You can capture DNS queries and responses for later analysis. When configuring this feature, you can choose to save the capture file locally on your appliance, as well as on an FTP (File Transfer Protocol) or SCP (Secure Copy) server. When you save it locally, you can use show query_capture to view the contents of the capture file. You can also use filter commands to exclude certain queries and view only the desired ones. Note that using multiple CLI commands to filter data on appliances with a large number of captured DNS queries and responses can significantly affect system performance, protocol performance, and CLI command performance. For more information about CLI commands, refer to the Infoblox CLI Guide.

Note

The DNS queries and responses captured on an IB-4030 appliance do not contain cached query information.

A capture file for logging DNS queries and responses is rolled over based on the configured time limit or when the file reaches 100 MB in size, whichever is sooner. The default time limit is 10 minutes. The capture file is automatically saved and exported to an FTP or SCP server based on your configuration. When you configure the appliance to save the capture file locally and later enable FTP or SCP, the appliance copies all the data starting with the oldest data. Infoblox recommends that you constantly monitor the FTP or SCP server to ensure that it has sufficient disk space. DNS queries and responses are stored on the appliance if the FTP or SCP server becomes unreachable. The maximum storage capacity varies based on the appliance model. After reaching the maximum limit, the appliance overwrites the old data with the new one. For information about the maximum hard drive space, see the table below. The amount of data captured depends on the DNS query rate and the domains that are included in or excluded from the capture. For information about how to exclude domains, see Excluding Domains From Query and Response Capture.

...

You can capture queries to all domains or limit the capture to specific domains.

You can also apply the Bulk Add Domains feature to tailor query capture to a desired subset of domains or zones. When capturing DNS queries, NIOS matches the specified domain name(s) and everything that belongs to the domain. For example, when you specify 'foo.com' as the domain, NIOS captures queries sent to 'foo.com,' 'mail.foo.com,' and 'ftp.foo.com.' You can also use the dnstap log format to achieve high-performance query logging. If you enable the dnstap log format, you cannot capture queries and responses using the Data connector for all DNS Queries/Responses to a Domain fields. Conversely, if you use the Data connector for all DNS Queries/Responses to a Domain fields for query capture, the DNSTAP settings for the DNS Queries/Responses fields are disabled. To use the dnstap log format, see Logging DNS Queries and Responses.

Capturing DNS Queries

You can capture queries to all domains or limit the capture to specific domains. You can also apply the Bulk Add Domains feature to tailor query capture to a desired subset of domains or zones. When capturing DNS queries, NIOS matches the specified domain name(s) and everything that belongs to the domain. For example, when you specify 'foo.com' as the domain, NIOS captures queries sent to 'foo.com,' 'mail.foo.com,' and 'ftp.foo.com.' NIOS captures queries to domains for which a name server is authoritative; it also captures recursive queries. Note that this feature does not support wildcard characters or regular expressions.

...

30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com @0x7fbad80bda00 IN A + (100.90.80.102)

...

Capturing DNS Responses

You can capture DNS responses for the DNS queries sent to the server. The amount of data captured depends on the domains that are included in or excluded from the capture. A DNS response is based on a query generated for a domain. In the response message, NIOS captures the TTL value of a resource record, the resource record type, and resource data.
Following are characteristics of the response messages:

...

07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.signed.com IN RRSIG response: NOERROR +ED a1.signed.com. 28800 IN RRSIG A 5 3 28800 20130616004903 20130611234903
4521 signed.com. evROKe7RbnkjFTsumT3JJg76bduFLfdEEnszitXHQCbVYBS5rDy+qbUI HCQuN/ldCNTJbZQ8MEhuatzfms+2Y5K2sU67P9Yg6GkOMxsT2LcJiBm/ YqrYiZBWGKpLF6J0PdX05133Xwq8XxUStUEJxKfuzcKSY6jaSduQIdFL v6A=; a1.signed.com.900 IN RRSIG NSEC 5 3 900 20130616004903 20130611234903 4521 signed.com.
CnFmXMx9D+ZkDsztQbW2xx8XCROGNMBp0baxFXS/Pxxhg4PQcq58laI97y2Xgqswn/wKNhY8p9hkes5+6t/ihCOIbw FryxtdivPfYYFf3jafedFN ymZu05K9bYUfCUzZTGiRzoJYhxBM7xFT8fMvxni9ngsbLym82Tqv3Nua 6wU=;
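The query line shown under Capturing DNS Queries and the query-plus-response line shown above share one layout. The following added example (not NIOS code, and not from Infoblox) parses both forms from constructed sample lines written in that layout and tallies them by client and response code, which is the first step of any offline analysis of a capture file; the buffer address, transport and response section are treated as optional fields.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown on this page (not real captures).
SAMPLE_LINES = [
    "30-Apr-2013 13:35:02.187 client 10.120.20.32#42386: query: foo.com "
    "@0x7fbad80bda00 IN A + (100.90.80.102)",
    "30-Apr-2013 13:35:02.201 client 10.120.20.32#42387: query: mail.foo.com "
    "@0x7fbad80bda00 IN MX + (100.90.80.102)",
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a1.signed.com "
    "IN A response: NOERROR +ED a1.signed.com. 28800 IN A 192.0.2.10;",
]

# One pattern covers both the query-only line and the query+response line:
# the "@0x..." buffer address, the transport and the response section are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: (?P<proto>UDP|TCP))?: query: (?P<qname>\S+) "
    r"(?:@0x[0-9a-f]+ )?(?P<qclass>IN|CH|HS) (?P<qtype>\S+)"
    r"(?: (?P<flags>\S+) \((?P<server>[0-9A-Fa-f.:]+)\))?"
    r"(?: response: (?P<rcode>\S+) (?P<rflags>\S+)(?P<rrs>.*))?$"
)

def parse_line(line):
    """Return the fields of one captured line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # The answer section lists resource records separated by ";".
    rec["rrs"] = [rr.strip() for rr in (rec["rrs"] or "").split(";") if rr.strip()]
    return rec

def queries_per_client(lines):
    """Count parsed lines by client IP, e.g. to spot one unusually noisy source."""
    return Counter(r["client"] for r in map(parse_line, lines) if r)

def rcode_summary(lines):
    """Count response codes over the lines that carry a response section."""
    return Counter(r["rcode"] for r in map(parse_line, lines) if r and r["rcode"])

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(queries_per_client(SAMPLE_LINES), rcode_summary(SAMPLE_LINES))
```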

...

Configuring DNS Query and Response Captures

...

To configure DNS query and response captures:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
  3. Under Data Collection for all DNS Queries/Responses to a Domain, complete the following:
    • Select the Capture DNS Queries check box to start capturing DNS queries. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS queries for the selected members only.
    • Select the Capture DNS Responses check box to start capturing DNS responses. This enables the feature set for configuration. When you enable this option at the member level, the appliance captures DNS responses for the selected members only.

...

Supported Infoblox Appliances | Maximum Hard Drive Space for DNS Query/Response Capture (MB)
Trinzic 100 | 400
Trinzic 810 | 900
Trinzic 815 and IB-V815 | 900
Trinzic 820 | 3100
Trinzic 825 and IB-V825 | 3100
Trinzic 1410 | 6000
Trinzic 1415 and IB-V1415 | 6000
Trinzic 1420 | 10000
Trinzic 1425 and IB-V1425 | 10000
Trinzic 2210 | 12000
Trinzic 2215 and IB-V2215 | 12000
Trinzic 2220 | 28000
Trinzic 2225 and IB-V2225 | 28000
Infoblox-4010 | 40000
IB-VM-100 | 400
IB-VM-2000 (120G) | 15000
IB-VM-810 (120G) | 900
IB-VM-820 | 3100
IB-VM-1410 (120G) | 6000
IB-VM-1420 (120G) | 10000
IB-VM-2210 (120G) | 12000
IB-VM-2220 (120G) | 28000
IB-VM-4010 (120G) | 40000
PT-1400 | 10000
PT-1405 | 10000
PT-2200 | 28000
PT-2205 | 28000
PT-4000 | 40000

...

Excluding Domains From Query and Response Capture

You can exclude individual domains and their subdomains from DNS query and response capturing. You can also use the Bulk Add Domains feature for a subset of domains to exclude them from query and response capturing.
Subdomains can also be specified for exclusion. NIOS matches the specified domain names and their subdomains while filtering them in the Exclusion list. For example, when you specify 'foo.com' as the domain to be excluded, NIOS filters queries for 'foo.com,' 'mail.foo.com,' and 'ftp.foo.com.'

...

Capture DNS Queries/Responses (Inclusion List) | Exclude the following domains (Exclusion List) | Queried Domain | Queries/Responses Captured | Results
foo.com | (empty) | foo.com, finance.foo.com | Yes | The Exclusion list is empty, so only the Inclusion list applies. NIOS captures queries/responses made to foo.com and finance.foo.com.
foo.com | (empty) | corp1.com | No | NIOS does not capture queries/responses made to corp1.com because this domain is not in the Inclusion list.
Capture All | foo.com | foo.com | No | Matches the Exclusion list, so NIOS does not capture queries made to foo.com.
Capture All | foo.com | finance.foo.com | No | The subdomain matches the Exclusion list, so NIOS does not capture queries/responses made to finance.foo.com.
Capture All | foo.com | corp1.com | Yes | Does not match the Exclusion list and matches the Inclusion list, so NIOS captures queries/responses made to corp1.com.
foo.com | it.foo.com | foo.com, finance.foo.com | Yes | Does not match the Exclusion list, so NIOS captures queries/responses made to foo.com and finance.foo.com.
foo.com | it.foo.com | it.foo.com, ms.it.foo.com | No | Matches the Exclusion list, which also excludes its subdomains. NIOS does not capture queries/responses made to it.foo.com and ms.it.foo.com.
it.foo.com | foo.com | (none) | (none) | The domain is added to the Exclusion list and its subdomain is added to the Inclusion list. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
it.foo.com | it.foo.com | (none) | (none) | The domain is added to both the Exclusion and Inclusion lists. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
foo.com | corp1.com | (none) | (none) | The domain added to the Inclusion list is not a subdomain of the domain added to the Exclusion list. This is a redundant configuration because the outcome is the same even if the domain is removed from the Exclusion list. The appliance displays a warning message for such an invalid configuration.
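The inclusion/exclusion rules in the table above reduce to two decisions: whether a queried name equals or sits under a listed domain, and which list wins. The following added example (my own model, not NIOS code) implements that matching as described here (literal label-wise matching, no wildcards or regular expressions, Exclusion list checked first) and reproduces the table's "invalid" and "redundant" warnings; CAPTURE_ALL and the function names are assumptions for the example.

```python
# Added example, not NIOS code: models the inclusion/exclusion rules from the table above.

CAPTURE_ALL = None  # stands for the "Capture All" setting of the Inclusion list

def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it.
    Matching is label-wise and literal: 'xfoo.com' is not under 'foo.com', and a
    wildcard such as '*.foo.com' is just an ordinary (non-matching) string."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def is_captured(queried, inclusion, exclusion):
    """Decide whether a query for `queried` is written to the capture file.
    The Exclusion list is checked first, so it always wins over the Inclusion list."""
    if any(in_domain(queried, d) for d in exclusion):
        return False
    if inclusion is CAPTURE_ALL:
        return True
    return any(in_domain(queried, d) for d in inclusion)

def check_config(inclusion, exclusion):
    """Return the warnings the table describes: 'invalid' when an included domain is
    equal to or under an excluded one (nothing is captured), 'redundant' when an
    excluded domain is not under any included domain (removing it changes nothing)."""
    warnings = []
    if inclusion is CAPTURE_ALL:
        return warnings
    blocking = set()
    for inc in inclusion:
        for exc in exclusion:
            if in_domain(inc, exc):
                blocking.add(exc)
                warnings.append(f"invalid: '{inc}' is excluded by '{exc}', nothing captured")
    for exc in exclusion:
        if exc not in blocking and not any(in_domain(exc, inc) for inc in inclusion):
            warnings.append(f"redundant: '{exc}' is not under any included domain")
    return warnings

if __name__ == "__main__":
    # Walk the rows of the table above with Inclusion foo.com and Exclusion it.foo.com.
    for name in ("foo.com", "finance.foo.com", "it.foo.com", "ms.it.foo.com", "corp1.com"):
        print(name, is_captured(name, ["foo.com"], ["it.foo.com"]))
    print(check_config(["it.foo.com"], ["foo.com"]))
    print(check_config(["foo.com"], ["corp1.com"]))
```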

Configuring dnstap to Log DNS Queries and Responses

You can use the dnstap log format to log DNS queries and responses at high rates to well-known destinations. NIOS logs all valid DNS queries and responses that are not dropped by Advanced DNS Protection. For information about dnstap, see https://dnstap.info/ 

To use the dnstap log format, you need to enable dnstap by running the set enable_dnstap command. To view whether the dnstap log format is enabled or disabled, run the show dnstap-status command. To view the number of queries and responses sent to the destination when the dnstap log format is enabled for high-performance logging of queries and responses, run the show dnstap-stats command.

Limitations of Using dnstap to Log Queries and Responses

  • dnstap supports the UDP, TCP, and EDNS protocols, which require additional processing and therefore decrease performance.
  • NIOS does not support BIND9 dnstap.
  • If the remote logging server is not accessible, the logs are dropped and not buffered.
  • The dnstap server cannot truncate EDNS0 queries.
  • If you run a query that contains +edns=1, the dnstap server processes it as a bad signature (TSIG signature failure).
  • Capturing the queries and responses also depends on other factors such as the size of the flavor deployed and the features enabled on it.
  • dnstap does not support query and response logging on the MGMT interface.

Configuring dnstap to Log DNS Queries and Response Captures

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
  3. Select the Queries check box to start capturing DNS queries. When you enable this option at the member level, NIOS captures DNS queries for the selected member only.
  4. Select the Responses check box to start capturing DNS responses. When you enable this option at the member level, NIOS captures DNS responses for the selected member only.
  5. In the DNSTAP Receiver Address field, enter the IP address from which to capture queries or responses. It supports both IPv4 and IPv6 addresses.
  6. In the DNSTAP Receiver Port field, enter the port number on which the dnstap client system is configured. The default port number is 6000.
  7. Click Save and Close.

Infoblox recommends the configurations in the following table to achieve high-performance query logging using the dnstap log format:

Feature | Total CPU | Total Virtual Memory (without Advanced DNS Protection software) | Total Virtual Memory (with Advanced DNS Protection software) | Database Object Count | Grid Master Capable
Small recursive DNS (with acceleration) | 10 | 16 | 24 | 100,000 | No
Medium recursive DNS (with acceleration) | 16 | 24 | 32 | 100,000 | No
Large recursive DNS (with acceleration) | 26 | 34 | 42 | 100,000 | No