
Enable Cloud DNS Logging for VPC Networks

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudVPC-006

Ensure that Cloud DNS logging is enabled for all your Virtual Private Cloud (VPC) networks by attaching a DNS server policy with logging turned on. Cloud DNS logging records every query that the Cloud DNS name servers resolve for clients inside your Google Cloud VPC networks. Recorded queries can come from virtual machine (VM) instances, GKE containers running in the same VPC network, peering zones, or other Google Cloud resources provisioned within your VPC. Queries sent by external resolvers directly to a public DNS zone are logged through a separate per-zone setting on the managed zone and are not covered by this rule.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security
Operational excellence

Cloud DNS logging is disabled by default on each Google Cloud VPC network, and it can only be switched on through a DNS server policy attached to the network. Enabling it gives you visibility into the DNS names requested by clients within the VPC network: each query is written to Cloud Logging, where the logs can be searched, exported to a SIEM, monitored for anomalous domain names (for example long high-entropy labels that indicate DNS tunnelling, or bursts of NXDOMAIN responses from a single client), and evaluated against threat intelligence.
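To show what monitoring those logs looks like in practice, here is an added example (written for this page, not code from Trend Micro or Google) that runs three detection heuristics over constructed Cloud DNS query log entries: a threat-intelligence domain match, a long high-entropy leftmost label as a DNS tunnelling indicator, and repeated NXDOMAIN responses from one client. The sample log lines and the threat list are constructed for the example, and the jsonPayload field names (queryName, queryType, responseCode, sourceIP, vmInstanceName) are assumed to follow the Cloud DNS query-log schema; verify them against your own exported entries before reusing the thresholds.

```python
import json
import math
from collections import Counter

# Constructed sample Cloud DNS query log entries (Cloud Logging resource.type="dns_query"),
# reduced to the jsonPayload fields this example reads. The field names follow the
# Cloud DNS query-log schema as an assumption; they are not taken from the page.
SAMPLE_LOG_LINES = [
    '{"jsonPayload": {"queryName": "www.google.com.", "queryType": "A", "responseCode": "NOERROR", "sourceIP": "10.10.0.5", "vmInstanceName": "web-1"}}',
    '{"jsonPayload": {"queryName": "evil-c2.example.", "queryType": "A", "responseCode": "NOERROR", "sourceIP": "10.10.0.7", "vmInstanceName": "batch-3"}}',
    '{"jsonPayload": {"queryName": "a7f3e9c1b2d4f6a8e0c2b4d6f8a0c2e4.tunnel.example.", "queryType": "TXT", "responseCode": "NOERROR", "sourceIP": "10.10.0.7", "vmInstanceName": "batch-3"}}',
    '{"jsonPayload": {"queryName": "srv-01.internal.", "queryType": "A", "responseCode": "NXDOMAIN", "sourceIP": "10.10.0.9", "vmInstanceName": "db-2"}}',
    '{"jsonPayload": {"queryName": "srv-02.internal.", "queryType": "A", "responseCode": "NXDOMAIN", "sourceIP": "10.10.0.9", "vmInstanceName": "db-2"}}',
    '{"jsonPayload": {"queryName": "srv-03.internal.", "queryType": "A", "responseCode": "NXDOMAIN", "sourceIP": "10.10.0.9", "vmInstanceName": "db-2"}}',
]

# Hypothetical threat-intelligence feed of known-bad domains (assumption for the example).
THREAT_DOMAINS = {"evil-c2.example"}

# Tunable thresholds for the heuristics below.
MIN_LABEL_LEN = 24       # leftmost labels this long or longer are suspicious ...
MIN_LABEL_ENTROPY = 3.0  # ... when their character distribution is also near-random
NXDOMAIN_PER_SOURCE = 3  # repeated NXDOMAIN from one client suggests DGA activity or recon


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domains(fqdn):
    """Yield 'a.b.c', 'b.c', 'c' for 'a.b.c' so a feed entry matches the name or any parent."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def classify_query(payload):
    """Return the list of reasons a single query is suspicious (empty if none)."""
    name = payload["queryName"].rstrip(".").lower()
    reasons = []
    if any(d in THREAT_DOMAINS for d in parent_domains(name)):
        reasons.append("threat-intel match")
    leftmost = name.split(".")[0]
    if len(leftmost) >= MIN_LABEL_LEN and shannon_entropy(leftmost) >= MIN_LABEL_ENTROPY:
        reasons.append("long high-entropy label (possible DNS tunnelling)")
    if payload.get("queryType") == "TXT" and len(name) > 40:
        reasons.append("oversized TXT query")
    return reasons


def analyze(lines):
    """Parse JSON log lines and return a list of finding dicts (per query and per source)."""
    findings = []
    nxdomain_by_source = Counter()
    for line in lines:
        payload = json.loads(line)["jsonPayload"]
        if payload.get("responseCode") == "NXDOMAIN":
            nxdomain_by_source[payload["sourceIP"]] += 1
        for reason in classify_query(payload):
            findings.append({"sourceIP": payload["sourceIP"], "vm": payload.get("vmInstanceName"),
                             "queryName": payload["queryName"], "reason": reason})
    for source, count in nxdomain_by_source.items():
        if count >= NXDOMAIN_PER_SOURCE:
            findings.append({"sourceIP": source, "vm": None, "queryName": None,
                             "reason": f"{count} NXDOMAIN responses from one client"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG_LINES):
        print(f"{f['sourceIP']:<12} {f['vm'] or '-':<8} {f['reason']}: {f['queryName'] or ''}")
```

On the sample data this flags the threat-list hit, the TXT query with a 32-character hex label (twice, once per heuristic) and the client that produced three NXDOMAIN responses; the thresholds are deliberately conservative and should be tuned against a baseline of your own traffic.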


Audit

To determine if Cloud DNS logging is enabled for all your VPC networks, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to VPC network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the VPC networks available for the selected GCP project.

05 Click on the name of the VPC network that you want to examine.

06 In the VPC network details section, click on the name of the DNS policy listed under DNS server policy. If there is no policy listed under DNS server policy, the selected VPC network is not associated with a DNS policy, so Cloud DNS logging is not enabled for it; record the network as non-compliant and continue with step no. 8. Otherwise, continue the Audit process with the next step.

07 On the DNS server policy page, select the RULES tab and check the Logs configuration attribute value. If the Logs attribute value is set to Off, Cloud DNS logging is not enabled for the selected VPC network.

08 Repeat steps no. 5 – 7 for each Google Cloud VPC network created for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-main-project-123123
cc-data-project-112233

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name of each VPC network created within the selected project:

gcloud compute networks list \
  --project cc-main-project-123123 \
  --format="table(name)"

04 The command output should return the names of the VPC networks created for the specified project:

NAME
cc-prod-vpc-network
cc-main-vpc-network

05 Run dns policies list command (Windows/macOS/Linux) using the name of the VPC network that you want to examine as the filtering parameter, to return the name of the DNS server policy associated with the specified Virtual Private Cloud (VPC). The filter is a regular expression anchored on the end of the network URL, so a network whose name merely starts with the same prefix (for example cc-prod-vpc-network-2) is not matched as well:

gcloud dns policies list \
  --project cc-main-project-123123 \
  --format='value(name)' \
  --filter='networks[].networkUrl ~ /networks/cc-prod-vpc-network$'

06 The command output should return the name of the associated DNS policy. If the output is empty, no DNS server policy is attached to the selected VPC network; because Cloud DNS logging can only be enabled through a DNS server policy, the network is non-compliant and needs the policy created in step no. 3 of the Remediation section:

cc-prod-dns-policy

07 Run dns policies describe command (Windows/macOS/Linux) using the name of the DNS server policy that you want to examine as the identifier parameter, to return the status of the DNS logging feature for the selected DNS policy:

gcloud dns policies describe cc-prod-dns-policy \
  --project cc-main-project-123123 \
  --format="value(enableLogging)"

08 The command output should return the status of the Cloud DNS logging feature (True for enabled, False for disabled):

False

If the dns policies describe command output returns False, Cloud DNS logging is not enabled for the selected VPC network.

09 Repeat steps no. 5 – 8 for each VPC network created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the Cloud DNS logging feature for your Google Cloud VPC networks, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to VPC network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the VPC networks available for the selected GCP project.

05 Click on the name of the VPC network that you want to reconfigure.

06 In the VPC network details section, click on the name of the DNS policy listed under DNS server policy to access the DNS policy associated with the selected VPC.

07 Choose EDIT POLICY to modify the DNS server policy configuration.

08 On the Edit a policy configuration page, select On under Logs to enable the Cloud DNS logging feature for the VPC network associated with the DNS policy. Choose SAVE to apply the changes.

09 Repeat steps no. 5 – 8 to enable DNS logging for other VPC networks created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run dns policies update command (Windows/macOS/Linux) using the name of the DNS server policy associated with the VPC network that you want to reconfigure as the identifier parameter, to enable the Cloud DNS logging feature for every VPC network attached to that policy. Do not pass --networks when you only want to turn logging on: on dns policies update the flag replaces the policy's entire list of associated networks, so naming a single network would detach any other VPC networks that share the policy:

gcloud dns policies update cc-prod-dns-policy \
  --project cc-main-project-123123 \
  --enable-logging

02 The command output should return the resource information for the reconfigured DNS policy:

Updated Policy [cc-prod-dns-policy].
{
  "description": "Production DNS Policy",
  "enableInboundForwarding": true,
  "enableLogging": true,
  "id": "1234567890123456789",
  "kind": "dns#policy",
  "name": "cc-prod-dns-policy",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "https://compute.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-prod-vpc-network"
    }
  ]
}

03 For VPC networks without DNS policies, run dns policies create command (Windows/macOS/Linux) to create a new DNS server policy, enable Cloud DNS logging, and associate the new policy with the specified VPC network. A VPC network can be associated with only one DNS server policy, so the network named here must not already be attached to another policy:

gcloud dns policies create cc-web-dns-policy \
  --project cc-main-project-123123 \
  --enable-logging \
  --description="Web DNS policy" \
  --networks=cc-web-vpc-network

04 The command output should return the resource information for the new DNS policy:

{
  "description": "Web DNS policy",
  "enableInboundForwarding": false,
  "enableLogging": true,
  "id": "1234567890123456789",
  "kind": "dns#policy",
  "name": "cc-web-dns-policy",
  "networks": [
    {
      "kind": "dns#policyNetwork",
      "networkUrl": "https://compute.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-web-vpc-network"
    }
  ]
}

05 Repeat steps no. 1 – 4 to enable DNS logging for other VPC networks available for the selected project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.
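The Audit and Remediation CLI procedures above can be carried out in one pass over the JSON output of gcloud compute networks list and gcloud dns policies list. The following Python script is an added example for this page (not Conformity's or Google's code): it maps each VPC network to its DNS server policy, classifies it as logging enabled, logging disabled, or no policy attached, and prints the gcloud command that would fix each non-compliant network. The embedded network and policy records are constructed sample data in the shape of the two commands' --format=json output; the project ID and the generated policy name cc-web-vpc-network-dns-policy are assumptions; fetch_live() shows how to obtain the same two lists from a real project and is not called by the offline sample.

```python
import json
import shlex
import subprocess

# Constructed sample output for project cc-main-project-123123, trimmed to the fields
# this example reads. Shape follows:
#   gcloud compute networks list --project PROJECT --format=json
#   gcloud dns policies list --project PROJECT --format=json
SAMPLE_NETWORKS = json.loads("""[
  {"name": "cc-prod-vpc-network", "selfLink": "https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-prod-vpc-network"},
  {"name": "cc-main-vpc-network", "selfLink": "https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-main-vpc-network"},
  {"name": "cc-web-vpc-network", "selfLink": "https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-web-vpc-network"}
]""")
SAMPLE_POLICIES = json.loads("""[
  {"name": "cc-prod-dns-policy", "enableLogging": false,
   "networks": [{"networkUrl": "https://compute.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-prod-vpc-network"}]},
  {"name": "cc-main-dns-policy", "enableLogging": true,
   "networks": [{"networkUrl": "https://compute.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/cc-main-vpc-network"}]}
]""")


def network_name(url):
    """Last path segment of a network selfLink/networkUrl, e.g. '.../networks/foo' -> 'foo'."""
    return url.rstrip("/").rsplit("/", 1)[-1]


def audit(networks, policies):
    """Map each VPC network name to (status, policy_name).

    status is LOGGING_ENABLED, LOGGING_DISABLED or NO_POLICY. Networks are matched on the
    exact name taken from the URL's last segment rather than on a substring, so
    'cc-prod-vpc-network' cannot accidentally match 'cc-prod-vpc-network-2'.
    """
    policy_for = {}
    for policy in policies:
        for net in policy.get("networks", []):
            policy_for[network_name(net["networkUrl"])] = policy
    results = {}
    for net in networks:
        name = net["name"]
        policy = policy_for.get(name)
        if policy is None:
            results[name] = ("NO_POLICY", None)
        elif policy.get("enableLogging"):
            results[name] = ("LOGGING_ENABLED", policy["name"])
        else:
            results[name] = ("LOGGING_DISABLED", policy["name"])
    return results


def remediation_commands(project, results):
    """gcloud commands that bring every non-compliant network into compliance.

    An existing policy gets only --enable-logging: --networks on `dns policies update`
    replaces the policy's whole network list, so re-stating one network could detach
    the others. A network with no policy gets a new policy whose name is derived from
    the network name (naming convention assumed for this example).
    """
    commands = []
    for name, (status, policy) in sorted(results.items()):
        if status == "LOGGING_DISABLED":
            commands.append(f"gcloud dns policies update {policy} --project {project} --enable-logging")
        elif status == "NO_POLICY":
            commands.append(f"gcloud dns policies create {name}-dns-policy --project {project} "
                            f"--enable-logging --networks={name}")
    return commands


def fetch_live(project):
    """Run the real gcloud commands for `project`; not used by the offline sample below."""
    def run(cmd):
        return json.loads(subprocess.check_output(shlex.split(cmd)))
    return (run(f"gcloud compute networks list --project {project} --format=json"),
            run(f"gcloud dns policies list --project {project} --format=json"))


if __name__ == "__main__":
    project = "cc-main-project-123123"
    results = audit(SAMPLE_NETWORKS, SAMPLE_POLICIES)
    for name, (status, policy) in sorted(results.items()):
        print(f"{name:<24} {status:<16} {policy or '-'}")
    for cmd in remediation_commands(project, results):
        print(cmd)
```

Run it as is to see the classification of the constructed sample, or replace the two sample lists with the tuple returned by fetch_live(project) to audit a real project; review the printed commands before executing them, because they change the DNS server policy for every network attached to it.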

Publication date Apr 21, 2021