Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
BIND DNS Events | ✅ | ✅ | bind_dns_events | Text/NDJSON | API | ||
BIND DNS Logs | ✅ | ✅ | bind_dns_logs | NDJSON | API |
Overview
BIND DNS is a complete implementation of the DNS protocol. BIND 9 can be configured as an authoritative name server, a resolver, and, on supported hosts, a stub resolver. While large operators usually dedicate DNS servers to a single function per system, smaller operators will find that BIND 9’s flexible configuration features support multiple functions, such as a single DNS server acting as both an authoritative name server and a resolver.
Integrating BIND DNS into Hunters will allow ingestion of the data types into your datalake, and leveraging the data for various detection use cases.
Supported data types
BIND DNS Events
Table name: bind_dns_events
BIND DNS Events refer to the various activities and operations recorded by the BIND (Berkeley Internet Name Domain) server, which is a widely used DNS server software. These events can include queries, updates, errors, and security notifications related to DNS operations. Tracking these events is crucial for monitoring the health and security of the DNS infrastructure, diagnosing issues, and ensuring the reliable resolution of domain names to IP addresses.
Learn more here.
BIND DNS Logs
Table name: bind_dns_logs
BIND DNS logs are crucial for network administrators to monitor and maintain the health and security of DNS servers. These logs capture various activities, including DNS queries and responses, security-related events, zone transfers, and dynamic updates. By analyzing these logs, administrators can detect issues such as query failures, potential security threats, and configuration errors, ensuring the DNS infrastructure operates efficiently and securely.
Send data to Hunters
Hunters supports the ingestion of BIND DNS logs via an intermediary AWS S3 bucket.
To connect BIND DNS logs:
Export your logs from BIND DNS to an AWS S3 bucket.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
BIND Events
BIND Events can be ingested in txt or NDJSON format.
09-Feb-2023 01:42:42.444 client @0x1a2bbc3456878 123.45.67.89#11223 (www.sample.com): query: www.sample.com IN PTR +E(0)D (44.111.222.333)
BIND Logs
BIND Logs are expected in NDJSON format.
{
"@timestamp": "2022-07-11T22:04:14.750Z",
"@version": "1",
"answers": [
{
"c": 1,
"d": "pagead-googlehosted.l.google.com.",
"n": "f2c45e10347b97136279eee1d19c4cc7.safeframe.googlesyndication.com.",
"t": 5,
"ttl": 60
},
{
"c": 1,
"d": "1.2.3.4",
"n": "pagead-googlehosted.l.google.com.",
"t": 1,
"ttl": 59
}
],
"block": false,
"destination": {
"ip": "10.1.1.153",
"port": 53
},
"dns": {
"header_flags": [
"RA",
"RD"
],
"id": 25803,
"query": {
"type": 1
},
"question": {
"name": "asd.googlesyndication.com",
"registered_domain": "googlesyndication.com",
"subdomain": "f2c45e10347b97136279eee1d19c4cc7.safeframe",
"top_level_domain": "com",
"type": "A"
},
"tld": {
"domain": "googlesyndication.com",
"sld": "googlesyndication",
"subdomain": "f2c45e10347b97136279eee1d19c4cc7.safeframe.googlesyndication.com",
"tld": "com",
"top_level_domain": "com",
"trd": "f2c45e10347b97136279eee1d19c4cc7.safeframe"
}
},
"event": {
"action": "dns_query",
"dataset": [
"dns",
"dns"
],
"module": "logstash"
},
"flags": {
"AA": false,
"AD": false,
"CD": false,
"OP": 0,
"QR": true,
"RA": true,
"RC": 0,
"RD": true,
"TC": false,
"Z": false
},
"h_id": 35268,
"host": "10.14.56.35",
"host_ffp": "10.12.7.14",
"logsource": "asd-asd-2",
"network": {
"protocol": "UDP"
},
"num_answers": 2,
"num_replies": 2,
"pid": "26279",
"query": {
"c": 1
},
"source": {
"ip": "10.76.24.88",
"port": 56311
},
"timestamp": "Jul 12 00:04:14",
"ts": 1657577054651,
"type": "syslog"
}