This page describes how to create and modify a DNS threat detector to monitor VPC networks for malicious, internet-bound DNS activity.
For more information about DNS threat detection, see Threat Monitoring.
DNS threat monitoring can impact your billing. See Cloud DNS Pricing for more information.
Before you begin
Complete the following before you create a DNS threat detector.
- Enable the Network Security API in your project.
- Make sure that you have the required roles to enable a DNS threat detector.
- If you want to use the Google Cloud CLI to perform tasks, update the Google Cloud CLI to the latest version.
Create DNS threat detector
To create a DNS threat detector for all of your VPC networks in a project, complete the following steps. Any new VPC networks added to the project are monitored automatically.
You can have only one DNS threat detector enabled for a project.
Console
- In the Google Cloud console, go to the Advanced threat detection page.
- Click Create DNS threat detector.
- Enter a name for your DNS threat detector.
- Select All VPC networks in the project.
- Click Create.
gcloud
gcloud beta network-security dns-threat-detectors create NAME \
    --location=global \
    --project=PROJECT_ID \
    --provider="INFOBLOX"
Replace the following:
- NAME: the name for your DNS threat detector.
- PROJECT_ID: your project ID.
API
POST https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/dnsThreatDetectors/NAME
{
  "name": "NAME",
  "scope": "PROJECT_ID",
  "provider": "INFOBLOX"
}
Replace the following:
- NAME: the name of your DNS threat detector.
- PROJECT_ID: your project ID.
Exclude a VPC network from threat monitoring
You can exclude a VPC network from threat monitoring by editing your DNS threat detector. You can also exclude the network when creating a DNS threat detector.
New VPC networks added to the project are monitored automatically.
Console
- In the Google Cloud console, go to the Advanced threat detection page.
- Click More, and select Edit.
- In the Scope section, select All VPC networks in the project except excluded networks.
- Select the VPC networks that you don't want to monitor.
- Click Save.
gcloud
gcloud beta network-security dns-threat-detectors update NAME \
    --add-excluded-networks=projects/LIST_OF_NETWORKS \
    --provider="INFOBLOX" \
    --location=global
Replace the following:
- NAME: the name of your DNS threat detector.
- LIST_OF_NETWORKS: the list of VPC networks you want to exclude.
- PROJECT_ID: your project ID.
API
PATCH https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/dnsThreatDetectors/NAME
{
  "name": "NAME",
  "scope": "PROJECT_ID",
  "excluded_networks": [ "LIST_OF_NETWORKS" ],
  "provider": "INFOBLOX"
}
Replace the following:
- NAME: the name of your DNS threat detector.
- PROJECT_ID: your project ID.
- LIST_OF_NETWORKS: a comma-delimited list of VPC networks you want to exclude. Each network must be in quotes.
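The create and update requests above are easy to get subtly wrong by hand (a misspelled detector name, a network path pointing at another project, the same network listed twice). The following Python script is an added example, not code from the Google Cloud documentation: it composes the POST and PATCH bodies in the exact shape shown in the API sections above, validates the placeholders before anything is sent, and reports which networks remain monitored after an exclusion. The detector-name character rules and the projects/PROJECT_ID/global/networks/NETWORK form of a VPC network resource path are assumptions made here; the project ID and network names are constructed placeholders.

```python
"""Build and sanity-check DNS threat detector request bodies.

Added example (not from the Google Cloud documentation). It composes the
create (POST) and exclusion-update (PATCH) bodies for the networksecurity
v1beta1 endpoint documented above and validates inputs before any call.
Assumptions: detector names follow the usual resource-name rules, and VPC
networks are referenced as projects/PROJECT_ID/global/networks/NETWORK.
"""
import json
import re

API_BASE = "https://networksecurity.googleapis.com/v1beta1"
PROVIDER = "INFOBLOX"

# Assumption: lowercase letters, digits and hyphens, starting with a letter.
NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,62}$")
# Assumption: full Compute Engine network resource path.
NETWORK_RE = re.compile(r"^projects/([^/]+)/global/networks/([a-z][a-z0-9-]*)$")


def detector_url(project_id, name):
    """Resource URL used by the POST, PATCH and DELETE calls on this page."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid detector name: {name!r}")
    return (f"{API_BASE}/projects/{project_id}"
            f"/locations/global/dnsThreatDetectors/{name}")


def create_body(project_id, name):
    """Body for a detector that monitors every VPC network in the project."""
    detector_url(project_id, name)  # validates the name
    return {"name": name, "scope": project_id, "provider": PROVIDER}


def network_path(project_id, network):
    """Accept a short network name or a full path; return the full path."""
    if "/" not in network:
        return f"projects/{project_id}/global/networks/{network}"
    match = NETWORK_RE.match(network)
    if not match:
        raise ValueError(f"malformed network path: {network!r}")
    if match.group(1) != project_id:
        # The detector is project-scoped; an exclusion that names another
        # project's network is almost certainly a configuration mistake.
        raise ValueError(f"{network!r} is not in project {project_id!r}")
    return network


def update_body(project_id, name, excluded_networks):
    """Body for the PATCH that excludes the given VPC networks from monitoring."""
    detector_url(project_id, name)  # validates the name
    paths = []
    for net in excluded_networks:
        path = network_path(project_id, net)
        if path not in paths:  # drop duplicates, keep caller's order
            paths.append(path)
    return {
        "name": name,
        "scope": project_id,
        "excluded_networks": paths,
        "provider": PROVIDER,
    }


def monitored_networks(project_id, all_networks, excluded_networks):
    """Coverage check: networks still inspected once the exclusions apply."""
    excluded = {network_path(project_id, n) for n in excluded_networks}
    return [p for p in (network_path(project_id, n) for n in all_networks)
            if p not in excluded]


if __name__ == "__main__":
    proj = "example-project"  # constructed placeholder
    print(json.dumps(create_body(proj, "prod-dns-detector"), indent=2))
    print(json.dumps(update_body(proj, "prod-dns-detector",
                                 ["lab-vpc", "lab-vpc"]), indent=2))
    print(monitored_networks(proj, ["prod-vpc", "lab-vpc"], ["lab-vpc"]))
```

Run it once before sending the PATCH and compare the printed coverage list against the networks you expect to keep under inspection; an exclusion is a deliberate blind spot, so the list is worth keeping with the change record.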
Remove your DNS threat detector
You can delete your DNS threat detector.
Console
- In the Google Cloud console, go to the Advanced threat detection page.
- Click More, and select Delete.
gcloud
gcloud beta network-security dns-threat-detectors delete NAME \
    --project=PROJECT_ID \
    --location=global
Replace the following:
- NAME: the name of your DNS threat detector.
- PROJECT_ID: your project ID.
API
DELETE https://networksecurity.googleapis.com/v1beta1/projects/PROJECT_ID/locations/global/dnsThreatDetectors/NAME
{
  "name": "NAME",
  "scope": "PROJECT_ID"
}
Replace the following:
- NAME: the name of your DNS threat detector.
- PROJECT_ID: your project ID.
Add labels
You can add labels to your DNS threat detector after it has been created.
Console
- In the Google Cloud console, go to the Network Security page.
- Click More, and select Label.
- Enter or select labels for your DNS threat detector.
What's next
- To view any threats detected, see View threats.
- For more information about logging, see Use logging and monitoring.
- To find solutions for common issues that you might encounter with your DNS threat detector, see Troubleshooting.