Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In the 1993 film Jurassic Park, there’s an iconic scene where Lex Murphy stares at a 3D file system and exclaims, “It’s a Unix system! I know this!” What makes the moment memorable isn’t just the line—it’s the idea that understanding the underlying system reveals what’s really happening behind the scenes.
In cybersecurity, DNS query audit logs play a very similar role. They quietly record the fundamental “language” of the internet, and for defenders who know how to read them, they tell a story attackers would rather keep hidden. That’s exactly why CIS Critical Security Control v8 – Safeguard 8.6 exists.
What Is Safeguard 8.6?
Safeguard 8.6: Collect DNS Query Audit Logs is part of CIS Control 8 – Audit Log Management. The safeguard focuses on ensuring organizations:
- Log DNS queries
- Centralize those logs
- Retain them long enough to support detection and investigations
At its core, this safeguard acknowledges a simple truth:
Almost every meaningful attack leaves DNS evidence behind.
Whether it’s malware reaching out to command-and-control infrastructure, phishing links resolving to lookalike domains, or data exfiltration via DNS tunneling, DNS is rarely bypassed entirely.
Why DNS Logs Are So Powerful
DNS is foundational. Before a system can connect to anything on the internet—cloud services, APIs, malicious servers—it must resolve a name to an IP address.
That makes DNS logs uniquely valuable because they are:
- Early indicators of compromise
Malicious DNS lookups often happen before payload execution or lateral movement.
- Harder for attackers to avoid
Attackers can encrypt traffic, rotate IPs, and use living-off-the-land binaries, but they still need name resolution. The exceptions are malware that hard-codes IP addresses and clients that resolve names over DNS over HTTPS (DoH) or DNS over TLS (DoT) to an outside resolver, bypassing yours. Forcing endpoints to use the enterprise resolvers and blocking outbound DNS and known DoH endpoints elsewhere is what keeps this visibility intact.
- High-signal when contextualized
When enriched with asset identity, user context, and threat intelligence, DNS logs can quickly separate normal behavior from suspicious activity.
Think of DNS logs like phone records in The Matrix (1999). Neo can’t escape the system without using a landline, and every call creates a trace. DNS plays the same role in modern networks.
Common Threats Revealed by DNS Logging
Safeguard 8.6 isn’t theoretical. DNS logs directly support detection of real-world attack techniques, including:
- Command-and-Control (C2) Traffic
Malware often beacons to domains that:
- Are newly registered
- Use algorithmically generated names (DGA)
- Change IPs frequently
DNS query logs make these patterns visible.
- Phishing and Initial Access
Users clicking phishing links generate DNS lookups to:
- Typosquatted domains
- Internationalized domain names (IDNs) used for homoglyph attacks, which appear in the logs in their Punycode form (xn--...)
- Lookalike SaaS login pages
Without DNS logs, this activity may blend into normal web traffic.
- DNS Tunneling and Data Exfiltration
Attackers can encode data into subdomains of a domain they control (e.g., datachunk123.attacker.com). The resolver recurses to the attacker's authoritative name server, which recovers the data from the name, so the exfiltration rides on the resolver's own outbound traffic.
DNS logs often show:
- Unusually long query names
- High query frequency
- Repetitive patterns from a single host
These are strong signals that something is wrong.
What Should Be Logged?
To align with Safeguard 8.6, DNS logs should include at least:
- Timestamp
- Source IP or client identifier
- Queried domain name
- Query type (A, AAAA, TXT, MX, etc.)
- Response code (NOERROR, NXDOMAIN, SERVFAIL)
- Resolved IP (when applicable)
Where possible, logs should also be enriched with:
- Hostname or device ID
- User identity (for internal resolvers)
- Network zone (internal, DMZ, remote)
Centralization and Retention Matter
Collecting DNS logs isn’t enough. Safeguard 8.6 assumes that logs are:
- Centralized (e.g., SIEM, log analytics platform)
- Protected from tampering
- Retained long enough to investigate delayed detection
Many attacks are discovered weeks—or months—after initial compromise. If DNS logs are only kept for a few days, critical forensic evidence is lost.
A practical retention baseline, consistent with the 90-day minimum that Safeguard 8.10 sets for audit logs generally, is:
- 30–90 days hot storage for detection and triage
- 6–12 months cold storage for investigations and compliance
Mapping DNS Logs to Other Controls
DNS logging becomes far more valuable when combined with other CIS controls:
- Control 7 (Email and Web Browser Protections):
Correlate DNS lookups with phishing email delivery.
- Control 10 (Malware Defenses):
Identify pre-execution DNS activity associated with malware.
- Control 13 (Network Monitoring and Defense):
Pair DNS logs with network flow data to validate suspicious connections.
Implementation Tips for Safeguard 8.6
To operationalize this safeguard effectively:
- Log at the Resolver Layer
Capture logs from internal DNS resolvers, not just endpoint clients. Check what the resolver actually records: many query logs capture the question but not the answer, so the response code and resolved IP called for above may require enabling response logging or adding a passive sensor on the resolver's network segment.
- Normalize and Parse Early
Ensure DNS logs are structured and searchable in your SIEM.
- Apply Threat Intelligence
Enrich domains with reputation, age, and category data.
- Create Baselines
Understand what “normal” DNS behavior looks like in your environment.
- Alert on Patterns, Not Just Domains
Focus on behaviors such as:
- Excessive NXDOMAIN responses
- High-entropy subdomains
- Beaconing intervals
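The three patterns listed above (excessive NXDOMAIN responses, high-entropy subdomains, beaconing intervals) and the tunneling indicators described earlier can be turned into straightforward detection logic. The Python script below is an added example, not code from the original article or from CIS. It runs over a handful of constructed log lines in an invented whitespace-separated format, normalizes them into the Safeguard 8.6 field set (timestamp, client, query name, type, response code), and flags each pattern. The thresholds (an NXDOMAIN share of 50% over at least four queries, leftmost labels of 24 or more characters with entropy of at least 3.5 bits per character, a coefficient of variation of the query interval under 0.1 across five or more queries) are illustrative starting points, not CIS guidance, and the registered-domain helper is a deliberate simplification.

```python
"""Pattern-based triage of DNS query logs (added example; format and thresholds are assumptions)."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records: timestamp, client IP, query name, query type, response code.
# The format is invented for this example; real resolver logs need their own parser.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z 10.0.0.5 www.example.com A NOERROR
2024-03-01T09:00:02Z 10.0.0.5 mail.example.com A NOERROR
2024-03-01T09:00:00Z 10.0.0.7 kq7x1bz9.xyz A NXDOMAIN
2024-03-01T09:00:01Z 10.0.0.7 p0w3rqzm.xyz A NXDOMAIN
2024-03-01T09:00:02Z 10.0.0.7 zz9hqkle.xyz A NXDOMAIN
2024-03-01T09:00:03Z 10.0.0.7 m3nbv7xr.xyz A NXDOMAIN
2024-03-01T09:00:04Z 10.0.0.7 login.example.com A NOERROR
2024-03-01T09:00:00Z 10.0.0.9 0123456789abcdef0123456789abcdef.t.attacker.com TXT NOERROR
2024-03-01T09:00:01Z 10.0.0.9 fedcba9876543210fedcba9876543210.t.attacker.com TXT NOERROR
2024-03-01T09:00:01Z 10.0.0.9 89abcdef0123456789abcdef01234567.t.attacker.com TXT NOERROR
2024-03-01T09:00:00Z 10.0.0.11 beacon.evil-example.com A NOERROR
2024-03-01T09:01:00Z 10.0.0.11 beacon.evil-example.com A NOERROR
2024-03-01T09:02:00Z 10.0.0.11 beacon.evil-example.com A NOERROR
2024-03-01T09:03:00Z 10.0.0.11 beacon.evil-example.com A NOERROR
2024-03-01T09:04:00Z 10.0.0.11 beacon.evil-example.com A NOERROR
"""


def parse_log(text):
    """Normalize raw lines into the field set Safeguard 8.6 calls for."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype,
            "rcode": rcode,
        })
    return records


def shannon_entropy(label):
    """Bits per character: hex/base32 payloads score near 4-5, ordinary words near 2-3."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def registered_domain(qname):
    # Simplification (assumption): last two labels. Production code should use the
    # Public Suffix List (e.g. the tldextract package) so co.uk-style suffixes work.
    return ".".join(qname.split(".")[-2:])


def nxdomain_bursts(records, min_queries=4, min_ratio=0.5):
    """Clients whose NXDOMAIN share is high, typical of DGA malware probing for a live domain."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        nx[r["client"]] += int(r["rcode"] == "NXDOMAIN")
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}


def high_entropy_labels(records, min_len=24, min_entropy=3.5):
    """Long, random-looking leftmost labels: the shape of tunneled or exfiltrated data."""
    hits = []
    for r in records:
        label = r["qname"].split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            hits.append((r["client"], r["qname"], round(ent, 2)))
    return hits


def beacons(records, min_queries=5, max_cv=0.1):
    """(client, domain) pairs queried at near-constant intervals, i.e. C2 check-ins."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    found = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found[key] = round(mean, 1)
    return found


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("NXDOMAIN bursts:", nxdomain_bursts(RECORDS))
    print("High-entropy labels:", high_entropy_labels(RECORDS))
    print("Beacons (seconds between queries):", beacons(RECORDS))
```

Run directly, it reports 10.0.0.7 for the NXDOMAIN burst, the three TXT queries from 10.0.0.9 for high-entropy labels, and the 60-second beacon from 10.0.0.11. In practice the same functions would run against a resolver export or a SIEM search result, with thresholds tuned against the baseline from the previous tip: legitimate software produces some of each signal (CDN hostnames and security products that publish hash lookups over TXT records score high on entropy, and some browsers probe random hostnames that return NXDOMAIN), so the value is in the combination of pattern, asset context, and threat intelligence rather than any single rule.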
Final Thoughts
Safeguard 8.6 may sound narrow—just DNS logs—but in practice, it’s one of the most cost-effective detection capabilities an organization can deploy. DNS is universal, lightweight to collect, and rich with investigative value.
DNS query audit logs won’t stop every attack—but they often tell you where it started, where it’s going, and how long it’s been there.
And in cybersecurity, those clues can make all the difference.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security.
Looking for even more details? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Safeguard 8.6 – Collect DNS Query Audit Logs
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Shameless Marketing Information
Gotham Technology Group offers a Security Operations Center as a Service (SOCaaS) powered by Arctic Wolf Networks. Our team will work alongside your team to support and mature your security operations.