Packetbeat on high volume production Windows-AD-DNS-Servers


we are trying to visualize and permanently record our DNS traffic. The DNS Server is run on Windows 10 and the logs it writes are ok but extending it with packetbeat would increase the visibility a lot. The concerns I have are running packetbeat on such critical infrastructure are

  1. security: packetbeat runs with admin priveledges and listens promisc on the network interface. We would only enable the DNS protocol in packetbeat. But the DNS Servers need to be reachable from everywhere in our network and thus anyone on the network can potentially craft malicious DNS packets potentially exploiting a but in packetbeat. Looking at the security record so far I can't see any major threats where this was exploited but it's kin a of not obvious to me to actually determine the risk? Any hints welcome!
  2. performance: not so concerned as I think all that can happen here is packetbeat dropping/missing packets. But packetbeat shouldn't infect the overall server performance significantly if I carefully use max_procs to be max the cpu's available. Is that correct?

Thanks 1000x and keep up the great work,

You could always create a dedicated sensor running packetbeat that gets a copy of the traffic going to your DCs if you don't want to run the software on your DCs

We looked into that but as all of this runs within an ESX environment and there seems no way of getting a permanent (virtual) mirror port this is unfortunately not an option. Or do you have a recommendation to actually tap into trafficflows within virtual environments?

sorry haven't used ESX in about 10+ years - there must be a way (dedicate a nic / offload mirroring to a physical switch, etc)...I just depends on how much you want it and what the risk / benefit is in your context.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.