11-05-2018 07:02 AM
Occasionally we get SNMP error traps to our monitoring system that NXDOMAIN response rate is >80% for a specific DNS member. I am currently trying to find the source of that issue as it keeps returning.
The first problem is that, if the issue occurs, it is usually very short (just a few minutes).
I was expecting to see spikes in the "DNS Replies Trend" for nxdomain replies during the time we get the SNMP error traps, but the graphs don't show >80% of nxdomain responses at any time.
So I cannot reproduce the issue with that dashboard.
Is it possible that the issue was not present for long enough to be properly visible in the graph (it seems the datapoints are a 10 minute snapshot)?
I then checked the "DNS Top NXDOMAIN / NOERROR (no data)" Dashboard and set the Date time range to when the alarm occurred. I see some FQDNs that I would like to check out further.
How can I drill down further to see which clients were responsible for these queries that resulted in NXDOMAIN responses?
11-08-2018 08:44 AM
I would suggest checking into the Data Connector VM. It's pretty useful if you have the Reporting appliance space to grab all the DNS query data in your environment. Best report it populates is the 'DNS Domains Queried by Client' --> can search on client IP, domain name, and like all the other reports, a specific time range.
My recommendations if you're going to use the Data Connector VM: read the entire install/setup PDF thoroughly and browse the User guide while you're at it. The setup isn't the most straightforward, and also keep an eye on your daily Reporting License Usage (if that matters in your licensing setup).
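
An added example, not part of the thread and not Infoblox code: on constructed response records it shows how a two-minute NXDOMAIN burst that exceeds 80% per minute is diluted in a 10-minute datapoint, and how to rank the clients behind it once per-query data is available. The record layout (timestamp, client IP, rcode), the addresses, and the assumption that a graph datapoint is the NXDOMAIN share over a 10-minute bucket are illustrative.

```python
from collections import Counter

def make_sample():
    """Constructed records (epoch_second, client_ip, rcode); not real data."""
    recs = []
    for t in range(600):                      # 10 minutes of normal traffic
        for i in range(5):
            recs.append((t, f"10.0.0.{i + 1}", "NOERROR"))
    for t in range(240, 360):                 # 2-minute NXDOMAIN burst
        recs += [(t, "10.0.0.99", "NXDOMAIN")] * 25
        recs += [(t, "10.0.0.98", "NXDOMAIN")] * 5
    return recs

def nx_ratio_by_bucket(recs, width):
    """NXDOMAIN share of all responses per bucket of `width` seconds."""
    total, nx = Counter(), Counter()
    for ts, _client, rcode in recs:
        bucket = ts // width * width
        total[bucket] += 1
        nx[bucket] += rcode == "NXDOMAIN"
    return {b: nx[b] / total[b] for b in sorted(total)}

def buckets_over(ratios, threshold=0.80):
    """Bucket start times whose NXDOMAIN share exceeds the trap threshold."""
    return [b for b, r in ratios.items() if r > threshold]

def top_nx_clients(recs, start, end, n=3):
    """Clients ranked by NXDOMAIN responses received in [start, end)."""
    hits = Counter(ip for ts, ip, rc in recs
                   if start <= ts < end and rc == "NXDOMAIN")
    return hits.most_common(n)

if __name__ == "__main__":
    recs = make_sample()
    per_minute = nx_ratio_by_bucket(recs, 60)
    per_10min = nx_ratio_by_bucket(recs, 600)
    print("1-minute buckets over 80%:", buckets_over(per_minute))
    print("10-minute buckets over 80%:", buckets_over(per_10min))
    print("10-minute ratio:", round(per_10min[0], 3))
    for start in buckets_over(per_minute):    # drill down into each spike
        print(start, top_nx_clients(recs, start, start + 60))
```
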