usa cyber flag

As many know, the US Cyber Command issued a recent emergency directive for DNS Infrastructure Tampering.

While much of the directive relates to validating organisational DNS, password and MFA settings, one key aspect of the directive discusses the monitoring and management of authorised and unauthorised changes to the DNS environment. In order to meet this requirement, adequate logging should be in place to monitor changes to the DNS settings, and log data should include date/time information as well as information on who is making the changes. Snare can help meet this requirement in several ways.

The Snare enterprise agents can track all access and modification to the DNS settings on Windows and Unix systems.

The key aspects of the logs that can be collected are:

  • All user authentication activity. If the user logs into the system either from the local console, Active Directory, or via ssh on Unix then Snare can collect the relevant operating system audit events or kernel events to show that a specific user logged into the system. This data will include the source IP, authentication type, relevant success and failure of the attempt and the date and time stamp of the activity.
    • Microsoft has technical articles on how to configure your audit policy to generate the specific events both on legacy 2003 and newer 2008R2, 2012R2, 2016 and 2019 systems that support advanced audit policies.
    • All the events are quite detailed, and include:
      • Who made the changes,
      • What the changes were,
      • What zones were affected and obviously,
      • When these changes occurred.
  • The Microsoft custom event logs on Windows 2008R2, 2012R2, 2016 and 2019 also include DNS Server and DNS client eventlog categories. The Snare agent will collect these using the default objectives. The events collected show additional changes to the DNS records that can occur through either manual or dynamic updates associated with Active Directory DNS and zone files. A summary of the event types are:
    • 512, 513,514,515,516 – ZONE_OP – These can be part of major updates and changes to the zone files.
    • 519,520 DYNAMIC_UPDATE
    • 536 CACHE_OP
    • 537,540,541 Configuration – these events will be the areas of main concern with systems changes.
    • 556 SERVER_OP
    • 561 ZONE_OP
  • The Snare agent for windows will collect DNS Server logs as part of the default configuration.
  • As part of the installation process, the Windows agent can be told to manage the configuration of the Windows audit subsystem, to ensure that it generates the relevant administrative events.  Alternatively, the Snare for Windows agent can be configured to be subservient to manually configured local policy or group policy settings. It should be noted that unless the associated audit subsystem is appropriately configured, events may not be delivered to the Snare for Windows agent, for processing.
  • For Unix systems the the DNS files are usually flat text files.  The Snare Linux agent can use two aspects to monitor the files
    • File watches: The agent can be configured to watch for any and all changes to specific files related to DNS configuration settings, and will raise kernel audit events on access or modification, including details of who accessed/changed the file, and date/time information associated with the event. On Linux  systems, configuration files related to bind, dnsmasq or other DNS server tools may be monitored.
    • The default administrative Objectives for the Linux agent, track all user logins, administrative activity, an privileged commands. File watches are also configured for for changes to the /etc directory, which hosts system level configuration files for the operating system.
  • File Integrity Monitoring – The Snare Linux agent can also perform sha512 checksum operations on system configuration files, such as DNS configuration files, in order to watch for changes. This will track all new files, changes to files or deletion of files and directories being monitored. These events dont show who did the change but will track the actual changes and permission changes to files. The FIM monitoring can be run on a configurable schedule (eg: once per hour or once per day) depending on the level of granularity wanted.
  • Once the logs have been generated then its up to the SIEM and reporting systems to provide reports or alerts relating to the changes. Snare offers two complimentary method for this:
    • Snare Central – this can provide objective reports looking for the specific event IDs and produce a report in tabular format as well as graph and pie charts of the activity. These can be emailed out on any schedule needed to include the PDF report, CSV and text output as needed.
  • Snare Advanced Analytics – For this we can provide a a view of changes that occur in the system and update the dashboard in near real time as the logs are being collected.
  • As part of normal operations all changes should be validated as part of approved activity as per your normal operating procedures and anything that is not approved would be escalated as a incident for investigation.

If your organisation needs help in this area and you would like more information, please contact our friendly sales team at for a chat on how we can help your business achieve a more effective and efficient CISA DNS monitoring solution.

Steve Challans

Chief Information Security Officer