/v2/api/customer/dnsQueryLog/stream - BlueCat DNS Edge

DNS Edge API Guide

Locale
English (United States)
Product name
BlueCat DNS Edge

Retrieves DNS queries matching active policies logged in the last 5 minutes to an external SIEM, if configured. Note that this API is only accessible with an applicable API access key. For more information, contact your BlueCat representative.

Note: v1/api/customer/dnsQueryLog/stream has been deprecated.

To learn how to install and configure the BlueCat DNS Edge for Splunk app, see BlueCat DNS Edge for Splunk app.

GET https://api-<DNS.Edge.URL>/v2/api/customer/dnsQueryLog/stream
Authorization: Basic passphrase

ETag: <etag from previous call>
Note: ETag is optional, and has the following results:
  • If no value is sent, then the API returns query data for the last five minutes.
  • When an ETag referencing a point in time beyond five minutes ago, the API still returns query data for the last five minutes.
  • When an ETag referencing a point in time less than five minutes ago, the API returns query data logged since that point.

Successful response

200 OK
Content-Type: application/JSON
{
    "actionTaken": "block",
    "matchedPolicies: [
        {
            "id":<id>,
            "name":<name>,
        },
        ....
    ],
    "source":"192.168.100.101", 
    "time": 1464278471000,
    "site":"BlueCat Headquarters",
    "query":"test.uat.local.",
    "queryType":"A",
    "response":"NXDOMAIN",
    "recordId":"1464278471000XXXXXXXXXXXXXXXXXXXX",
    "threats: [
        {
            "type": "dga",
            "indicators": ["UNIQUE_CHARACTERS",...]
        },
        ....
    ],
    "answers: [
        {
            "domainName": "example.domain.name.",
            "recordType": "A",
            "rData": "127.0.0.1",
            "parsed": "true",
        },
        ....
    ],
    "latency": 0
}
Returns the following information:
  • Time: Unix time (in milliseconds) when the DNS query was made. (This is the request time, not the response time or logging time.)
  • Source: The IP address of the client making the DNS query.
  • Site: The site name of the service point handling the query.
  • Query: The domain name being queried.
  • QueryType: The query type.
  • Response: The response code (for example NXDOMAIN, NOERROR or SERVFAIL).
  • Record ID: An identifier that can be passed to key in subsequent requests (used for paging through lots of data).
  • Action Taken: If no policy was matched, this will be "query-response", otherwise this will be either block, redirect, or monitor.
  • Matched Policies: List of policy IDs and names that matched the given query.
  • Latency: The latency (in milliseconds) of the DNS query measured.

The number of entries in the list depends on the number of queries within specified period. The list returned may be empty.

Response on unsuccessful authorization

401 Unauthorized
Content-Type: application/JSON
{"code": "UNAUTHORIZED", "brief": "You are not authorized to perform this action"}
Possible error codes
  • CANNOT_GET_SITES
  • UNEXPECTED_ERROR