
Configuring DNS Queries and Responses

After you set up your Legacy Data Connector virtual appliance, you must set up certain configurations so the Legacy Data Connector can gather relevant information from the Grid members, and then send the data to the Infoblox reporting server or Infoblox cloud destination.

When configuring the Grid to capture DNS queries and responses, you can choose to save the capture file locally on your appliance, or configure an SCP (Secure Copy) server and provide the credentials of a user configured on the Legacy Data Connector.

Notes

  • The DNS queries and responses captured on an IB-4030 appliance do not contain cached query information.
  • Do not deploy NIOS in a Docker network when configuring Legacy Data Connector.
  • Legacy Data Connector virtual machines are not supported on IPv6-only Grids.

A capture file for logging DNS queries and responses is rolled over when the configured time limit is reached or when the file reaches 100 MB in size, whichever comes first. The default time limit is 10 minutes. Depending on your configuration, the capture file is saved locally, exported to an SCP server, or both. If you first configure the appliance to save capture files locally and later enable SCP, the appliance copies all the stored data to the SCP server, starting with the oldest data. Infoblox recommends that you continuously monitor the SCP server to ensure that it has sufficient disk space. If the SCP server becomes unreachable, the appliance stores DNS queries and responses locally. The maximum storage capacity varies by appliance model; once that limit is reached, the appliance overwrites the oldest data with new data, so a prolonged SCP outage results in loss of the oldest captures. For the maximum hard drive space per model, see the section Maximum Hard Drive Space used for DNS Queries and Responses on this page. The amount of data captured depends on the DNS query rate and on the domains that are included in or excluded from the capture. For information about how to exclude domains, see Viewing Registered Legacy Data Connector Details.

Capturing DNS Queries

You can capture queries to all domains or limit the capture to specific domains. You can also apply the Bulk Add Domains feature to tailor query capture to a desired subset of domains or zones. When capturing DNS queries, NIOS matches the specified domain name(s) and everything that belongs to the domain. For example, when you specify ‘foo.com’ as the domain, NIOS captures queries sent to ‘foo.com,’ ‘mail.foo.com,’ and ‘ftp.foo.com.’ NIOS captures queries to domains for which a name server is authoritative; it also captures recursive queries. Note that this feature does not support wildcard characters or regular expressions. 

DNS Query Message Format 

The DNS query generates a query message in the following format:

<dd-mmm-YYYY HH:MM:SS.uuu> client <client IP>#<port>: query: <queried domain name> <class name> <type name> <- or +>[SETDC] (<name server IP>)

where
  + = recursion requested
  - = recursion not requested
  S = TSIG-signed query
  E = EDNS option set
  T = TCP query
  D = EDNS 'DO' flag set
  C = 'CD' message flag set

Following is a sample DNS query message:

30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)

Capturing DNS Responses

You can capture DNS responses for the DNS queries sent to the server. The amount of data captured depends on the domains that are included in or excluded from the capture. A DNS response is based on a query generated for a domain. In the response message, NIOS captures the TTL value of a resource record, the resource record type, and resource data.

Following are characteristics of the response messages:

  • They log only the answer section and do not include the authority and additional sections.
  • Responses to all queries are logged, including queries with the type "ANY."
  • The RR (resource record) list is not available at the end of a response message if rcode has a value other than NOERROR or if the response is NOERROR (nodata).
  • Responses to all RR types, including records not managed by NIOS such as HINFO records, are logged. There are a few exceptions for some DNSSEC scenarios, described below.
  • Responses containing DNSSEC RRs (DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM, RRSIG) when queried for non-DNSSEC RRs are not logged. However, responses are logged if a DNSSEC RR is explicitly queried.
  • DNS updates are not logged in responses.

DNS Response Message Format and Examples 

A DNS response generates a message in the following format:

<dd-mmm-YYYY HH:MM:SS.uuu> client <client IP>#<port> <UDP or TCP>: [view: <DNS view>] query: <queried domain name> <class name> <type name> response: <rcode> <flags> [<RR in text format>; [<RR in text format>;] ...]
Flags = <- or +>[ATEDVL]

where
  - = recursion not available
  + = recursion available (from the DNS message header)
  A = authoritative answer (from the DNS message header)
  T = truncated response (from the DNS message header)
  E = EDNS OPT record present
  D = DNSSEC OK (from the EDNS OPT RR)
  V = the responding server has validated the DNSSEC records
  L = the response contains a GSLB synthetic record

Following are some DNS response samples:

Example 1: When querying an A record

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;

Example 2: When querying an AAAA record

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a4.foo.com IN AAAA response: NOERROR +AED a4.foo.com. 28800 IN AAAA ab::a;

Example 3: When querying an A record over IPv6

07-Apr-2013 20:16:49.083 client 2001::2#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;

Example 4: When querying an A record over TCP

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 TCP: query: a2.foo.com IN A response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;

Example 5: When querying an ANY record

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN ANY response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;

Example 6: When querying an A record with multiple addresses

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com. 28800 IN A 1.1.1.1; a1.foo.com. 28800 IN A 11.1.1.1;

Example 7: When querying an aliased A record

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: c2.foo.com IN A response: NOERROR +ED c2.foo.com. 28800 IN CNAME a2.foo.com.; a2.foo.com. 28800 IN A 1.1.1.2;

Example 8: When querying a non-existent name (NXDOMAIN)

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED

Example 9: Response message for NOERROR/nodata

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.foo.com IN SRV response: NOERROR +ED

Example 10: Response message for a refused query

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: refused.com IN A response: REFUSED +ED

Example 11: Response message when the server fails

07-Apr-2013 20:16:49.083 client 10.120.20.198#12345 UDP: query: servfail.com IN A response: SERVFAIL +E

Example 12: Response message when query A record in a signed zone

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.signed.com IN A response: NOERROR +ED a1.signed.com. 28800 IN A 1.1.1.1;

Example 13: Response message for explicit query to DNSSEC RRs

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.signed.com IN RRSIG response: NOERROR +ED a1.signed.com. 28800 IN RRSIG A 5 3 28800 20130616004903 20130611234903 4521 signed.com. evROKe7RbnkjFTsumT3JJg76bduFLfdEEnszitXHQCbVYBS5rDy+qbUI HCQuN/ldCNTJbZQ8MEhuatzfms+2Y5K2sU67P9Yg6GkOMxsT2LcJiBm/ YqrYiZBWGKpLF6J0PdX05133Xwq8XxUStUEJxKfuzcKSY6jaSduQIdFL v6A=; a1.signed.com. 900 IN RRSIG NSEC 5 3 900 20130616004903 20130611234903 4521 signed.com. CnFmXMx9D+ZkDsztQbW2xx8XCROGNMBp0baxFXS/Pxxhg4PQcq58laI97y2Xgqswn/wKNhY8p9hkes5+6t/ihCOIbw FryxtdivPfYYFf3jafedFN ymZu05K9bYUfCUzZTGiRzoJYhxBM7xFT8fMvxni9ngsbLym82Tqv3Nua 6wU=; 
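The two message formats above are what a SIEM or a quick triage script actually has to consume, so here is a parser for both the query and the response line layouts, followed by a small summary pass that counts ANY queries and NXDOMAIN responses per client (two things an analyst usually checks first in DNS capture data). This is an added example written for this page, not Infoblox code, and it ships with nothing from NIOS. Assumptions: the optional view field is rendered as "view: NAME" between the protocol and "query:" (the page shows no example of it); the sample lines are constructed from the examples on this page and are not real capture data; the summary heuristics are the author's choice, not a NIOS feature.

```python
"""Parse NIOS DNS query/response capture lines and summarise them.
Added example, not Infoblox code; 'view:' handling and sample lines are assumptions."""
import re
from collections import Counter

# Flag letters after the +/- recursion marker, per the formats on this page.
QUERY_FLAGS = {"S": "tsig", "E": "edns", "T": "tcp",
               "D": "dnssec_ok", "C": "checking_disabled"}
RESPONSE_FLAGS = {"A": "authoritative", "T": "truncated", "E": "edns",
                  "D": "dnssec_ok", "V": "validated", "L": "gslb_synthetic"}

_TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"

# <ts> client <ip>#<port>: query: <name> <class> <type> <+/-flags> (<server ip>)
QUERY_RE = re.compile(
    _TS + r" client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
    r"(?P<flags>[-+][SETDC]*) \((?P<server>[^)]+)\)$")

# <ts> client <ip>#<port> <UDP|TCP>: [view: <view>] query: <name> <class> <type>
#   response: <rcode> <+/-flags> [<RR>; <RR>; ...]
RESPONSE_RE = re.compile(
    _TS + r" client (?P<client>[^#\s]+)#(?P<port>\d+) (?P<proto>UDP|TCP): "
    r"(?:view: (?P<view>\S+) )?"  # assumption: optional view rendered as 'view: NAME '
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) "
    r"response: (?P<rcode>\S+) (?P<flags>[-+][ATEDVL]*)"
    r"(?: (?P<rrs>.*))?$")


def _decode_flags(token, table):
    """Turn '+AED' into {'recursion': True, 'authoritative': True, ...}."""
    flags = {"recursion": token[0] == "+"}  # '+' = RD set (query) / RA set (response)
    for letter, meaning in table.items():
        flags[meaning] = letter in token[1:]
    return flags


def parse_rrs(text):
    """Split the ';'-separated answer section into RR dicts; rdata is kept verbatim."""
    records = []
    for chunk in (text or "").split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, ttl, cls, rtype, rdata = chunk.split(None, 4)  # RRSIG rdata contains spaces
        records.append({"name": name, "ttl": int(ttl), "class": cls,
                        "type": rtype, "rdata": rdata})
    return records


def parse_line(line):
    """Return a dict for a query or response line, or None if it is neither."""
    line = line.strip()
    m = RESPONSE_RE.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "response", "ts": d["ts"], "client": d["client"],
                "port": int(d["port"]), "proto": d["proto"], "view": d["view"],
                "name": d["name"], "class": d["cls"], "type": d["type"],
                "rcode": d["rcode"], "flags": _decode_flags(d["flags"], RESPONSE_FLAGS),
                "answers": parse_rrs(d["rrs"])}  # [] for NXDOMAIN, REFUSED, nodata
    m = QUERY_RE.match(line)
    if m:
        d = m.groupdict()
        return {"kind": "query", "ts": d["ts"], "client": d["client"],
                "port": int(d["port"]), "name": d["name"], "class": d["cls"],
                "type": d["type"], "flags": _decode_flags(d["flags"], QUERY_FLAGS),
                "server": d["server"]}
    return None


def summarize(lines):
    """Count record kinds, ANY queries (amplification fodder) and NXDOMAIN
    responses per client (a rough signal of scanning or DGA-style lookups)."""
    stats = {"queries": 0, "responses": 0, "unparsed": 0, "any_queries": 0,
             "rcodes": Counter(), "nxdomain_by_client": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1
        elif rec["kind"] == "query":
            stats["queries"] += 1
            if rec["type"] == "ANY":
                stats["any_queries"] += 1
        else:
            stats["responses"] += 1
            stats["rcodes"][rec["rcode"]] += 1
            if rec["rcode"] == "NXDOMAIN":
                stats["nxdomain_by_client"][rec["client"]] += 1
    return stats


# Constructed sample lines modelled on the examples on this page (not real capture data).
SAMPLE_LINES = [
    "30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com IN A + (100.90.80.102)",
    "30-Apr-2013 13:35:02.201 client 10.120.20.32#42387: query: mail.foo.com IN ANY +ET (100.90.80.102)",
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: c2.foo.com IN A response: NOERROR +ED c2.foo.com. 28800 IN CNAME a2.foo.com.; a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:16:49.083 client 2001::2#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED",
    "07-Apr-2013 20:16:49.090 client 2001::2#57399 UDP: query: also-missing.foo.com IN A response: NXDOMAIN +ED",
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 TCP: query: a1.foo.com IN SRV response: NOERROR +ED",
    "this line is not a capture record",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec)
    print(summarize(SAMPLE_LINES))
```

The response regex is tried first because a response line also contains "query:", and the query regex alone would not reject it cleanly. Lines that match neither layout are counted rather than dropped silently, which is the check you want when a NIOS upgrade changes the format under you.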

Configuring DNS Queries and Responses on NIOS

To configure DNS queries and responses:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
     Member: From the Data Management tab, select the DNS tab, click the Members tab, select the check box of the member and click the Edit icon.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
  3. Under Data Connection for all DNS Queries/Responses to a Domain, complete the following:
  • Select the Capture DNS Queries check box to start capturing DNS queries. This enables the related settings for configuration. When you enable this option at the member level, the appliance captures DNS queries for the selected members only.
  • Select the Capture DNS Responses check box to start capturing DNS responses. This enables the related settings for configuration. When you enable this option at the member level, the appliance captures DNS responses for the selected members only.
    Note: Enabling query logging and response logging at the same time increases disk space usage and can adversely affect DNS service and performance. Infoblox recommends that you do not enable both at the same time.

  • Select Capture queries/responses for all domains to capture queries and responses for all domains and zones.
  • Select Limit capture to these domains to capture queries and responses only for the domains and zones that you list in the Domain table.
  • To add domains to the Domain table, click the Add icon and choose Add Domain (one domain at a time) or Bulk Add Domains from the menu.
  • To define the destination for capture files, do the following:
    • Retain captured queries on the local disk: Select this check box to keep the capture files on the appliance. In addition to the local disk, you can export the capture files to the Legacy Data Connector by selecting SCP in the Export to drop-down list.
    • Export to: From the drop-down list, select SCP to send the capture files to the Legacy Data Connector, or None to keep them only on the appliance. To keep the capture files on both the appliance and the Legacy Data Connector, select the Retain captured queries on the local disk check box and select SCP from the Export to drop-down list.

    Note: SCP runs over SSH, so the transfer uses the same authentication and provides the same transport security as SSH. When you configure an SCP server and enable the MGMT port, the NIOS appliance uses SSH for the data transfer. SCP uses the LAN1 port to communicate with external servers.

  • When you select SCP from the Export to drop-down list, complete the following:
    • In the Directory Path field, enter the directory on the server in which the capture files are saved. For the Legacy Data Connector VM, Infoblox recommends that you enter the ~ symbol (the home directory of the SCP user).
    • In the Server Address field, enter the IP address of the Legacy Data Connector VM to which the capture files are saved.
    • Enter the Username and Password of the file server account, that is, the user configured on the Legacy Data Connector.
  • Limit query data collected per file to <N> minutes or 100MB (whichever comes first): This option limits how much query data is collected in each capture file. A capture file is rolled over when the configured time limit is reached or when the file reaches 100 MB in size, whichever comes first. Enter a value from 1 to 10 minutes; the default is 10.
  4. Save the configuration.

Table 2.1 lists the maximum hard drive space used for capturing DNS queries and responses on the supported Infoblox appliance models.

Table 2.1 Maximum Hard Drive Space used for DNS Queries and Responses

  Supported Infoblox Appliances    Maximum Hard Drive Space for DNS Query/Response Capture (MB)
  Trinzic 100                      400
  Trinzic 810                      900
  Trinzic 815 and IB-V815          900
  Trinzic 820                      3100
  Trinzic 825 and IB-V825          3100
  Trinzic 1410                     6000
  Trinzic 1415 and IB-V1415        6000
  Trinzic 1420                     10000
  Trinzic 1425 and IB-V1425        10000
  Trinzic 2210                     12000
  Trinzic 2215 and IB-V2215        12000
  Trinzic 2220                     28000
  Trinzic 2225 and IB-V2225        28000
  Infoblox-4010                    40000
  IB-VM-100                        400
  IB-VM-2000 (120G)                15000
  IB-VM-810 (120G)                 900
  IB-VM-820                        3100
  IB-VM-1410 (120G)                6000
  IB-VM-1420 (120G)                10000
  IB-VM-2210 (120G)                12000
  IB-VM-2220 (120G)                28000
  IB-VM-4010 (120G)                40000
  PT-1400                          10000
  PT-1405                          10000
  PT-2200                          28000
  PT-2205                          28000
  PT-4000                          40000