Discovering client that queries non-FQDN according to DNS-suffix searchlist
11-15-2018 04:48 AM
The company has been using the DNS suffix list instead of FQDNs. The list has been rather a long one.
In an attempt to shorten the list for security and performance reasons we reconfigured clients and applications, but we would like to make sure that we have accomplished this: that clients are now using FQDNs rather than hostnames, and that suffix-query searching is kept to the absolute minimum.
My question is regarding Reporting:
Is there a Splunk query I could do to catch clients that query the searchlist one by one, row by row, step by step for a hostname+domainsuffix?
Re: Discovering client that queries non-FQDN according to DNS-suffix searchlist
11-16-2018 12:33 PM
I'm sure there is, but would a simpler query just be to look at your high-NXDOMAIN query source clients? Most of our suffix search list abusers are also in the top NXDOMAIN requesters as well. The other search that jumps out is when they add the suffix onto a valid FQDN,
i.e. you wind up with "servername.2nd-level.infoblox.com.infoblox.com".
Those are usually pretty easy to sort to the top of the query list as well.
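The three detections discussed in this thread (a client walking the suffix list one entry at a time for the same hostname, the doubled-suffix pattern where a suffix is appended to an already-valid FQDN, and the per-client NXDOMAIN count from the reply) can be prototyped outside Splunk over exported DNS query logs. The script below is an added example written for this page, not code from either poster or from any DNS vendor. The log line format (`<timestamp> client <ip> query <qname> rcode <RCODE>`), the sample lines, and the `SEARCH_LIST` of `example.com` suffixes are all constructed assumptions; the thread does not give the company's real suffix list or log format.

```python
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the thread). Assumed format:
# "<timestamp> client <ip> query <qname> rcode <RCODE>"
SAMPLE_LOG = """\
2018-11-15T04:48:01 client 10.0.0.5 query fileserver.sales.example.com rcode NXDOMAIN
2018-11-15T04:48:01 client 10.0.0.5 query fileserver.corp.example.com rcode NXDOMAIN
2018-11-15T04:48:01 client 10.0.0.5 query fileserver.example.com rcode NOERROR
2018-11-15T04:48:02 client 10.0.0.7 query fileserver.example.com rcode NOERROR
2018-11-15T04:48:03 client 10.0.0.9 query app01.example.com.example.com rcode NXDOMAIN
2018-11-15T04:48:03 client 10.0.0.9 query app01.example.com rcode NOERROR
"""

# Assumed DNS suffix search list (placeholder domains, not the poster's real list).
SEARCH_LIST = ["sales.example.com", "corp.example.com", "example.com"]


def parse_log(text):
    """Parse the assumed log format into dicts; silently skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] != "client" or parts[3] != "query" or parts[5] != "rcode":
            continue
        records.append({
            "ts": parts[0],
            "client": parts[2],
            "qname": parts[4].rstrip(".").lower(),  # normalise trailing dot and case
            "rcode": parts[6].upper(),
        })
    return records


def split_on_search_list(qname, search_list):
    """Return (host, suffix) if qname ends with a search-list suffix, else None.
    Longest suffix is tried first so 'sales.example.com' wins over 'example.com'."""
    for suffix in sorted(search_list, key=len, reverse=True):
        suffix = suffix.lower()
        if qname.endswith("." + suffix):
            return qname[: -len(suffix) - 1], suffix
    return None


def find_searchlist_walkers(records, search_list, min_suffixes=2):
    """Clients that queried the same bare hostname under several suffixes and got
    at least one NXDOMAIN along the way: the 'one by one, row by row' pattern."""
    tried = defaultdict(list)   # (client, host) -> suffixes in query order
    nxdomain = Counter()        # (client, host) -> NXDOMAIN answers seen
    for r in records:
        parts = split_on_search_list(r["qname"], search_list)
        if parts is None:
            continue
        host, suffix = parts
        key = (r["client"], host)
        if suffix not in tried[key]:
            tried[key].append(suffix)
        if r["rcode"] == "NXDOMAIN":
            nxdomain[key] += 1
    return {k: v for k, v in tried.items() if len(v) >= min_suffixes and nxdomain[k] > 0}


def find_doubled_suffix(records, search_list):
    """Queries where the name left after stripping one suffix still ends in a
    suffix, i.e. a valid FQDN had a search-list entry appended to it."""
    hits = []
    for r in records:
        parts = split_on_search_list(r["qname"], search_list)
        if parts is None:
            continue
        host, _ = parts
        if split_on_search_list(host, search_list) is not None:
            hits.append((r["client"], r["qname"]))
    return hits


def nxdomain_by_client(records):
    """The reply's shortcut: rank source clients by NXDOMAIN volume."""
    return Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")


def report(text=SAMPLE_LOG, search_list=SEARCH_LIST):
    records = parse_log(text)
    return {
        "walkers": find_searchlist_walkers(records, search_list),
        "doubled": find_doubled_suffix(records, search_list),
        "nxdomain": nxdomain_by_client(records),
    }


if __name__ == "__main__":
    res = report()
    for (client, host), suffixes in res["walkers"].items():
        print(f"search-list walk: {client} tried '{host}' under {suffixes}")
    for client, qname in res["doubled"]:
        print(f"doubled suffix:   {client} queried {qname}")
    for client, n in res["nxdomain"].most_common():
        print(f"NXDOMAIN count:   {client} -> {n}")
```

On the constructed sample, `10.0.0.5` is flagged as walking three suffixes for `fileserver`, `10.0.0.9` produces the doubled-suffix query, and the NXDOMAIN ranking puts `10.0.0.5` on top, matching the reply's observation that walkers also dominate the NXDOMAIN list. The same ranking maps directly onto Splunk once the DNS logs are indexed; with the field names `client` and `rcode` assumed as above, `| stats count(eval(rcode="NXDOMAIN")) AS nxdomain_count BY client | sort - nxdomain_count` gives the first cut, and the walker detection corresponds to grouping by client and the hostname label with `dc()` over the suffix.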