THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

Reporting

Reply

Discovering client that queries non-FQDN according to DNS-suffix searchlist
njsvs
New Member
Posts: 1

‎11-15-2018 04:48 AM

8804     0

The company have been using the DNS-suffixlist instead of using FQDN. The list have been rather a long one. 

 

In an attempt to shorten the list for security and performance reasons we reconfigured clients and applications but would like to make sure that we have accomplished that clients are now using FQDN rather than using hostnames and leaving the suffix-query searching to the absolut minimum.

 

My question is regarding Reporting:

 

Is there a Splunk-query i could do to catch clients that queries the searchlist one by one, row by row, step by step for a hostname+domainsuffix?

 

Thanx

Labels:
Reply
0 Kudos

Re: Discovering client that queries non-FQDN according to DNS-suffix searchlist
DEvans
Expert
Posts: 12

‎11-16-2018 12:33 PM

8804     0

I'm sure there is, but would a simplier query just be to look at your high NXDOMAIN query source clients.   Most of our suffix search list abusers are also on the top NXDOMAIN requests as well.   The other search that jumps out is when they add the suffix onto a valid FQDN.   

 

ie you wind up with "servername.2nd-level.infoblox.com.infoblox.com"   

 

Those are usually pretty easy to sort to the top of the query list as well.


Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements