Versions Compared

Old Version 1

changes.mady.by.user Gary Leicht

Saved on

compared with

New Version Current

changes.mady.by.user Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The  DNS tab provides comprehensive security data about the types of DNS hits within your network over a specific time period. This tab collects the data from the other reports and makes the information available in one location. To export the DNS table data in csv format, click Export. The default file name is dns-activity_dns.csv. Exported data is limited to 50,000 records.

...

  • query=domain.*AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A

  • (source=‘BloxOne ‘Infoblox Endpoint’ OR source=“example 1”) AND device=52.123*

    Search by the query fields matches values by subdomains. E.g. query = domain.com
    matches
    'domain.com', 'office.domain.com', 'space.office.domain.com

...

  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available. When filtering by source, the filter drop-down is limited to showing 10 sources.
  • Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu. 
Note
titleNote
  • Depending on the availability of data records, not all filter options may be displayed.
  • Amplification/Reflection attacksInfoblox Threat Defense does not resolve QTYPE=ANY and QCLASS=INDNS queries. If this occurs, then Infoblox Threat Defense will respond with NOTIMP to such requests. NOTIMP responses will be displayed in the RESPONSE field.

The DNS table displays the following information by specific criteria where you can select the applicable objects from the following column drop-down menus: 

  • DETECTED: The date and time of the first DNS detection.
  • QUERY: Displays the domain that sent the DNS queries. 
  • SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
  • DEVICE NAME: The name or IP address of the device.
  • RESPONSE: The response taken by BloxOne Cloud by Infoblox Platform for the malicious hit.
  • QUERY TYPE: The DNS query type.
  • DNS VIEW: The DNS version data being served.
  • MAC ADDRESS: The detected MAC address of the device.
  • DHCP FINGERPRINT: The unique identifier that was formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
  • USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.
  • OS VERSION: The detected OS version of the device.
  • DEVICE IP: The IP address of the device responsible for the hit. If you are using BloxOne using Infoblox Endpoint for the Infoblox Grid, BloxOne Cloud  Infoblox Platform can identify the hostname of the Grid Master and displays it in this filter. If the NIOS appliance is not running a supported NIOS version or if this device is a remote site, BloxOne Cloud  Infoblox Platform captures the IP address (instead of the hostname) of the appliance in this field.
Note
titleNote

You can add and remove custom fields by clicking on the icon located in the top, right-hand corner of the table, and selecting or deselecting which custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported DNS report records is 50,000.