Interesting article on analyzing DNS logs using Splunk, showing how to tell whether Splunk has seen a DNS lookup for a known bad domain name.
Again, if you use our data as this article does, do not pull the zone file more than once every 12 hours or you will be banned. Better yet, check whether the file has changed first (such as via a wget option) BEFORE pulling the zone file. And please DONATE if you consider the list useful. A year's worth of donations does not even equal one month’s hosting and infrastructure costs, and we are not sure how much longer we can continue to pay these expenses out-of-pocket.
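A polite fetcher that follows the two rules above, as an added example that is not part of the original post or the list's own tooling: it refuses to contact the server more than once per 12 hours (tracked in a sidecar marker file), and when it does, it sends If-Modified-Since so an unchanged file costs a 304 instead of a full download. The URL and file names are placeholders, not the real feed location.

```python
import os
import time
import urllib.error
import urllib.request
from email.utils import formatdate, parsedate_to_datetime

MIN_INTERVAL_SECONDS = 12 * 60 * 60   # the page's limit: at most one pull per 12 hours


def marker_path(path):
    """Sidecar file whose mtime records when we last contacted the server."""
    return path + ".lastcheck"


def is_stale(path, min_interval=MIN_INTERVAL_SECONDS, now=None):
    """True if we have never checked, or the last check is older than min_interval."""
    marker = marker_path(path)
    if not os.path.exists(path) or not os.path.exists(marker):
        return True
    now = time.time() if now is None else now
    return (now - os.path.getmtime(marker)) >= min_interval


def conditional_request(url, path):
    """GET carrying If-Modified-Since taken from the local copy's mtime, which
    refresh() sets to the server's Last-Modified, so an unchanged file yields a 304."""
    req = urllib.request.Request(url)
    if os.path.exists(path):
        req.add_header("If-Modified-Since",
                       formatdate(os.path.getmtime(path), usegmt=True))
    return req


def touch(path):
    """Create the file if needed and set its mtime to now."""
    with open(path, "a"):
        pass
    os.utime(path, None)


def refresh(url, path):
    """Return 'skipped' (too soon), 'unchanged' (304) or 'updated' (new file written)."""
    if not is_stale(path):
        return "skipped"
    req = conditional_request(url, path)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = resp.read()
            last_modified = resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:
            touch(marker_path(path))   # record the check; wait another 12h
            return "unchanged"
        raise
    with open(path, "wb") as fh:
        fh.write(data)
    if last_modified:
        # Mirror the server's timestamp so the next If-Modified-Since is exact.
        ts = parsedate_to_datetime(last_modified).timestamp()
        os.utime(path, (ts, ts))
    touch(marker_path(path))
    return "updated"


if __name__ == "__main__":
    # Placeholder URL and path (assumption): substitute the real zone file location.
    print(refresh("https://example.invalid/zonefile.txt", "zonefile.txt"))
```

The marker file is deliberately separate from the downloaded file: the content's mtime is set to the server's Last-Modified for the conditional request, while the marker's mtime answers "when did we last ask", so a server file that is weeks old does not trick the script into polling every run.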
Article here: http://www.stratumsecurity.com/2012/07/03/splunk-security/
Log DNS queries and the client that requested them: It’s been said that DNS is the linchpin of the Internet. It’s arguably the most basic and underappreciated human-to-technology interface. It’s no different for malware. When you suspect that a device has been compromised on your network, it’s important to be able to see what the suspected device has been up to. The DNS logs of a compromised machine will quickly allow responders to identify other machines that may also be infected.
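The matching step the article performs in Splunk, written out as an added example (not code from the original post or the linked article) so the logic is visible: parse BIND-style query log lines for the client and the queried name, normalise names (trailing dot, case), and flag a query when the name equals a blocklisted domain or is a subdomain of one. The log lines and the blocklist are constructed samples; a label-wise match is used on purpose, since a plain substring search would also flag names like `notcnc.example.net`.

```python
import re
from collections import defaultdict

# Constructed sample blocklist (not a real feed): one domain per line, '#' comments.
BLOCKLIST_TEXT = """
# constructed sample list
bad-updates.example.test
cnc.example.net
"""

# Constructed BIND-style query log lines (not real traffic).
DNS_LOG = """\
03-Jul-2012 10:15:02.123 client 10.0.0.5#53211: query: www.bad-updates.example.test IN A + (10.0.0.1)
03-Jul-2012 10:15:03.456 client 10.0.0.7#41002: query: mail.example.org IN MX + (10.0.0.1)
03-Jul-2012 10:15:04.789 client 10.0.0.9#50123: query: CNC.example.net. IN A + (10.0.0.1)
03-Jul-2012 10:15:05.001 client 10.0.0.5#53212: query: notcnc.example.net IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Canonical form: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def load_blocklist(text):
    """Parse the list into a set of normalised domains, ignoring comments and blanks."""
    bad = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            bad.add(normalize(line))
    return bad


def matching_domain(qname, bad):
    """Return the blocklisted domain that qname equals or sits under, else None.

    Walks the label suffixes (a.b.c -> a.b.c, b.c, c) so that only true
    subdomains match; 'notcnc.example.net' does not match 'cnc.example.net'."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad:
            return candidate
    return None


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every line that looks like a query record."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def find_hits(log_text, bad):
    """Map each blocklisted domain to the sorted list of clients that looked it up."""
    hits = defaultdict(set)
    for client, qname, _ in parse_queries(log_text):
        domain = matching_domain(qname, bad)
        if domain:
            hits[domain].add(client)
    return {domain: sorted(clients) for domain, clients in hits.items()}


if __name__ == "__main__":
    for domain, clients in find_hits(DNS_LOG, load_blocklist(BLOCKLIST_TEXT)).items():
        print(domain, "queried by", ", ".join(clients))
```

Grouping clients by matched domain is what turns one suspicious host into a list of other candidates to examine, which is the pivot the paragraph above describes.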