up the client for the GCP project:

client = logging_v2.MetricsServiceV2Client()
project_id = "YOUR_PROJECT_ID"
project_name = f"projects/{project_id}"

Define the log metric:

metric_name = "dns-logs"
metric_description = "DNS logs for GCP"
metric_filter = "resource.type=gce_instance AND logName=projects/YOUR_PROJECT_ID/logs/syslog AND textPayload: \"dns\""
metric_interval = duration_pb2.Duration(seconds=60)
metric = LogMetric(name=metric_name, description=metric_description, filter=metric_filter, interval=metric_interval)

Create the log metric:

response = client.create_log_metric(project_name, metric)

Verify that the log metric has been created:

print(f"Created metric {response.name}")

These steps will enable logging for DNS in GCP. You can modify the filter to include other log types as well.

Additional Reading:

https://cloud.google.com/dns/docs/monitoring

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

GCP DNS Should Have Logging Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: