
DNS Firewall

The DNS Firewall tab provides information on all DNS activity posted to the Infoblox DNS list or a user-created custom list. You can view events from your DNS Firewall policies, including DFP and Mobile. Note that in order for a device to be included in the data, it must be assigned to a policy. To export the DNS Firewall Request table data in CSV format, click Export. The default file name is security-activity_dns-firewall.csv. Exported data is limited to 50,000 records.

Performing Search Queries

The search feature uses an integrated search query language. With it, you can search all records in the Security Events report with customized queries. Using the search query options available in the DNS Firewall report, you can:

  • Run a search on any of the following fields:
    • ACTION
    • CLASS
    • DEVICE IP
    • DEVICE NAME
    • DHCP FINGERPRINT
    • DNS VIEW
    • FEED
    • MAC ADDRESS
    • OS VERSION
    • POLICY
    • PROPERTY
    • QUERY
    • QUERY TYPE
    • RESPONSE
    • SOURCE
    • THREAT CONFIDENCE
    • THREAT LEVEL
  • Use the = and NOT (!=) operators.
  • Use the AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of a search.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Use the ENTER key to apply the search.
  • Use the TAB key to autocomplete the search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • query=domain.* AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A
  • (source='Infoblox Endpoint' OR source="example 1") AND device=52.123*

Searching by the query field matches values by subdomain. For example, query=domain.com matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.
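The query language described above, as an added Python example (not Infoblox's own code; the page does not describe how the portal parses queries): it tokenizes a search string, handles =, !=, AND, OR, quotes, parentheses and the trailing wildcard, applies the subdomain rule for the query field, keeps comparisons case sensitive, enforces the five-operator limit, and runs the result over constructed sample events. The field names (query, device, source) follow the page's sample queries; counting AND/OR as the limited operators is an assumption.

```python
import re
EVENTS = [  # constructed sample events (not real data); keys are the page's search fields
    {"query": "office.domain.com", "device": "52.123.4.5", "source": "Infoblox Endpoint"},
    {"query": "domain.net", "device": "10.0.0.7", "source": "example 1"}]
_TOKEN = re.compile(r"""\s*(?:([()])|(AND|OR)\b|(\w+)\s*(!=|=)\s*(?:'([^']*)'|"([^"]*)"|([^\s()]+))|(\S))""")

def tokenize(text):  # -> '(' ')' 'AND' 'OR' strings and (field, op, value) tuples
    toks = []
    for m in _TOKEN.finditer(text):
        if m.group(8):  # catch-all group: a character no token rule accepted
            raise ValueError(f"bad syntax at offset {m.start(8)}: {text[m.start(8):]!r}")
        val = next((v for v in m.group(5, 6, 7) if v is not None), None)  # quoted or bare
        toks.append(m.group(1) or m.group(2) if val is None else (m.group(3), m.group(4), val))
    return toks

def _match(rec, field, op, pat):
    val = rec.get(field, "")  # comparisons are case sensitive, as the page states
    if pat.endswith("*"):     # trailing wildcard: partial (prefix) match
        hit = val.startswith(pat[:-1])
    else:                     # exact match; the query field also matches subdomains
        hit = val == pat or (field == "query" and val.endswith("." + pat))
    return hit != (op == "!=")

def compile_query(text):  # recursive descent into a predicate; AND binds tighter than OR
    toks = tokenize(text)
    if toks.count("AND") + toks.count("OR") > 5:  # page limit; assumed here to count AND/OR
        raise ValueError("a query may use at most five operators")
    def factor():
        tok = toks.pop(0) if toks else None
        if tok == "(":
            node = expr()
            if (toks.pop(0) if toks else None) != ")":
                raise ValueError("missing ')'")
            return node
        if not isinstance(tok, tuple):
            raise ValueError(f"expected field=value, got {tok!r}")
        return lambda r, t=tok: _match(r, *t)
    def chain(sub, word, combine):  # parses: sub (word sub)*
        node = sub()
        while toks and toks[0] == word:
            toks.pop(0)
            node = combine(node, sub())
        return node
    def term(): return chain(factor, "AND", lambda a, b: lambda r: a(r) and b(r))
    def expr(): return chain(term, "OR", lambda a, b: lambda r: a(r) or b(r))
    node = expr()
    if toks:  # e.g. an unmatched ')'
        raise ValueError(f"unexpected trailing tokens: {toks}")
    return node
def search(query_text, events=EVENTS):
    return [e for e in events if compile_query(query_text)(e)]
```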

Filtering the DNS Firewall Tab

To filter DNS Firewall events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu:

  • Action: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
  • Confidence: The threat confidence score assigned to an indicator. The confidence level can be High, Medium, or Low.
  • Feed: The list of threat feeds against which the malicious hit was triggered.
  • Class: The threat intelligence class, such as Phishing, MalwareC2DGA, and others.
  • Level: The threat level for the malicious hit. This can be High, Medium, Low, or Info.
  • Policy: Active security policies.
  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. You can select which records to view by selecting or deselecting from among the options available.
  • Show: Security and activity events can be filtered by choosing an option from the Show drop-down menu.

    Note

    Depending on the availability of data records, not all filter options may be displayed.

The DNS Firewall table displays the following columns. To filter by a specific column, select the applicable objects from that column's drop-down menu:

  • DETECTED: The date the indicator was first detected.
  • THREAT LEVEL: The threat level for the malicious hit. This can be High, Medium, Low, or Info.
  • QUERY: Displays the domain that sent the DNS query. Clicking the View in Dossier icon associated with a record allows you to view the Dossier threat look-up record of a threat class or property for the selected record. On the Dossier threat look-up page, you can view the Dossier report details for additional information on the selected record.
  • CLASS: The threat intelligence class, such as Phishing, MalwareC2DGA, and others.
  • PROPERTY: The property or nature of the threat. By default, the portal includes all threat properties.
  • POLICY: The security policy against which the malicious hit triggered.
  • ACTION: The configured action for the security rule. This can be Allow, Redirect, Block, or Log.
  • DEVICE NAME: The name of the device.
  • SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
  • RESPONSE: The response taken by Infoblox Platform for the malicious hit.
  • DNS VIEW: The DNS version data being served.
  • FEED: The name of the threat feed against which the malicious hit triggered.
  • QUERY TYPE: The DNS query type.
  • MAC ADDRESS: The detected MAC address of the device.
  • DHCP FINGERPRINT: The unique identifier that was formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
  • USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.
  • THREAT CONFIDENCE: A scoring system for malicious hits where confidence is rated High, Medium, or Low.
  • DEVICE IP: The IP address of the device responsible for the hit.
  • OS VERSION: The version of the operating system of the device making the request.
  • INDICATOR: The policy source from which the reported indicator type originates. The indicator can originate from an application or category filter, from a custom list, or from a feed.
  • RESPONSE REGION: The region within a country where the response originated, based on information acquired from the public IP address of Infoblox Endpoint and DFP.
  • RESPONSE COUNTRY: The country where the response originated, based on information acquired from the public IP address of Infoblox Endpoint and DFP.
  • DEVICE REGION: The region within a country where the response originated.
  • DEVICE COUNTRY: The country where the device resides.

Note

You can enable and disable custom fields by clicking on the icon located in the top, right-hand corner of the table, and selecting or deselecting which custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported DNS Firewall report records is 50,000.