
DNS Hits

The DNS tab provides comprehensive security data about the types of DNS hits within your network over a specific time period. This tab collects the data from the other reports and makes the information available in one location. To export the DNS table data in CSV format, click Export. The default file name is dns-activity_dns.csv. Exported data is limited to 50,000 records.

Performing Search Queries

The search feature supports queries written in the integrated search query language. Using the search query language, you can search all records in the report with customized queries. Using the search query options available in the DNS report, you can:

  • Run a search on any of the following fields:
    • DEVICE IP
    • DEVICE NAME
    • DHCP FINGERPRINT
    • DNS VIEW
    • MAC ADDRESS
    • OS VERSION
    • RESPONSE
    • QUERY
    • QUERY TYPE
    • SOURCE
  • Use the = and != (NOT) operators.
  • Use the AND and OR operators.
  • Use single or double quotes to enter values that contain spaces.
  • Use parentheses to group parts of the search.
  • Use the wildcard symbol (*) as the last character of the search value for a partial match.
  • Press ENTER to apply the search.
  • Press TAB to autocomplete the search with the first available suggestion.

Sample Search Queries

The following are search query examples:

  • query=domain.* AND device=52.123*
  • device=office1.domain OR device=office2.domain.com
  • dns_view=example-view AND query_type=A
  • (source='Infoblox Endpoint' OR source="example 1") AND device=52.123*

    Searching on the query field matches by subdomain. For example, query=domain.com
    matches 'domain.com', 'office.domain.com', and 'space.office.domain.com'.

Note

All search values are case sensitive. A maximum of five operators can be used when constructing a query search.
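The query rules above are easier to reason about with a model you can run. The following Python is an added example, not Infoblox's search implementation: it tokenises and parses queries in the documented syntax and evaluates them against constructed records, so you can check how subdomain matching, the trailing wildcard, quoting and the operator limit interact before running a search on the real report. Where the page is silent (operator precedence, what the five-operator limit counts, what the device key in the sample queries matches, how a trailing * matches) the code makes an assumption and labels it as one.

```python
"""Reference evaluator for the DNS Hits search-query language described above.

Added example, not Infoblox code: models the documented rules (=, !=, AND, OR,
parentheses, quoted values, trailing-* wildcard, subdomain match on the query
field, case-sensitive values, five-operator limit) on constructed records. Assumed,
not stated on the page: AND binds tighter than OR; the limit counts AND/OR;
"device" matches DEVICE IP or DEVICE NAME; a trailing * is a plain prefix match.
"""
import re

MAX_OPERATORS = 5
FIELD_ALIASES = {"device": ("device_ip", "device_name")}  # assumption, see above
TOKEN_RE = re.compile(r"""\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<cmp>!=|=)|(?P<quoted>'[^']*'|"[^"]*")"""
                      r"""|(?P<word>[^\s()=!'"]+))""")


def tokenize(text):
    """Split a query into (kind, value) tokens; quotes are stripped from values."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("unexpected input at %d: %r" % (pos, text[pos:]))
        pos, kind, val = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "quoted":
            tokens.append(("value", val[1:-1]))
        elif kind == "word":
            tokens.append(("bool", val) if val in ("AND", "OR") else ("value", val))
        else:
            tokens.append((kind, val))
    return tokens


def parse(tokens):
    """Recursive descent; returns ("and"|"or", left, right) or ("cmp", field, op, value)."""
    pos, ops = [0], [0]  # mutable cells shared by the nested functions
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else (None, None)
    def take(kind):
        k, v = peek()
        if k != kind:
            raise ValueError("expected %s, got %r" % (kind, v))
        pos[0] += 1
        return v
    def expr():  # expr := term (OR term)*
        node = term()
        while peek() == ("bool", "OR"):
            pos[0], ops[0] = pos[0] + 1, ops[0] + 1
            node = ("or", node, term())
        return node
    def term():  # term := factor (AND factor)*  (AND binds tighter than OR: assumption)
        node = factor()
        while peek() == ("bool", "AND"):
            pos[0], ops[0] = pos[0] + 1, ops[0] + 1
            node = ("and", node, factor())
        return node
    def factor():  # factor := '(' expr ')' | field (= | !=) value
        if peek()[0] == "lp":
            pos[0] += 1
            node = expr()
            take("rp")
            return node
        return ("cmp", take("value"), take("cmp"), take("value"))
    tree = expr()
    if peek()[0] is not None:
        raise ValueError("trailing input: %r" % (peek()[1],))
    if ops[0] > MAX_OPERATORS:
        raise ValueError("%d operators used, limit is %d" % (ops[0], MAX_OPERATORS))
    return tree


def value_matches(field, actual, pattern):
    """Case-sensitive: trailing * is a prefix match; the query field matches subdomains."""
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if field == "query":
        return actual == pattern or actual.endswith("." + pattern)
    return actual == pattern


def evaluate(node, record):
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    _, field, op, pattern = node
    hit = any(value_matches(field, str(record.get(k, "")), pattern)
              for k in FIELD_ALIASES.get(field, (field,)))
    return hit if op == "=" else not hit


def search(records, query):
    """Return the records matching the query; raises ValueError on a malformed query."""
    tree = parse(tokenize(query))
    return [r for r in records if evaluate(tree, r)]


FIELDS = ("device_ip", "device_name", "query", "query_type", "dns_view", "source", "response")
SAMPLE_HITS = [dict(zip(FIELDS, row)) for row in (  # constructed records, not real report data
    ("52.123.4.5", "office1.domain", "office.domain.com", "A", "example-view", "Infoblox Endpoint", "NOERROR"),
    ("52.123.9.9", "office2.domain.com", "domain.net", "A", "example-view", "example 1", "NOERROR"),
    ("10.0.0.7", "lab-host", "evil.example.net", "ANY", "lab-view", "On-Prem", "NOTIMP"),
    ("10.0.0.8", "lab-host2", "notdomain.com", "A", "lab-view", "On-Prem", "NOERROR"),
    ("10.0.0.9", "lab-host3", "DOMAIN.com", "A", "lab-view", "On-Prem", "NOERROR"),
)]
```

Field keys are the lower-case, underscore-separated column names (device_ip, dns_view, query_type), as in the page's own samples. One behaviour worth verifying against the real report before relying on it: in this model query=domain.* matches domain.net but not office.domain.com, because a trailing wildcard is treated as a plain prefix and subdomain matching only applies to values without a wildcard.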

Filtering the DNS Tab

To filter DNS events by specific criteria, select the applicable objects from the following drop-down menus located below the top action menu:

  • Source: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device. Select or deselect sources to choose which records to view. The Source drop-down lists at most 10 sources.
  • Show: Filter security and activity events by choosing an option from the Show drop-down menu.

Note

  • Depending on the availability of data records, not all filter options may be displayed.
  • Amplification/Reflection attacks: Infoblox Threat Defense does not resolve DNS queries with QTYPE=ANY and QCLASS=IN. Instead, Infoblox Threat Defense responds to such requests with NOTIMP, and the NOTIMP response is displayed in the RESPONSE field.

The DNS table displays the following information. You can filter by specific criteria by selecting the applicable objects from the column drop-down menus:

  • DETECTED: The date and time of the first DNS detection.
  • QUERY: The domain name that was queried.
  • SOURCE: The location of the device within the network infrastructure. For example, the device can be an on-prem appliance or an endpoint device.
  • DEVICE NAME: The name of the device that sent the query.
  • RESPONSE: The response that the Infoblox Platform returned for the hit.
  • QUERY TYPE: The DNS query type.
  • DNS VIEW: The DNS view from which the response was served.
  • MAC ADDRESS: The detected MAC address of the device.
  • DHCP FINGERPRINT: The unique identifier that was formed by the values in the DHCP option 55 or 60. This identifier is used to identify the requesting client or device.
  • USER: The user that triggered the hit. For remote offices, the portal displays Unknown for these users.
  • OS VERSION: The detected OS version of the device.
  • DEVICE IP: The IP address of the device responsible for the hit. If you are using Infoblox Endpoint for the Infoblox Grid, Infoblox Platform can identify the hostname of the Grid Master and displays it in this filter. If the NIOS appliance is not running a supported NIOS version or if this device is a remote site, Infoblox Platform captures the IP address (instead of the hostname) of the appliance in this field.

Note

You can add and remove custom fields by clicking the icon in the top right-hand corner of the table and selecting or deselecting the custom fields you want to view. All fields can be selected or deselected, or they can be returned to the default configuration by clicking Restore to default GRID setting.

Export Records

Click Export to download a CSV file of report records. The maximum number of exported DNS report records is 50,000.
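The NOTIMP note above and the 50,000-record export limit are the two things to handle when triaging an export offline. The following Python is an added example, not Infoblox code: it reads a dns-activity_dns.csv export, counts NOTIMP responses per device and query type so the hosts issuing QTYPE=ANY queries stand out, lists the names those queries asked for, and warns when the file holds 50,000 records, the sign that the export was cut off. The column headings are assumed to match the column names listed above; check the first line of a real export and adjust if it differs. The sample CSV is constructed.

```python
"""Triage helper for an exported DNS Hits CSV (dns-activity_dns.csv).

Added example, not Infoblox code. It assumes the export header uses the column
names listed above (DETECTED, QUERY, SOURCE, DEVICE NAME, RESPONSE, QUERY TYPE,
DNS VIEW, MAC ADDRESS, DHCP FINGERPRINT, USER, OS VERSION, DEVICE IP); verify a
real export and adjust REQUIRED if its header differs. It groups NOTIMP responses
(the reply Infoblox Threat Defense gives to QTYPE=ANY queries it does not resolve)
per device so hosts generating amplification/reflection-style traffic stand out,
and flags an export that hit the 50,000-record cap, since later records are missing.
"""
import csv
import io
from collections import Counter

EXPORT_LIMIT = 50_000
REQUIRED = ("DETECTED", "QUERY", "DEVICE NAME", "RESPONSE", "QUERY TYPE", "DEVICE IP")

# Constructed sample export, not a real download.
SAMPLE_CSV = """\
DETECTED,QUERY,SOURCE,DEVICE NAME,RESPONSE,QUERY TYPE,DNS VIEW,MAC ADDRESS,DHCP FINGERPRINT,USER,OS VERSION,DEVICE IP
2024-05-01T10:00:01Z,www.example.com,Infoblox Endpoint,office1.domain,NOERROR,A,example-view,00:11:22:33:44:55,1;3;6;15,alice,Windows 11,52.123.4.5
2024-05-01T10:00:02Z,example.org,On-Prem,lab-host,NOTIMP,ANY,lab-view,66:77:88:99:aa:bb,1;3;6;12,Unknown,Linux,10.0.0.7
2024-05-01T10:00:03Z,example.org,On-Prem,lab-host,NOTIMP,ANY,lab-view,66:77:88:99:aa:bb,1;3;6;12,Unknown,Linux,10.0.0.7
2024-05-01T10:00:04Z,example.net,On-Prem,lab-host,NOTIMP,ANY,lab-view,66:77:88:99:aa:bb,1;3;6;12,Unknown,Linux,10.0.0.7
2024-05-01T10:00:05Z,mail.example.com,Infoblox Endpoint,office2.domain.com,NOERROR,MX,example-view,cc:dd:ee:ff:00:11,1;3;6;15,bob,macOS 14,52.123.9.9
2024-05-01T10:00:06Z,example.net,On-Prem,lab-host2,NOTIMP,ANY,lab-view,22:33:44:55:66:77,1;3;6;12,Unknown,Linux,10.0.0.8
"""


def load_hits(text):
    """Parse the CSV text into dict rows and verify the columns this script needs."""
    rows = list(csv.DictReader(io.StringIO(text)))
    header = rows[0].keys() if rows else ()
    missing = [c for c in REQUIRED if c not in header]
    if missing:
        raise ValueError("export is missing expected columns: %s" % ", ".join(missing))
    return rows


def export_truncated(rows):
    """True when the row count reached the export cap, i.e. records were probably dropped."""
    return len(rows) >= EXPORT_LIMIT


def notimp_by_device(rows, min_hits=1):
    """Count NOTIMP responses per (DEVICE IP, DEVICE NAME, QUERY TYPE), busiest first."""
    counts = Counter()
    for r in rows:
        if r["RESPONSE"] == "NOTIMP":
            counts[(r["DEVICE IP"], r["DEVICE NAME"], r["QUERY TYPE"])] += 1
    return [(dev, n) for dev, n in counts.most_common() if n >= min_hits]


def notimp_query_names(rows):
    """Distinct names the NOTIMP queries asked for; useful for blocking and hunting."""
    return sorted({r["QUERY"] for r in rows if r["RESPONSE"] == "NOTIMP"})


if __name__ == "__main__":
    hits = load_hits(SAMPLE_CSV)
    if export_truncated(hits):
        print("warning: export reached %d records; narrow the time range" % EXPORT_LIMIT)
    for (ip, name, qtype), n in notimp_by_device(hits):
        print("%s (%s): %d NOTIMP responses to %s queries" % (ip, name, n, qtype))
    print("queried names:", ", ".join(notimp_query_names(hits)))
```

For a real file, replace SAMPLE_CSV with the contents of the download (for example open("dns-activity_dns.csv", encoding="utf-8").read()). If export_truncated() returns True, narrow the time range or the Source filter and export again rather than trusting the counts, because the records beyond the cap are absent from the file.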