Logging DNS domain lookups


In this recipe, you will add a custom Intrusion Protection (IPS) signature to a security policy to record every domain lookup that the policy accepts. Each time a DNS lookup passes through the policy, the signature generates an IPS log message that contains the queried domain name.

1. Enabling Intrusion Protection and multiple security profiles

Go to System > Config > Features and enable Intrusion Protection.

Select Show More and enable Multiple security profiles.

Apply the changes.

 

2. Creating a custom IPS signature

Go to Security Profiles > Intrusion Protection and select View IPS Signatures.

Create a new signature with this syntax. (You can copy and paste this text into the Signature field.)

F-SBID( --name DOM-ALL; --protocol udp; --service dns; --log DNS_QUERY;)

3. Adding the signature to an IPS profile

Go to Security Profiles > Intrusion Protection and create a new profile.  

Under Pattern Based Signatures and Filters, select Create New.

Set Sensor Type to Specify Signatures. The new signature should appear at the top of the list. If it does not, search for the signature’s name (in the example, log-DNS_QUERY).

Select the signature, then select OK.

 

4. Adding the profile to the DNS server’s security policy

Go to Policy & Objects > Policy > IPv4 and edit the policy allowing traffic to reach the DNS server.

Under Security Profiles, enable IPS and select the new profile.

 

Under Logging Options, enable Log Allowed Traffic and select Security Events.

 

5. Results

Go to Log & Report > Security Log > Intrusion Protection.

You will see that the IPS profile has detected matching traffic.

 

If you select an entry, you can view more information.

The domain name is shown in the Message field.

 

If you have a FortiAnalyzer, you can create a custom dataset for the DNS query by going to Reports > Advanced > Dataset.

 
This dataset can then be used in a custom report.  

For further reading, check out DNS Service in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

This log only appears when an IPS event has occurred.