Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
Cloud DNS logging records the queries from the name servers within your VPC to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC. Security monitoring and forensics cannot depend solely on IP addresses from VPC flow logs, especially given the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technologies that can obscure the DNS name used by a client from the IP address. Monitoring Cloud DNS logs provides visibility into the DNS names requested by clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence. For full capture of DNS, the firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent clients from using an external DNS name server for resolution. Cloud DNS logging is disabled by default on each network.
Risk Level: Low
Cloud Entity: GCP VPC Network
CloudGuard Rule ID: D9.GCP.LOG.27
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
Network should have dnsPolicy.enableLogging=true
REMEDIATION
From Portal
- Go to the VPC networks page by visiting: https://console.cloud.google.com/networking/networks/list.
- Choose the VPC network and click on it.
- At the top of the page, click Edit (make sure you have enabled the DNS server policy API).
- Click the drop-down under 'DNS server policy' and choose a log policy if one has already been created, or select Create a new server policy.
- Give a suitable name to the policy.
- Under the Logs tab, select option 'ON'.
- Click SAVE AND CONTINUE, then SAVE.
From Command Line
1. List all VPC networks in a project:
gcloud compute networks list --format="table[box,title='All VPC Networks'](name:label='VPC Network Name')"
2. Add a new DNS policy with logging enabled. For each VPC network that needs a DNS policy with logging enabled:
gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS Logging" --networks=VPC_NETWORK_NAME
VPC_NETWORK_NAME can be one or more networks in a comma-separated list.
3. Enable logging for an existing DNS policy. For each VPC network that has an existing DNS policy that needs logging enabled:
gcloud dns policies update POLICY_NAME --enable-logging --networks=VPC_NETWORK_NAME
VPC_NETWORK_NAME can be one or more networks in a comma-separated list.
4. List all DNS policies, logging enablement, and associated VPC networks:
gcloud dns policies list --flatten="networks[]" --format="table[box,title='All DNS Policies By VPC Network'](name:label='Policy Name',enableLogging:label='Logging Enabled':align=center,networks.networkUrl.basename():label='VPC Network Name')"
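The rule's check can also be scripted against the JSON form of the two listings above. The following is an added example, not CloudGuard's or Google's code: it assumes input shaped like `gcloud compute networks list --format=json` and `gcloud dns policies list --format=json`, the sample data is constructed, and the function names `network_key` and `audit_dns_logging` are hypothetical.

```python
import json
import re

# Constructed sample of `gcloud compute networks list --format=json` (only the fields used).
NETWORKS_JSON = """[
 {"name": "prod-vpc", "selfLink": "https://www.googleapis.com/compute/v1/projects/demo-proj/global/networks/prod-vpc"},
 {"name": "dev-vpc", "selfLink": "https://www.googleapis.com/compute/v1/projects/demo-proj/global/networks/dev-vpc"},
 {"name": "default", "selfLink": "https://www.googleapis.com/compute/v1/projects/demo-proj/global/networks/default"}
]"""

# Constructed sample of `gcloud dns policies list --format=json`.
POLICIES_JSON = """[
 {"name": "enable-dns-logging", "enableLogging": true,
  "networks": [{"networkUrl": "https://compute.googleapis.com/compute/v1/projects/demo-proj/global/networks/prod-vpc"}]},
 {"name": "forwarding-only",
  "networks": [{"networkUrl": "https://www.googleapis.com/compute/v1/projects/demo-proj/global/networks/dev-vpc"}]}
]"""

_NET_RE = re.compile(r"projects/([^/]+)/global/networks/([^/]+)$")

def network_key(url):
    """Reduce a network URL to (project, name) so differing API hostnames still match."""
    m = _NET_RE.search(url)
    if not m:
        raise ValueError(f"not a VPC network URL: {url!r}")
    return m.groups()

def audit_dns_logging(networks, policies):
    """Return {network name: finding} for networks failing dnsPolicy.enableLogging=true."""
    policy_for = {}
    for policy in policies:
        for net in policy.get("networks", []):
            policy_for[network_key(net["networkUrl"])] = policy
    findings = {}
    for net in networks:
        policy = policy_for.get(network_key(net["selfLink"]))
        if policy is None:
            findings[net["name"]] = "no DNS server policy attached"
        elif not policy.get("enableLogging", False):  # absent field is treated as disabled
            findings[net["name"]] = f"policy {policy['name']} has logging disabled"
    return findings

if __name__ == "__main__":
    result = audit_dns_logging(json.loads(NETWORKS_JSON), json.loads(POLICIES_JSON))
    for name, reason in sorted(result.items()):
        print(f"FAIL {name}: {reason}")
```

A network with no policy at all fails the check just like one whose policy has logging turned off, which a listing of policies alone does not show.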
From TF
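- To attach a new DNS policy with logging enabled to an existing VPC network, see the example below:
# DNS server policy with query logging turned on
resource "google_dns_policy" "LOGGING_POLICY" {
  project        = "PROJECT-ID"
  name           = "POLICY_NAME"
  enable_logging = true

  # Attach the policy to the existing VPC network
  networks {
    network_url = data.google_compute_network.network-1.id
  }
}

# Look up the existing VPC network by name
data "google_compute_network" "network-1" {
  name = "network-1"
}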
References
- https://cloud.google.com/dns/docs/monitoring
- https://workbench.cisecurity.org/sections/507170/recommendations/1260449
- https://cloud.google.com/dns/docs/monitoring#using_logging
GCP VPC Network
A VPC network, sometimes just called a "network," is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project.
Projects can contain multiple VPC networks. New projects start with a default network that has one subnet in each region (an auto mo
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5