How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5299     0

Dear All,

I would like to get the top 10 (by count) top level domains from the recursive queue.

For example, if the recursive queue got 100 random subdomains for example.com and 500 random subdomains for test.com and 200 random subdomains for google.com and 300 for the main domain microsoft.com

I want only the list like below.

500 test.com

300 microsoft.com

200 google.com

100 example.com

Your kind support in this regard will be very much appreciated.

Abdul Khader

Re: How to get top 10 domains list from recursive queue

Expert
Posts: 169
5300     0

Have you looked at the Infoblox reporting server? If not I would recommend you download a VM and trial it.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5300     0

Dear Paul,

First, thanks for the quick reply.

Two things.

1) We have reporter (IB-4000). Does reporter give logs/information in real time?

2) We have high QPS per grid member, around 30,000 QPS.

With this volume of traffic, it would take minutes to fill the recursive queue and start impacting the legitimate clients in case,

a) If there is a Phantom-sub-Domain attack for multiple domains from multiple clients

b) If any of the popular domains like google, apple, facebook etc. do not resolve because of a network issue or any other issue.

For this reason we need to know recursive queue information in real time, as we will have minutes to react.

Having said that, kindly let me know how the reporter can help us in getting the recursive information.

Please note that the recursive queue number (for example, 25000 in queue) does not serve the purpose. We need the domain names and, if possible, a count for each domain (only the main domain; for example, if random subdomains for microsoft.com are in the queue, we just need microsoft.com).

Appreciate your support in this regard.

Abdul Khader

Re: How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5300     0

Dear Paul/ All,

Any support would be highly appreciated.

Regards

Abdul Khader

Re: How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5300     0

Dear All,

Using BIND, it's very simple to get the recursive list.

The following command will create a file called named.recursing:

rndc recursing

The file named.recursing will have the list of domains which are in the recursive list.
It should be pretty easy to achieve this in Infoblox.

Kindly advise.

Abdul Khader

Re: How to get top 10 domains list from recursive queue

Adviser
Posts: 147
5300     0

Abdul,

While not just a list of recursive domains, you can view/dump the contents of the DNS cache by selecting the member in the GUI and "view cache" or via the 'show dns cache' command from the CLI. This may give you some of what you are looking for in a troubleshooting type of situation.

Reporting does provide customized and detailed reports on the top requested domains and other interesting queries such as NXDOMAINS, and while this may be near real-time depending on the metrics, it is not real time as the data needs to be indexed and passed to the Splunk engine for processing. Reporting can generate alerting as well.

A function you may want to also take a look at is our Advanced DNS Protection (ADP) or Software ADP, which can now be implemented on many of our appliances. This provides customized rules that can alert and take actions on such things as traffic rates, NXDOMAIN attacks, etc.

I hope this helps!

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products

Re: How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5300     0

Thanks for the reply. Appreciate it.

The solution given does not meet the requirements as per the query.

Basically what I am asking for is just the recursive queue.

I feel the contents of the cache file do not differentiate the recursive queue. Even if they do, the cache file will contain millions of lines and parsing it for the recursive queue would not be a feasible solution for quick reaction.

ADP does help in mitigation of phantom domains, but what if a legitimate domain like microsoft or google does not work due to a network issue from our side or because of the authoritative DNS servers for these domains? In this case ADP would not be helpful.

We would like to automatically check the recursive queue periodically and match the queue with the popular domains. If any of the popular domains is found (say the count is 100 for one of the popular domains), we would like to get notified by email so that we can take remedial action immediately.

All I am asking for is an option in the GUI to download the recursive queue, or any other way by which we can get the recursive queue and parse it (maybe using SNMP?). If Infoblox can actually do the following, it would be a good selling point.

TOP 100 domains in recursive queue.

NOTE: Only the top level domain name is mentioned. Say, if the domain in queue is SAsdasd.microsoft.com then you show only the top domain, that is microsoft.com

Domain          Count
microsoft.com   2000
google.com      1500
facebook.com    1000

Hope you understand the query and the expected solution.
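
Added example (not part of the original posts, and not Infoblox or ISC code): a Python script that produces the per-main-domain report and threshold check requested above from the BIND `rndc recursing` dump mentioned earlier in the thread. The entry layout shown in the comment, the two-label definition of "main domain", the function names and the sample dump are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed layout of one entry in BIND's named.recursing dump:
#   ; client 192.0.2.1#53000: id 1000 'R0x.test.com/A/IN' requesttime 0
ENTRY_RE = re.compile(r"^; client \S+: id \d+ '([^']+)/[^/']+/[^/']+'")

def registered_domain(qname):
    """Main domain as the thread defines it: the last two labels.
    Assumption: not public-suffix aware (foo.co.uk collapses to co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def count_domains(dump_text):
    """Count pending recursive queries per main domain."""
    counts = Counter()
    for line in dump_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines and other dump sections are skipped
            counts[registered_domain(m.group(1))] += 1
    return counts

def top_domains(dump_text, n=10):
    """Top n (domain, count) pairs, highest count first, ties by name."""
    items = count_domains(dump_text).items()
    return sorted(items, key=lambda kv: (-kv[1], kv[0]))[:n]

def over_threshold(dump_text, watchlist, threshold):
    """Watch-listed domains whose queue count has reached the threshold."""
    counts = count_domains(dump_text)
    return {d: counts[d] for d in sorted(watchlist) if counts[d] >= threshold}

def build_sample():
    """Constructed dump: random-looking subdomains per domain, scaled down."""
    lines = [";", "; Recursing Queries", ";"]
    for dom, n in {"example.com": 1, "test.com": 5,
                   "google.com": 2, "microsoft.com": 3}.items():
        for i in range(n):
            lines.append(f"; client 192.0.2.{i + 1}#{53000 + i}: id {1000 + i} "
                         f"'R{i}x.{dom}/A/IN' requesttime {i}")
    return "\n".join(lines) + "\n"

SAMPLE = build_sample()

if __name__ == "__main__":
    for domain, count in top_domains(SAMPLE):
        print(count, domain)
    print("alert:", over_threshold(SAMPLE, {"google.com", "microsoft.com"}, 3))
```

On a BIND server the input would be the contents of the named.recursing file written by `rndc recursing`; the dictionary returned by `over_threshold` is what a periodic job would turn into the e-mail notification.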

Re: How to get top 10 domains list from recursive queue

Adviser
Posts: 147
5300     0

Abdul,

I believe I follow what you are looking for and I will do some additional investigation to determine what else may be possible.

Somewhat related, Infoblox introduced a new fault tolerant recursive caching feature in NIOS 8.2. When this feature is enabled the recursive cache will maintain domains that have expired from the cache if they are currently unreachable either due to a timeout or SERVFAIL.

This feature can mitigate some of your risk but I understand you are still looking for a method to determine and essentially report on the contents of the recursive queue.

Thank you!

Check out our new Tech docs website at http://docs.infobox.com for latest documentation on Infoblox products

Re: How to get top 10 domains list from recursive queue

akhader
Techie
Posts: 10
5300     0

Ssalo,

Thanks for the quick useful reply.

I appreciate it very much.

The new feature in 8.2 is indeed useful. However, as you understand very well, I am still looking for just the recursive queue.

Can we download it using the API? It would be rather nice to make the recursive queue downloadable from all grid members using the API. This will help the administrator automate the recursive queue using scripting.

Thanks

Abdul Khader
