GauravGhandat-23/DNS-Log-Analysis-Using-Splunk

📊 DNS Log Analysis Using Splunk (Zeek Logs)

Ingesting, analyzing, and visualizing DNS logs using Splunk & Zeek

📌 Project Overview

This project demonstrates how to ingest, parse, and analyze DNS logs using Splunk Enterprise.
Using Zeek-style JSON DNS logs, we perform security-focused DNS traffic analysis with Splunk Search Processing Language (SPL).

The project helps in identifying:

  • Frequently queried domain names
  • Most active client IPs
  • DNS query type distribution
  • Potential anomalies in DNS behavior

🎯 Objectives

By completing this project, you will learn how to:

  • Ingest JSON-formatted DNS logs into Splunk
  • Extract useful DNS metadata (queries, IPs, record types)
  • Write SPL queries for DNS traffic analysis
  • Detect suspicious or abnormal DNS activity
  • Build a foundation for DNS-based threat detection

πŸ› οΈ Tools & Technologies

  • Splunk Enterprise
  • Zeek DNS Logs (JSON format)
  • Search Processing Language (SPL)

📂 Dataset Information

The dataset consists of Zeek-style DNS logs in JSON format containing the following fields:


ts         → Timestamp
id.orig_h  → Source IP address
id.resp_h  → DNS server IP
qtype      → DNS query type (A, AAAA, PTR, CNAME)
query      → Queried domain name
answers    → DNS response
rcode      → DNS response code
rtt        → Round Trip Time


βš™οΈ Lab Setup & Data Ingestion

Step 1: Upload DNS Logs

  1. Open Splunk Web
  2. Navigate to: Settings → Add Data → Upload
  3. Select the file: dns_logs.json
  4. Configure:
  • Source Type: json (or custom zeek:dns)
  • Index: create a new index like dns_lab (recommended)

Step 2: Verify Data Ingestion

Run the following SPL query:

index=dns_lab | head 5

πŸ” Lab Tasks & SPL Queries

🔹 Task 1: Most Frequently Queried Domain Names

Identify the domains queried most often.

index=dns_lab 
| stats count by query
| sort -count

Use Case: Detect suspicious domains, beaconing behavior, or malware C2 traffic.


🔹 Task 2: Most Active Client IPs

Find hosts generating the highest DNS traffic.

index=dns_lab 
| stats count by "id.orig_h"
| sort -count

Use Case: Identify compromised systems or misconfigured devices.


🔹 Task 3: DNS Query Type Breakdown

Analyze DNS record types in the environment.

index=dns_lab 
| stats count by qtype

Common Types:

  • A → IPv4 address lookup
  • AAAA → IPv6 address lookup
  • CNAME → Canonical name mapping
  • PTR → Reverse DNS lookup
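The three tasks above are all `stats count by <field> | sort -count` over the dns_lab index. The following added example (not code from this repository) reproduces the same aggregations offline in Python over a handful of constructed Zeek-style JSON records, so the SPL results can be sanity-checked against an independent computation. It follows the field list from "Dataset Information" as given, where qtype holds the record-type name (native Zeek dns.log puts the name in qtype_name and the numeric code in qtype); the sample records, the documentation IP addresses in them and the deliberately truncated last line are all constructed.

```python
import json
from collections import Counter
from statistics import mean

# Constructed Zeek-style DNS records, one JSON object per line, following the page's
# field list. Sample data only, not the project's dns_logs.json; answers use RFC 5737 /
# RFC 3849 documentation addresses. The last line is deliberately truncated so the
# parser's handling of a malformed record is exercised.
SAMPLE_DNS_LOG = """\
{"ts": 1700000000.1, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "qtype": "A", "query": "www.google.com", "answers": ["192.0.2.10"], "rcode": "NOERROR", "rtt": 0.012}
{"ts": 1700000001.2, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "qtype": "AAAA", "query": "www.google.com", "answers": ["2001:db8::10"], "rcode": "NOERROR", "rtt": 0.015}
{"ts": 1700000002.3, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.53", "qtype": "A", "query": "login.microsoft.com", "answers": ["192.0.2.20"], "rcode": "NOERROR", "rtt": 0.020}
{"ts": 1700000003.4, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.53", "qtype": "A", "query": "www.google.com", "answers": ["192.0.2.10"], "rcode": "NOERROR", "rtt": 0.011}
{"ts": 1700000004.5, "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.0.53", "qtype": "PTR", "query": "1.2.0.10.in-addr.arpa", "answers": [], "rcode": "NXDOMAIN", "rtt": 0.030}
{"ts": 1700000005.6, "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.53", "qtype": "CNAME", "query": "mail.yahoo.com", "answers": ["edge.example.net"], "rcode": "NOERROR", "rtt": 0.018}
{"ts": 1700000006.7, "id.orig_h": "10.0.0.9"
"""


def parse_zeek_dns(text):
    """Parse newline-delimited JSON. Returns (records, number_of_malformed_lines);
    malformed lines are counted and skipped rather than aborting the whole batch."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if not isinstance(rec, dict):
            malformed += 1
            continue
        records.append(rec)
    return records, malformed


def count_by(records, field):
    """Offline equivalent of `stats count by <field> | sort -count`.
    Ties are broken by value so the output is deterministic."""
    counts = Counter(rec[field] for rec in records if rec.get(field) is not None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))


def top_queries(records, limit=10):        # Task 1
    return count_by(records, "query")[:limit]


def top_clients(records, limit=10):        # Task 2
    return count_by(records, "id.orig_h")[:limit]


def qtype_breakdown(records):              # Task 3
    return count_by(records, "qtype")


def resolution_summary(records):
    """Failed lookups (any rcode other than NOERROR) and mean RTT, as in Key Findings."""
    failed = sum(1 for r in records if r.get("rcode") != "NOERROR")
    rtts = [r["rtt"] for r in records if isinstance(r.get("rtt"), (int, float))]
    return {"total": len(records), "failed": failed,
            "mean_rtt": mean(rtts) if rtts else None}


if __name__ == "__main__":
    recs, bad = parse_zeek_dns(SAMPLE_DNS_LOG)
    print(f"parsed {len(recs)} records, skipped {bad} malformed line(s)")
    for title, rows in (("Task 1: top queried domains", top_queries(recs)),
                        ("Task 2: most active clients", top_clients(recs)),
                        ("Task 3: query type breakdown", qtype_breakdown(recs))):
        print(title)
        for value, n in rows:
            print(f"  {n:>5}  {value}")
    print("resolution summary:", resolution_summary(recs))
```

Note that the dotted field name id.orig_h is a plain dictionary key here; in SPL the same field must be quoted in the `by` clause, as the Task 2 query does.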

📈 Key Findings

  • Identified top queried domains (e.g., Google, Microsoft, Yahoo)
  • Discovered high-volume DNS-generating client IPs
  • Observed distribution of A, AAAA, CNAME, and PTR records
  • Analyzed response time (RTT) and failed DNS resolutions
  • Established a baseline for DNS behavior

🚨 Security Insights

This analysis can help detect:

  • DNS tunneling
  • Malware beaconing via repeated DNS queries
  • Excessive reverse DNS lookups
  • High-latency or failed DNS responses
  • Rare or suspicious domain queries

📊 Dashboards & Alerts (Enhancements)

Future improvements may include:

  • Splunk dashboards for DNS activity visualization

  • Alerts for:

    • High DNS query volume
    • NXDOMAIN spikes
    • Rare or newly observed domains

✅ Conclusion

By completing this project, you have:

  • Successfully ingested and parsed DNS logs in Splunk
  • Built SPL queries for DNS traffic analysis
  • Identified key DNS usage patterns
  • Gained hands-on experience in SIEM-based security analysis

This project is well-suited for SOC Analyst, Cybersecurity, and SIEM roles.


🚀 Future Enhancements

  • GeoIP enrichment for DNS responses
  • DNS tunneling detection using entropy analysis
  • Correlation with HTTP or proxy logs
  • Automated alerting and reporting
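The detections listed under "Security Insights", the alert conditions under "Dashboards & Alerts" and the entropy-based tunneling check above are all simple aggregations over the same three fields (client IP, query, rcode). The added example below (not part of this repository) implements each of them as a standalone Python function over constructed events, so the logic can be tried before it is turned into a scheduled Splunk alert. All thresholds (label length 30, entropy 3.5 bits, 5 queries, 50% NXDOMAIN ratio) are illustrative assumptions to be tuned against the baseline the project establishes; the client IPs and domain names in SAMPLE_EVENTS are constructed.

```python
import math
from collections import Counter

# Constructed (client IP, queried name, rcode) tuples standing in for dns_lab events.
# 10.0.0.5 behaves normally; 10.0.0.9 mostly resolves random-looking names that come
# back NXDOMAIN; 10.0.0.12 repeatedly queries one long high-entropy label, the shape
# DNS tunnels produce. Names under .example are reserved and never resolve.
SAMPLE_EVENTS = (
    [("10.0.0.5", "www.google.com", "NOERROR")] * 3
    + [("10.0.0.5", "login.microsoft.com", "NOERROR")]
    + [("10.0.0.9", name, "NXDOMAIN") for name in
       ("qzvkmwtr.net", "plxjhgfd.com", "wnbvcxzs.org", "mkjhytre.info", "asdfqwer.biz")]
    + [("10.0.0.9", "www.yahoo.com", "NOERROR")]
    + [("10.0.0.12", "3a7f9c2e1b8d4f6a0c5e7b9d1f3a5c7e.exfil.example", "NOERROR")] * 2
)


def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for a one-symbol or empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_label(name):
    """Tunnel payloads ride in subdomain labels, so score the longest label, not the name."""
    return max(name.rstrip(".").split("."), key=len, default="")


def looks_like_tunnel_name(name, min_label_len=30, min_entropy=3.5):
    """Entropy-based tunneling heuristic: a long label whose characters are near-random.
    Thresholds are assumptions; CDN and cloud hostnames can be long, so tune on a baseline."""
    label = longest_label(name)
    return len(label) >= min_label_len and shannon_entropy(label) >= min_entropy


def tunnel_candidates(events, **thresholds):
    return sorted({q for _, q, _ in events if looks_like_tunnel_name(q, **thresholds)})


def high_volume_clients(events, min_queries=5):
    """Alert: high DNS query volume per client (stats count by id.orig_h with a threshold)."""
    per_client = Counter(client for client, _, _ in events)
    return sorted(c for c, n in per_client.items() if n >= min_queries)


def nxdomain_spikes(events, min_total=5, min_ratio=0.5):
    """Alert: NXDOMAIN spike, expressed as a failure ratio per client to avoid
    flagging busy but healthy hosts."""
    totals, failures = Counter(), Counter()
    for client, _, rcode in events:
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failures[client] += 1
    return sorted(c for c, n in totals.items()
                  if n >= min_total and failures[c] / n >= min_ratio)


def rare_domains(events, max_count=1):
    """Alert: rare domains, i.e. names seen at most max_count times in the window."""
    per_domain = Counter(q for _, q, _ in events)
    return sorted(q for q, n in per_domain.items() if n <= max_count)


if __name__ == "__main__":
    print("tunnel candidates:", tunnel_candidates(SAMPLE_EVENTS))
    print("high-volume clients:", high_volume_clients(SAMPLE_EVENTS))
    print("NXDOMAIN spikes:", nxdomain_spikes(SAMPLE_EVENTS))
    print("rare domains:", rare_domains(SAMPLE_EVENTS))
```

Each function maps onto one scheduled search: the counters are `stats count by` clauses, the ratio is an `eval` after a `stats` with a conditional count, and the entropy check is the one piece SPL does not give you for free, which is why it is listed as a future enhancement.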

⭐ If you found this project helpful, consider starring the repository!
