The following section outlines the steps to configure DNS Activity. If you are configuring DNS Activity to send data to a Splunk server, ensure that you have the Splunk HTTP Event Collector (HEC) host and token information.
To configure DNS Activity on a DNS/DHCP Server:
- From the configuration drop-down menu, select a configuration.
- Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
- Under Servers, click the name of a BDDS. The Details tab for the server opens.
- Click the server name menu and select Service Configuration.
- From the Service Type drop-down menu, select DNS Activity. Address Manager queries the server and returns the current values for the service settings.
Under General Settings, set the following
- Enable DNS Activity—select this check box to
enable DNS Activity service; deselect this check box to disable DNS
Activity service.Note: When you enabled DNS Activity, the firewall rules on the DNS/DHCP Server are modified to allow egress to the specified URI endpoint. Outbound traffic is allowed for the specified IP address.Attention: Enabling the DNS Activity service can be resource intensive and might affect the performance of the DNS/DHCP Server.
- Output Type—select where the DNS Activity data
will be logged. You can select HTTP to log data to an HTTP
endpoint or Splunk to log data to a Splunk server.If you select HTTP, the following fields appear:
If you select Splunk, the following fields appear:
- Output URI—enter the URI of the HTTP
endpoint that will be consuming the DNS query and response
- BlueCat recommends entering the IP address of the endpoint in this field. If you are entering a hostname, you must use a different DNS server as the resolver for that host. The DNS/DHCP server you are configuring DNS activity on can still be used as a resolver for clients, but cannot be used as a resolver for its own OS related lookups.
- If the domain name is used in the URI, you must ensure that the domain name can be resolved on the DNS/DHCP Server.
- If you change the IP address associated to the URI after you have configured DNS Activity, you must disable and re-enable the DNS Activity service to ensure that the firewall rules on the DNS/DHCP Server are updated to allow egress to the new IP address.
- Bearer Token (Optional)—enter the bearer token used to authenticate with the HTTP endpoint.
- Healthcheck—select this check box to enable health check service; deselect this check box to disable health check service. Upon initialization, the healthcheck ensures that the downstream service is accessible and can accept the DNS query data.
- Healthcheck URI—enter the URI of the HTTP endpoint that will be consuming the health check information.
Note: The URI of the Output URI, Healthcheck URI, and Host fields must follow the format outlined in RFC2396.
- Host—enter the URI of the Splunk HEC
host. The standard format of the HEC URI in Splunk
Enterprise is as follows:
<protocol>://<FQDN of the host only>:<port>Note:
- Ensure that the HEC URI format is followed exactly as described above without adding or omitting any pieces. The port is required, even if default. Do not include extra slashes or folders in the URI.
- Token—enter the Splunk HEC token.
- Healthcheck—select this check box to
enable health check service; deselect this check box to
disable health check service. Upon initialization, the
healthcheck ensures that the downstream service is
accessible and can accept the DNS query data. Note: When selecting this check box, the DNS/DHCP Server uses the default Splunk healthcheck endpoint at
- Output URI—enter the URI of the HTTP endpoint that will be consuming the DNS query and response information.
- TLS Options—select this check box to configure
TLS options. Attention: If you enter a HTTPS endpoint in the Output URI or Healthcheck URI field when configuring HTTP as the Output Type, or enter a HTTPS URI in the Host field when configuring Splunk as the Output Type, you must select this check box and enter TLS information.
- Under CA Certificate Upload, click
Browse and locate the CA certificate
(trusted third party or self-signed) that will be used to
authenticate the CA signature on the TLS server certificate of
the remote host.Note: The file containing the CA certificate or certificate bundle must be in PEM format. To ensure a successful TLS handshake, the CA certificate uploaded to the client (BAM) should be the same CA certificate (and intermediate certificates if applicable) used by the server to authenticate the CA signature of its TLS server certificate. The CA certificate can be acquired via browser export or other trusted source, and converted to PEM format.
- Click Upload to upload the CA certificate.
- Select the Verify Certificate check box
to attempt a TLS handshake using the uploaded CA certificate
with the remote host's TLS server
certificate.Note: Verify Certificate does not verify the authenticity of the uploaded certificate. Verify Certificate in this context only checks if the CA certificate matches correctly with the TLS server certificate to create a successful handshake.Note: If encountering errors with Verify Certificate, the CA/chain-CA certificates may have to be installed manually on the DNS/DHCP Server. Refer to KB-17944 on the BlueCat Customer Care portal for manual installation instructions.
- Select the Verify Hostname check box to
validate the hostname part of the URI against the CN (Common
Name) or SAN (Subject Alternative Name) of the server
certificate during the TLS handshake.Note: If using self-signed certificates, users are advised to add a subject alternative name with the IP address (see RFC 5280 22.214.171.124), or disable the Verify Hostname check.
- Under CA Certificate Upload, click Browse and locate the CA certificate (trusted third party or self-signed) that will be used to authenticate the CA signature on the TLS server certificate of the remote host.
- Enable DNS Activity—select this check box to enable DNS Activity service; deselect this check box to disable DNS Activity service.
Under Buffer Settings, set the following
- Buffer Type—select the buffer type where DNS
events are stored until they are processed. Once the buffer is full, the
newest events are dropped. The buffer type can be one of the following:
- Memory—DNS activity that has not been processed is
stored in the memory of the DNS/DHCP Server. This is the
default Buffer Type selection. If you
select Memory, the following field appears:
- Max Events—enter the maximum
number of DNS events to be stored in the buffer. The
maximum value is 64,000,000 events.Note: You can enter a value for this field based on the highest possible queries per second (QPS) that can be sent to the DNS/DHCP Server and how quickly the endpoint processes events. For example, if the highest possible QPS for your environment is 20,000 QPS, the value of this field can be set to 200,000 to ensure that 10 seconds of events are stored in the DNS Activity buffer in the event that the endpoint processes queries slowly.
- Max Events—enter the maximum number of DNS events to be stored in the buffer. The maximum value is 64,000,000 events.
- Disk—DNS activity that has not been processed is
stored on the disk of the DNS/DHCP Server. If you select
Disk, the following field appears:
- Max Size—enter the maximum amount of disk space (in bytes) to allocate to the buffer. The maximum value is 7,500,000,000 bytes.
- Memory—DNS activity that has not been processed is stored in the memory of the DNS/DHCP Server. This is the default Buffer Type selection. If you select Memory, the following field appears:
- Buffer Type—select the buffer type where DNS events are stored until they are processed. Once the buffer is full, the newest events are dropped.
Under Filters (Optional), set the following
Note: You can configure a maximum of 10 exclusion filters.
- Categories to Exclude—select the categories of
DNS events to exclude from logging. You can exclude DNS events based on
Domain name, Queries, Responses, or Source
- You cannot configure the Queries exclusion category with a subcategory set to All and the Responses exclusion category with a subcategory set to All in the same DNS Activity configuration.
- When filtering content using the Queries or Responses categories, there are certain scenarios where event messages are not generated. For more information, refer to Scenarios: DNS Activity event messages are not generated.
- Subcategory—select the DNS message types that are
to be excluded from being logged. This field appears when you select
Queries or Response as the Categories to
Exclude. The DNS message types that can be configured to be excluded are as follows:
- All—excludes all queries or responses, regardless of message type.
- Client—excludes client queries or responses.
- Auth—excludes authoritative queries or responses.
- Resolver—excludes resolver queries or responses.
- Forwarder—excludes forwarder queries or responses.
- Update—excludes update queries or responses.
For more information on DNS message types, refer to Reference: DNS Activity event message examples.
- Domain Name—enter domain names that are to be
excluded from being logged. This field appears when you select Domain
name as the Categories to
Exclude.Note: Domain names only support wildcard characters at the left-most position. For example, *.example.com or *-host.example.com.
- Source address—enter the IPv4 or IPv6 block in CIDR notation to be excluded from being logged. For example, 192.0.2.0/24 or 2001:6789::/64. This field appears when you select Query address as the Categories to Exclude.
- Filter exclusions are enacted based on the order that they appear in. You can use the Move Up, Move Down, and Remove to modify the content of the list and the order in which exclusions are enacted. BlueCat recommends excluding content from a granular to a broad scope. For example, exclusions of queries should appear higher on the list before exclusions of top-level domains and sub-domains.
- Filter exclusions of the same Category to
Exclude are grouped together when they are applied
based on the first occurrence of the exclusion category. For
example, if the following filters are added in the
Filters (Optional) section:
- Source Address
- Domain Name
- Source Address
- Source Address
- Domain Name
- Source Address
- Categories to Exclude—select the categories of DNS events to exclude from logging. You can exclude DNS events based on Domain name, Queries, Responses, or Source address.
If you do not have DNS service deployed to the DNS/DHCP Server, after you click Update, you must perform a DNS deployment on the DNS/DHCP Server for DNS Activity events to be generated. If DNS service is already configured on the DNS/DHCP Server, the DNS Activity service is enabled upon clicking Update.
Under DNS Activity Status, you can verify whether the DNS Activity log service is running on the DNS/DHCP Server.
The service batches data that is sent to the configured destination. Batches are flushed from the system and sent to the configured destination when the age of the batch reaches 1 second, or when the size of the batch reaches 1049000 bytes.
If the service receives an HTTP response status code of 429 or greater than 500 except for 501, the service attempts to retry sending the failed request 5 times. If the service still cannot send the failed request after 5 attempts, the event message is dropped and an error message is logged.
In the event of a service disruption, such as a network error or the system crashes, DNS Activity service attempts to mitigate event loss. If you enable the Disk buffer type, in the event that the system goes down, the messages are copied to disk and sent when the service is restored. In the event of network connectivity issues, the service retries failed requests. There might be a loss of data if the DNS Activity process stops on the DNS/DHCP Server while DNS service is running and processing DNS queries.