The DNS activity screen displays DNS queries from the configured sites. Available information includes the date and time of the query, the source and site, the query name and type, the response, and the policy action (block, trust, or monitor) that was taken. You can filter the DNS activity list by time, sites, site groups, and other criteria.
Viewing DNS activity
- In the BlueCat Edge window, click [icon].
- Select the DNS Activity tab. For more information about the Threat Activity tab, see Identifying threat activity.
- Click [icon] to refresh the DNS queries list.
- Click Add filter to select additional filter parameters. For filters that accept input, once you have selected that filter, the input field auto-completes values as you begin to type:
- Time: Sets the data filter for the specified time frame.
- You can specify whether you want data returned within the Last 10 minutes, Last 1 hour, Last 24 hours, Yesterday, Last 7 days, or a Custom time frame. By default, the DNS activity page returns all queries logged.
- When using Custom, select two dates on the calendar to specify the time frame. You can also manually enter the date and time in the Start and End fields. This can include both the date and time, or only a date or only a time. If no time is specified, results are returned from 00:00:00 (midnight).
Note: If you are using keyboard navigation, you can use the Page Up and Page Down keys to navigate between months and years on the calendar.
- By default, the DNS Insights tab is optimized to display data collected within the last 7 days. Changing the time frame doesn't modify this default period.
- Site: Sets the data filter for the specified site name.
- Source IP: Sets the data filter for the specified source IP address(es). Must be a valid IPv4 or IPv6 address, or list of IPv4 or IPv6 addresses.
- Query name: Sets the data filter for the specified query name.
- Query type: Sets the data filter for the specified query type.
- Response code: Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
- Response IP: Sets the data filter for DNS events resolving to any of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es).
- Policy: Sets the data filter for the specified policy name.
- Policy action: Sets the data filter for the specified policy action (Trust, Block, Monitor, Redirect, None).
- DNS resolver service: Sets the data filter for the specified DNS resolver service that the query passed through.
- GSLB rule: Sets the data filter for a specified GSLB rule. When the filter is enabled, select one of the following GSLB rule filter options:
- All queries: Sets the data filter to display all queries, regardless of GSLB rule.
- Queries matching any rule: Sets the data filter to display all queries that matched any GSLB rule.
- Queries matching specific rules: Sets the data filter to display queries that matched against specified GSLB rules. When selected, enter the GSLB rule names that you would like to display matching queries for.
Note: If a GSLB rule name has been updated multiple times, filtering by name may return results for all queries that matched the previous names associated with that rule. GSLB rule filtering is based on the GSLB rule ID, which remains constant regardless of name changes.
- Threat Type: Sets the data filter for the specified threat type (DGA, Tunneling).
- Threat Indicator: Sets the data filter for the specified threat indicator (Entropy, Advanced DGA, Host Size, Suspect DNS, Suspect TLD, Uncommon Rec, Unique Char, Vol Tunnel).
- Protocol: Sets the data filter for the specified query protocol (TCP, UDP).
- Namespace: Sets the data filter for the specified namespace.
- Latency: Sets the data filter for the specified latency range for DNS queries. Select None (0 - 1 ms), Low (1 - 20 ms), Medium (20 - 100 ms), High (100 ms and above), or Custom (in milliseconds). If you select Custom, FROM must be less than or equal to TO.
- User ID: Sets the data filter for the specified User ID that initiated the DNS query. The User ID information is only returned when you enable the Add identity information to queries option on a site. For more information, refer to Creating a site.
You can edit filter parameters by selecting the name of the parameter or delete filter parameters by clicking the x icon next to the filter.
- Click [icon] to add another tab. In the Add Tab window, select the available columns on the left, then click Add Tab. You must enter a name for the tab in the Title field. You can add multiple columns to the tab, and click and drag a selected column on the right to re-order the columns. To delete the tab, click the delete button beside the tab name.
Note: The Date & Time column is selected by default.
- Click [icon] to select the columns you want displayed in the tab. In the Update Tab window, select the available columns on the left, then click Update Tab. You can click and drag a selected column on the right to re-order the columns. To restore the default columns and order, click Restore Defaults.
- To view detailed information about a DNS query, click the query.
In the DNS query information panel, you can click links to view sites, namespaces, policies, and (for Vol Tunnel threat indicators) system lists associated with the query. When you click a link, a new tab opens in the panel, allowing you to return to the query information easily.
Click [icon] next to different fields to filter the DNS activity results based on the value of that field.
Click Inspect Client Activity to retrieve additional query information from the source IP of the current query. For more information, refer to Client activity.
- Click [icon] to download a CSV file containing detailed query log information about the DNS Activity based on the selected filters. The CSV file contains up to 10,000 queries.
Note: If a query contains multiple Answer and Authority records, only the first five of each record are returned. However, the CSV file displays the total count of Answer and Authority records for each query.
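An offline model of the filter semantics and CSV export rules described above, useful when triaging an exported log without the UI. This is an added example, not BlueCat Edge code; the record fields, the bucket boundary handling (lower bound inclusive, upper bound exclusive) and the inclusive Custom range are assumptions, and the sample queries are constructed.

```python
import csv
import io
import ipaddress

# Latency buckets in ms as the page lists them. Assumption: lower bound inclusive,
# upper bound exclusive, so a 20 ms query falls in Medium, not Low.
LATENCY_BUCKETS = {"None": (0, 1), "Low": (1, 20), "Medium": (20, 100),
                   "High": (100, float("inf"))}
MAX_CSV_ROWS = 10_000   # the CSV download holds at most 10,000 queries
MAX_RECORDS = 5         # only the first five Answer / Authority records are written

def latency_range(bucket, custom=None):
    """(lo, hi) in ms for a named bucket or a Custom (FROM, TO) pair."""
    if bucket == "Custom":
        lo, hi = custom
        if lo > hi:                 # the UI rule: FROM must be <= TO
            raise ValueError("Custom latency: FROM must be <= TO")
        return lo, hi + 1           # Custom bounds treated as inclusive (assumption)
    return LATENCY_BUCKETS[bucket]

def parse_source_ips(text):
    """Comma-separated Source IP filter; ipaddress rejects anything not IPv4/IPv6."""
    return {ipaddress.ip_address(p.strip()) for p in text.split(",") if p.strip()}

def filter_activity(records, latency=None, custom=None, source_ips=None):
    lo, hi = latency_range(latency, custom) if latency else (0, float("inf"))
    ips = parse_source_ips(source_ips) if source_ips else None
    return [r for r in records if lo <= r["latency_ms"] < hi
            and (ips is None or ipaddress.ip_address(r["source"]) in ips)]

def export_csv(records):
    """CSV like the download: row cap, first five records per section, full counts."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["source", "qname", "latency_ms", "answers", "answer_count",
                "authority", "authority_count"])
    for r in records[:MAX_CSV_ROWS]:
        w.writerow([r["source"], r["qname"], r["latency_ms"],
                    " ".join(r["answers"][:MAX_RECORDS]), len(r["answers"]),
                    " ".join(r["authority"][:MAX_RECORDS]), len(r["authority"])])
    return buf.getvalue()

# Constructed sample queries (not real traffic); the first has 7 A records.
SAMPLE = [
    {"source": "10.0.0.5", "qname": "example.com", "latency_ms": 20,
     "answers": [f"192.0.2.{i}" for i in range(1, 8)], "authority": ["ns1.example.com"]},
    {"source": "2001:db8::7", "qname": "bad.test", "latency_ms": 140,
     "answers": [], "authority": []},
    {"source": "10.0.0.9", "qname": "cdn.test", "latency_ms": 0,
     "answers": ["198.51.100.4"], "authority": []},
]
```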