Discovering client that queries non-FQDN according to DNS-suffix searchlist

njsvs
The company has been using the DNS suffix search list instead of FQDNs. The list has been rather a long one.

In an attempt to shorten the list for security and performance reasons, we reconfigured clients and applications, but we would like to make sure that we have accomplished that: that clients are now using FQDNs rather than bare hostnames, keeping suffix-search queries to the absolute minimum.

My question is regarding Reporting:

Is there a Splunk query I could use to catch clients that query the search list one by one, row by row, step by step, for a hostname + domain suffix?

Thanks

Re: Discovering client that queries non-FQDN according to DNS-suffix searchlist


I'm sure there is, but a simpler query would just be to look at your high-NXDOMAIN query source clients. Most of our suffix search list abusers are also in the top NXDOMAIN requesters as well. The other search that jumps out is when they add the suffix onto a valid FQDN.

i.e. you wind up with "servername.2nd-level.infoblox.com.infoblox.com"

Those are usually pretty easy to sort to the top of the query list as well.
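The three signals discussed in this thread (a client walking the same short name through several suffixes, a search-list suffix glued onto a name that already carries one, and a high NXDOMAIN count per client) can all be computed from a DNS query/response log. The script below is an added example, not code from either poster or from Infoblox or Splunk; it runs the same grouping logic offline over a handful of constructed log lines in a simplified, BIND-like format (the `rcode=` field and the search list `SEARCH_LIST` are assumptions for the example, not a real product log format).

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (simplified BIND/Infoblox-like layout; the
# "rcode=" field is an assumption made for this example, not a real format).
SAMPLE_LOG = """\
2024-05-01T10:00:00 client 10.1.2.3#51234: query: app01.eng.corp.example.com IN A rcode=NXDOMAIN
2024-05-01T10:00:00 client 10.1.2.3#51234: query: app01.corp.example.com IN A rcode=NXDOMAIN
2024-05-01T10:00:00 client 10.1.2.3#51234: query: app01.example.com IN A rcode=NOERROR
2024-05-01T10:00:01 client 10.1.2.4#40001: query: app01.example.com IN A rcode=NOERROR
2024-05-01T10:00:02 client 10.1.2.5#40002: query: fileserver.corp.example.com.corp.example.com IN A rcode=NXDOMAIN
2024-05-01T10:00:03 client 10.1.2.5#40002: query: fileserver.corp.example.com IN A rcode=NOERROR
2024-05-01T10:00:04 client 10.1.2.3#51235: query: db07.eng.corp.example.com IN AAAA rcode=NXDOMAIN
2024-05-01T10:00:04 client 10.1.2.3#51235: query: db07.corp.example.com IN AAAA rcode=NOERROR
"""

# Assumed DNS suffix search list pushed to the clients (example values).
SEARCH_LIST = ["eng.corp.example.com", "corp.example.com", "example.com"]

LINE_RE = re.compile(
    r"^(\S+) client (\d+(?:\.\d+){3})#\d+: query: (\S+) IN (\S+) rcode=(\S+)"
)


def parse_queries(text):
    """Parse log lines into (timestamp, client, qname, qtype, rcode) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts, client, qname, qtype, rcode = m.groups()
        rows.append((ts, client, qname.rstrip(".").lower(), qtype, rcode))
    return rows


def split_suffix(qname, search_list):
    """Return (stem, suffix) when qname ends with a search-list entry, else (qname, None).
    The longest matching suffix wins, so 'x.eng.corp.example.com' maps to
    'eng.corp.example.com' rather than 'corp.example.com'."""
    for suffix in sorted(search_list, key=len, reverse=True):
        if qname.endswith("." + suffix):
            return qname[: -len(suffix) - 1], suffix
    return qname, None


def find_searchlist_walkers(rows, search_list, min_suffixes=2):
    """Clients that queried the same short name under >= min_suffixes distinct
    search-list suffixes: the 'row by row' behaviour the question asks about."""
    seen = defaultdict(set)  # (client, stem) -> set of suffixes tried
    for _, client, qname, _, _ in rows:
        stem, suffix = split_suffix(qname, search_list)
        if suffix is not None:
            seen[(client, stem)].add(suffix)
    return {key: sorted(sfx) for key, sfx in seen.items() if len(sfx) >= min_suffixes}


def find_doubled_suffix(rows, search_list):
    """Queries where a search-list suffix was appended to a name that already
    ended in one, e.g. host.corp.example.com.corp.example.com."""
    hits = []
    for _, client, qname, _, _ in rows:
        stem, outer = split_suffix(qname, search_list)
        if outer is None:
            continue
        _, inner = split_suffix(stem, search_list)
        if inner is not None:
            hits.append((client, qname))
    return hits


def top_nxdomain_clients(rows):
    """Clients ranked by NXDOMAIN responses, most first (the reply's shortcut)."""
    counts = Counter(client for _, client, _, _, rcode in rows if rcode == "NXDOMAIN")
    return counts.most_common()


if __name__ == "__main__":
    rows = parse_queries(SAMPLE_LOG)
    print("search-list walkers:", find_searchlist_walkers(rows, SEARCH_LIST))
    print("doubled suffix:", find_doubled_suffix(rows, SEARCH_LIST))
    print("top NXDOMAIN clients:", top_nxdomain_clients(rows))
```

On the sample data only 10.1.2.3 walks the list (for `app01` and `db07`), 10.1.2.5 is the doubled-suffix case, and 10.1.2.4, which asked for the FQDN directly, appears in none of the reports. In Splunk the same grouping is a field extraction of stem and suffix from the query name followed by a count of distinct suffixes per client and stem, which is what the walker function does in memory here.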
