You can capture DNS queries and responses for later analysis. When configuring this feature, you can choose to save the capture file locally on your appliance, as well as on an FTP (File Transfer Protocol) or SCP (Secure Copy) server. When you save it locally, you can use show query_capture to view the contents of the capture file. You can also use filter commands to exclude certain queries and view only the desired ones. Note that using multiple CLI commands to filter data on appliances with a large number of captured DNS queries and responses can significantly affect system performance, protocol performance, and CLI command performance.
A capture file for logging DNS queries and responses is rolled over based on the configured time limit or when the file reaches 100 MB in size, whichever is sooner. The default time limit is 10 minutes. The capture file is automatically saved and exported to an FTP or SCP server based on your configuration. When you configure the appliance to save the capture file locally and later enable FTP or SCP, the appliance copies all the data, starting with the oldest. Infoblox recommends that you constantly monitor the FTP or SCP server to ensure that it has sufficient disk space. DNS queries and responses are stored on the appliance if the FTP or SCP server becomes unreachable. The maximum storage capacity varies based on the appliance model. After reaching the maximum limit, the appliance overwrites the oldest data with new data. For information about the maximum hard drive space, see the table below. The amount of data captured depends on the DNS query rate and the domains that are included in or excluded from the capture. For information about how to exclude domains, see Excluding Domains From Query and Response Capture below.
...
To configure DNS query and response captures:
Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
Member: From the Data Management tab, select the DNS tab and click the Members tab -> member checkbox -> Edit icon. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
Under Data Collection for all DNS Queries/Responses to a Domain, complete the following:
Select the Capture DNS Queries checkbox to start capturing DNS queries. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS queries for the selected members only.
Select the Capture DNS Responses checkbox to start capturing DNS responses. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS responses for the selected members only.
Note: Enabling the logging of queries and responses at the same time can increase disk space usage and adversely affect DNS services and performance. Infoblox recommends that you do not configure both logging of queries and logging of responses at the same time.
...
Maximum Hard Drive Space Used for DNS Queries and Responses
Supported NIOS Appliances | Maximum Hard Drive Space for DNS Query/Response Capture (MB) |
---|---|
TE-926 | 3100 |
TE-1516 | 6000 |
TE-1526 | 10000 |
TE-2326 | 28000 |
TE-4126 | 40000 |
TE-815 and IB-V815 | 900 |
TE-825 and IB-V825 | 3100 |
TE-1415 and IB-V1415 | 6000 |
TE-1425 and IB-V1425 | 10000 |
TE-2215 and IB-V2215 | 12000 |
TE-2225 and IB-V2225 | 28000 |
PT-1405 | 10000 |
PT-2205 | 28000 |
Excluding Domains From Query and Response Capture
...
To exclude a domain from query and response capturing, do the following:
Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
Member: From the Data Management tab, select the DNS tab and click the Members tab -> member checkbox -> Edit icon. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
Under Data Collection for all DNS Queries/Responses to a Domain, select the Exclude the following domains checkbox.
Click the Add icon and select Add Domain or Bulk Add Domains and specify domains in the Domain table.
Note: NIOS first matches the domains in the Exclusion list and then matches the domains in the Inclusion list. NIOS does not capture queries and responses for the subdomains in the Capture DNS Queries/Responses list (Inclusion list) if their domains are added to the Exclude the following domains list (Exclusion list).
The following table provides examples of domains and subdomains added to the inclusion and exclusion lists and the corresponding effects on the query and response capture operations:
Capture DNS Queries/Responses | Exclude the Following Domains | Queried Domain | Captured Queries/Responses | Results |
---|---|---|---|---|
foo.com | it.foo.com | foo.com, finance.foo.com | Yes | Does not match the exclusion list and therefore NIOS captures queries/responses made to foo.com and finance.foo.com. |
foo.com | it.foo.com | it.foo.com, ms.it.foo.com | No | Matches the exclusion list, which also excludes its subdomains. NIOS does not capture queries/responses made to it.foo.com and ms.it.foo.com. |
it.foo.com | foo.com | | | Domain is added to the exclusion list and its subdomain is added to the inclusion list. Therefore, this is not a valid configuration, as queries/responses are not captured. The appliance displays a warning message for such an invalid configuration. |
it.foo.com | it.foo.com | | | Domain is added to both the exclusion and the inclusion lists. This is not a valid configuration, as queries/responses are not captured. The appliance displays a warning message for such an invalid configuration. |
foo.com | corp1.com | | | Domain added to the inclusion list is not a subdomain of the domain added to the exclusion list. This is a redundant configuration, as the outcome is the same even if the domain is removed from the Exclusion list. The appliance displays a warning message for such an invalid configuration. |
foo.com | (none) | foo.com, finance.foo.com | Yes | Exclusion list is empty and therefore the Inclusion list is matched. NIOS captures queries/responses made to foo.com and finance.foo.com. |
foo.com | (none) | corp1.com | No | NIOS does not capture queries/responses made to corp1.com, as this domain is not in the inclusion list. |
Capture All | foo.com | foo.com | No | Matches the exclusion list and NIOS does not capture queries made to foo.com. |
Capture All | foo.com | finance.foo.com | No | Subdomain matches the exclusion list and NIOS does not capture queries/responses made to finance.foo.com. |
Capture All | foo.com | corp1.com | Yes | Does not match the exclusion list. Matches the inclusion list and therefore NIOS captures queries/responses made to corp1.com. |
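As an added illustration of the matching rules in the note and the table above (this is not NIOS code; the function names, the `inclusion=None` convention for Capture All and the warning texts are my own), the following Python model checks the exclusion list first, then the inclusion list, treats each entry as covering the domain and all its subdomains, and flags the invalid and redundant combinations the table describes.

```python
# Added example (not Infoblox/NIOS code): models the capture-list matching rules
# on this page. Exclusion is checked before inclusion, a list entry covers the
# domain itself and all its subdomains, and inclusion=None stands for Capture All.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_same_or_subdomain(name, domain):
    """True if name equals domain or is a subdomain of it (label-wise suffix)."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d

def is_captured(queried, inclusion, exclusion):
    """Decide whether a query for `queried` is captured under the given lists."""
    if any(is_same_or_subdomain(queried, ex) for ex in exclusion):
        return False                      # exclusion list wins, subdomains too
    if inclusion is None:
        return True                       # Capture All
    return any(is_same_or_subdomain(queried, inc) for inc in inclusion)

def config_warnings(inclusion, exclusion):
    """Flag the invalid and redundant list combinations described in the table."""
    warnings = []
    if inclusion is None:
        return warnings                   # any exclusion narrows Capture All
    for ex in exclusion:
        related = False
        for inc in inclusion:
            if _labels(inc) == _labels(ex):
                warnings.append(f"invalid: {inc} is in both lists")
                related = True
            elif is_same_or_subdomain(inc, ex):
                warnings.append(f"invalid: {inc} is under excluded {ex}")
                related = True
            elif is_same_or_subdomain(ex, inc):
                related = True            # carve-out beneath an included domain
        if not related:
            warnings.append(f"redundant: {ex} is not under any included domain")
    return warnings

if __name__ == "__main__":
    # The first and last row groups of the table above, walked through in order.
    for inc, exc in [(["foo.com"], ["it.foo.com"]), (None, ["foo.com"])]:
        for q in ["foo.com", "finance.foo.com", "it.foo.com", "corp1.com"]:
            print(inc, exc, q, "->", "Yes" if is_captured(q, inc, exc) else "No")
    for inc, exc in [(["it.foo.com"], ["foo.com"]), (["foo.com"], ["corp1.com"])]:
        print(inc, exc, config_warnings(inc, exc))
```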