BIND DNS

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| BIND DNS Events | | | ✅ | ✅ | bind_dns_events | Text/NDJSON | API |
| BIND DNS Logs | | | ✅ | ✅ | bind_dns_logs | NDJSON | API |

Overview

BIND DNS is a complete implementation of the DNS protocol. BIND 9 can be configured as an authoritative name server, a resolver, and, on supported hosts, a stub resolver. While large operators usually dedicate DNS servers to a single function per system, smaller operators will find that BIND 9’s flexible configuration features support multiple functions, such as a single DNS server acting as both an authoritative name server and a resolver.

Integrating BIND DNS into Hunters lets you ingest these data types into your data lake and leverage the data for various detection use cases.

Supported data types

BIND DNS Events

Table name: bind_dns_events

BIND DNS Events refer to the various activities and operations recorded by the BIND (Berkeley Internet Name Domain) server, which is a widely used DNS server software. These events can include queries, updates, errors, and security notifications related to DNS operations. Tracking these events is crucial for monitoring the health and security of the DNS infrastructure, diagnosing issues, and ensuring the reliable resolution of domain names to IP addresses.


BIND DNS Logs

Table name: bind_dns_logs

BIND DNS logs are crucial for network administrators to monitor and maintain the health and security of DNS servers. These logs capture various activities, including DNS queries and responses, security-related events, zone transfers, and dynamic updates. By analyzing these logs, administrators can detect issues such as query failures, potential security threats, and configuration errors, ensuring the DNS infrastructure operates efficiently and securely.

Send data to Hunters

Hunters supports the ingestion of BIND DNS logs via an intermediary AWS S3 bucket.

To connect BIND DNS logs:

  1. Export your logs from BIND DNS to an AWS S3 bucket.

  2. Once the export is complete and the logs have been collected in S3, follow the steps in this section.

Expected format

BIND Events

BIND Events can be ingested in plain text (BIND query-log lines) or NDJSON format.

09-Feb-2023 01:42:42.444 client @0x1a2bbc3456878 123.45.67.89#11223 (www.sample.com): query: www.sample.com IN PTR +E(0)D (44.111.222.333)
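To show how a text-format query-log line such as the one above breaks down into the fields Hunters would normalize, here is an added Python parser (example code written for this page, not Hunters' or BIND's own code). It assumes the standard BIND 9 query-log layout shown above, decodes the flags field using the meanings documented for BIND 9 (`+`/`-` recursion requested, `S` signed, `E(n)` EDNS version, `T` TCP, `D` DO bit, `C` CD bit), and uses the page's sample line plus one constructed line as input.

```python
import re
from datetime import datetime
from typing import Optional

# Sample lines in the BIND 9 query-log layout: the first is the page's sample, the second is constructed.
SAMPLE_LINES = [
    "09-Feb-2023 01:42:42.444 client @0x1a2bbc3456878 123.45.67.89#11223 "
    "(www.sample.com): query: www.sample.com IN PTR +E(0)D (44.111.222.333)",
    "09-Feb-2023 01:42:43.001 client @0x1a2bbc3456879 10.0.0.5#53001 "
    "(example.net): query: example.net IN A -T (192.0.2.1)",
]

# timestamp, optional client pointer, client ip#port, (name), query name/class/type, flags, optional server address
QUERY_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)(?: \((?P<server_ip>[^)]*)\))?$"
)


def parse_flags(flags: str) -> dict:
    """Decode the BIND query flags field: +/- recursion requested, S signed,
    E(n) EDNS version, T over TCP, D DNSSEC OK (DO) bit, C checking disabled (CD)."""
    edns = re.search(r"E\((\d+)\)", flags)
    return {
        "recursion_desired": flags.startswith("+"),
        "signed": "S" in flags,
        "edns_version": int(edns.group(1)) if edns else None,
        "tcp": "T" in flags,
        "dnssec_ok": "D" in flags,
        "checking_disabled": "C" in flags,
    }


def parse_query_log_line(line: str) -> Optional[dict]:
    """Parse one query-log line into a flat record; returns None if the line does not match."""
    m = QUERY_LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return {
        "timestamp": ts.isoformat(timespec="milliseconds"),
        "client_ip": m["client_ip"],
        "client_port": int(m["client_port"]),
        "qname": m["qname"].rstrip("."),
        "qclass": m["qclass"],
        "qtype": m["qtype"],
        "flags": parse_flags(m["flags"]),
        "server_ip": m["server_ip"],
    }
```

Lines that do not match the layout (for example, non-query messages in the same log channel) return None so a collector can count and skip them instead of failing.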

BIND Logs

BIND Logs are expected in NDJSON format.

{
  "@timestamp": "2022-07-11T22:04:14.750Z",
  "@version": "1",
  "answers": [
    {
      "c": 1,
      "d": "pagead-googlehosted.l.google.com.",
      "n": "f2c45e10347b97136279eee1d19c4cc7.safeframe.googlesyndication.com.",
      "t": 5,
      "ttl": 60
    },
    {
      "c": 1,
      "d": "1.2.3.4",
      "n": "pagead-googlehosted.l.google.com.",
      "t": 1,
      "ttl": 59
    }
  ],
  "block": false,
  "destination": {
    "ip": "10.1.1.153",
    "port": 53
  },
  "dns": {
    "header_flags": [
      "RA",
      "RD"
    ],
    "id": 25803,
    "query": {
      "type": 1
    },
    "question": {
      "name": "asd.googlesyndication.com",
      "registered_domain": "googlesyndication.com",
      "subdomain": "f2c45e10347b97136279eee1d19c4cc7.safeframe",
      "top_level_domain": "com",
      "type": "A"
    },
    "tld": {
      "domain": "googlesyndication.com",
      "sld": "googlesyndication",
      "subdomain": "f2c45e10347b97136279eee1d19c4cc7.safeframe.googlesyndication.com",
      "tld": "com",
      "top_level_domain": "com",
      "trd": "f2c45e10347b97136279eee1d19c4cc7.safeframe"
    }
  },
  "event": {
    "action": "dns_query",
    "dataset": [
      "dns",
      "dns"
    ],
    "module": "logstash"
  },
  "flags": {
    "AA": false,
    "AD": false,
    "CD": false,
    "OP": 0,
    "QR": true,
    "RA": true,
    "RC": 0,
    "RD": true,
    "TC": false,
    "Z": false
  },
  "h_id": 35268,
  "host": "10.14.56.35",
  "host_ffp": "10.12.7.14",
  "logsource": "asd-asd-2",
  "network": {
    "protocol": "UDP"
  },
  "num_answers": 2,
  "num_replies": 2,
  "pid": "26279",
  "query": {
    "c": 1
  },
  "source": {
    "ip": "10.76.24.88",
    "port": 56311
  },
  "timestamp": "Jul 12 00:04:14",
  "ts": 1657577054651,
  "type": "syslog"
}