DNS Reply Code by Client
Here is a dashboard that lets you review the DNS reply code returned when a client sends a DNS request (NoError, NxDomain, ServFail, Refused).
This dashboard can alert you when a lot of DNS requests do not get the answer the client expects, so that you can understand why and fix the problem (create the zone, the record, a forward zone...).
This dashboard works once the prerequisites below are met:
- Reporting is installed and functional
- The Data Connector VM must be installed to have the query log report
- In the reporting properties, DNS query & DNS query capture index must be checked (enabled)
- In the DNS Grid properties, check that DNS response capture is checked and sent to the Data Collector VM
<form>
  <label>DNS Reply Code by clients</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="time">
      <label>Time</label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="client">
      <label>Client</label>
      <choice value="*">All</choice>
      <fieldForLabel>client</fieldForLabel>
      <fieldForValue>client</fieldForValue>
      <default>*</default>
      <prefix>(src_ip="</prefix>
      <suffix>")</suffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="text" token="query">
      <label>Domain</label>
      <choice value="*">All</choice>
      <fieldForLabel>query</fieldForLabel>
      <fieldForValue>query</fieldForValue>
      <default>*</default>
      <prefix>(query="</prefix>
      <suffix>")</suffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="members">
      <label>Members</label>
      <choice value="*">All</choice>
      <search>
        <query>sourcetype=ib:dns:capture index=ib_dns_capture | stats count by host</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>host="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="query_type">
      <label>Query Type</label>
      <choice value="*">All</choice>
      <search>
        <query>sourcetype=ib:dns:capture index=ib_dns_capture | stats count by query_type</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>query_type</fieldForLabel>
      <fieldForValue>query_type</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>query_type="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
    <input type="multiselect" token="reply_code">
      <label>Reply Code</label>
      <choice value="*">All</choice>
      <search>
        <query>sourcetype=ib:dns:capture index=ib_dns_capture | stats count by reply_code</query>
        <earliest>$time.earliest$</earliest>
        <latest>$time.latest$</latest>
      </search>
      <fieldForLabel>reply_code</fieldForLabel>
      <fieldForValue>reply_code</fieldForValue>
      <default>*</default>
      <prefix>(</prefix>
      <suffix>)</suffix>
      <valuePrefix>reply_code="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype=ib:dns:capture index=ib_dns_capture message_type=response $client$ $query$ $members$ $reply_code$ $query_type$ | top 0 src_ip query query_type host reply_code | rename src_ip as client, host as member, query as domain</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
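
The dashboard lists every client/domain/reply code combination; to turn that into the alert described above, the following added example (not part of the original post or of the reporting product) ranks clients by their share of non-NoError responses and shows which lookups fail most. It reuses the field names from the dashboard search; the thresholds and all sample events are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events using the field names the dashboard search relies on
# (src_ip, query, query_type, host, reply_code); every value here is made up.
SAMPLE_EVENTS = (
    [{"src_ip": "10.0.0.5", "query": "intranet.corp.example", "query_type": "A",
      "host": "dns1.example", "reply_code": "NxDomain"}] * 6
    + [{"src_ip": "10.0.0.5", "query": "www.example.com", "query_type": "A",
        "host": "dns1.example", "reply_code": "NoError"}] * 2
    + [{"src_ip": "10.0.0.9", "query": "www.example.com", "query_type": "A",
        "host": "dns2.example", "reply_code": "NoError"}] * 9
    + [{"src_ip": "10.0.0.9", "query": "partner.example.net", "query_type": "AAAA",
        "host": "dns2.example", "reply_code": "ServFail"}] * 1
    + [{"src_ip": "10.0.0.7", "query": "old.example.org", "query_type": "A",
        "host": "dns1.example", "reply_code": "Refused"}] * 2
)


def failing_clients(events, min_responses=5, min_failed_share=0.5):
    """Return clients whose share of non-NoError responses meets the threshold.

    min_responses and min_failed_share are hypothetical tuning values, not
    settings from the dashboard; low-volume clients are skipped to limit noise.
    """
    totals = Counter()
    failures = defaultdict(Counter)  # client -> {(domain, type, reply_code): count}
    for ev in events:
        totals[ev["src_ip"]] += 1
        if ev["reply_code"].lower() != "noerror":
            failures[ev["src_ip"]][(ev["query"], ev["query_type"], ev["reply_code"])] += 1
    report = []
    for client, total in totals.items():
        failed = sum(failures[client].values())
        if total < min_responses or failed / total < min_failed_share:
            continue
        report.append({
            "client": client,
            "total": total,
            "failed": failed,
            "failed_share": round(failed / total, 2),
            # Most frequent failing lookups first: the zone or record to check.
            "top_failures": failures[client].most_common(3),
        })
    return sorted(report, key=lambda r: r["failed_share"], reverse=True)


if __name__ == "__main__":
    for row in failing_clients(SAMPLE_EVENTS):
        print(row)
```
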