DNS Activity - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

The DNS Activity service uses dnstap to provide visibility into the DNS queries, responses, and DDNS updates processed by a DNS/DHCP Server. You can use this information to analyze DNS activity, monitor the health of your network, and identify anomalies that might indicate malicious activity. For more information on dnstap, refer to https://dnstap.info/.

When enabled, DNS query and response information is collected by the DNS/DHCP Server based on the configured parameters and sent to a configured destination. You can choose to send the information to a Splunk™ server or to an HTTP endpoint, such as a data lake.
Attention:
  • You can only enable this service on DNS/DHCP Server v9.3.0 or greater.
  • Upon upgrading to DNS/DHCP Server v9.3.0 or greater, you must perform a full DNS deployment on the DNS/DHCP Servers that will be configured with the DNS Activity service.
  • Enabling the DNS Activity service is resource intensive and might affect the performance of the DNS/DHCP Server. Configuring filters on Queries or Responses reduces this overhead and can improve the QPS performance of the DNS Activity service by up to two times. For more information on configuring filters, refer to Configuring DNS Activity.
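The events the service sends to an HTTP endpoint or data lake are JSON records, which makes them straightforward to analyze for the anomalies the paragraph above mentions. The following script is an added example and not BlueCat's code: it parses a constructed batch of newline-delimited JSON events, summarizes queries, responses and updates per client, and flags clients whose responses are mostly NXDOMAIN (a common sign of misconfiguration or lookups for non-existent, generated names). The field names used here (type, client, qname, qtype, rcode) are assumptions, not the product's predefined key/value schema; adapt the accessors to the real schema before using this on production data.

```python
"""Summarize DNS Activity style JSON events per client and flag NXDOMAIN-heavy clients.

Added example, not BlueCat code. The JSON field names (type, client, qname,
qtype, rcode) are assumed for illustration and do not reproduce BlueCat's schema.
"""
import json
from collections import Counter, defaultdict

# Constructed sample batch, newline-delimited JSON as an HTTP endpoint or data
# lake might store it. Includes one malformed line to show it is skipped.
SAMPLE_EVENTS = """\
{"type": "query", "client": "10.0.0.5", "qname": "www.example.com.", "qtype": "A"}
{"type": "response", "client": "10.0.0.5", "qname": "www.example.com.", "qtype": "A", "rcode": "NOERROR"}
{"type": "query", "client": "10.0.0.5", "qname": "mail.example.com.", "qtype": "MX"}
{"type": "response", "client": "10.0.0.5", "qname": "mail.example.com.", "qtype": "MX", "rcode": "NOERROR"}
{"type": "query", "client": "10.0.0.9", "qname": "x7k2.bad.example.", "qtype": "TXT"}
{"type": "response", "client": "10.0.0.9", "qname": "x7k2.bad.example.", "qtype": "TXT", "rcode": "NXDOMAIN"}
{"type": "query", "client": "10.0.0.9", "qname": "q9p1.bad.example.", "qtype": "TXT"}
{"type": "response", "client": "10.0.0.9", "qname": "q9p1.bad.example.", "qtype": "TXT", "rcode": "NXDOMAIN"}
{"type": "query", "client": "10.0.0.9", "qname": "m4v8.bad.example.", "qtype": "TXT"}
{"type": "response", "client": "10.0.0.9", "qname": "m4v8.bad.example.", "qtype": "TXT", "rcode": "NXDOMAIN"}
{"type": "query", "client": "10.0.0.9", "qname": "www.example.com.", "qtype": "A"}
{"type": "response", "client": "10.0.0.9", "qname": "www.example.com.", "qtype": "A", "rcode": "NOERROR"}
{"type": "update", "client": "10.0.0.7", "qname": "host7.corp.example.", "qtype": "A"}
this line is not JSON and is skipped
"""


def parse_events(ndjson):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_by_client(events):
    """Return {client: Counter(queries, responses, nxdomain, updates)}."""
    stats = defaultdict(Counter)
    for ev in events:
        client = ev.get("client", "unknown")
        kind = ev.get("type")
        if kind == "query":
            stats[client]["queries"] += 1
        elif kind == "response":
            stats[client]["responses"] += 1
            if ev.get("rcode") == "NXDOMAIN":
                stats[client]["nxdomain"] += 1
        elif kind == "update":
            stats[client]["updates"] += 1
    return stats


def flag_anomalies(stats, min_responses=3, nxdomain_ratio=0.5):
    """Clients with enough responses whose NXDOMAIN share meets the threshold.

    The minimum response count avoids flagging a client on one or two lookups
    and also guards the division below against clients with no responses.
    """
    flagged = []
    for client, c in stats.items():
        if c["responses"] >= min_responses and c["nxdomain"] / c["responses"] >= nxdomain_ratio:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    stats = summarize_by_client(parse_events(SAMPLE_EVENTS))
    for client, c in sorted(stats.items()):
        print(client, dict(c))
    print("NXDOMAIN-heavy clients:", flag_anomalies(stats))
```

The thresholds are deliberately simple; in practice you would tune them to the baseline of your own zones and feed the flagged clients into the same Splunk or data lake pipeline the events arrive on.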

Comparing DNS Activity and Querylogging

The following table outlines the differences between DNS Activity and Querylogging features on DNS/DHCP Server.

DNS Activity
  • Drops messages in the event of extreme loads on the server.
  • Can be configured to filter queries based on certain criteria such as domain name, source address, and query type.
  • Events are written in JSON format with a predefined key value schema.
  • Captures DNS queries, responses, and updates.
  • Can be configured through the Address Manager UI and API.

Querylogging
  • Impacts DNS QPS performance in the event of extreme loads on the server.
  • Does not include filtering capabilities.
  • Events are not written in a standard format and do not have a key value schema.
  • Captures DNS queries only.
  • Can only be configured through the DNS/DHCP Server CLI.

For more information on Querylogging, refer to Querylogging.