π Google GCE Network DNS Policy Logging is not enabled π’
- Contextual name: π GCE Network DNS Policy Logging is not enabled π’
- ID:
/ce/ca/google/vpc/network-dns-policy-logging - Located in: π Google VPC
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Similar Policiesβ
- Cloud Conformity
Logicβ
- π§ prod.logic.yaml π’
Descriptionβ
Descriptionβ
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.
Rationaleβ
Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that can obscure the DNS name used by a client from the IP address. Monitoring of Cloud DNS logs provides visibility to DNS names requested by the clients within the VPC. These logs can be monitored for anomalous domain names, evaluated against threat intelligence.
Note: For full capture of DNS, firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent client from using external DNS name server for resolution.
Impactβ
Enabling of Cloud DNS logging might result in your project being charged for the additional logs usage.
Auditβ
From Google Cloud CLIβ
- List all VPCs networks in a project:
... see more
Remediationβ
Remediationβ
From Google Cloud CLIβ
Add New DNS Policy With Logging Enabledβ
For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS Logging" --networks=VPC_NETWORK_NAMEThe VPC_NETWORK_NAME can be one or more networks in comma-separated list
Enable Logging for Existing DNS Policyβ
For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAMEThe VPC_NETWORK_NAME can be one or more networks in comma-separated list
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ CIS GCP v3.0.0 β πΌ 2.12 Ensure That Cloud DNS Logging Is Enabled for All VPC Networks - Level 1 (Automated) | 1 | |||
| πΌ Cloudaware Framework β πΌ Logging and Monitoring Configuration | 49 |