Splunking DNS using Splunk Stream – aka, the easy way | Splunk (2024)

DNS is one of the most powerful data sources to ingest into Splunk for analytics, whether to fulfil security or IT operations use cases or even to gain insight into the operations of your business. Just ask Ryan Kovar: if you could only choose one data source to put into Splunk, make it your DNS data.

Doing so is not always easy, particularly in a Microsoft Windows environment, and (let’s be honest) it’s highly likely that's what you run. Enabling DNS Debug mode is an option, but it incurs load on the servers and produces a dataset that needs a lot of work to present well in Splunk.

The newly published Splunk Essentials For Wire Data app showcases dozens of use cases that can be applied in your organisation based around wire data. One of the categories within this app is Network Resolution Analysis, which primarily focusses on DNS data. Examples included in the app are:

  • Misconfigured DNS endpoints
  • Detecting IOCs through DNS
  • Detecting Dynamic DNS domains
  • Detecting domain spoofing
  • Resolution of sites outside the top 1 million

Each of these examples highlights the value of capturing DNS data using Splunk Stream in your environment and its relevance to security and IT operations use cases.

So how do you make this magic happen? Let's take a step-by-step run through the required configuration. We'll assume that you have a functioning Splunk environment and have the Splunk Stream app installed. If not, go check out "Installing and Managing Splunk Stream in a Distributed Environment" first for a step-by-step guide on installing Splunk Stream in a distributed environment.

Within the Splunk Stream app, select Configuration > Configure Streams.

The Configure Streams dashboard will display the default settings for the protocol information to be collected.

Create a new stream for collecting the DNS details that you'd like to capture. Start by selecting the New Stream button, then Metadata Stream.

This will bring you into a workflow that allows you to configure the stream.

Select DNS as the protocol in the first step.

Once DNS is selected, give the stream a name and a description with some context to help you identify the data later. Click Next.

On the aggregation step, ensure that No is selected for aggregation, then click Next. (You don't want aggregation because you want to see the individual DNS records.)

On the Fields screen, you'll select the fields (specific to DNS) that you want to collect and store in Splunk. Note that some, but not all, fields are selected by default.

Once you've selected the DNS fields that you'd like to collect, click Next.

You define filtering of the collected data on the Filters screen. The filters are based on the fields you selected on the previous screen. For instance, if you only wanted Stream to capture data from type "A" queries, you could define that here.

Filters are something that you may want to go back and tweak later, once you've collected data for a while and know what you have and what you'd like to keep (or discard).

After defining filters, select the Next button again to go to the Settings screen, where you'll define the destination index for your DNS data.

Select the destination index from the dropdown menu. You can use a custom index here, after creating it under Settings > Indexes.

After selecting the destination index, you can choose to save the configuration in Disabled mode if you're not quite ready to begin collecting data. You can also put it into Estimate mode to get an idea of how much data you'll be collecting once the configuration is enabled.

The Groups screen is where you have a decision to make: here you select the group with which to associate the Stream configuration.

Your first option is to deploy to only the Windows DNS servers in your environment. If doing so, ensure you have the Splunk Universal Forwarder deployed to those hosts and create a Stream Group containing those servers. This option captures both client-side and server-side requests and responses. It can be done without touching any of your actual endpoints and will provide you with all DNS resolution data from your environment.

Your second option, if you want to collect DNS data from the distributed forwarders on your endpoint machines without touching the DNS server infrastructure at all, is to create a new group and add your forwarders to it. This option allows you to see the client-side DNS requests and responses. You won't see the requests generated by the DNS servers in your environment, or those from any endpoints that don't have a UF on them.

There are other options and architectures available to you using Splunk Stream, but we will cover those in subsequent blog posts. These include using a Stream forwarder receiving traffic from a network TAP or SPAN port, or leveraging Stream's ability to capture NetFlow or sFlow data.

Finally, click Create Stream to save your configuration. You're done!

Validation

If you've enabled the configuration, you should now be collecting DNS data. You can validate this by searching for:

sourcetype=stream:dns

You should be able to see beautiful JSON blobs of DNS transactions, with the extracted fields listed on the left.
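Here are a few searches that go one step beyond the single validation query, added as an example and not part of the original post. The first confirms that every host in your Stream group is actually producing events; the second shows the mix of response codes so you can sanity-check that both queries and responses are being captured; the third is a simple starting point for the kind of analytics the Wire Data app describes, flagging clients that trigger an unusual number of NXDomain responses in a short window (a common symptom of misconfigured endpoints or of malware probing for domains). The field names (host, message_type, reply_code, query, src_ip) are the ones Splunk Stream exposes in its DNS vocabulary; index=dns assumes you created a custom index of that name in the Settings step, the NXDomain spelling is the reply_code value as Stream reports it, and the threshold of 200 is a placeholder to tune against your own volume.

```spl
| tstats count where index=dns sourcetype=stream:dns by host _time span=1h
| timechart span=1h sum(count) by host

index=dns sourcetype=stream:dns message_type=RESPONSE
| stats count by reply_code
| sort - count

index=dns sourcetype=stream:dns message_type=RESPONSE reply_code=NXDomain
| bin _time span=15m
| stats count AS nxdomain_count dc(query) AS distinct_names by _time src_ip
| where nxdomain_count > 200
| sort - nxdomain_count
```

Run each search on its own. Before relying on the third one, open a sample RESPONSE event and check whether the client address appears in src_ip or dest_ip in your capture (it depends on the direction of the packet Stream recorded), and swap the field if needed. A high nxdomain_count paired with a high distinct_names count is the more interesting signal, since a single misbehaving application tends to repeat the same few names.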

Remember that Splunk offers a reduced-cost license to ingest your DNS data (NetFlow, too!), which you can read more about here. This license allows you to ingest an individual sourcetype (DNS in our case) at a lower per-GB cost than your normal Splunk Enterprise license.

What Next?!

Why not head over to Splunkbase and download the new Splunk Essentials for Wire Data app, which showcases 49 example use cases, across security, IT ops and fraud, all using data solely from Splunk Stream. Grab it here.

Credit to Steve Brant and David Veuve for creating much of this content, which is also available in the Splunk Security Essentials app Data Onboarding Guides.

Simon O'Brien

I am a passionate Splunker, traveller, family man, cook, basketballer, social advocate and security professional. I have the best job in the world, and live in the best place in the world.
