10-27-2014 10:42 AM
I am looking for Infoblox customers that are using the Trinzic Reporting tool and the two reports:
DNS Top RPZ Hits
DNS Top RPZ Hits by Clients
These reports should be very helpful in finding your top RPZ problem clients. However, in our environment, they are not.
The backend for these reports summarizes data once every 10 minutes. The reports themselves do not then aggregate the data over the timeframe the user selects in the report options. Here is an example that shows the issue with this design.
If I have 1 client that has an extreme issue where in every 10 minute window, it has the largest number of hits.
I have hundreds of other clients with issues, but they happen to hit the RPZ slightly less than this client in each 10 minute window.
I then run the DNS Top Hits by Client and choose a time frame of 1 day and 50 top clients.
What the report will generate is a list with the single client IP, hitting the same DNS server, asking for the same DNS name, 50 times. The only difference would be the time stamp on each line in the report. There would be no other clients listed in this report.
This is an extreme case, but in our environment, running this report generates few unique client IP and RPZ hit combinations. A top 500 list over 1 week will generate a list of 30 unique client IP and DNS lookup lines. The rest of the 500 lines are when the same client “won” in a different 10 minute window. These clients are things like SPAM checking servers or other DNS servers forwarding queries, so not something in need of "fixing". I expect them to be in the report but listed once, with a high count, not dominating the report.
Our support case (after 2 months) came back with:
“We have checked this multiple times with the engineering team and went up to the level of the design spec for that report to verify the behaviour you reported.
Based on the feedback from our sustaining team, this is how the report was designed, the report only shows the client with the highest number of hits for that specific 10 minutes time frame.
The Infoblox reporting solution is still being improved and we believe that the feedback you provided is invaluable and the behaviour of the report will be improved as a result of the feature request you filed in a future NIOS version.”
Questions to the other administrators in this forum:
Is the behavior useful in other environments that I have not considered?
Is this a behavior that other customers would expect?
Would you consider this report in need of enhancement or broken?
11-06-2014 05:13 AM
Agree with you David, I would like to see a report with the option to see only unique IPs to be able to more easily identify each client querying for malware domains. As for now, a client querying less frequently might not even end up in the RPZ reports.
12-21-2014 12:35 PM
This may not be helpful to you as I tend to go about with my own reports no matter what. For obvious reasons, Infoblox or any vendor may never be able to know, meet or accommodate individual needs.
With respect to DNS firewall, this is what I found working:
1) set up your Syslog server
2) Let Infoblox send all alerts to the above syslog server
3) Process all the alerts coming into your syslog with your scripts (I use Perl). All RPZ related messages contain strings like "CEF:" etc. Filter on them.
Be aware, IP addresses change in the case of DHCP clients. If your DNS tracks them in real time, your RPZ reports should be keyed on DNS hostnames if possible.
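One way to do the aggregation that step 3 describes, as an added example that is not part of this thread and is written in Python rather than the poster's Perl. It counts every RPZ hit per (client, queried name) over the whole input instead of per 10 minute window, and maps DHCP clients to hostnames through a lookup table. The sample syslog lines, the CEF extension field names (src, qname) and the hostname table are constructed assumptions, not Infoblox's documented log format.

```python
import re
from collections import Counter

# Constructed sample syslog lines in a CEF-style layout; not real Infoblox output.
SAMPLE_LOG = """\
Oct 27 10:00:01 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.0|RPZ-QNAME|NXDOMAIN|7|src=10.1.1.5 dst=10.0.0.2 qname=bad.example view=default
Oct 27 10:00:02 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.0|RPZ-QNAME|NXDOMAIN|7|src=10.1.1.5 dst=10.0.0.2 qname=bad.example view=default
Oct 27 10:00:03 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.0|RPZ-QNAME|NXDOMAIN|7|src=10.1.1.9 dst=10.0.0.2 qname=evil.test view=default
Oct 27 10:00:04 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.0|RPZ-QNAME|NXDOMAIN|7|src=10.1.1.5 dst=10.0.0.2 qname=bad.example view=default
Oct 27 10:00:05 ns1 named[1234]: client 10.1.1.5#4321: query: www.example.com IN A (ordinary query, no RPZ marker)
Oct 27 10:00:06 ns1 named[1234]: CEF:0|Infoblox|NIOS|7.0|RPZ-QNAME|NXDOMAIN|7|src=10.1.1.7 dst=10.0.0.2 qname=evil.test view=default
"""

# Assumed client IP -> hostname table, e.g. exported from your DNS or DHCP leases.
# DHCP clients change address, so the report is keyed on the hostname when one is known.
HOSTNAMES = {"10.1.1.5": "spamcheck01"}


def parse_cef(line):
    """Return (header_fields, extension_dict) for a line carrying 'CEF:', else None."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    body = line[idx:]
    # CEF has 7 pipe-separated header fields followed by a key=value extension.
    # A literal pipe inside a field is escaped as \|, so split on unescaped pipes only.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        return None
    # Simple key=value scan; values with embedded spaces would need the full CEF escaping rules.
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return parts[:7], ext


def top_rpz_clients(lines, n=10, hostnames=None):
    """Count RPZ hits per (client, queried name) across all lines and return the top n."""
    counts = Counter()
    for line in lines:
        parsed = parse_cef(line)
        if parsed is None:
            continue
        header, ext = parsed
        if not header[4].startswith("RPZ"):  # signature id field; keep only RPZ events
            continue
        client = ext.get("src", "?")
        client = (hostnames or {}).get(client, client)
        counts[(client, ext.get("qname", "?"))] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for (client, qname), hits in top_rpz_clients(SAMPLE_LOG.splitlines(), hostnames=HOSTNAMES):
        print(f"{hits:6d}  {client:<16} {qname}")
```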
09-17-2015 03:30 PM
I'm a security PM here at Infoblox, and I've reviewed this RFE.
I agree completely with your point of view. I am determining next steps.