4.3.2 Ensure DNS Filter logs all DNS queries and responses

Information

DNS filter should log all DNS queries and responses.

DNS filter should log all DNS queries and responses (whether the DNS category is blocked, monitored, or allowed). This enables SOC or security analysts to do further investigations on security incidents, especially on threat hunting or incident response activities. Although there are many data sources that can provide DNS query logs (AD or EDR), this option should be enabled out of best practice and with the assumption that no other data source is available.

Solution

Review DNS Filter Security Profiles and validate that "Log all DNS queries and responses" is enabled.

Impact:

By default, allowed DNS is not logged. This creates a data gap in threat hunting or incident response activities.

See Also

https://workbench.cisecurity.org/benchmarks/15284

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, CSCv7|8.7

Plugin: FortiGate

Control ID: 9cdd32ba03c0e191b9ff7c1315b5861167c50372c2b89f6b1434a35c89dc10bf