Google Cloud DNS Query and Response Logs

Cloud & SaaS | DNS Analysis | Google Cloud | Cloud Control Plane | SIEM / Log Aggregator

Location

Cloud DNS logging in Cloud Logging and Cloud Monitoring for managed zones and policies

Description

DNS telemetry for Google Cloud managed zones and Cloud DNS features, including query/response activity and operational signals about resolver behavior when logging is enabled.

Forensic Value

Cloud DNS logs help identify workload resolution of attacker domains, DNS-based C2, and data-exfiltration patterns originating from cloud workloads that never traverse on-premises DNS infrastructure.
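An added triage example, not part of the original page: it groups exported Cloud DNS log entries by workload and parent domain and flags groups with many unique, long first labels, a common sign of DNS tunneling or exfiltration. The field names (`resource.type`, `jsonPayload.queryName`, `jsonPayload.vmInstanceName`) are assumed to match your export, and the sample entries, thresholds and function names are constructed for illustration.

```python
import json
from collections import defaultdict

def make_entry(vm, qname, qtype="A", rcode="NOERROR"):
    # Constructed entry shaped like a Cloud DNS query log record (assumed field names).
    return json.dumps({"resource": {"type": "dns_query"},
                       "jsonPayload": {"vmInstanceName": vm, "queryName": qname,
                                       "queryType": qtype, "responseCode": rcode}})

# Constructed sample export, one JSON entry per line (plus one corrupt line).
SAMPLE = [make_entry("web-1", "storage.googleapis.com.")] * 3
SAMPLE += [make_entry("web-1", f"{i:02d}{'ab12cd34ef56' * 3}.x.example.net.", "TXT")
           for i in range(6)]
SAMPLE += [make_entry("db-1", "www.example.com."), "not json"]

def parent_domain(qname, labels=2):
    # Simplification: keep the last N labels; no public-suffix-list handling.
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])

def find_tunnel_candidates(lines, min_unique=5, min_avg_label=24):
    """Return (vm, domain) groups with many distinct names and long first labels."""
    groups = defaultdict(set)
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines in the export
        if not isinstance(entry, dict):
            continue
        if entry.get("resource", {}).get("type") != "dns_query":
            continue
        payload = entry.get("jsonPayload", {})
        qname = payload.get("queryName")
        if not qname:
            continue
        key = (payload.get("vmInstanceName", "unknown"), parent_domain(qname))
        groups[key].add(qname.lower())
    findings = []
    for (vm, domain), names in sorted(groups.items()):
        avg = sum(len(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= min_unique and avg >= min_avg_label:
            findings.append({"vm": vm, "domain": domain,
                             "unique_names": len(names),
                             "avg_first_label_len": round(avg, 1)})
    return findings

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE):
        print(finding)
```

A hit is a lead for review, not a verdict: CDNs and some telemetry services also generate long, unique labels, so tune the thresholds against a baseline of the environment.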

Tools Required

Google Cloud Console | gcloud CLI | Cloud Logging | SIEM

Collection Commands

Google Cloud Console

Cloud DNS > relevant zone or policy > Monitoring/Logging > export DNS activity and confirm the logging configuration for the investigation window

gcloud CLI

gcloud dns managed-zones describe <zone-name> --format=json > gcp_dns_zone_config.json

Collection Constraints

  • DNS evidence quality depends on Cloud DNS logging being enabled for the zones or policies that served the workloads in scope.
  • DNS logs establish resolution activity but do not prove the full application-layer transaction that followed.

MITRE ATT&CK Techniques

T1071.004 | T1568 | T1048.003