
Report to show timeline of DNS Top Clients

SRobinson
Techie
Posts: 7

Has anyone created an improved DNS Top Clients report that enables the filtering on a specified source IP address and a time period that can be defined? Obviously, the built-in report can be played with to specify specific time ranges, but a time graph that showed a hosts query rate would be really nice.

I'm asking as we have some weird behaviour from some clients reporting to be generating 10s of millions of DNS queries in a 24 hour period, but when we filter it down to times it's difficult to find where the bulk of activity is.

Re: Report to show timeline of DNS Top Clients

Adviser
Posts: 126

Hello SRobinson,


Can you see if https://community.infoblox.com/t5/Reporting/DNS-Top-Clients-Host-with-IP-filter/m-p/9703/highlight/t... is helpful?

Best regards,

Mohammed Alman.

Re: Report to show timeline of DNS Top Clients

SRobinson
Techie
Posts: 7

Yeah, I've already added that dashboard.

I think what I'm really looking for though is almost a y-axis of DNS queries, and an x-axis of time, and then a column for each of the, say, top 5 DNS clients in that timeline. That way you could easily pinpoint when a device has gone "rogue" to reach out and find out if it's malicious or valid activity.

Not sure if this is possible though, so I may have to continue with the multiple changes to the date/time range.

Re: Report to show timeline of DNS Top Clients

Expert
Posts: 180

We use the one listed in this thread.

https://community.infoblox.com/t5/Reporting/DNS-Top-Client-New-Top-IP-not-seen-in-the-last-week/m-p/...

Top-New-DNS-Clients-V3, my post from 2016.

It lets you look for clients that are hitting you "now" that were not over some previous time period. There are scenarios where it doesn't work, like if one of your "normal" top clients doubles its query rate, but it does work to find the ones where a new top client suddenly appears out of nowhere.


Re: Report to show timeline of DNS Top Clients

Adviser
Posts: 126

Hello There,

Thanks DEvans for your input. I just wanted to hop in with some XML code which might be of help as per SRobinson's use case. But this would need a data collector VM in place (a free data collection tool which could be configured in your Grid). We've got 3 panels, while the 2nd & 3rd are dependent on the input from the first panel. Just in case you want to track top clients for a specific FQDN (especially in case of attacks), I've added an additional filter for this here. Here's how the code works:

Initially, this would list the Top 10 DNS clients with IP filter in the first panel & the 2nd/3rd panels would be waiting for data input. By default the first panel would choose the time to be the last 1 day & would pick up all members indexing DNS query capture data. Further, you may apply filters as appropriate. This is how mine looks initially:

[screenshot: pic1.jpg]

The second panel would list the Top 10 FQDN queried by the client that you choose from panel 1. As I drilled down further by clicking on 10.64.12.13, I got this in my second panel:

[screenshot: pic2.jpg]

Now the third panel would list the complete number of queries for the FQDN chosen from panel 2. The most important part is that these stats would be for the queries originating from the client chosen from panel 1. As I clicked on "mail.google.com", I got numbers for total queries by 10.64.12.13 for this FQDN on all my grid members. As I've mentioned, the pie chart below is statistics from the particular client chosen above:

[screenshot: pic3.jpg]

Here's the complete XML code for the use case mentioned above:

<form>
  <label>Top DNS clients with IP filter and Top domains queried</label>
  <description>This dashboard uses the dns query capture data. Click on a client to drilldown further.</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-1d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="topn">
      <label>Top N</label>
      <default>10</default>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
      <choice value="20">20</choice>
      <choice value="50">50</choice>
      <choice value="100">100</choice>
      <choice value="200">200</choice>
      <choice value="250">250</choice>
      <choice value="500">500</choice>
    </input>
    <input type="text" token="source_ip">
      <label>CLIENT IP</label>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
    <input type="multiselect" token="members">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>index=ib_dns_capture | stats count by host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="text" token="qry_txt">
      <label>FQDN</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=ib_dns_capture Query $members$ src_ip=$source_ip$ query="$qry_txt$" | stats sum(query_count) as "QUERY COUNT" BY src_ip | rename src_ip as CLIENT | sort -"QUERY COUNT" | head $topn$</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
        <drilldown>
          <set token="src_ip">$click.value$</set>
        </drilldown>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table depends="$src_ip$">
        <title>Top requested FQDN by $src_ip$. Click on a query to drill down further. </title>
        <search>
          <query>index=ib_dns_capture Query $members$ src_ip=$src_ip$ query="$qry_txt$" | stats sum(query_count) as FQDN_TOTAL by "query" | sort -FQDN_TOTAL | head 10</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <drilldown>
          <set token="query">$click.value$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Total queries from $src_ip$ for "$query$" towards all DNS servers. </title>
        <search>
          <query>index=ib_dns_capture Query src_ip=$src_ip$ query="$query$" | stats sum(query_count) by host | rename sum(query_count) as "TOTAL HITS"</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Additional note: From what I understand, your requirement is to inspect the top queries made by a particular client whenever it's listed under the top N clients. If that is the case, I doubt whether the requirement could be achieved by making use of ib:dns:query:top_clients data alone since it doesn't carry the query part in it. You can find both queries & client IP address in either ib:syslog data (if query logging is enabled) or the ib:dns:capture data (which I've used to craft the search). As I mentioned earlier, the XML code mentioned above needs a data connector VM in your grid, which is extremely helpful for such use cases & is really free/easy to deploy. If this hasn't been deployed yet in your grid, please refer to the deployment guide from https://support.infoblox.com -> Tech Docs -> "Data collector".

Hope this might be of help.

Best regards,

Mohammed Alman.
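The original request in this thread (query volume of the top clients plotted against time, one column per client) is not covered by the three panels above, so here is an added example form; it is not from any post in the thread, and it assumes the same index, search term and field names as the XML above (ib_dns_capture, Query, src_ip, query_count), the same data collector dependency, and Splunk's timechart command with its limit and useother options.

```xml
<form>
  <label>DNS query rate over time, top N clients</label>
  <description>Added example, not from the original post: one column per top client per time bucket, built on the same ib_dns_capture data and fields (src_ip, query_count).</description>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="topn">
      <label>Top N clients</label>
      <default>5</default>
      <choice value="5">5</choice>
      <choice value="10">10</choice>
    </input>
    <input type="dropdown" token="span">
      <label>Bucket size</label>
      <default>1h</default>
      <choice value="5m">5 minutes</choice>
      <choice value="15m">15 minutes</choice>
      <choice value="1h">1 hour</choice>
    </input>
    <input type="text" token="source_ip">
      <label>Client IP (wildcard allowed)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Queries per $span$ bucket for the top $topn$ clients matching $source_ip$</title>
        <search>
          <!-- limit= keeps only the N busiest src_ip series over the whole range;
               useother=f drops the aggregated OTHER series so the chart stays readable -->
          <query>index=ib_dns_capture Query src_ip=$source_ip$
            | timechart span=$span$ limit=$topn$ sum(query_count) by src_ip useother=f</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</form>
```

A sudden step in one client's column pins the start of a burst to a single bucket; narrowing the bucket size and the time picker then isolates the minutes to pull from the query capture data.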
