
You can capture DNS queries and responses for later analysis. When configuring this feature, you can choose to save the capture file locally on your appliance, on an FTP (File Transfer Protocol) or SCP (Secure Copy) server, or both. When you save it locally, you can use show query_capture to view the contents of the capture file. You can also use filter commands to exclude certain queries and view only the desired ones. Note that using multiple CLI commands to filter data on appliances with a large number of captured DNS queries and responses can significantly affect system performance, protocol performance, and CLI command performance.

A capture file for logging DNS queries and responses is rolled over based on the configured time limit or when the file reaches 100 MB in size, whichever is sooner. The default time limit is 10 minutes. The capture file is automatically saved and exported to an FTP or SCP server based on your configuration. When you configure the appliance to save the capture file locally and later enable FTP or SCP, the appliance copies all the data, starting with the oldest. Infoblox recommends that you constantly monitor the FTP or SCP server to ensure that it has sufficient disk space. DNS queries and responses are stored on the appliance if the FTP or SCP server becomes unreachable. The maximum storage capacity varies based on the appliance model. After reaching the maximum limit, the appliance overwrites the oldest data with new data. For information about the maximum hard drive space, see the table below. The amount of data captured depends on the DNS query rate and the domains that are included in or excluded from the capture. For information about how to exclude domains, see Excluding Domains From Query and Response Capture below.

You can also use the dnstap log format for high-performance query logging. For information about the dnstap implementation and configuring dnstap, see Configuring dnstap.

Capturing DNS Queries

You can capture queries to all domains or limit the capture to specific domains. You can also apply the Bulk Add Domains feature to tailor query capture to a desired subset of domains or zones. When capturing DNS queries, NIOS matches the specified domain name(s) and everything that belongs to the domain. For example, when you specify 'foo.com' as the domain, NIOS captures queries sent to 'foo.com,' 'mail.foo.com,' and 'ftp.foo.com.' NIOS captures queries to domains for which a name server is authoritative; it also captures recursive queries. Note that this feature does not support wildcard characters or regular expressions.

...

<dd-mmm-YYYY HH:MM:SS.uuu> <client IP>#<port> query: <query_Domain name> @0x7fbad80bda00 <class name> <type name> <- or +>[SETDC] <(name server ip)>

...

30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com @0x7fbad80bda00 IN A + (100.90.80.102)

Capturing DNS Responses

You can capture DNS responses for the DNS queries sent to the server. The amount of data captured depends on the domains that are included in or excluded from the capture. A DNS response is based on a query generated for a domain. In the response message, NIOS captures the TTL value of a resource record, the resource record type, and resource data.
Following are characteristics of the response messages:

  • They log only the answer section and do not include the authority and additional sections.

  • Responses to all queries are logged, including queries with the type "ANY."

  • The RR (resource record) list is not available at the end of a response message if rcode has a value other than NOERROR or if the response is NOERROR (nodata).

  • Responses to all RR types, including those records not managed by NIOS such as HINFO records, are logged. However, there are a few exceptions for DNSSEC records, described in the next point.

  • Responses containing DNSSEC RRs (DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM, RRSIG) when queried for non-DNSSEC RRs are not logged. However, responses are logged if a DNSSEC RR is explicitly queried.

  • DNS updates are not logged in responses.

DNS Response Message Format and Examples

The DNS query generates a response message in the following format:

<dd-mmm-YYYY HH:MM:SS.uuu> <client IP>#<port> query: <query_Domain name> <class name> <type name> <- or +>[SETDC] <(name server ip)>

Flags = <- or +>[ATEDVL]

where

...

L = the response contains a DTC synthetic record

The following is a sample DNS query message:

30-Apr-2020 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)
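The query line format above is easiest to work with once it is parsed into fields. The following is an added example, not NIOS code or Infoblox tooling: a small parser for both variants of the query line shown on this page (with and without the "@0x..." token), plus a domain filter that applies the same "domain and everything under it" rule the capture uses. The sample lines are constructed from the page's own examples; the flag field is split into its leading "-" or "+" marker and the letters that follow without assigning them meanings beyond what the page documents.

```python
import re
from typing import Optional

# Constructed sample lines in the query-capture format shown on this page:
# the first carries the "@0x..." token, the second does not.
SAMPLE_QUERY_LINES = [
    "30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com @0x7fbad80bda00 IN A + (100.90.80.102)",
    "30-Apr-2020 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)",
]

# One regex for both variants: the "@0x..." token is optional, and the flag
# field is a leading "-" or "+" followed by zero or more capital letters.
QUERY_RE = re.compile(
    r"^(?P<timestamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client_ip>[^#\s]+)#(?P<client_port>\d+): "
    r"query: (?P<qname>\S+)(?: @0x[0-9a-fA-F]+)? "
    r"(?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[-+][A-Z]*) "
    r"\((?P<server_ip>[^)]+)\)$"
)


def parse_query_line(line: str) -> Optional[dict]:
    """Parse one captured query line into a dict, or return None when the
    line does not match the documented format (so unparsed lines can be counted)."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["client_port"] = int(rec["client_port"])
    # Split the flag field: the "+"/"-" marker, then the individual letters.
    rec["flag_marker"] = rec["flags"][0]
    rec["flag_letters"] = set(rec["flags"][1:])
    # Normalise the name the way the capture matches it: case-insensitive, no trailing dot.
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def filter_by_domain(lines, domain: str) -> list:
    """Return the parsed records whose qname is `domain` or a subdomain of it,
    mirroring the page's rule that 'foo.com' also covers 'mail.foo.com'."""
    domain = domain.lower().rstrip(".")
    selected = []
    for line in lines:
        rec = parse_query_line(line)
        if rec and (rec["qname"] == domain or rec["qname"].endswith("." + domain)):
            selected.append(rec)
    return selected
```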

Following are some DNS response samples:

...

To configure DNS query and response captures:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member checkbox -> Edit icon.

  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.

  3. Under Data Collection for all DNS Queries/Responses to a Domain, complete the following:

    • Select the Capture DNS Queries checkbox to start capturing DNS queries. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS queries for the selected members only.

    • Select the Capture DNS Responses checkbox to start capturing DNS responses. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS responses for the selected members only.

Note

Enabling the logging of queries and responses at the same time can increase disk space usage and adversely affect DNS services and performance. Infoblox recommends that you do not configure both logging of queries and logging of responses at the same time.

  • Select Capture queries/responses for all domains to capture queries and responses to all domains and zones.

  • Select Limit capture to these domains to capture DNS queries and responses to domains and zones one at a time.

  • Specify domains for DNS capture operations in the Domain table by clicking the Add icon, and choosing Add Domain or Bulk Add Domains from the menu.

  • To define the destination for capture files, do the following:

    • Retain captured queries on the local disk: Select this checkbox to save the DNS queries on the appliance. In addition to the local disk, you can select to export the DNS queries to the remote server by selecting SCP in the Export to drop-down list.

    • Export to: From the drop-down list, select SCP to back up the DNS queries on the remote server and None to save queries only on the appliance. To save the captured DNS queries on both the appliance and the remote server, select the Retain captured queries on the local disk checkbox and SCP from the Export to drop-down list. When you configure an SCP server and enable the MGMT port, the NIOS appliance uses SSH for data transfer; SCP uses SSH authentication and provides the same security as SSH. SCP uses the LAN1 port to communicate with the external servers.

  • When you select FTP or SCP from the Export to drop-down list, complete the following:

    • In the Directory Path field, enter the directory to which the capture file will be saved on the server. Infoblox recommends that you use the ~ symbol for the remote server.

    • In the Server Address field, enter the IP address of the remote server to which the capture files will be saved.

    • Enter the file server account Username and Password values.

  • Limit query data collected per file to minutes or 100MB (whichever comes first): This option limits the collection of query data per capture file. A capture file for logging DNS queries and responses is rolled over based on the configured time limit or when the file reaches 100 MB in size, whichever is sooner. The default time limit is 10 minutes. You can enter a value from 1 to 10.

  4. Save the configuration.

The following table lists the maximum hard drive space required for capturing DNS queries and responses for supported Infoblox appliance models.

Maximum Hard Drive Space Used for DNS Queries and Responses

Supported NIOS Appliances | Maximum Hard Drive Space for DNS Query/Response Capture (MB)
Trinzic 815 and IB-V815   | 900
Trinzic 825 and IB-V825   | 3100
Trinzic 1415 and IB-V1415 | 6000
Trinzic 1425 and IB-V1425 | 10000
Trinzic 2215 and IB-V2215 | 12000
Trinzic 2225 and IB-V2225 | 28000
PT-1405                   | 10000
PT-2205                   | 28000

Excluding Domains From Query and Response Capture

You can exclude individual domains and their subdomains from DNS query and response capturing. You can also use the Bulk Add Domains feature for a subset of domains to exclude them from query and response capturing.
Subdomains can also be specified for exclusion. NIOS matches the specified domain names and their subdomains while filtering them in the Exclusion list. For example, when you specify 'foo.com' as the domain to be excluded, NIOS filters queries for 'foo.com,' 'mail.foo.com,' and 'ftp.foo.com.'

Note

IDNs are not supported for the domains that are added to the Inclusion list and Exclusion list. You can use the punycode representation of an IDN in these lists.

To exclude a domain from query and response capturing, do the following:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member checkbox -> Edit icon.

  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.

  3. Under Data Collection for all DNS Queries/Responses to a Domain, select the Exclude the following domains checkbox.

  4. Click the Add icon and select Add Domain or Bulk Add Domains and specify domains in the Domain table.

Note

NIOS first matches the domains in the Exclusion list and then matches the domains in the Inclusion list. NIOS does not capture queries and responses for the subdomains in the Capture DNS Queries/Responses list (Inclusion list) if their domains are added to the Exclude the following domains list (Exclusion list).

The following table provides examples of domains and subdomains added to the Inclusion and Exclusion lists and the corresponding effects on the query and response capture operations:

Capture DNS Queries/Responses (Inclusion List) | Exclude the Following Domains (Exclusion List) | Queried Domain | Captured Queries/Responses | Results
foo.com | it.foo.com | foo.com, finance.foo.com | Yes | Does not match the exclusion list; NIOS therefore captures queries/responses made to foo.com and finance.foo.com.
foo.com | it.foo.com | it.foo.com, ms.it.foo.com | No | Matches the exclusion list, which also covers its subdomains. NIOS does not capture queries/responses made to it.foo.com and ms.it.foo.com.
it.foo.com | foo.com | (none) | (none) | The domain is in the exclusion list and its subdomain is in the inclusion list. This is not a valid configuration, as no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
it.foo.com | it.foo.com | (none) | (none) | The domain is in both the exclusion and the inclusion lists. This is not a valid configuration, as no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
foo.com | corp1.com | (none) | (none) | The domain in the exclusion list is not a subdomain of the domain in the inclusion list. This is a redundant configuration, as the outcome is the same even if the domain is removed from the Exclusion list. The appliance displays a warning message for this configuration.
foo.com | (empty) | foo.com, finance.foo.com | Yes | The exclusion list is empty, so only the inclusion list is matched. NIOS captures queries/responses made to foo.com and finance.foo.com.
foo.com | (empty) | corp1.com | No | NIOS does not capture queries/responses made to corp1.com, as this domain is not in the inclusion list.
Capture All | foo.com | foo.com | No | Matches the exclusion list; NIOS does not capture queries made to foo.com.
Capture All | foo.com | finance.foo.com | No | The subdomain matches the exclusion list; NIOS does not capture queries/responses made to finance.foo.com.
Capture All | foo.com | corp1.com | Yes | Does not match the exclusion list and matches the inclusion list (all domains); NIOS therefore captures queries/responses made to corp1.com.
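The matching order in the Note above (exclusion list first, then inclusion list, with each entry covering its subdomains) and the warning cases in the table can be expressed as a small decision function. The following is an added example, not NIOS code: it models the capture decision and the three configuration warnings, and the checks replay the rows of the table above. `inclusion=None` stands for "Capture queries/responses for all domains"; the warning messages are constructed wording, not the appliance's own.

```python
from typing import Iterable, Optional


def _norm(name: str) -> str:
    """Case-insensitive comparison without a trailing dot."""
    return name.lower().rstrip(".")


def matches_domain(qname: str, domain: str) -> bool:
    """True when qname is `domain` itself or a subdomain of it: 'foo.com' matches
    'mail.foo.com' but not 'notfoo.com'. No wildcards or regexes, as on the page."""
    qname, domain = _norm(qname), _norm(domain)
    return qname == domain or qname.endswith("." + domain)


def is_captured(qname: str, inclusion: Optional[Iterable[str]], exclusion: Iterable[str]) -> bool:
    """Capture decision: the exclusion list wins, then the inclusion list is checked.
    inclusion=None models the 'Capture ... for all domains' option."""
    if any(matches_domain(qname, d) for d in exclusion):
        return False
    if inclusion is None:
        return True
    return any(matches_domain(qname, d) for d in inclusion)


def configuration_warnings(inclusion: Optional[Iterable[str]], exclusion: Iterable[str]) -> list:
    """Reproduce the warning cases from the table: an excluded domain equal to an
    included one, an excluded domain that is a parent of an included one (both
    capture nothing), and an excluded domain not under any included domain (redundant).
    With 'Capture All' every exclusion is meaningful, so no warnings are raised."""
    warnings = []
    if inclusion is None:
        return warnings
    inclusion = list(inclusion)
    for ex in exclusion:
        if any(_norm(inc) == _norm(ex) for inc in inclusion):
            warnings.append(f"{ex} is in both lists: nothing under it is captured")
        elif any(matches_domain(inc, ex) for inc in inclusion):
            warnings.append(f"{ex} excludes an included subdomain: nothing under it is captured")
        elif not any(matches_domain(ex, inc) for inc in inclusion):
            warnings.append(f"{ex} is not under any included domain: the exclusion is redundant")
    return warnings
```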