DNS Statistics - BlueCat Integrity - 9.4.0

Address Manager API Guide


The DNS Statistics service uses BIND statistics to provide insights into the health of the views and zones configured on a DNS/DHCP Server. You can use this information to analyze DNS configuration and processing information to identify any anomalies or misconfiguration in your DNS environment.

When enabled, DNS statistics information is collected by the DNS/DHCP Server based on the configured parameters, and sent to a configured destination. You can choose to send the information to a Splunk server or HTTP endpoint, such as a data lake. If you are configuring DNS Statistics to send data to a Splunk server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information.
Attention:
  • You can only enable this service on DNS/DHCP Server v9.4.0 or greater.
  • The DNS Statistics service listens on port 8053 locally.
  • If you are configuring DNS Statistics to send event messages to a Splunk host, the Splunk server might truncate the DNS Statistics JSON event messages due to default size settings on the Splunk server. If this occurs, BlueCat recommends updating the truncation level set in the props.conf file. For more information, refer to the Splunk documentation.

Example HTTP endpoint configuration

{
    "version": "1.1.0",
    "services": {
        "dnsStatistics": {
            "configurations": [
                {
                    "dnsStatisticsConfiguration": {
                        "sources": [
                            {
                                "pollingInterval": 350,
                                "type": "bind"
                            }
                        ],
                        "sinks": [
                            {
                                "type": "http",
                                "uri": "https://10.0.0.1:9002/endpoint",
                                "token": "<bearer_token>",
                                "healthCheck": true,
                                "healthCheckUri": "https://10.0.0.1:9002/endpoint/healthcheck",
                                "buffer": {
                                    "type": "memory",
                                    "maxEvents": 500
                                },
                                "tls": {
                                    "caCert": "<certificate_content>",
                                    "verifyCertificate": true,
                                    "verifyHostname": true
                                }
                            }
                        ],
                        "enable": true
                    }
                }
            ]
        }
    }
}

Example Splunk endpoint configuration

{
    "version": "1.1.0",
    "services": {
        "dnsStatistics": {
            "configurations": [
                {
                    "dnsStatisticsConfiguration": {
                        "sources": [
                            {
                                "pollingInterval": 350,
                                "type": "bind"
                            }
                        ],
                        "sinks": [
                            {
                                "type": "splunk_hec",
                                "host": "https://10.0.0.1:9002",
                                "token": "MghrvMTU4NjIyMzA0NjYxMzpwb3J0YWxVc2Vy",
                                "healthCheck": true,
                                "buffer": {
                                    "type": "memory",
                                    "maxEvents": 500
                                },
                                "tls": {
                                    "caCert": "<certificate_content>",
                                    "verifyCertificate": true,
                                    "verifyHostname": true
                                }
                            }
                        ],
                        "enable": true
                    }
                }
            ]
        }
    }
}
Parameters
  • Under sources, enter the following information:
    • pollingInterval—enter the frequency at which the DNS/DHCP Server is polled for DNS Statistics. By default, the DNS/DHCP Server is polled every 5 minutes.
    • type—enter the type of statistics to retrieve. For DNS Statistics service, enter bind.
  • Under sinks, enter the following information:
    • type—enter where the DNS Statistics data will be logged. You can enter http to log data to an HTTP endpoint or splunk_hec to log data to a Splunk server.
      If you enter http, enter the following additional parameters:
      • uri—enter the URI of the HTTP endpoint that will be consuming the DNS statistics information.
        Note:
        • BlueCat recommends entering the IP address of the endpoint in this field. If you are entering a hostname, you cannot use this DNS/DHCP Server as a DNS resolver.
        • If the domain name is used in the URI, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
      • token—enter the bearer token used to authenticate with the HTTP endpoint. This field is optional.
      • healthCheck—set to true to enable the health check service; set to false to disable the health check service. Upon initialization, the health check ensures that the downstream service is accessible and can accept the DNS statistics data.
      • healthCheckUri—enter the URI of the HTTP endpoint that will be consuming the health check information.
      If you enter splunk_hec, enter the following additional parameters:
      • host—enter the URI of the Splunk HEC host. The standard format of the HEC URI in Splunk Enterprise is as follows:
        <protocol>://<host>:<port>
        Note:
        • BlueCat recommends entering the IP address of the endpoint in this field. If you are entering a hostname, you cannot use this DNS/DHCP Server as a DNS resolver.
        • If the domain name is used in the URI, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
      • token—enter the Splunk HEC token.
      • healthCheck—set to true to enable the health check service; set to false to disable the health check service. Upon initialization, the health check ensures that the downstream service is accessible and can accept the DNS statistics data.
        Note: When healthCheck is set to true, the DNS/DHCP Server uses the default Splunk health check endpoint at /services/collector/health/1.0.
      Note: The values of the uri, healthCheckUri, and host fields must be URIs that follow the format outlined in RFC 2396.
    • When configuring buffer settings, enter the following parameters:
      • type—enter the buffer type where DNS statistics events are stored until they are processed. Once the buffer is full, the newest events are dropped.
        • memory—DNS statistics events that have not been processed are stored in the memory of the DNS/DHCP Server. If you select memory, enter the following additional parameter:
          • maxEvents—enter the maximum number of DNS statistics events to be stored in the buffer. The maximum value is 36,436,000 events.
    • When configuring tls settings, enter the following parameters:
      • caCert—enter the content of the CA certificate used to verify the server certificate during the TLS handshake. The caCert must be in PEM format.
      • verifyCertificate—set to true to force verification of the server certificate during the TLS handshake using the CA certificate that was entered; set to false if you do not want to verify the server certificate.
      • verifyHostname—set to true to validate the hostname section of the URI against the CN (Common Name) or SAN (Subject Alternative Name) of the server certificate during the TLS handshake; set to false if you do not want to perform this validation.
  • enable—set to true to enable DNS statistics service; set to false to disable DNS statistics service.
    Note: When you enable DNS Statistics, the firewall rules on the DNS/DHCP Server are modified to allow egress to the specified URI endpoint. Outbound traffic is allowed for the specified IP address.
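
The following is an added example, not part of BlueCat's documentation: a small Python lint that checks the sinks of a dnsStatistics configuration against the parameters described above before the configuration is deployed. The function names, the constructed sample sink (address 192.0.2.10, port 8088) and the policy of requiring https and explicit true values for verifyCertificate and verifyHostname are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

MAX_EVENTS = 36_436_000  # maximum buffer size stated on this page
URI_FIELDS = {"http": ("uri", "healthCheckUri"), "splunk_hec": ("host",)}

def lint_sink(sink):
    """Return findings for one "sinks" entry (an empty list means none)."""
    kind = sink.get("type")
    if kind not in URI_FIELDS:
        return [f"type {kind!r} is neither http nor splunk_hec"]
    out = []
    primary = URI_FIELDS[kind][0]
    if not sink.get(primary):
        out.append(f"{primary} is missing")
    for field in URI_FIELDS[kind]:
        # Plain http would expose the token and the statistics in transit.
        if sink.get(field) and urlsplit(sink[field]).scheme != "https":
            out.append(f"{field} is not https: token and data are unencrypted in transit")
    if kind == "splunk_hec" and not sink.get("token"):
        out.append("token is missing")  # the page marks token optional only for http
    tls = sink.get("tls", {})
    for flag in ("verifyCertificate", "verifyHostname"):
        # Assumption: defaults are not documented here, so require explicit true.
        if tls.get(flag) is not True:
            out.append(f"tls.{flag} is not true")
    if tls.get("verifyCertificate") is True and \
            "-----BEGIN CERTIFICATE-----" not in str(tls.get("caCert")):
        out.append("tls.caCert is not a PEM certificate")
    max_events = sink.get("buffer", {}).get("maxEvents")
    if isinstance(max_events, int) and max_events > MAX_EVENTS:
        out.append(f"buffer.maxEvents exceeds {MAX_EVENTS}")
    return out

def lint_config(doc):
    """Walk services.dnsStatistics.configurations and lint every sink."""
    findings = []
    for entry in doc["services"]["dnsStatistics"]["configurations"]:
        sinks = entry["dnsStatisticsConfiguration"].get("sinks", [])
        for i, sink in enumerate(sinks):
            findings += [f"sinks[{i}]: {msg}" for msg in lint_sink(sink)]
    return findings

# Constructed sample: a Splunk sink with the weak settings the lint should catch.
WEAK = json.loads("""{"version": "1.1.0", "services": {"dnsStatistics": {"configurations": [
  {"dnsStatisticsConfiguration": {"enable": true,
    "sources": [{"pollingInterval": 350, "type": "bind"}],
    "sinks": [{"type": "splunk_hec", "host": "http://192.0.2.10:8088",
               "token": "<hec_token>", "healthCheck": true,
               "buffer": {"type": "memory", "maxEvents": 500},
               "tls": {"verifyCertificate": false, "verifyHostname": false}}]}}]}}}""")
```

Calling lint_config(WEAK) returns three findings for sinks[0]: the http scheme in host and the two disabled TLS checks.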