
DNS Logging #2020

Closed
aumohr opened this issue Jan 30, 2024 · 5 comments · Fixed by #2033
Labels: bug (Something isn't working), cspr

Comments

@aumohr (Collaborator) commented Jan 30, 2024

Describe the bug
None of the auto-generated Shared VPCs have a DNS Policy with DNS logging in place. Activating DNS logging is considered a security best practice to discover and investigate security events.

Rationale
Cloud DNS logging records the queries coming from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC to Cloud Logging.

DNS logs can be used to investigate attacks and detect threats. Security Command Center Event Threat Detection requires Cloud DNS logs to detect some threats.

Recommendation
Cloud DNS logging is one of the sources for Event Threat Detection. If you activate the Security Command Center Premium tier at the organization level, Event Threat Detection consumes logs for your projects as they are created. Enable Cloud DNS logging by attaching a DNS policy with logging enabled to all VPC networks. To capture public DNS queries, logging must be enabled on public zones.

Expected behavior
The default configuration should have a DNS Policy configured to log DNS requests. There can be an option to opt out to reduce costs.

@aumohr aumohr added the cspr label Jan 30, 2024
juliocc added a commit that referenced this issue Jan 31, 2024
* Add DNS query logging to FAST net stages

Fixes #2020

* Update readmes

* Add variable to toggle DNS logging

* Extend DNS logging toggle to other net stages
@ludoo (Collaborator) commented Feb 3, 2024

Reopening the issue, I am getting this error applying the peering network stage in my org

[image: screenshot of the apply error]

@ludoo ludoo reopened this Feb 3, 2024
@ludoo (Collaborator) commented Feb 3, 2024

The error derives from enabling inbound DNS at the VPC level via the net-vpc module. Wasn't all the e2e testing supposed to catch this? :)

I see two ways to handle this

  • move the DNS inbound policy out of net-vpc and into the DNS module
  • handle DNS logging at the net-vpc level

My strong preference is for the second, since we care about VPCs in DNS policies, not zones, which is what the DNS module handles. The DNS policy should be handled at the module level and not as a FAST resource, to prevent this kind of conflict.

FAST is currently broken, so this needs to be fixed ASAP.
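
The recommendation in the issue description (attach a DNS policy with logging enabled to every VPC, and enable logging on public zones separately) and the apply conflict described in the comment above come down to the same Terraform shape. The block below is an added example written for this page, not code from cloud-foundation-fabric or the FAST network stages. The project and network names are placeholders, and the `dns_logging` and `dns_inbound` variables are assumptions standing in for whatever toggle the fixing commit added.

```hcl
# Added example, not FAST/cloud-foundation-fabric code. Shows a DNS server
# policy with query logging attached to a Shared VPC, plus zone-level logging
# for a public zone. Project/network/zone names are placeholders; the two
# variables are assumed toggles, not the project's actual variable names.

variable "dns_logging" {
  description = "Enable Cloud DNS query logging for the Shared VPC (assumed toggle)."
  type        = bool
  default     = true
}

variable "dns_inbound" {
  description = "Enable inbound DNS forwarding so on-prem resolvers can query Cloud DNS (assumed toggle)."
  type        = bool
  default     = false
}

resource "google_compute_network" "shared_vpc" {
  project                 = "example-net-prod" # placeholder project id
  name                    = "prod-spoke-0"     # placeholder network name
  auto_create_subnetworks = false
}

# Cloud DNS allows at most ONE server policy per VPC network. Query logging
# and inbound forwarding are both policy-level settings, so they must live in
# the same google_dns_policy resource; a second policy attached to the same
# network (e.g. one from a VPC module and one from a DNS module) is rejected
# by the API at apply time, which is the failure mode described above.
resource "google_dns_policy" "shared_vpc" {
  count   = var.dns_logging || var.dns_inbound ? 1 : 0
  project = google_compute_network.shared_vpc.project
  name    = "${google_compute_network.shared_vpc.name}-policy"

  # Sends every query from VMs/GKE/other resources in the VPC to Cloud Logging.
  enable_logging            = var.dns_logging
  enable_inbound_forwarding = var.dns_inbound

  networks {
    network_url = google_compute_network.shared_vpc.id
  }
}

# Public zones are not covered by a server policy: logging for queries to a
# public zone is a setting on the managed zone itself.
resource "google_dns_managed_zone" "public" {
  project    = google_compute_network.shared_vpc.project
  name       = "example-public" # placeholder zone name
  dns_name   = "example.com."   # placeholder domain
  visibility = "public"

  cloud_logging_config {
    enable_logging = true
  }
}
```

After `terraform apply`, a quick check that every network is covered by a logging policy is `gcloud dns policies list --project <project> --format="table(name,enableLogging,enableInboundForwarding,networks[].networkUrl)"`: each VPC should appear exactly once, with `enableLogging` true. If a module already creates a policy for the network (for inbound forwarding), add the logging flag to that resource rather than creating a second one.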

@ludoo ludoo added the bug Something isn't working label Feb 3, 2024
@ludoo (Collaborator) commented Feb 3, 2024

Well, DNS logging is already in the net-vpc module

[image: screenshot]

@ludoo (Collaborator) commented Feb 3, 2024

Closing as #2041 addressed this.

@ludoo ludoo closed this as completed Feb 3, 2024
@wiktorn (Collaborator) commented Feb 3, 2024

The error derives from enabling inbound DNS at the VPC level via the net-vpc module. Wasn't all the e2e testing supposed to catch this? :)

@ludoo They did catch this, though mail notification failed :-(
