It’s staggering to me how few security teams have gotten wise to regularly interrogating the logs from their recursive DNS servers. In many ways DNS logging can be considered sprinkling flour on the floor to track the footsteps of the culprit who’s been raiding the family fridge. Each step leaves a visible impression of where and how the intruder navigated the kitchen, and their shoe size.
To turn on logging in bind use:
# rndc querylog
This puts all DNS queries into /var/log/messages. Just grep for
named and pipe that into some custom perl script or whatever to run against a blacklist.
# grep named /var/log/messages | run_my_blacklist_script.pl