Trinzic Reporting and RPZ (DNS Firewall)

Expert
Posts: 181

I am looking for Infoblox customers that are using the Trinzic Reporting tool and the two reports:

DNS Top RPZ Hits

DNS Top RPZ Hits by Clients

 

These reports should be very helpful in finding your top RPZ problem clients. However, in our environment, they are not.

 

The backend for these reports summarizes data once every 10 minutes. The reports themselves do not then aggregate the data over the time frame the user selects in the report options. Here is an example that shows the issue with this design.

 

If I have 1 client with an extreme issue where, in every 10 minute window, it has the largest number of hits.

I have hundreds of other clients with issues, but they happen to hit the RPZ slightly less than this client in each 10 minute window.

I then run the DNS Top Hits by Client and choose a time frame of 1 day and 50 top clients.

What the report will generate is a list with the single client IP, hitting the same DNS server, asking for the same DNS name, 50 times. The only difference would be the time stamp on each line in the report. There would be no other clients listed in this report.

 

This is an extreme case, but in our environment, running this report generates few unique client IP and RPZ hit combinations. A top 500 list over 1 week will generate a list of 30 unique client IP and DNS lookup lines. The rest of the 500 lines are when the same client “won” in a different 10 minute window. These clients are things like SPAM checking servers or other DNS servers forwarding queries, so not something in need of "fixing". I expect them to be in the report but listed once, with a high count, not dominating the report.

 

Our support case (after 2 months) came back with:

“We have checked this multiple times with the engineering team and went up to the level of the design spec for that report to verify the behaviour you reported.

Based on the feedback from our sustaining team, this is how the report was designed, the report only shows the client with the highest number of hits for that specific 10 minutes time frame.

The Infoblox reporting solution is still being improved and we believe that the feedback you provided is invaluable and the behaviour of the report will be improved as a result of the feature request you filed in a future NIOS version.”

 

Questions to the other administrators in this forum:

Is the behavior useful in other environments that I have not considered?

Is this a behavior that other customers would expect?

Would you consider this report in need of enhancement or broken?
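The two report behaviours described in this post, reproduced as an added example (Python, written for this page; it is not Infoblox code and not the poster's). The sample hits are constructed: one extreme client beats twenty quieter clients by one hit in every 10-minute window. `top_per_bucket` summarises per window and keeps only each window's winner, which is the design the support case describes; `top_over_window` aggregates over the whole selected time frame, which is what the poster expects.

```python
from collections import Counter
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=10)


def make_sample_hits():
    """Constructed sample data, not real Infoblox reporting output.

    One hour of RPZ hits: 10.0.0.5 is the single extreme client with 10 hits in
    every 10-minute window; twenty other clients (10.0.1.1-10.0.1.20) get 9 hits
    each per window, so each of them loses every window by a single hit.
    Returns a list of (timestamp, client_ip, qname) tuples.
    """
    start = datetime(2020, 1, 1, 0, 0, 0)
    hits = []
    for window in range(6):
        t = start + window * BUCKET
        hits += [(t + timedelta(seconds=i), "10.0.0.5", "evil.example")
                 for i in range(10)]
        for n in range(1, 21):
            hits += [(t + timedelta(seconds=30 + i), f"10.0.1.{n}", "malware.example")
                     for i in range(9)]
    return hits


def bucket_of(ts):
    """Floor a timestamp to the start of its 10-minute summarisation window."""
    return ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)


def top_per_bucket(hits, top_n):
    """The behaviour the thread describes: summarise each 10-minute window on
    its own, keep only the winning (client, qname) row of each window, then
    list the top_n of those rows.  The same client can appear once per window."""
    per_bucket = {}
    for ts, ip, qname in hits:
        per_bucket.setdefault(bucket_of(ts), Counter())[(ip, qname)] += 1
    rows = []
    for start in sorted(per_bucket):
        (ip, qname), count = per_bucket[start].most_common(1)[0]
        rows.append((start, ip, qname, count))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows[:top_n]


def top_over_window(hits, top_n):
    """The behaviour the poster expects: aggregate over the whole selected time
    frame, so each (client, qname) pair appears once with its total count."""
    totals = Counter((ip, qname) for _, ip, qname in hits)
    return [(ip, qname, count) for (ip, qname), count in totals.most_common(top_n)]


def unique_clients(rows, ip_index):
    """Distinct client IPs present in a report's rows."""
    return sorted({row[ip_index] for row in rows})


if __name__ == "__main__":
    sample = make_sample_hits()
    print("per-window winners  :", unique_clients(top_per_bucket(sample, 5), 1))
    print("aggregated over hour:", top_over_window(sample, 5))
```

With the constructed data, a "top 5" built from per-window winners contains only 10.0.0.5, five times; the aggregated version lists 10.0.0.5 once with 60 hits followed by four of the quieter clients with 54 each, which is the shape of report the post asks for.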


Agree with you David, I would

Techie
Posts: 6

Agree with you David, I would like to see a report with the option to see only unique IPs, to be able to more easily identify each client querying for malware domains. As for now, a client querying less frequently might not even end up in the RPZ reports.

Regards,

Fredrik


RFE-5283  has been opened for

Expert
Posts: 181

RFE-5283  has been opened for this issue.


Build custom reports

Techie
Posts: 1

This may not be helpful to you, as I tend to go with my own reports no matter what. For obvious reasons, Infoblox or any vendor may never be able to know, meet or accommodate individual needs.

With respect to DNS firewall,  this is what I found working:

1) set up your Syslog server

2) Let Infoblox send all alerts to the above syslog server

3) Process all the alerts coming into your syslog with your scripts (I use Perl). All RPZ related messages contain strings like "CEF:" etc. Filter on them.

Be aware that IP addresses change in the case of DHCP clients. If your DNS tracks them in real time, your RPZ reports should be keyed on DNS hostnames if possible.
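The syslog approach from the three steps above, as an added example in Python rather than the poster's Perl (written for this page; not Infoblox code and not the poster's script). It filters on the "CEF:" marker, parses the standard CEF header and extension, counts hits per client over the whole input, and applies the DHCP caveat by mapping IPs to hostnames. The syslog lines, the hostname map, the RPZ-QNAME signature ID and the qname extension key are all constructed assumptions for the example; only the CEF header layout and the src/spt/dst/dpt keys are standard.

```python
import re
from collections import Counter

# Constructed sample syslog lines, not real NIOS output.  The CEF header layout
# and the src/spt/dst/dpt keys are standard CEF; the RPZ-QNAME signature ID and
# the qname key are assumptions for this example.
SAMPLE_SYSLOG = [
    "<30>Jan  1 00:00:12 ns1 named[1234]: client 10.0.0.7#41233: query: www.example.com IN A + (10.1.0.2)",
    "<30>Jan  1 00:00:13 ns1 named[1234]: CEF:0|Infoblox|NIOS|8.4|RPZ-QNAME|NXDOMAIN|7|src=10.0.0.5 spt=53243 dst=10.1.0.2 dpt=53 qname=evil.example",
    "<30>Jan  1 00:05:40 ns1 named[1234]: CEF:0|Infoblox|NIOS|8.4|RPZ-QNAME|NXDOMAIN|7|src=10.0.0.5 spt=53250 dst=10.1.0.2 dpt=53 qname=evil.example",
    "<30>Jan  1 00:30:02 ns1 named[1234]: CEF:0|Infoblox|NIOS|8.4|RPZ-QNAME|NXDOMAIN|7|src=10.0.0.9 spt=40001 dst=10.1.0.2 dpt=53 qname=evil.example",
    "<30>Jan  1 00:31:10 ns1 named[1234]: CEF:0|Infoblox|NIOS|8.4|RPZ-QNAME|NXDOMAIN|7|src=10.0.2.2 spt=40002 dst=10.1.0.2 dpt=53 qname=c2.example",
]

# Constructed lease-history -> hostname map: 10.0.0.5 and 10.0.0.9 were the
# same DHCP client at different times, which is the caveat the post raises.
HOSTNAMES = {"10.0.0.5": "laptop-42", "10.0.0.9": "laptop-42", "10.0.2.2": "mailscan-1"}

_PIPE = re.compile(r"(?<!\\)\|")               # a '|' that is not escaped as '\|'
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # key=value, value runs up to the next key=


def parse_cef(line):
    """Parse a syslog line carrying a CEF message.  Returns a dict with the
    seven header fields plus 'ext' (extension key/values), or None when the
    line carries no 'CEF:' marker (e.g. an ordinary query log line)."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = _PIPE.split(line[idx + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        return None                            # malformed header
    unescape = lambda s: s.replace("\\|", "|").replace("\\\\", "\\")
    version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    return {
        "version": version, "vendor": unescape(vendor), "product": unescape(product),
        "device_version": unescape(dev_version), "signature_id": unescape(sig_id),
        "name": unescape(name), "severity": severity,
        "ext": {k: v.strip() for k, v in _KV.findall(ext)},
    }


def rpz_events(lines):
    """Filter on the CEF marker, as the post suggests, then keep the RPZ ones."""
    for line in lines:
        ev = parse_cef(line)
        if ev is not None and ev["signature_id"].startswith("RPZ"):
            yield ev


def top_clients(lines, top_n=10, hostnames=None):
    """Count RPZ hits per (client, qname) over all lines, listing each client
    once with its total.  When a hostnames map is given, client IPs are
    replaced by hostnames first, so a DHCP client that changed address is
    not counted as two clients."""
    counts = Counter()
    for ev in rpz_events(lines):
        client = ev["ext"].get("src", "?")
        if hostnames:
            client = hostnames.get(client, client)
        counts[(client, ev["ext"].get("qname", "?"))] += 1
    return counts.most_common(top_n)


if __name__ == "__main__":
    print("by IP      :", top_clients(SAMPLE_SYSLOG))
    print("by hostname:", top_clients(SAMPLE_SYSLOG, hostnames=HOSTNAMES))
```

Keyed by IP, the constructed input shows three clients; keyed by hostname, the two addresses of laptop-42 collapse into one line with three hits, which is the difference the caveat about DHCP clients is pointing at. The extension parser splits on the next `key=` boundary, so values containing spaces survive, but it does not unescape `\=` inside values.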


Re: RFE-5283  has been opened for

Techie
Posts: 10

Hello - 

 

I'm a security PM here at Infoblox, and I've reviewed this RFE.

 

I agree completely with your point of view.  I am determining next steps.


Re: RFE-5283  has been opened for

Expert
Posts: 181

I was wondering if you had gotten anywhere with this issue. This is still a report that I would like to see.
