Reply

Reporting on RPZ hits at caching layer

pnewcomb
Techie
Posts: 6
269     0

We have a secondary dns layer that is supposed to be the dns server layer for all clients.

The secondary DNS servers forward to the caching layer.

 

While RPZ is on both layers now, I want to only have RPZ at the secondary layer.

First I must determine that RPZ hits are only being reported from the secondary layer before I move the RPZ licenses off the caching layer.

 

I want to run a report that will demonstrate that clients are not sending queries to the caching layer.

 

The dns secondary server names begin with “usqasb01dns”

The dns Caching server names begin with “usqasb01dnf”

 

This is the current search criteria:

 

index=ib_dns_summary report=si_dns_rpz_hits| eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX" or MITIGATION_ACTION == "ND", "Block", MITIGATION_ACTION == "SB" or MITIGATION_ACTION =="A1" or MITIGATION_ACTION =="A4" or MITIGATION_ACTION =="AA" or MITIGATION_ACTION =="DN", "Substitute") | fields _time  MITIGATION_ACTION   TOTAL_COUNT   | timechart bins=1000 avg(TOTAL_COUNT) by MITIGATION_ACTION  useother=f | interpolate 1200| fillnull | addtotals row=true col=false | rename Total as "ClientHits"

 

Can I add a condition to look for the caching servers?

Usqasb01dnf101.na.pg.com

Usqasb01dnf102.na.pg.com

 

Your help is greatly appreciated

Re: Reporting on RPZ hits at caching layer

Adviser
Posts: 92
270     0

Hello Gentleman,

 

You can do that by including the ‘orig_host’ value like this :

 

index=ib_dns_summary report=si_dns_rpz_hits orig_host=" Usqasb01dnf101.na.pg.com" OR orig_host=" Usqasb01dnf102.na.pg.com" | eval MITIGATION_ACTION=case(MITIGATION_ACTION == "PT", "Passthru", MITIGATION_ACTION == "NX" or MITIGATION_ACTION == "ND", "Block", MITIGATION_ACTION == "SB" or MITIGATION_ACTION =="A1" or MITIGATION_ACTION =="A4" or MITIGATION_ACTION =="AA" or MITIGATION_ACTION =="DN", "Substitute") | fields _time  MITIGATION_ACTION   TOTAL_COUNT   | timechart bins=1000 avg(TOTAL_COUNT) by MITIGATION_ACTION  useother=f | interpolate 1200| fillnull | addtotals row=true col=false | rename Total as "ClientHits"

 

Exclusions can be done by using the following in the above string :

 

orig_host!="Usqasb01dnf101.na.pg.com" 

 

I hope you'll find that to be usefull.


All the best,

Mohammed Alman.

Showing results for 
Search instead for 
Do you mean 

Recommended for You