03-28-2017 09:40 PM
I would like to get the top 10 (by count) top level domains from the recursive queue.
For example, if the recursive queue got 100 random subdomains for example.com and 500 random subdomains for test.com and 200 random subdomains for google.com and 300 for the main domain microsoft.com
I want only the list like below.
Your kind support in this regard will be very much appreciated.
03-30-2017 05:50 AM
Have you looked at the Infoblox reporting server? If not I would recommend you download a VM and trial it.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
04-01-2017 03:42 AM
First, thanks for the quick reply.
1) We have reporter (IB-4000). Does reporter give logs/information in realtime?
2) We have high QPS per grid member around 30,000 QPS.
With this volume of traffic, it would take minutes to fill recursive queue and start impacting the legitimate clients in case,
a) If there is Phantom-sub-Domain attack for multiple domains from multiple clients
b) If any of the popular domains like google, apple, facebook etc. do not resolve because of a network issue or any other issue.
For this reason we need to know recursive queue information in realtime as we will have minutes to react.
Having said that, kindly let me know how the reporter can help us in getting the recursive information.
Please note that the recursive queue number (for example, 25000 in queue) does not serve the purpose. We need the domain names and, if possible, the count for each domain (only the main domain; for example, if random subdomains for microsoft.com are in the queue, we just need microsoft.com).
Appreciate your support in this regard.
04-09-2017 10:30 PM
Using bind, it's very simple to get the recursive list.
Following command will create a file called named.recursing
The file named.recursing will have the list of domains which are in the recursive list.
It should be pretty easy to achieve this in infoblox.
07-19-2017 02:31 PM
While not just a list of recursive domains, you can view/dump the contents of the DNS cache by selecting the member in the GUI and "view cache" or via the 'show dns cache' command from the CLI. This may give you some of what you are looking for in a troubleshooting type of situation.
Reporting does provide customized and detailed reports on the top requested domains and other interesting queries such as NXDOMAINS, and while this may be near real-time depending on the metrics, it is not real time as the data needs to be indexed and passed to the Splunk engine for processing. Reporting can generate alerting as well.
A function you may want to also take a look at is our Advanced DNS Protection (ADP) or Software ADP which can now be implemented on many of our appliances. This provides customized rules that can alert and take actions on such things as traffic rates, NXDOMAIN attacks, etc.
I hope this helps!
07-31-2017 09:18 PM
Thanks for the reply. Appreciate it.
The solution given does not meet the requirements as per the query.
Basically what I am asking for is, just the recursive queue.
I feel the contents of the cache file do not differentiate the recursive queue. Even if they do, the cache file will contain millions of lines and parsing it for the recursive queue would not be a feasible solution for quick reaction.
ADP does help in mitigation of phantom domains, but what if a legitimate domain like microsoft or google does not work due to a network issue from our side or because of the Authoritative DNS servers for these domains? In this case ADP would not be helpful.
We would like to automatically check the recursive queue periodically and match the queue with the popular domains. If any of the popular domains is found (say the count is 100 for one of the popular domains), we would like to get notified by email so that we can take remedial action immediately.
All I am asking for is an option in the GUI to download the recursive queue, or any other way by which we can get the recursive queue and parse it (maybe using SNMP?). If Infoblox can actually do the following, it would be a good selling point.
TOP 100 domains in recursive queue.
NOTE: Only the top level domain name is mentioned. Say, if the domain in queue is SAsdasd.microsoft.com, then you show only the top domain, that is microsoft.com
Hope you understand the query and the expected solution.
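
The periodic check described in this post, run against the named.recursing dump mentioned earlier in the thread (the file BIND writes for `rndc recursing`), could look like the following. It is an added example, not code from any poster or from Infoblox; the dump line format, the constructed sample data and the short suffix list standing in for the Public Suffix List are assumptions, and sending the e-mail is left to the caller.

```python
import re
from collections import Counter

# Assumed line format: "; client <ip>#<port>: id <n> '<name>/<type>/<class>' ..."
# Only the quoted name/type/class token is relied on.
QUERY_RE = re.compile(r"'([^'/\s]+)/[A-Za-z0-9]+/[A-Za-z0-9]+'")

# Assumption: a tiny stand-in for the Public Suffix List (use the real list in production).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def main_domain(qname):
    """Collapse a query name to its main (registrable) domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) or "."


def top_domains(dump_text, n=10):
    """Return [(main_domain, count), ...] for the n busiest domains in the dump."""
    counts = Counter(main_domain(m.group(1)) for m in QUERY_RE.finditer(dump_text))
    return counts.most_common(n)


def watchlist_hits(dump_text, watchlist, threshold):
    """Return {domain: count} for watched domains at or above the threshold."""
    counts = dict(top_domains(dump_text, n=None))
    return {d: counts[d] for d in watchlist if counts.get(d, 0) >= threshold}


def constructed_dump():
    """Build a small constructed sample dump (not real traffic)."""
    names = ([f"x{i}k2.microsoft.com" for i in range(5)]
             + [f"r{i}q9.test.com" for i in range(3)]
             + ["www.bbc.co.uk", "a.b.bbc.co.uk", "example.com"])
    lines = [";", "; Recursing Queries", ";"]
    lines += [f"; client 192.0.2.{i + 1}#{40000 + i}: id {1000 + i} '{n}/A/IN' "
              f"requesttime {i % 4}" for i, n in enumerate(names)]
    return "\n".join(lines)


if __name__ == "__main__":
    dump = constructed_dump()
    for domain, count in top_domains(dump, n=10):
        print(f"{count:6d}  {domain}")
    # Hypothetical watchlist and threshold; hand any hits to your mailer.
    print(watchlist_hits(dump, {"microsoft.com", "google.com"}, threshold=5))
```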
08-03-2017 12:06 PM
I believe I follow what you are looking for and I will do some additional investigation to determine what else may be possible.
Somewhat related, Infoblox introduced a new fault tolerant recursive caching feature in NIOS 8.2. When this feature is enabled the recursive cache will maintain domains that have expired from the cache if they are currently unreachable either due to a timeout or SERVFAIL.
This feature can mitigate some of your risk but I understand you are still looking for a method to determine and essentially report on the contents of the recursive queue.
08-04-2017 03:40 AM
Thanks for the quick useful reply.
I appreciate it very much.
The new feature in 8.2 is indeed useful. However, as you understand very well that I am still looking for just the recursive queue.
Can we download it using the API? It would be rather nice to make the recursive queue downloadable from all grid members using the API. This will help the administrator automate the recursive queue using scripting.