/v3/api/dnsQueryLogs (GET) - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

Returns a total count of logged DNS queries for a given siteName. You can use optional filters, such as record key (search for records older or newer than the specified key), start time, and end time.

GET https://api-<BlueCat.edge.url>/v3/api/dnsQueryLogs?siteId={siteId}&batchSize={size}&key={key}
&order={DESC | ASC}&startTime={utc}&endTime={utc}&hasMatchedPolicy=
{true|false}&sourceIp={sourceIp1, sourceIp2}&queryType={queryRecordType}&
queryName={queryDomainName}&policyAction={policyAction1, policyAction2}&policyType=
{policyType}&policyId={policyId}&threatType={threatType}&threatIndicator=
{threatIndicator}&responseCode={responseCode1, responseCode2}&protocol={queryProtocol1, 
queryProtocol2}&namespaceId={namespaceId1, namespaceId2}&latencyFrom={latencyFrom}&latencyTo=
{latencyTo}&responseIp={responseIp1, responseIp2}
Authorization: Bearer token

Parameters

Name Description Type Required
siteId The ID of the site for which you want to query logs. If no site ID is provided, an error is returned. If there is no site with that ID, an empty list is returned. List of strings Optional
batchSize The maximum number of records to return. If this isn't included, the response will be limited to 400 entries.
Note: The maximum configurable batchSize is 10000.
String Optional
key The key is the record ID of the DNS Query Log record for which you want to receive older or newer records. String Optional
order Specify whether to retrieve results in DESC (most recent records first) or ASC (oldest records first) order. If this isn't included, the records will be listed in descending order. String Optional
startTime To filter results for a specific time period, including the start time, in milliseconds since the Unix Epoch. String Optional
endTime To filter results for a specific time period, in milliseconds since the Unix Epoch. The filter results will only include DNS queries with a timestamp leess than the endTime value. String Optional
hasMatchedPolicy If hasMatchedPolicy is true then only DNS queries matching policies will be displayed. String Optional
sourceIp Filters results for the specified source IP address(es). List of strings Optional
queryType The query record type you want to search for. List of strings Optional
queryName The domain name you want to search for queries on. List of strings Optional
policyAction If one or more policy actions are provided, then only policies matching the actions are returned. Valid actions are allow, block, redirect, and monitor. List of strings Optional
policyName If a policy name is provided, then only policies matching the name are returned. List of strings Optional
policyId If a policy ID is provided, then only policies matching the ID are returned. List of strings Optional
threatType Returns queries that match the specified threat type. Valid threat types are DGA and DNS_TUNNELING. List of strings Optional
threatIndicator Returns queries that match the specified threat indicator. Valid threat indicators are ENTROPY, UNIQUE_CHARACTER, EXCEEDING_LENGTH, UNCOMMON_QUERY_TYPE, VOLUMETRIC_TUNNELING, SUSPECT_DNS, and SUSPECT_TLD. List of strings Optional
responseCode Returns DNS queries that match the specified response codes. List of strings Optional
protocol Returns DNS queries that match the specified protocol (usually UDP or TCP). List of strings Optional
namespaceId Returns DNS queries that were queried against the specified namespace IDs. List of strings Optional
latencyFrom Returns DNS queries with latencies greater than or equal to this value (in milliseconds). String Optional
latencyTo Returns DNS queries with latencies less than or equal to this value (in milliseconds). String Optional
responseIp Returns the DNS events resolving to either of the specified IPv4 and/or IPv6 address(es). Must be valid IPv4 or IPv6 address(es). List of Strings Optional

Successful response

200 OK
Content-Type: application/JSON
[
  {
    "time": 1588863296043,
    "source": "197.210.227.230",
    "siteId": "91d9e73b-c5ce-4f92-a419-5d421e8fef25",
    "query": "VERSION.BIND.",
    "queryType": "TXT",
    "actionTaken": "query-response",
    "response": "NOERROR",
    "id": "1588863296043BF913F410812953C6909E622C4702754",
    "matchedPolicies": [],
    "answers": [
        {
            "domainName": "VERSION.BIND.",
            "recordType": "TXT",
            "parsed": true,
            "rData": "1.0.0"
        }
    ],
    "authority": [],
    "queryProtocol": "UDP",
    "threats": [],
    "queriedNamespaces": [
      {
            "id": "9bba84cc-00eb-4a6a-985b-b9cadb9de93a",
            "name": "Umbrella",
            "rCode": "NOERROR",
            "responseData": null,
            "latency": 0,
            "cycle": 0
      },
      ....
    ],
    "latency": 2,
    "queryId": 18157,
    "queryClassId": 1,
    "queryEdnsOptions": [
        {
            "code": 8, 
            "value": "2600:1f18:1321:3900::/64/0"
        }
    ],
    "responseEdnsOptions": [
        {
            "code": 8, 
            "value": "2600:1f18:1321:3900::/64/0"
        }
    ],
    "identity": 
        {
            "identityId": "identity_id_example",
            "userId": "example@test.bluecat.com"
        },
    "appliedPolicyId": null,
    "redirectDomain": null
 }
Returns the following information:
  • Time: Unix time (in milliseconds) when the DNS query was made. (This is the request time, not the response time or logging time.)
  • Source: The IP address of the client making the DNS query.
  • Site: The site name of the service point handling the query.
  • Query: The domain name being queried.
  • Query Type: The query type.
  • Response: The response code (for example NXDOMAIN, NOERROR or SERVFAIL).
  • ID: An identifier that can be passed to key in subsequent requests (used for paging through lots of data)
  • Action Taken: If no policy was matched, this will be "query-response", otherwise this will be either block,redirect, or monitor
  • Matched Policies: List of policy IDs and names that matched the given query

    The number of entries in the list depends on the number of queries within specified period. The list returned may be empty.

  • Authority: The authority assigned to the DNS query.
  • Query Protocol: The protocol of the DNS query (usually UDP or TCP).
  • Threats: The list of possible threats detected during the query analysis.
  • Queried Namespaces: The list of namespaces the DNS query was queried against. This includes the ID of the namespace, name of the namespace, the response code that was returned, the rdata of the response, and the latency of the response.
  • Latency: The latency (in milliseconds) of the DNS query.
  • Query ID: The query ID.
  • Query Class ID: The ID of the DNS record class.
  • Query EDNS Options: A list of EDNS query options returned. Currently, only EDNS Client Subnet (ECS) query option information is returned.
  • Response EDNS Options: A list of EDNS response options returned. Currently, only EDNS Client Subnet (ECS) response option information is returned.
  • Identity: Contains information about the user that initiated the query. This information is only available if you have the identity service enabled and the Add identity information to queries option enabled on the site.
  • Applied Policy ID: The policy that took action on the query.
  • Redirect Domain: The domain that the query was redirected to.

Response on unsuccessful authorization

401 Unauthorized
Content-Type: application/JSON
{"code": "UNAUTHORIZED", "brief": "You are not authorized to perform this action"}
Possible error codes
  • INPUT_ERROR
  • ANALYTICS_UNEXPECTED_ERROR