...

| Capture DNS Queries/Responses (Inclusion List) | Exclude the following domains (Exclusion List) | Queried Domain | Queries/Responses Captured | Results |
|---|---|---|---|---|
| foo.com | (empty) | foo.com, finance.foo.com | Yes | Exclusion list is empty, so only the Inclusion list applies. NIOS captures queries/responses made to foo.com and finance.foo.com. |
| foo.com | (empty) | corp1.com | No | NIOS does not capture queries/responses made to corp1.com because this domain is not in the Inclusion list. |
| Capture All | foo.com | foo.com | No | Matches the Exclusion list, so NIOS does not capture queries made to foo.com. |
| Capture All | foo.com | finance.foo.com | No | Subdomain matches the Exclusion list, so NIOS does not capture queries/responses made to finance.foo.com. |
| Capture All | foo.com | corp1.com | Yes | Does not match the Exclusion list. Matches the Inclusion list, so NIOS captures queries/responses made to corp1.com. |
| foo.com | it.foo.com | foo.com, finance.foo.com | Yes | Does not match the Exclusion list, so NIOS captures queries/responses made to foo.com and finance.foo.com. |
| foo.com | it.foo.com | it.foo.com, ms.it.foo.com | No | Matches the Exclusion list, which also excludes subdomains of the listed domain. NIOS does not capture queries/responses made to it.foo.com and ms.it.foo.com. |
| it.foo.com | foo.com | | | The domain is in the Exclusion list and its subdomain is in the Inclusion list. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration. |
| it.foo.com | it.foo.com | | | The domain is in both the Exclusion and Inclusion lists. This is not a valid configuration because no queries/responses are captured. The appliance displays a warning message for such an invalid configuration. |
| foo.com | corp1.com | | | The domain in the Inclusion list is not a subdomain of the domain in the Exclusion list. This is a redundant configuration because the outcome is the same if the domain is removed from the Exclusion list. The appliance displays a warning message for such an invalid configuration. |
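The matching rules in the table above, as an added example that is not Infoblox code: a small Python model of the Inclusion/Exclusion decision (exclusion checked first, subdomains of a listed domain treated as matching, label-wise rather than string-suffix comparison) plus the invalid and redundant configuration warnings from the last three rows. CAPTURE_ALL is a constructed sentinel standing in for the Capture All setting.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sentinel standing in for the "Capture All" inclusion setting.
CAPTURE_ALL = "*"


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot is only the root label.
    return name.rstrip(".").lower().split(".")


def is_subdomain_or_equal(name: str, parent: str) -> bool:
    """True if name equals parent or sits below it, compared label by label
    (a plain string-suffix test would wrongly make notfoo.com match foo.com)."""
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p


@dataclass
class CapturePolicy:
    inclusion: List[str]                      # domains to capture, or [CAPTURE_ALL]
    exclusion: List[str] = field(default_factory=list)

    def captures(self, qname: str) -> bool:
        """Exclusion wins and covers subdomains; otherwise the Inclusion list decides."""
        if any(is_subdomain_or_equal(qname, ex) for ex in self.exclusion):
            return False
        if CAPTURE_ALL in self.inclusion:
            return True
        return any(is_subdomain_or_equal(qname, inc) for inc in self.inclusion)

    def validate(self) -> List[str]:
        """Warnings for the last three table rows: an exclusion that covers an
        included domain (nothing captured), or one outside every included domain."""
        warnings: List[str] = []
        if CAPTURE_ALL in self.inclusion:
            return warnings
        for ex in self.exclusion:
            covered = [inc for inc in self.inclusion if is_subdomain_or_equal(inc, ex)]
            if covered:
                warnings.append(f"invalid: {ex} excludes included domain(s) {', '.join(covered)}")
            elif not any(is_subdomain_or_equal(ex, inc) for inc in self.inclusion):
                warnings.append(f"redundant: {ex} is not under any included domain")
        return warnings


if __name__ == "__main__":
    policy = CapturePolicy(["foo.com"], ["it.foo.com"])
    for q in ("foo.com", "finance.foo.com", "it.foo.com", "ms.it.foo.com"):
        print(q, "->", "captured" if policy.captures(q) else "not captured")
    print(CapturePolicy(["it.foo.com"], ["foo.com"]).validate())
```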

Configuring dnstap to Log DNS Queries and Responses

You can use the dnstap log format to log DNS queries and responses at high rates to well-known destinations. NIOS logs all valid DNS queries and responses that are not dropped by Advanced DNS Protection. For information about dnstap, see https://dnstap.info/ 

...

Note: For Advanced DNS Protection software with acceleration, you must download the latest ruleset before enabling dnstap.

Limitations of Using dnstap to Log Queries and Responses

  • dnstap supports UDP, TCP, and EDNS, which require additional processing and therefore reduce performance.
  • NIOS does not support BIND9 dnstap.
  • If the remote logging server is not accessible, then the logs are dropped and not buffered.
  • The dnstap server cannot truncate EDNS0 queries.
  • If you run a query that contains +edns=1, the dnstap server processes it as a bad signature (TSIG signature failure).
  • Capturing the queries and responses also depends on other factors such as size of the flavor deployed and features enabled over it.
  • dnstap does not support query and response logging on the MGMT interface.

Configuring dnstap to Log DNS Queries and Response Captures

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    Member: From the Data Management tab, select the DNS tab and click the Members tab -> member check box -> Edit icon.
  2. In the Grid DNS Properties or Member DNS Properties editor, click Toggle Advanced Mode and select the Logging tab.
  3. Select the Queries check box to start capturing DNS queries. When you enable this option at the member level, NIOS captures DNS queries for the selected member only.
  4. Select the Responses check box to start capturing DNS responses. When you enable this option at the member level, NIOS captures DNS responses for the selected member only.
  5. In the DNSTAP Receiver Address field, enter the IP address from which to capture queries or responses. It supports both IPv4 and IPv6 addresses.
  6. In the DNSTAP Receiver Port field, enter the port number on which to configure the dnstap client system. The default port number is 6000.
  7. Click Save and Close.

Infoblox recommends the configurations in the following table to meet high performance query logging using the dnstap log format:

...

Total Virtual Memory 
(without Advanced DNS Protection software)

...