Capture DNS Queries/Responses: Inclusion and Exclusion List Examples
The outcomes below come from the table whose columns are "Capture DNS Queries/Responses" (the Inclusion list), "Exclude the following domains (Exclusion List)", and the resulting behavior:
- The Exclusion list is empty, so the name is matched only against the Inclusion list. NIOS captures queries/responses made to foo.com and finance.foo.com.
- NIOS does not capture queries/responses made to corp1.com because this domain is not in the Inclusion list.
- Matches the Exclusion list, so NIOS does not capture queries made to foo.com.
- The subdomain matches the Exclusion list, so NIOS does not capture queries/responses made to finance.foo.com.
- Does not match the Exclusion list but matches the Inclusion list, so NIOS captures queries/responses made to corp1.com.
- Does not match the Exclusion list, so NIOS captures queries/responses made to foo.com and finance.foo.com.
- Matches the Exclusion list, which also excludes its subdomains. NIOS does not capture queries/responses made to it.foo.com and ms.it.foo.com.
- A domain is added to the Exclusion list and its subdomain is added to the Inclusion list. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
- The same domain is added to both the Exclusion and Inclusion lists. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration.
- The domain added to the Inclusion list is not a subdomain of the domain added to the Exclusion list. This is a redundant configuration: the outcome is the same even if the domain is removed from the Exclusion list. The appliance displays a warning message for such an invalid configuration.
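The matching and validation rules above, modelled as an added example (not Infoblox code; the function names and sample lists are assumptions). Exclusion entries win over Inclusion entries, both match the listed domain and its subdomains, and the validator reports the three warning cases the table describes.

```python
# Added example modelling the NIOS capture Inclusion/Exclusion list rules.
# Not Infoblox code; function names and sample lists are assumptions.

def _norm(d):
    """Normalize a domain for comparison: lowercase, no trailing dot."""
    return d.lower().rstrip(".")

def _under(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name, domain = _norm(name), _norm(domain)
    return name == domain or name.endswith("." + domain)

def should_capture(qname, inclusion, exclusion):
    """Exclusion wins; otherwise capture only names under an Inclusion entry."""
    if any(_under(qname, d) for d in exclusion):
        return False
    return any(_under(qname, d) for d in inclusion)

def validate_lists(inclusion, exclusion):
    """Return one warning per Exclusion entry that is invalid or redundant."""
    warnings = []
    for exc in exclusion:
        if any(_norm(inc) == _norm(exc) for inc in inclusion):
            warnings.append(f"invalid: {exc} is in both lists; nothing is captured for it")
        elif any(_under(inc, exc) for inc in inclusion):
            # an Inclusion entry is a subdomain of this excluded domain
            warnings.append(f"invalid: an Inclusion entry is a subdomain of excluded {exc}")
        elif not any(_under(exc, inc) for inc in inclusion):
            # excluded domain is unrelated to every Inclusion entry
            warnings.append(f"redundant: {exc} is not under any Inclusion entry")
    return warnings

if __name__ == "__main__":
    # Constructed sample lists mirroring the scenarios in the table above.
    inc, exc = ["foo.com", "corp1.com"], ["it.foo.com"]
    for q in ["foo.com", "finance.foo.com", "corp1.com", "it.foo.com", "ms.it.foo.com"]:
        print(q, "captured" if should_capture(q, inc, exc) else "not captured")
    print(validate_lists(inc, exc))                       # []
    print(validate_lists(["finance.foo.com"], ["foo.com"]))  # invalid: subdomain
    print(validate_lists(["foo.com"], ["foo.com"]))       # invalid: both lists
    print(validate_lists(["corp1.com"], ["foo.com"]))     # redundant
```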
Configuring dnstap to Log DNS Queries and Responses
You can use the dnstap log format to log DNS queries and responses at high rates to well-known destinations. NIOS logs all valid DNS queries and responses that are not dropped by Advanced DNS Protection. For information about dnstap, see https://dnstap.info/
For Advanced DNS Protection software with acceleration, you must download the latest ruleset before enabling dnstap.
Limitations of Using dnstap to Log Queries and Responses
- dnstap supports the UDP, TCP, and EDNS protocols, which require additional processing and therefore reduce performance.
- NIOS does not support BIND9 dnstap.
- If the remote logging server is not accessible, then the logs are dropped and not buffered.
- The dnstap server cannot truncate EDNS0 queries.
- If you run a query that contains +edns=1, the dnstap server processes it as a bad signature (TSIG signature failure).
- Capturing queries and responses also depends on other factors, such as the size of the deployed flavor and the features enabled on it.
- dnstap does not support query and response logging on the MGMT interface.
Configuring dnstap to Log DNS Queries and Response Captures
- Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
  Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
- In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
- Select the Queries check box to start capturing DNS queries. When you enable this option at the member level, NIOS captures DNS queries for the selected member only.
- Select the Responses check box to start capturing DNS responses. When you enable this option at the member level, NIOS captures DNS responses for the selected member only.
- In the DNSTAP Receiver Address field, enter the IP address from which to capture queries or responses. It supports both IPv4 and IPv6 addresses.
- In the DNSTAP Receiver Port field, enter the port number on which the dnstap client system is configured. The default port number is 6000.
- Click Save and Close.
Infoblox recommends the configurations in the following table to meet high performance query logging using the dnstap log format:
Total Virtual Memory (without Advanced DNS Protection software)