The DNS Activity service uses dnstap to provide visibility into the DNS queries and responses, and DDNS updates that are processed by a DNS/DHCP Server. You can use this information to analyze DNS activity, enabling you to monitor the health of your network and identify any anomalies that might indicate malicious activity. For more information on dnstap, refer to https://dnstap.info/.
When enabled, DNS query and response information is collected by the DNS/DHCP Server
based on the configured parameters and sent to a configured destination. You can choose
to send the information to an HTTP endpoint, Splunk server, Kafka cluster, or
Elasticsearch server.
Attention:
- You can only enable this service on DNS/DHCP Server v9.3.0 or greater.
- Upon upgrading to DNS/DHCP Server v9.3.0 or greater, you must perform a full DNS deployment on the DNS/DHCP Servers that will be configured with the DNS Activity service.
- Output to Kafka clusters and Elasticsearch servers can only be configured on DNS/DHCP Server v9.5.0.
- Enabling the DNS Activity service can be resource intensive and might affect the performance of the DNS/DHCP Server; however, configuring filters by Queries or Responses can greatly improve the QPS performance of the DNS Activity service by up to two times. For more information on configuring filters, refer to Configuring DNS Activity.
Comparing DNS Activity and Querylogging
The following table outlines the differences between DNS Activity and Querylogging features on DNS/DHCP Server.
DNS Activity | Querylogging |
---|---|
|
|
For more information on Querylogging, refer to Querylogging.