03-07-2018 08:20 AM
Hi as newbie in this field i like to create a repport about the amount of queries per domain which we host.
So i can see which domain is still used and which not. This to cleanup our domain on our Auth. Server.
We are running version 8.2 does someone has this kined of report and whant it to share?
thanks on for hand
03-07-2018 11:00 AM
Hello & Welcome,
You may start by using the ‘DNS Top Requested Domain Names’ report which would give you the top most requested domain names, their counts and the percentage of request over a given time frame. In case if you are expecting results more than 10000, you can simply open this report in search using the following steps :
Go to Reporting -> Reports -> Select ‘DNS Top Requested Domain Names’ -> ‘Open in search’ -> Remove the ‘head 10000’ from search string. If you are not expecting results more than 10000, you may open this report directly & adjust the time to fit as per your need.
Note : Do not customize any of the predefined reports & make sure that you clone them before making any changes to the string. You may review ‘Cloning Reports’ section from chapter ‘Infoblox Reporting and Analytics’ of the NIOS administrator guide for instructions.
A perfect approach to meet your requirement would be to make use of the ‘DNS Domain Query Trend’ dashboard. The ‘DNS Domain Query Trend’ dashboard shows the trend of DNS queries for specific domains. This dashboard displays the DNS query trends for queries generated from both the internal and external sources. But this would need a Data collection VM in your grid. The Infoblox Data Connector VM (virtual appliance) is a utility that is designed to collect DNS query and response data from the Infoblox Grid members, filter out based on user criteria thus reducing the quantity of data, convert the data to a format that can be securely transferred to the NIOS reporting server for report generation, Infoblox ActiveTrust cloud destination, or to third-party Splunk Indexer .If you do not have one setup in your Grid as of now, you may read through the documentation available at https://support.infoblox.com -> ‘Tech Docs’ -> ‘Data Connector’.
03-10-2018 07:23 AM
but this is all the domains requested in caching and auth. I like to know the usage of my domains on my authoritive servers only in this case the ns1. and ns2. how can i do this
03-12-2018 03:34 AM - edited 03-12-2018 03:42 AM
The ‘DNS Top Requested Domain Names’ report indeed lists both the authoritative/recursive domains. It may not be possible to separate recursive/authoritative queries from this specific report. In case if you have a data collector VM configured in your Infoblox infrastructure, we could get this requirement done by crafting a custom search string. In case if you do, you could use the following search string in order to retrieve just the authoritative queries made to your server & the numbers would be accurate as well based on the responses given out by the server :
sourcetype=ib:dns:capture index=ib_dns_capture | search host = emea-gm.lab.inbe.infoblox.com OR host = emea-vadp1.lab.inbe.infoblox.com | search flag_aa=Y | stats sum(query_count) as TOTAL_QUERIES by query | sort -TOTAL_QUERIES | rename query as FQDN | table FQDN TOTAL_QUERIES
While, you could replace the names ‘emea-gm.lab.inbe.infoblox.com OR emea-vadp1.lab.inbe.infoblox.com’ with the FQDNs of your authoritative DNS servers (ns1 & ns2). In case if you don’t mention the ‘host’ filter(the entire search part for the hosts), the search is going to pull data indexed by all the authoritative DNS Servers.
Please find an example of how this works below :
The ‘DNS Top Requested Domain Names’ report for a particular time frame (This lists data from all the DNS servers):
Now the report pulled by the string that I have mentioned above :
This is how my authoritative DNS data looks like :
I hope this helps!
03-13-2018 08:41 AM
Thanks for your help
The query doesn't work directly here are no entries
I think i need to configure the folowing on the infoblox
How to configure this, where is this hidden ;-)?
03-13-2018 09:45 AM
Thank you for the feedback.
To configure your reporting server to index data for ib_dns_capture, you just need to enable ‘DNS Query Capture’ category under Grid reporting properties. But, ib_dns_capture data is indexed only if you have a data collection VM in your grid. As I have mentioned in my last response, the string would work only if you have a data collection VM in place configured to collect query/response from the grid DNS members. We’re basically making use of the ‘flag_aa=Y’ field in the DNS responses to meet your requirement, which would be available only in the data forwraded by a DCVM.
In case if you do not have a data collection VM configured as of now, you may find the instruction for deployment from https://support.infoblox.com -> ‘Tech docs’ -> ‘Data connector’ -> ‘Deployment guide’. Its free & would be useful for such use cases.
All the best!