πŸ“ Google GCE Network DNS Policy Logging is not enabled 🟒

  • Contextual name: πŸ“ GCE Network DNS Policy Logging is not enabled 🟒
  • ID: /ce/ca/google/vpc/network-dns-policy-logging
  • Located in: πŸ“ Google VPC

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Logic

Description

Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Rationale

Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially given the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client behind an IP address. Monitoring Cloud DNS logs provides visibility into the DNS names requested by clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence.

Note: For full capture of DNS, the firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent clients from using an external DNS name server for resolution.

Impact

Enabling of Cloud DNS logging might result in your project being charged for the additional logs usage.

Audit

From Google Cloud CLI
  1. List all VPC networks in a project:

Remediation

From Google Cloud CLI

Add New DNS Policy With Logging Enabled

For each VPC network that needs a DNS policy with logging enabled:

gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS Logging" --networks=VPC_NETWORK_NAME

VPC_NETWORK_NAME can be one network or several networks in a comma-separated list.

Enable Logging for Existing DNS Policy

For each VPC network that has an existing DNS policy that needs logging enabled:

gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME

VPC_NETWORK_NAME can be one network or several networks in a comma-separated list.
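The audit and the two remediation commands above can be driven from the JSON that gcloud prints. The following script is an added example (not Cloudaware's or Google's own code): it takes the output of `gcloud compute networks list --format=json` and `gcloud dns policies list --format=json`, classifies every VPC network as having no DNS policy, a policy without logging, or a logging-enabled policy, and emits the matching create or update command. The field names it relies on (`name` on networks; `name`, `enableLogging` and `networks[].networkUrl` on policies) are assumptions taken from the Cloud DNS API, not from this page, and the embedded sample data is constructed.

```python
"""Audit Cloud DNS query logging per VPC network and plan the fix.

Added example, not Cloudaware's or Google's own code. It reads the JSON that
`gcloud compute networks list --format=json` and
`gcloud dns policies list --format=json` print and, for every network, decides
whether a logging-enabled policy must be created or an existing policy must be
updated, i.e. which of the two Remediation commands applies.
Assumed (from the Cloud DNS API, not from this page): networks carry `name`,
and policies carry `name`, `enableLogging` and `networks[].networkUrl`.
"""
import json
import subprocess
import sys
from typing import Dict, List

# Constructed sample output; the network URLs use a placeholder project id.
_URL = "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/"
SAMPLE_NETWORKS = json.dumps([
    {"name": "default", "selfLink": _URL + "default"},        # no DNS policy at all
    {"name": "prod-vpc", "selfLink": _URL + "prod-vpc"},      # policy exists, logging off
    {"name": "shared-vpc", "selfLink": _URL + "shared-vpc"},  # same policy as prod-vpc
    {"name": "dev-vpc", "selfLink": _URL + "dev-vpc"},        # policy with logging on
])
SAMPLE_POLICIES = json.dumps([
    {"name": "prod-policy", "enableLogging": False,
     "networks": [{"networkUrl": _URL + "prod-vpc"}, {"networkUrl": _URL + "shared-vpc"}]},
    {"name": "dev-policy", "enableLogging": True,
     "networks": [{"networkUrl": _URL + "dev-vpc"}]},
])


def network_name(url: str) -> str:
    """Last path segment of a network selfLink or policy networkUrl."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def audit(networks_json: str, policies_json: str) -> Dict[str, str]:
    """Map each VPC network name to one of
    'logging-enabled', 'policy-without-logging' or 'no-policy'."""
    policy_for: Dict[str, dict] = {}
    for pol in json.loads(policies_json):
        for net in pol.get("networks", []):
            policy_for[network_name(net["networkUrl"])] = pol  # one policy per network
    status: Dict[str, str] = {}
    for net in json.loads(networks_json):
        pol = policy_for.get(net["name"])
        if pol is None:
            status[net["name"]] = "no-policy"
        elif pol.get("enableLogging", False):
            status[net["name"]] = "logging-enabled"
        else:
            status[net["name"]] = "policy-without-logging"
    return status


def remediation_commands(networks_json: str, policies_json: str,
                         new_policy_name: str = "enable-dns-logging") -> List[str]:
    """Return the gcloud commands that bring every audited network into
    compliance, built from the two commands in the Remediation section."""
    status = audit(networks_json, policies_json)
    commands: List[str] = []
    # Networks with no policy: one new logging-enabled policy covers all of them.
    missing = sorted(n for n, s in status.items() if s == "no-policy")
    if missing:
        commands.append(f"gcloud dns policies create {new_policy_name} --enable-logging "
                        f'--description="Enable DNS Logging" --networks={",".join(missing)}')
    # Existing policies with logging off: update each once, passing its complete
    # network list so --networks (which replaces the list) detaches nothing.
    for pol in json.loads(policies_json):
        attached = [network_name(n["networkUrl"]) for n in pol.get("networks", [])]
        if pol.get("enableLogging", False):
            continue
        if not any(status.get(a) == "policy-without-logging" for a in attached):
            continue
        commands.append(f"gcloud dns policies update {pol['name']} --enable-logging "
                        f"--networks={','.join(attached)}")
    return commands


def main() -> int:
    """Run the audit against the active gcloud project; exit 1 if work remains."""
    def gcloud(*args: str) -> str:
        return subprocess.run(["gcloud", *args, "--format=json"],
                              check=True, capture_output=True, text=True).stdout
    nets, pols = gcloud("compute", "networks", "list"), gcloud("dns", "policies", "list")
    for name, state in sorted(audit(nets, pols).items()):
        print(f"{name}: {state}")
    commands = remediation_commands(nets, pols)
    for cmd in commands:
        print("TODO:", cmd)
    return 1 if commands else 0


if __name__ == "__main__":
    sys.exit(main())
```

The script only prints the commands rather than executing them, so the output can be reviewed before anything changes. Networks without any policy are grouped into a single new policy, and an existing policy is updated with its full network list: with the update command shown on the page, --networks replaces the attached set, so passing only the non-compliant network would detach the others.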

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS GCP v1.2.0 → 💼 2.12 Ensure that Cloud DNS logging is enabled for all VPC networks - Level 1 (Automated _ Roadmapped)1
💼 CIS GCP v1.3.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1
💼 CIS GCP v2.0.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1
💼 CIS GCP v3.0.0 → 💼 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated)1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration59
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62030
💼 FedRAMP High Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)118
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)24
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)230
💼 FedRAMP Moderate Security Controls → 💼 AU-7 Audit Record Reduction and Report Generation (M)(H)118
💼 ISO/IEC 27001:2022 → 💼 5.25 Assessment and decision on information security events13
💼 NIST CSF v1.1 → 💼 DE.AE-2: Detected events are analyzed to understand attack targets and methods1823
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1632
💼 NIST CSF v1.1 → 💼 RS.AN-1: Notifications from detection systems are investigated1823
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities31
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources46
💼 NIST CSF v2.0 → 💼 RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17
💼 NIST CSF v2.0 → 💼 RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18
💼 NIST CSF v2.0 → 💼 RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18
💼 NIST CSF v2.0 → 💼 RS.MA-02: Incident reports are triaged and validated24
💼 NIST SP 800-53 Revision 5 → 💼 AU-6 Audit Record Review, Analysis, and Reporting10111
💼 NIST SP 800-53 Revision 5 → 💼 AU-7 Audit Record Reduction and Report Generation2118
💼 PCI DSS v3.2.1 → 💼 10.6.1 Review security events and critical system component logs at least daily.2
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.5
💼 PCI DSS v3.2.1 → 💼 10.6.3 Follow up exceptions and anomalies identified during the review process.2
💼 PCI DSS v4.0.1 → 💼 10.4.1 The audit logs are reviewed at least once daily.12
💼 PCI DSS v4.0.1 → 💼 10.4.1.1 Automated mechanisms are used to perform audit log reviews.2
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.15
💼 PCI DSS v4.0.1 → 💼 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis.2
💼 PCI DSS v4.0.1 → 💼 10.4.3 Exceptions and anomalies identified during the review process are addressed.2
💼 PCI DSS v4.0 → 💼 10.4.1 The audit logs are reviewed at least once daily.12
💼 PCI DSS v4.0 → 💼 10.4.1.1 Automated mechanisms are used to perform audit log reviews.2
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.15
💼 PCI DSS v4.0 → 💼 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis.2
💼 PCI DSS v4.0 → 💼 10.4.3 Exceptions and anomalies identified during the review process are addressed.2
💼 SOC 2 → 💼 CC4.1-1 Considers a Mix of Ongoing and Separate Evaluations2
💼 SOC 2 → 💼 CC4.1-2 Considers Rate of Change2
💼 SOC 2 → 💼 CC4.1-3 Establishes Baseline Understanding2
💼 SOC 2 → 💼 CC4.1-4 Uses Knowledgeable Personnel2
💼 SOC 2 → 💼 CC4.1-5 Integrates With Business Processes2
💼 SOC 2 → 💼 CC4.1-6 Adjusts Scope and Frequency2
💼 SOC 2 → 💼 CC4.1-7 Objectively Evaluates2
💼 SOC 2 → 💼 CC4.1-8 Considers Different Types of Ongoing and Separate Evaluations2
💼 SOC 2 → 💼 CC7.3-1 Responds to Security Incidents2
💼 SOC 2 → 💼 CC7.3-2 Communicates and Reviews Detected Security Events2
💼 SOC 2 → 💼 CC7.3-3 Develops and Implements Procedures to Analyze Security Incidents2
💼 SOC 2 → 💼 CC7.3-4 Assesses the Impact on Confidential Information2
💼 SOC 2 → 💼 CC7.3-5 Determines Confidential Information Used or Disclosed2