03-13-2018 08:27 AM
For a migration we implemented Infoblox members on new IP addresses in a network. For legacy clients, we configured the IP addresses of the old DNS servers on the LAN2 interface.
We want to monitor which clients are still using the IP address on LAN2 by using the reporting appliance. We don't want to enable query logging or activate a separate view on LAN2.
Does anyone have a suggestion?
Many Thanks in advance.
03-13-2018 06:16 PM - edited 03-13-2018 08:17 PM
“We don't want to enable query logging” is what’s going to be critical here. Looking at the raw data indexed for the ‘DNS query capture’ category, I can’t see the listen-on interface to which a DNS query is being targeted, though I could see that getting logged into the syslogs (while query logging is enabled, which you’ve mentioned is not a reliable solution for you). If we had the flexibility to enable DNS query logging, we could have tried to create a custom Splunk search in order to pull this information as a report from the indexed syslog data.
That being said, I believe the ‘set traffic_capture’ utility available in latest NIOS releases would help you to get this specific data that you are looking for. The ‘set traffic_capture’ command allows you to capture the traffic for one or all of the ports on a NIOS appliance and save the traffic capture in a file. To capture traffic, the NIOS appliance must have a minimum of 500 MB of free disk space; otherwise, the traffic capture might fail. The NIOS appliance saves all traffic it captures in a .cap file and compresses it into a .tar.gz file. The size of the .cap file is limited to 4 GB for Infoblox-4010, Infoblox-4030, Infoblox-4030-10GE, and PT-4000, and the size is limited to 1 GB for all other NIOS appliances.
From the CLI of this DNS server, you may use something like :
‘set traffic_capture on port lan2 filter 'udp dst port 53' duration 86400 with-rolling’
Note : The 'duration' is in seconds & you may change that according to your wish.
This is just like a normal traffic capture, but we’re specifically capturing only the ‘DNS queries’ destined towards UDP port 53 of the LAN2 interface on your DNS server. We’re not capturing the DNS responses, so we’re capturing only the raw data that you are looking for. When you use the ‘with-rolling’ extension as I’ve mentioned above, the appliance automatically saves the capture into a new file when it reaches the maximum size limit and continues capturing the traffic. The appliance can save up to 4 traffic capture files.
Once you collect enough data that you need, you may get this file by either :
- set traffic_capture off (From the CLI followed by the next command to export the file to an SCP/FTP)
- set traffic_capture transfer [ftp|scp] <server-ip> <user-name> <user-password> [dest <file_name>]
- Simply download the file from the Grid tab -> Grid Manager tab -> Members tab -> and click Traffic Capture from the Toolbar.
I would suggest exporting the file from the CLI to FTP/SCP rather than downloading it from the GUI, since long-running tasks such as downloading larger files from the GUI can take a considerable amount of time. For additional information about this utility, you may refer to the section ‘set traffic_capture’ in the ‘Infoblox CLI Guide for release 8.2’ available at https://support.infoblox.com -> ‘Tech docs’ -> NIOS -> ‘CLI Guide’.
I hope this helps you in some way.
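As an added example (not part of the reply above, and not an Infoblox tool), here is a small stand-alone Python script that does the analysis step the capture approach leaves to you: read the classic libpcap .cap file that ‘set traffic_capture’ produces (after extracting it from the .tar.gz), keep only UDP packets sent to port 53 on the legacy address bound to LAN2, and count queries per client source IP so the result is a top-clients list rather than a raw capture. The LAN2 address 192.0.2.53, the client addresses and the sample capture itself are all assumed or constructed for the demonstration; no libraries beyond the Python standard library are used, so it runs offline.

```python
"""Top DNS clients of the LAN2 address from a 'set traffic_capture' pcap.

Added example, not part of the original thread. Assumptions: the legacy
DNS address configured on LAN2 is 192.0.2.53 (assumed value), and the
capture is a classic libpcap file with Ethernet link type.
"""
import struct
from collections import Counter

LAN2_ADDR = "192.0.2.53"   # assumed legacy DNS address configured on LAN2
DNS_PORT = 53
ETH_IPV4 = 0x0800
IP_PROTO_UDP = 17


def iter_pcap_records(data: bytes):
    """Yield raw frames from a classic pcap byte string (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_udp_ipv4(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes, handles IP options
    if ip[9] != IP_PROTO_UDP or len(ip) < ihl + 8:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_ip, dst_ip, src_port, dst_port


def top_lan2_clients(pcap: bytes, lan2_addr: str = LAN2_ADDR, n: int = 10):
    """Count queries per client source IP that were sent to lan2_addr:53."""
    counts = Counter()
    for frame in iter_pcap_records(pcap):
        hdr = parse_udp_ipv4(frame)
        if hdr is None:
            continue
        src_ip, dst_ip, _sport, dport = hdr
        if dst_ip == lan2_addr and dport == DNS_PORT:
            counts[src_ip] += 1
    return counts.most_common(n)


def _build_frame(src_ip: str, dst_ip: str, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying a minimal DNS query (test data)."""
    payload = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x07example\x03com\x00\x00\x01\x00\x01")
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + udp


def build_sample_pcap() -> bytes:
    """Constructed capture: three clients still on LAN2, one already migrated, one non-DNS."""
    frames = ([_build_frame("198.51.100.10", LAN2_ADDR, 53)] * 3
              + [_build_frame("198.51.100.20", LAN2_ADDR, 53)] * 2
              + [_build_frame("198.51.100.30", LAN2_ADDR, 53)]
              + [_build_frame("198.51.100.40", "192.0.2.10", 53)]   # new LAN1 address, ignored
              + [_build_frame("198.51.100.10", LAN2_ADDR, 123)])    # not port 53, ignored
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for ip, n in top_lan2_clients(build_sample_pcap()):
        print(f"{ip}\t{n}")
```

To use it on a real export, replace build_sample_pcap() with the bytes of the extracted .cap file. The destination-address check is deliberate even though ‘port lan2’ already limits the capture to that interface: it keeps the count correct if the same script is later pointed at a capture taken on all ports.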
03-20-2018 04:13 AM
Thank you for your reply. I was already aware of the solutions you suggest. Another solution I figured out is to enable a separate view on LAN2 which forwards the queries to the LAN1 interface. Then reporting can generate a standard top clients per view report.
I put in the restriction not to enable query logging only to avoid exceeding the per-day volume license in reporting.
The customer wants to get a daily report with a top clients list they can approach to change the IP settings. They do not want to manually analyse capture files or syslog files.