More Info:
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address. Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and
Note: For full capture of DNS, the firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent clients from using an external DNS name server for resolution.
Risk Level: Medium
Address: Security
Compliance Standards: CIS GCP
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure Cloud DNS Logging Is Enabled For All VPC Networks” for GCP using GCP console, follow these steps:
- Open the GCP Console and select the project where you want to enable DNS logging.
- In the left-hand navigation menu, click on “Network services” and then click on “Cloud DNS”.
- Click on the checkbox next to the DNS zone for which you want to enable logging.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Logging” section and click on the “Enable” button.
- Select the “Logs” tab and choose the logs you want to enable.
- Click on the “Save” button to save your changes.
- Repeat steps 3-7 for each DNS zone in your project.
Using CLI
To remediate the misconfiguration “Ensure Cloud DNS Logging Is Enabled For All VPC Networks” for GCP using the GCP CLI, follow these steps:
- Open the Google Cloud Console and select the project where the VPC networks are located.
- Open the Cloud Shell by clicking on the icon in the top right corner of the console.
- Run the following command to enable Cloud DNS logging for all managed zones in the project:
gcloud dns managed-zones list --format="value(name)" | xargs -I {} gcloud dns managed-zones update {} --log-dns-queries
This command lists the names of all managed zones in the project (the --format flag returns only the name column, so the table header is not passed on as a zone name) and runs gcloud dns managed-zones update with the --log-dns-queries flag on each one to enable Cloud DNS logging.
- Verify that Cloud DNS logging has been enabled by running the following command for each zone:
gcloud dns managed-zones describe [MANAGED_ZONE_NAME]
Replace [MANAGED_ZONE_NAME] with the name of the managed zone you want to verify. Look for the dnsQueriesLogMode field in the output, which should be set to ALL.
Using Python
To remediate this misconfiguration in GCP using Python, follow these steps:
- Import the necessary libraries and authenticate with GCP:
- Get a list of all VPC networks in the project:
- For each VPC network, check if logging is enabled for Cloud DNS:
- Save the script and run it to enable Cloud DNS logging for all VPC networks in the project.
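The audit and remediation the steps above describe, as an added example that is not the page's own code: it checks each VPC network against the project's Cloud DNS policies (the DNS API `policies` resource, whose `enableLogging` field is what attaches query logging to a VPC network) and emits a `gcloud dns policies create` or `update` command for every network that is not covered. It runs offline on constructed API responses for a hypothetical project `my-proj`; with credentials the two dicts would come from `googleapiclient` calls to `compute.networks().list` and `dns.policies().list`, and the policy names `prod-dns` and `dev-dns` are likewise made up for the sample.

```python
# Added example (not the page's own code): audit VPC networks against Cloud DNS
# policies (field enableLogging) and build the gcloud remediation for each gap.
from typing import Dict, List

# Constructed sample shaped like compute.networks().list() for project "my-proj".
BASE = "https://www.googleapis.com/compute/v1/projects/my-proj/global/networks/"
NETWORKS = {"items": [{"name": n, "selfLink": BASE + n}
                      for n in ("default", "prod-vpc", "dev-vpc")]}

# Constructed sample shaped like dns.policies().list(): prod-vpc is logged,
# dev-vpc sits on a policy without logging, default has no policy at all.
POLICIES = {"policies": [
    {"name": "prod-dns", "enableLogging": True,
     "networks": [{"networkUrl": BASE + "prod-vpc"}]},
    {"name": "dev-dns", "enableLogging": False,
     "networks": [{"networkUrl": BASE + "dev-vpc"}]},
]}

def _key(url: str) -> str:
    # Compare on the trailing projects/.../networks/NAME part so full v1 URLs
    # and relative resource paths resolve to the same network.
    return url.split("projects/", 1)[-1]

def audit_dns_logging(networks: Dict, policies: Dict) -> Dict[str, str]:
    """Return {network name: attached policy name or ""} for every network
    that is NOT covered by a DNS policy with enableLogging=True."""
    logged, attached = set(), {}
    for p in policies.get("policies", []):
        for n in p.get("networks", []):
            attached[_key(n["networkUrl"])] = p["name"]
            if p.get("enableLogging"):
                logged.add(_key(n["networkUrl"]))
    return {n["name"]: attached.get(_key(n["selfLink"]), "")
            for n in networks.get("items", []) if _key(n["selfLink"]) not in logged}

def remediation_commands(findings: Dict[str, str]) -> List[str]:
    # A VPC network can be attached to only one DNS policy, so an existing
    # policy is updated in place instead of creating a second one for it.
    cmds = []
    for net, policy in sorted(findings.items()):
        if policy:
            cmds.append(f"gcloud dns policies update {policy} --enable-logging")
        else:
            cmds.append(f"gcloud dns policies create dns-logging-{net} "
                        f"--networks={net} --enable-logging "
                        f"--description='DNS query logging for {net}'")
    return cmds

if __name__ == "__main__":  # run stand-alone to print the plan for the sample
    print("\n".join(remediation_commands(audit_dns_logging(NETWORKS, POLICIES))))
```

Review the generated commands before running them; the `update` path preserves the existing policy's other settings, while `create` adds a new logging-only policy for a network that had none.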