6. DNS server logs
OxCERT may under certain circumstances need to make use of DNS resolver logs when handling incidents. Where clients are configured to use a local DNS resolver as opposed to the central University servers, OxCERT will identify potentially malicious DNS lookups originating from the IP address of the local resolver. To aid investigations, OxCERT strongly recommend that local DNS resolvers are clearly identifiable as such (via hostname or DNS comment), and, subject to local privacy policies allowing it, retain logs of queries so that the source of malicious DNS requests can be identified.