GCP-VPCNetwork-DNS-Logging-Enabled

Severity: High

Description: This control ensures that Cloud DNS logging is enabled for all VPC networks. Cloud DNS logging records the DNS queries received by the name servers within your VPC and sends them to Stackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other GCP resources provisioned within the VPC.

Remediation Steps:

Perform the following to enable Cloud DNS logging:

  1. Sign in to GCP Console https://console.cloud.google.com.

  2. Go to the VPC network list in the GCP Console by visiting the networking list.

  3. Go to the VPC networks page by visiting: https://console.cloud.google.com/networking/networks/list

  4. Click on the VPC network instance which you want to remediate.

  5. Click on Edit.

  6. From the DNS server policy dropdown, select an existing DNS server policy for which DNS logging is enabled, or create a new server policy with DNS logging enabled.

  7. Click on Save.
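As an added audit check (not part of this control text), the following Python script takes constructed sample data in the shape of `gcloud compute networks list --format=json` and `gcloud dns policies list --format=json` and reports the VPC networks that have no DNS server policy with logging enabled, which is the condition steps 1-7 remediate. The project name `example-proj` and the network and policy names are assumptions.

```python
"""List VPC networks that lack a Cloud DNS server policy with logging enabled.

Inputs are assumed to be the JSON output of `gcloud compute networks list
--format=json` and `gcloud dns policies list --format=json`. The samples
below are constructed for a hypothetical project "example-proj".
"""
import json

BASE = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/"

# Constructed sample: three VPC networks in the project.
NETWORKS_JSON = json.dumps([
    {"name": "default", "selfLink": BASE + "default"},
    {"name": "prod-vpc", "selfLink": BASE + "prod-vpc"},
    {"name": "dev-vpc", "selfLink": BASE + "dev-vpc"},
])

# Constructed sample: prod-vpc has a policy with logging on, dev-vpc has a
# policy with logging off, and "default" has no policy at all (the default
# state this control warns about).
POLICIES_JSON = json.dumps([
    {"name": "prod-logging", "enableLogging": True,
     "networks": [{"networkUrl": BASE + "prod-vpc"}]},
    {"name": "dev-policy", "enableLogging": False,
     "networks": [{"networkUrl": BASE + "dev-vpc"}]},
])


def _network_key(url: str) -> str:
    """Reduce a network URL or selfLink to 'projects/.../networks/<name>'
    so values from the two APIs compare regardless of host prefix."""
    idx = url.find("projects/")
    return url[idx:] if idx >= 0 else url


def networks_without_dns_logging(networks_json: str, policies_json: str) -> list:
    """Return names of networks with no attached policy, or only policies
    whose enableLogging is false; either case fails this control."""
    logged = set()
    for policy in json.loads(policies_json):
        if not policy.get("enableLogging", False):
            continue  # attached, but logging disabled: not compliant
        for net in policy.get("networks", []):
            logged.add(_network_key(net["networkUrl"]))
    return sorted(n["name"] for n in json.loads(networks_json)
                  if _network_key(n["selfLink"]) not in logged)


if __name__ == "__main__":
    for name in networks_without_dns_logging(NETWORKS_JSON, POLICIES_JSON):
        print(f"non-compliant: {name}")
```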

Important:

Cloud DNS logging is disabled by default on each network.

Reference:

 

Blue Hexagon Proprietary