8.6 (IG2, IG3)

Collect DNS Query Audit Logs

Control Group: 8. Audit Log Management
Asset Type: Network
Security Function: Detect

Description

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Implementation Checklist

1. Deploy detection tools or enable detection capabilities
2. Configure alerting thresholds and notification channels
3. Establish monitoring schedule and review process
4. Test detection capabilities with simulated events
5. Document detection procedures and escalation paths
6. Enable logging on all in-scope systems
7. Configure log forwarding to centralized SIEM
8. Define log retention periods per policy
9. Establish log review schedule and procedures
10. Implement DNS filtering/security solution
11. Configure blocking of known malicious domains
12. Enable DNS query logging and monitoring

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

DNS-Based Command and Control Evasion

Confidentiality

Malware communicates with command-and-control infrastructure using DNS tunneling or DNS-over-HTTPS, and without DNS query logging the organization cannot detect these covert channels or identify compromised hosts.

Data Exfiltration via DNS Queries

Confidentiality

Attackers encode stolen data into DNS query subdomains to exfiltrate sensitive information through the DNS protocol; without query logging this traffic is indistinguishable from ordinary DNS resolution and bypasses traditional DLP controls.

Malicious Domain Resolution Without Detection

Integrity

Enterprise assets resolve known malicious domains, phishing sites, or newly registered threat infrastructure, but without DNS query logs the security team has no visibility into these indicators of compromise.
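The following is an added example, not part of this CIS page or any CIS tooling, of the kind of analysis that DNS query logs make possible once this safeguard is in place. It parses constructed resolver query log lines (the line format, the thresholds, and every domain and address in the sample are assumptions) and flags the indicators behind the tunneling and exfiltration scenarios above: long, high-entropy leftmost labels, and an unusually large number of unique names queried under a single registered domain.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from any real resolver). The line format
# is an assumption: "<timestamp> client=<ip> query=<qname> type=<qtype>".
# The last three lines imitate an encoded payload split across queries.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2024-05-01T10:00:02Z client=10.0.0.5 query=mail.example.com type=MX
2024-05-01T10:00:03Z client=10.0.0.6 query=cdn.static.example.org type=A
2024-05-01T10:00:04Z client=10.0.0.7 query=x7ku2jmz5dqf3btpwcn6ah4rsvlgg5lv4sr7hcaw2bfn3tpq6jxzmduk.t1.tunnel-example.net type=TXT
2024-05-01T10:00:05Z client=10.0.0.7 query=g5lv4sr7hcaw2bfn3tpq6jxzmdukmzq3dx7k2bpjl5rtnv6gcaws4fuh.t2.tunnel-example.net type=TXT
2024-05-01T10:00:06Z client=10.0.0.7 query=mzq3dx7k2bpjl5rtnv6gcaws4fuhx7ku2jmz5dqf3btpwcn6ah4rsvlg.t3.tunnel-example.net type=TXT
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)")


def parse_dns_log(text):
    """Yield (client, qname, qtype) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def shannon_entropy(s):
    """Bits per character: ~0 for repetitive text, 4-5 for base32/hex-like payloads."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Naive 'last two labels' approximation; production code should use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def analyze_dns_log(text, max_label_len=40, min_entropy=3.5, max_unique_qnames=50):
    """Return per-query findings plus domains with many distinct names (tunnel-like fan-out).

    Thresholds are assumed starting points and must be tuned against the enterprise's own baseline.
    """
    suspicious = []
    qnames_per_domain = defaultdict(set)
    for client, qname, qtype in parse_dns_log(text):
        qnames_per_domain[registered_domain(qname)].add(qname)
        leftmost = qname.split(".")[0]
        reasons = []
        if len(leftmost) > max_label_len:
            reasons.append("long_label")
        if shannon_entropy(leftmost) >= min_entropy:
            reasons.append("high_entropy_label")
        if reasons:
            suspicious.append({"client": client, "qname": qname, "qtype": qtype, "reasons": reasons})
    noisy = {d: len(names) for d, names in qnames_per_domain.items() if len(names) >= max_unique_qnames}
    return {"suspicious_queries": suspicious, "noisy_domains": noisy}


if __name__ == "__main__":
    # max_unique_qnames lowered so the tiny constructed sample trips the fan-out rule
    result = analyze_dns_log(SAMPLE_DNS_LOG, max_unique_qnames=3)
    for q in result["suspicious_queries"]:
        print(q["client"], q["qname"], ",".join(q["reasons"]))
    print("domains with unusual fan-out:", result["noisy_domains"])
```

Per-query label checks catch individual encoded chunks; the per-domain fan-out count is what separates a tunnel from a legitimate CDN with a few long hashed hostnames, so both signals should be reviewed together in the log review cycle the checklist calls for.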

Vulnerabilities (When Safeguard Absent)

No DNS Query Logging on Enterprise DNS Servers

Internal DNS servers and resolvers do not have query logging enabled, providing zero visibility into which domains are being resolved by enterprise assets and eliminating a critical data source for threat detection.

DNS Queries Bypass Monitored Resolvers

Endpoints are permitted to make DNS queries directly to external resolvers (8.8.8.8, 1.1.1.1) rather than being forced through enterprise DNS servers, completely bypassing any DNS logging that does exist.
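An added example, not from this CIS page, of a check for the resolver-bypass vulnerability just described: it scans constructed firewall/egress log lines (the line format, the enterprise resolver addresses and the client addresses are assumptions) for endpoints sending DNS directly to the internet. Port 53 and DNS-over-TLS on 853 are unambiguous; DNS-over-HTTPS rides on 443, so the example can only flag HTTPS connections to resolver addresses it already knows, here the two public resolvers named on this page.

```python
import re
from collections import Counter

# Constructed firewall log lines (not from any real device). The line format is an
# assumption: "<timestamp> src=<ip> dst=<ip> proto=<udp|tcp> dport=<port> action=<allow|deny>".
SAMPLE_FW_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.5 dst=10.0.0.2 proto=udp dport=53 action=allow
2024-05-01T10:00:02Z src=10.0.0.2 dst=8.8.8.8 proto=udp dport=53 action=allow
2024-05-01T10:00:03Z src=10.0.0.7 dst=8.8.8.8 proto=udp dport=53 action=allow
2024-05-01T10:00:04Z src=10.0.0.7 dst=1.1.1.1 proto=tcp dport=853 action=allow
2024-05-01T10:00:05Z src=10.0.0.9 dst=1.1.1.1 proto=tcp dport=443 action=allow
2024-05-01T10:00:06Z src=10.0.0.9 dst=203.0.113.10 proto=tcp dport=443 action=allow
2024-05-01T10:00:07Z src=10.0.0.11 dst=8.8.8.8 proto=udp dport=53 action=deny
"""

# Assumed enterprise resolvers: the only hosts expected to send DNS upstream to the internet.
APPROVED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}
# Public resolvers named on this page; both also answer DNS-over-HTTPS on 443 and DNS-over-TLS on 853.
PUBLIC_RESOLVERS = {"8.8.8.8", "1.1.1.1"}

FW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)"
)


def classify(dst, dport, public_resolvers):
    """Name the bypass type for a destination/port pair, or None if it is not DNS-related."""
    if dport == 53:
        return "direct_dns"
    if dport == 853:
        return "dns_over_tls"
    if dport == 443 and dst in public_resolvers:
        return "possible_doh"  # HTTPS to a known resolver address; only a hint, not proof
    return None


def find_resolver_bypass(text, approved=APPROVED_RESOLVERS, public=PUBLIC_RESOLVERS):
    """Return connections that carry DNS outside the approved resolvers, allowed or denied.

    Denied attempts are kept on purpose: a blocked query still marks a misconfigured
    or tampered client that is trying to escape the logged resolvers.
    """
    findings = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m["src"], m["dst"], int(m["dport"]), m["action"]
        if src in approved or dst in approved:
            continue  # resolvers forwarding upstream, or clients using an approved resolver
        category = classify(dst, dport, public)
        if category:
            findings.append({"src": src, "dst": dst, "dport": dport, "action": action, "category": category})
    return findings


def bypass_counts_by_source(findings):
    """Per-endpoint tally, the natural unit for follow-up and for an alerting threshold."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = find_resolver_bypass(SAMPLE_FW_LOG)
    for h in hits:
        print(f'{h["src"]} -> {h["dst"]}:{h["dport"]} {h["category"]} ({h["action"]})')
    print(dict(bypass_counts_by_source(hits)))
```

Because DoH to an unlisted endpoint is invisible to this check and to resolver-side query logging alike, the egress policy that forces all DNS through enterprise resolvers (checklist items 10 and 11) is what makes the query logs collected under this safeguard a complete record rather than a partial one.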

Evidence Requirements

Type       Evidence Item                                                             Collection Frequency
Technical  Detection tool deployment evidence (dashboard screenshots, agent status)  Captured monthly
Technical  Sample alert/detection output demonstrating capability                    Captured quarterly
Technical  SIEM dashboard showing log sources and collection status                  Captured monthly
Record     Log review records and findings                                           Per review cycle
Technical  DNS filtering configuration and block statistics                          Monthly
Document   Governing policy document (current, approved, communicated)               Reviewed annually