Community Blog


Top Security Report #5 - Top Malware & DNS Tunneling by Client

This blog discusses the report #6 in a series of seven top security reports that can help you defend against bad actors.


Here are the previous parts: part 1, part 2, part 3


Top Malware & DNS Tunneling by Client

Accessed through the security dashboard, this report requires Active Trust/Active Trust Cloud. It provides filters for timeframe, members, source IP addresses, Network Address Translation (NAT) status and source port making the query. For the source IP, the admin can use wildcards or Classless Inter-Domain Routing (CIDR) notation to view a specific subnet. Admins can also see NATed public IP addresses inside their private network for additional visibility. This report returns the top client IP culprits, the number of associated tunneling events, the number of malicious queries and the date/time last seen. The admin can drill down for historical data, sort by the top number of queries, the most recent, or most prolific to identify and arrest bad actors engaged in malware or data exfiltration activities.


Top Report #5: Top Malware & DNS Tunneling by Client

Service Area

Data Protection & Malware Mitigation


Lists clients with the most outbound malicious queries (RPZ hits) & DNS tunneling events in a given timeframe

Primary User

Network & Security Admins


Identifies top infected clients making outbound malicious queries & those

tied to DNS tunneling, enabling security to prioritize efforts to prevent malware spread & damage from DNS tunneling attempts (e.g. data exfiltration)

Use Case

Security teams are seeking bad actors who are making malicious DNS queries & DNS tunneling activity related to data exfiltration


Out-of-the-box & requires Active Trust/Active Trust Cloud (AT/ATC)


The Top Malware & DNS Tunneling by Client report addresses data protection and malware mitigation by listing clients with the most outbound queries (via Response Policy Zone (RPZ) hits) and DNS tunneling activities in a given timeframe.  It’s a favorite of network and security admins because, for network teams, it identifies the top infected clients making outbound malicious queries.  For security teams, it identifies IP addresses tied to DNS tunneling, helps prioritize DNS security efforts to prevent malware spread and damage and reveals bad actors trying to steal or get data off the network.  This report is frequently used when security teams are seeking those responsible for making malicious DNS queries or engaged in DNS tunneling to exfiltrate sensitive data outside the company in order to remove them from the network.


security report 5.png


Here are the seven (7) security reports that can give you an edge over the bad actors.

Learn more:

  • Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
  • As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.





Showing results for 
Search instead for 
Do you mean