More Info:

Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address. Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names, evaluated against threat intelligence, and Note: For full capture of DNS, firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Cloud DNS Logging Is Enabled For All VPC Networks” for GCP using GCP console, follow these steps:
  1. Open the GCP Console and select the project where you want to enable DNS logging.
  2. In the left-hand navigation menu, click on “Network services” and then click on “Cloud DNS”.
  3. Click on the checkbox next to the DNS zone for which you want to enable logging.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Logging” section and click on the “Enable” button.
  6. Select the “Logs” tab and choose the logs you want to enable.
  7. Click on the “Save” button to save your changes.
  8. Repeat steps 3-7 for each DNS zone in your project.
By following these steps, you will enable Cloud DNS logging for all VPC networks in your GCP project.

To remediate the misconfiguration “Ensure Cloud DNS Logging Is Enabled For All VPC Networks” for GCP using GCP CLI, you can follow the below steps:
  1. Open the Google Cloud Console and select the project where the VPC networks are located.
  2. Open the Cloud Shell by clicking on the icon on the top right corner of the console.
  3. Run the following command to enable Cloud DNS logging for all VPC networks in the project: gcloud dns managed-zones list | awk '{print "gcloud dns managed-zones update "$1" --log-dns-queries";}' | grep -v "LOGGING" | bash This command will list all the managed zones in the project, and then update each managed zone with the --log-dns-queries flag to enable Cloud DNS logging.
  4. Verify that Cloud DNS logging has been enabled for all VPC networks by running the following command: gcloud dns managed-zones describe [MANAGED_ZONE_NAME] Replace [MANAGED_ZONE_NAME] with the name of the managed zone you want to verify. Look for the dnsQueriesLogMode field in the output, which should be set to ALL.
By following the above steps, you can remediate the misconfiguration “Ensure Cloud DNS Logging Is Enabled For All VPC Networks” for GCP using GCP CLI.
To remediate this misconfiguration in GCP using Python, follow these steps:
  1. Import the necessary libraries and authenticate with GCP:
from google.cloud import dns
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('/path/to/credentials.json')
client = dns.Client(project='your-project-id', credentials=credentials)
  1. Get a list of all VPC networks in the project:
networks = client.list_networks()
  1. For each VPC network, check if logging is enabled for Cloud DNS:
for network in networks:
    dns_settings = network.dns_settings
    if dns_settings:
        if not dns_settings.logging_enabled:
            dns_settings.logging_enabled = True
            network.update()
  1. Save the script and run it to enable Cloud DNS logging for all VPC networks in the project.
Note: Make sure to replace ‘your-project-id’ with the actual ID of your GCP project, and ‘/path/to/credentials.json’ with the actual path to your service account credentials file.

Additional Reading: