CIS Control 8.6: Collect DNS Query Audit Logs
DNS query logging is your first line of defense against malware callbacks and command-and-control communications. CIS Control 8.6 requires collecting and monitoring DNS queries to identify when users or systems attempt to reach known malicious domains—catching threats before they cause damage.
What this means
This control requires organizations to systematically capture and retain DNS query logs from all internal DNS resolvers and network gateways. By collecting these logs, you gain visibility into domain resolution attempts across your network, enabling detection of compromised systems trying to contact malware infrastructure, phishing domains, or other known malicious hosts. The audit logs serve as both a detective control (identifying compromises) and a compliance artifact demonstrating your threat detection capabilities.
How to comply
- 1.Enable query logging on all DNS servers and recursive resolvers within your network
- 2.Configure DNS logging to capture the source IP, queried domain, query type, timestamp, and response code
- 3.Centralize DNS logs to a SIEM or log aggregation platform for analysis and correlation
- 4.Integrate threat intelligence feeds of known malicious domains into your DNS monitoring workflow
- 5.Establish alerting rules to flag queries to known malicious, suspicious, or blocked domains in real time
- 6.Retain DNS logs for a minimum of 90 days to support incident investigation and forensics
- 7.Regularly review DNS logs for anomalous query patterns or policy violations
- 8.Document your DNS logging architecture, log retention policy, and alert procedures
Evidence auditors look for
- DNS server configuration screenshots showing query logging enabled
- Sample DNS audit log exports showing source IP, domain, timestamp, and response
- SIEM dashboard or query results showing malicious domain detection rules in place
- Threat intelligence feed subscription documentation integrated with DNS monitoring
- Alert logs demonstrating detection and blocking of queries to known malicious domains
- Log retention policy documentation and storage verification
- Incident response reports showing DNS logs used to identify compromised systems
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates DNS log collection from your network infrastructure, correlates queries against real-time threat feeds, and surfaces detections as compliance evidence—eliminating manual log parsing and reducing detection time from hours to minutes.
See how GRCWatch handles this control automatically
Start free trial