One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

DNS Logs for Incident Response

Monday, April 29, 2013 - 13:10

A number of talks at the FIRST conference this week have mentioned the value of Domain Name Service (DNS) logs for both detecting and investigating various types of computer misuse: from users accessing unauthorised websites to PCs infected with botnets to targeted theft of information (see, for example, Google's talk).

DNS is sometimes described as the distributed phone book of the Internet – it’s how computers convert user-friendly names like www.ja.net into the numeric IP addresses that are actually used to move packets around the network. Every time a user or program converts an Internet name to an IP address, their computer has to make a request to the DNS, and that request can be logged. So how much of a privacy issue is this?

There are actually two types of DNS logs – logs of requests (which computer requested translation of which name) and logs of responses (what numeric address the name translated to at a particular time). Request logging clearly can have an impact on privacy: if you can link the IP address of the requesting computer to the person who was logged on, then you can see what websites and other Internet hosts they were accessing. However, the DNS request log can’t tell you which pages, or even how many pages, the user accessed. So it seems like less of a privacy invasion than collecting web proxy or e-mail logs, which many organisations and ISPs already do. Request logs are actually more like logs of traffic flows, which also show which machines communicated with which other machines (indeed a flow will normally be logged very soon after a DNS request!). There are a couple of differences: traffic flows (unlike request logs) say how much information was exchanged, while for hosts that contain a number of different websites the DNS query log, unlike the flow log, will reveal which of those sites was requested.

DNS response logs can be much less of a privacy issue, because they can be collected in a way that reveals only what translation request was made and not who made it. Such a log can’t be used to find problem users or local machines, but can be used (see, for example, Florian Weimer's original paper) to detect external threats such as rapidly moving phishing sites.
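To make the distinction between the two kinds of log concrete, here is an added example (not code from the post, from Jisc, or from Weimer's paper) in Python. It parses a handful of constructed resolver log lines in a made-up format, builds a request log that keeps the requesting client, and builds a passive-DNS style response log that deliberately drops it. The response log is then enough on its own to flag a name whose addresses change rapidly, while the "which of our machines looked this up?" question can only be answered from the request log. The log format, the thresholds and all names and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumption: a made-up format, not any real resolver's).
# Each line records the requesting client, the name queried and the answer returned.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-04-29T13:10:01 client 10.0.0.5 query www.ja.net A answer 192.0.2.10
2013-04-29T13:10:03 client 10.0.0.9 query www.ja.net A answer 192.0.2.10
2013-04-29T13:10:05 client 10.0.0.5 query login-example.test A answer 198.51.100.7
2013-04-29T13:10:09 client 10.0.0.12 query login-example.test A answer 198.51.100.8
2013-04-29T13:10:14 client 10.0.0.9 query login-example.test A answer 203.0.113.21
2013-04-29T13:10:20 client 10.0.0.5 query login-example.test A answer 203.0.113.44
2013-04-29T13:10:25 client 10.0.0.12 query login-example.test A answer 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) "
    r"(?P<qtype>\S+) answer (?P<answer>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def request_log(records):
    """Request log: who asked for what. Ties a client address to the names it resolved."""
    return [(r["ts"], r["client"], r["qname"]) for r in records]


def clients_that_looked_up(records, qname):
    """The privacy-sensitive question that only a request log can answer."""
    return {client for _, client, name in request_log(records) if name == qname}


def passive_dns(records):
    """Response log in passive-DNS form: (name, answer) -> first seen, last seen, count.
    The requesting client is dropped on purpose, so the table says what was
    resolved and when, but never by whom."""
    table = {}
    for r in records:
        key = (r["qname"], r["answer"])
        entry = table.setdefault(
            key, {"first_seen": r["ts"], "last_seen": r["ts"], "count": 0}
        )
        entry["first_seen"] = min(entry["first_seen"], r["ts"])
        entry["last_seen"] = max(entry["last_seen"], r["ts"])
        entry["count"] += 1
    return table


def rapidly_changing_names(pdns, window=timedelta(minutes=5), min_addresses=3):
    """Names that were seen with at least min_addresses distinct answers inside one
    window. Thresholds are illustrative; tune them to your own zone and resolver."""
    by_name = defaultdict(list)
    for (qname, answer), entry in pdns.items():
        by_name[qname].append((entry["first_seen"], answer))
    flagged = set()
    for qname, seen in by_name.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            distinct = {a for t, a in seen[i:] if t - start <= window}
            if len(distinct) >= min_addresses:
                flagged.add(qname)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    pdns = passive_dns(recs)
    suspicious = rapidly_changing_names(pdns)
    print("names with rapidly changing answers:", sorted(suspicious))
    for name in sorted(suspicious):
        # Only the request log can turn a suspicious name into a list of local machines.
        print(name, "was looked up by", sorted(clients_that_looked_up(recs, name)))
```

The passive-DNS table can be shared with other teams or retained for longer without identifying anyone, because its keys and values contain only names, answers and times; the request log is the one that needs the clear need and proportionate process the post goes on to describe.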

So it seems that logs of DNS requests, at least, should be considered as raising some privacy issues: organisations and incident response teams should only collect and use them if they have a clear need and proportionate processes for this. However, in many cases that need and those processes will already have been established for the collection and use of proxy or flow logs. DNS logs therefore seem to offer significant help to security and incident response teams without creating a significantly greater privacy threat for internet users.