VPC networks are assessed for a DNS policy that enables Cloud DNS query logging. When such a policy is present, the resolvers record queries for the network from VMs, GKE, peering, and inbound forwarding, and the entries are written to Cloud Logging.
Risk
Without DNS query logs, suspicious lookups (C2, DGA, DNS exfiltration) go unseen, which weakens confidentiality and hinders incident response. Visibility gaps also hide misconfigurations and elevated NXDOMAIN rates that can impact the availability of name resolution.
prowler gcp --checks compute_network_dns_logging_enabled
Recommendation
Enable Cloud DNS query logging for all VPC networks via DNS policies and route logs to centralized analysis. Enforce least privilege on log access, set retention and sampling to manage cost, and add detections for malicious domains. Apply defense in depth with DNS response policies and egress controls.
Remediation
- In the Google Cloud console, go to Cloud DNS > Policies
- If the VPC already has a policy: select the policy, click Edit, check Enable logging, click Save
- If there is no policy for the VPC: click Create policy, enter a name, check Enable logging, add the target VPC network, click Create
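The assessment described above, as an added example that is not Prowler's own code: it joins the networks returned by the Compute API (`selfLink`) with Cloud DNS policies (`enableLogging`, `networks[].networkUrl`) and marks a network FAIL when no logging-enabled policy covers it, whether the policy exists without logging or is missing entirely. Project and network names in the sample data are constructed; the suffix-based URL comparison is an assumption.

```python
"""Assess VPC networks for a Cloud DNS policy that has query logging enabled."""
from typing import Iterable


def network_key(url: str) -> str:
    """Reduce a network selfLink or policy networkUrl to its resource path.
    Assumption: the two APIs may differ in host/version prefix, so only the
    'projects/<project>/global/networks/<name>' suffix is compared."""
    idx = url.find("projects/")
    return url[idx:] if idx >= 0 else url


def networks_with_logging(policies: Iterable[dict]) -> set[str]:
    """Keys of every network attached to at least one policy with enableLogging set."""
    logged: set[str] = set()
    for policy in policies:
        if policy.get("enableLogging", False):
            for net in policy.get("networks", []):
                logged.add(network_key(net["networkUrl"]))
    return logged


def assess_dns_logging(networks: Iterable[dict], policies: Iterable[dict]) -> dict[str, str]:
    """Map each network name to PASS (a logging policy covers it) or FAIL."""
    logged = networks_with_logging(policies)
    return {n["name"]: "PASS" if network_key(n["selfLink"]) in logged else "FAIL" for n in networks}


# Constructed sample data shaped like compute.networks.list and dns.policies.list responses.
_NET = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/"
SAMPLE_NETWORKS = [
    {"name": "prod-vpc", "selfLink": _NET + "prod-vpc"},
    {"name": "shared-vpc", "selfLink": _NET + "shared-vpc"},
    {"name": "legacy-vpc", "selfLink": _NET + "legacy-vpc"},  # no DNS policy at all
]
SAMPLE_POLICIES = [
    {"name": "prod-policy", "enableLogging": True, "networks": [{"networkUrl": _NET + "prod-vpc"}]},
    {"name": "shared-policy", "enableLogging": False, "networks": [{"networkUrl": _NET + "shared-vpc"}]},
]

if __name__ == "__main__":
    for name, status in assess_dns_logging(SAMPLE_NETWORKS, SAMPLE_POLICIES).items():
        print(f"{status}: {name}")
```

Running it prints one PASS for prod-vpc and a FAIL for both shared-vpc (policy present, logging off) and legacy-vpc (no policy).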
Resource Type
compute.googleapis.com/Network