11-15-2018 04:48 AM
The company has been using the DNS suffix list instead of using FQDNs. The list has been rather a long one.
In an attempt to shorten the list for security and performance reasons we reconfigured clients and applications, but we would like to make sure that we have accomplished this: that clients are now using FQDNs rather than hostnames, leaving the suffix-query searching to the absolute minimum.
My question is regarding Reporting:
Is there a Splunk query I could do to catch clients that query the search list one by one, row by row, step by step for a hostname + domain suffix?
11-16-2018 12:33 PM
I'm sure there is, but would a simpler query just be to look at your high NXDOMAIN query source clients? Most of our suffix search list abusers are also on the top NXDOMAIN requests as well. The other search that jumps out is when they add the suffix onto a valid FQDN,
i.e. you wind up with "servername.2nd-level.infoblox.com.infoblox.com".
Those are usually pretty easy to sort to the top of the query list as well.
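The three signals described in the reply (top NXDOMAIN sources, a single-label hostname walked across several list suffixes, and a suffix appended onto an already valid FQDN), as an added example that is not part of either post: it runs over constructed resolver log lines in an assumed "client query: name rcode" format, with an assumed suffix list, so the regex and SUFFIXES need adjusting to a real log format and search list.

```python
import re
from collections import defaultdict

# Constructed sample of resolver query log lines (client, query name, rcode).
# The line format is an assumption; adapt LINE_RE to your resolver's logs.
SAMPLE_LOG = """\
10.0.0.5 query: servername.corp.example.com NXDOMAIN
10.0.0.5 query: servername.lab.example.com NXDOMAIN
10.0.0.5 query: servername.example.com NOERROR
10.0.0.9 query: app1.example.com NOERROR
10.0.0.9 query: app1.example.com.example.com NXDOMAIN
10.0.0.7 query: fileserver.example.com NOERROR
"""

# Assumed client search list; longest suffix is matched first below.
SUFFIXES = ["corp.example.com", "lab.example.com", "example.com"]
LINE_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) (?P<rcode>\S+)$")

def parse(log):
    """Yield (client, normalised qname, rcode) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["client"], m["qname"].lower().rstrip("."), m["rcode"]

def split_suffix(qname, suffixes):
    """Return (left part, matched suffix) using the longest list suffix."""
    for suf in sorted(suffixes, key=len, reverse=True):
        if qname.endswith("." + suf):
            return qname[: -len(suf) - 1], suf
    return None, None

def nxdomain_counts(log):
    """Signal 1: NXDOMAIN answers per client (search-list walkers rank high)."""
    counts = defaultdict(int)
    for client, _, rcode in parse(log):
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return dict(counts)

def suffix_walkers(log, suffixes=SUFFIXES, min_steps=2):
    """Signal 2: clients querying one single-label host under >= min_steps
    different list suffixes, i.e. the client is walking the search list."""
    walks = defaultdict(lambda: defaultdict(set))  # client -> host -> suffixes
    for client, qname, _ in parse(log):
        host, suf = split_suffix(qname, suffixes)
        if host and "." not in host:  # bare hostname, not a FQDN
            walks[client][host].add(suf)
    return {c: sorted(h for h, s in hosts.items() if len(s) >= min_steps)
            for c, hosts in walks.items() if any(len(s) >= min_steps for s in hosts.values())}

def doubled_suffixes(log, suffixes=SUFFIXES):
    """Signal 3: a list suffix appended onto a name that already ends in one."""
    hits = defaultdict(set)
    for client, qname, _ in parse(log):
        inner, _ = split_suffix(qname, suffixes)
        if inner and split_suffix(inner, suffixes)[1]:
            hits[client].add(qname)
    return {c: sorted(q) for c, q in hits.items()}
```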