DNS Query Logs Integration
Overview
DNS query logs provide visibility into domain resolution activity across your network. KYRA MDR collects DNS logs to detect DNS tunneling, domain-generation-algorithm (DGA) domains, command-and-control (C2) communications, and data exfiltration. Supported servers: BIND, Microsoft DNS, Unbound, and Pi-hole.
Prerequisites
- A KYRA MDR Collector installed and running
- DNS server with query logging capability
- Network connectivity from the DNS server to the collector
- Sufficient storage for DNS log volume
Configuration
Configure query logging on the DNS server, then forward the syslog stream it produces to the collector.

For BIND (named), define a syslog channel and route the queries category to it. Assigning a channel to the queries category turns query logging on. That category carries query lines only; zone-transfer and DNSSEC validation events are logged under the xfer-in, xfer-out and dnssec categories and must be routed to the same channel to populate those rows of the table below.

```
logging {
    channel kyra-mdr {
        syslog local6;      // facility matched by the rsyslog rule below
        severity info;
        print-time yes;     // syslog stamps each line itself, so this is redundant for a syslog channel
    };
    category queries { kyra-mdr; };
};
```

For Unbound:

```
server:
    log-queries: yes    # one line per query: client, name, type, class
    log-replies: yes    # one line per reply, adding the response code (NXDOMAIN, SERVFAIL, ...), resolution time, cache flag and answer size
    use-syslog: yes
```

Unbound writes to the daemon syslog facility rather than local6, so the facility rule below does not pick up its lines; forward them with an rsyslog filter on the program name (`:programname, isequal, "unbound"`) pointing at the same collector.

Forward via rsyslog (`@@` is TCP; a single `@` would send over UDP and drop lines under load):

```
local6.* @@<collector-ip>:514
```

Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Queries | DNS query requests | Domain monitoring, DGA detection |
| Responses | DNS response data | DNS spoofing detection |
| NXDOMAIN | Non-existent domain responses | DGA and typosquat detection |
| Zone Transfers | AXFR/IXFR events | Unauthorized zone access |
| DNSSEC | Validation success and failure | DNS integrity monitoring |
| Recursive | Recursive resolution events | DNS abuse detection |
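The table above names the signals; the following added example (written for this page, not KYRA MDR's detection logic or any code from the project) shows what those signals look like in raw BIND and Unbound syslog lines and how a first-pass triage over them works. It parses both line formats, scores the character entropy of the registrable label to flag DGA-style names, treats a single label long enough to carry encoded payload (or a long TXT/NULL query) as tunneling, and counts NXDOMAIN replies per client. The sample lines, the thresholds and the entropy heuristic are assumptions made for the example, and the registrable-label guess ignores multi-label public suffixes such as co.uk.

```python
"""Heuristic triage of DNS query logs: DGA names, tunneling, NXDOMAIN bursts.

Added example, not KYRA MDR's detection logic. Line formats are BIND 9's
"queries" category and Unbound's log-queries / log-replies output; the sample
lines and thresholds are constructed for this example.
"""
import math
import re
from collections import Counter

# BIND 9 queries-category line (the "@0x..." client pointer appears in 9.11+).
BIND_QUERY = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) \S+"
)
# Unbound: "info: <client> <qname> <qtype> <class>" from log-queries, with
# "<rcode> <seconds> <from_cache> <bytes>" appended by log-replies.
UNBOUND_LINE = re.compile(
    r"unbound\[[^\]]+\] info: (?P<ip>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
    r"(?: (?P<rcode>[A-Z]+) \S+ [01] \d+)?$"
)

# Thresholds are assumptions for this example, not product defaults.
DGA_MIN_ENTROPY = 3.5  # bits per character of the registrable label
DGA_MIN_LEN = 10
TUNNEL_MAX_LABEL = 30  # nobody types a 30-character label by hand
TUNNEL_MAX_NAME = 40   # for TXT/NULL, the types tunnels favour for wide payloads
NXDOMAIN_BURST = 3     # NXDOMAIN replies per client within the lines analysed

# Constructed sample syslog lines (not captured traffic): normal clients,
# one DGA client (10.0.0.7) and one tunneling client (10.0.0.9).
SAMPLE_LOG = """\
Mar 10 12:00:01 ns1 named[812]: client @0x7f2a1c0045e0 10.0.0.5#53412 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.1)
Mar 10 12:00:02 ns1 named[812]: client @0x7f2a1c0045e0 10.0.0.5#53413 (mail.example.com): query: mail.example.com IN MX -E(0) (10.0.0.1)
Mar 10 12:00:03 ns1 named[812]: client @0x7f2a1c0045e0 10.0.0.7#40021 (kq3x9zv1wbo7lm.net): query: kq3x9zv1wbo7lm.net IN A -E(0) (10.0.0.1)
Mar 10 12:00:04 ns1 named[812]: client @0x7f2a1c0045e0 10.0.0.9#51000 (2f6e3c5d8a9b1c0d7e4f3a2b1c0d9e8f7a6b5c4d.t.evil-tunnel.example): query: 2f6e3c5d8a9b1c0d7e4f3a2b1c0d9e8f7a6b5c4d.t.evil-tunnel.example IN TXT -E(0) (10.0.0.1)
Mar 10 12:00:05 res1 unbound[2210:0] info: 10.0.0.7 a1b2c3d4e5f6g7h8.org. A IN NXDOMAIN 0.021343 0 63
Mar 10 12:00:05 res1 unbound[2210:0] info: 10.0.0.7 p0o9i8u7y6t5r4e3.org. A IN NXDOMAIN 0.019001 0 63
Mar 10 12:00:06 res1 unbound[2210:0] info: 10.0.0.7 z1x2c3v4b5n6m7l8.org. A IN NXDOMAIN 0.020117 0 63
Mar 10 12:00:06 res1 unbound[2210:0] info: 10.0.0.5 www.example.com. A IN NOERROR 0.000000 1 55
Mar 10 12:00:07 res1 unbound[2210:0] info: 10.0.0.5 ntp.example.com. A IN
"""


def parse_line(line):
    """Return {ip, qname, qtype, rcode} or None if the line is not a DNS log line."""
    m = BIND_QUERY.search(line)
    if m:
        # BIND's queries category logs requests only, so the rcode is unknown.
        return {"ip": m["ip"], "qname": m["qname"].rstrip(".").lower(),
                "qtype": m["qtype"], "rcode": None}
    m = UNBOUND_LINE.search(line)
    if m:  # rcode is None for log-queries lines, set for log-replies lines
        return {"ip": m["ip"], "qname": m["qname"].rstrip(".").lower(),
                "qtype": m["qtype"], "rcode": m["rcode"]}
    return None


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    """Label left of the TLD. Crude: 'example.co.uk' yields 'co'."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_dga(qname):
    label = registrable_label(qname)
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def looks_tunnel(qname, qtype):
    if max(len(label) for label in qname.split(".")) >= TUNNEL_MAX_LABEL:
        return True
    return qtype in {"TXT", "NULL"} and len(qname) >= TUNNEL_MAX_NAME


def analyze(log_text):
    """Run all three heuristics over a block of syslog lines."""
    findings = {"dga": [], "tunnel": [], "nxdomain_bursts": {}}
    nx_per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if looks_dga(rec["qname"]):
            findings["dga"].append((rec["ip"], rec["qname"]))
        if looks_tunnel(rec["qname"], rec["qtype"]):
            findings["tunnel"].append((rec["ip"], rec["qname"]))
        if rec["rcode"] == "NXDOMAIN":
            nx_per_client[rec["ip"]] += 1
    findings["nxdomain_bursts"] = {ip: n for ip, n in nx_per_client.items()
                                   if n >= NXDOMAIN_BURST}
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```

On the sample, the BIND lines alone are enough to flag the DGA name and the tunnel query, but the NXDOMAIN burst from 10.0.0.7 is only visible in the Unbound reply lines: BIND's queries category never records the response code, which is why the table's NXDOMAIN row needs either Unbound's log-replies or BIND's query-errors category.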
Troubleshooting
No query logs: query logging is disabled by default on most servers. In BIND, routing the queries category to a channel (as above) enables it; `rndc querylog` toggles it at runtime and `rndc status` reports whether it is on. In Unbound, log-queries and log-replies both default to no.
High volume: a busy resolver produces millions of query lines per day, and Unbound's own documentation warns that log-queries slows the server. Filter at the forwarder by query type (for example, drop PTR or SRV queries you do not need) but keep TXT and NULL queries and NXDOMAIN replies, which carry the tunneling and DGA signal.
Syslog forwarding: check that the facility used by the BIND channel (local6 above) is not discarded by an earlier rsyslog rule (a `stop` or `~` action) before the forwarding rule is reached. The local6 rule covers BIND only: Unbound logs under the daemon facility, so its lines need a rule matching the unbound program name. Use `@@` (TCP) rather than `@` (UDP) so lines are not silently lost.
Contact kyra@seekerslab.com for support.