Filters - BlueCat DNS Edge

DNS Edge Deployment Guide


You can filter DNS query data using the filter menu or advanced filter command bar.

  1. Click the Advanced toggle to switch between the filter menu and advanced filter command bar.
  2. Select the time frame filter to return results within the specified period.
    • You can specify whether you want data returned within the Last 1 hour, Last 24 hours, Yesterday, Last 7 days, Last 30 days, or a Custom time frame.
    • When using Custom, select two dates on the calendar to specify the time frame. You can also manually enter the date and time in the Start and End fields. This can include both the date and time, or only a date or only a time. If no time is specified, results are returned from 00:00:00 (midnight).
      Note: If you are using keyboard navigation, you can use the Page Up and Page Down keys to navigate between months and years on the calendar.
    • By default, the DNS Insights page is optimized to display data collected within the last 7 days. Changing the time frame doesn't modify this default period.
  3. Click to select additional filter parameters. For filters that accept input, once you have selected that filter, the input field auto completes values as you begin to type:
    • Site: Sets the data filter for the specified site name.
    • Source IP: Sets the data filter for the specified source IP address(es). Must be a valid IPv4 address or list of IPv4 addresses.
    • Query Name: Sets the data filter for the specified query name.
    • Query Type: Sets the data filter for the specified query type.
    • Response Code: Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
    • Policy Name: Sets the data filter for the specified policy name.
    • Policy Action: Sets the data filter for the specified policy action (Block, Monitor, Allow, Redirect, None).
    • Threat Type: Sets the data filter for the specified threat type (DGA, Tunneling).
    • Threat Indicator: Sets the data filter for the specified threat indicator (Entropy, Host Size, Suspect DNS, Suspect TLD, Uncommon Rec, Unique Char, Vol Tunnel).
    • Protocol: Sets the data filter for the specified query protocol (TCP, UDP).
    • Namespace: Sets the data filter for the specified namespace.
    • Latency: Sets the data filter for the specified latency range for DNS queries. Select None (0 - 1 ms), Low (1 - 20 ms), Medium (20 - 100 ms), High (100 ms and above), or Custom (in milliseconds). If you select Custom, FROM must be less than or equal to TO.
    • Response IP: Sets the data filter for DNS events resolving to any of the specified IPv4 and/or IPv6 addresses. Must be valid IPv4 or IPv6 address(es).
    Click Save to save a filter parameter.

    You can edit filter parameters by selecting the name of the parameter or delete filter parameters by clicking the x icon next to the filter.

Filter commands

Use the following filter commands in the DNS Edge advanced filter command bar.

/from MM-DD-YYYY HH:MM:SS Sets the data filter start date and time. This can include both the date and time, or only a date or only a time. If no time is specified, results are returned from 00:00:00 (midnight). If no date is included, all DNS logs after the time specified are included.
/to MM-DD-YYYY HH:MM:SS Sets the data filter end date and time. The end is exclusive: for example, if you set /to 08-09-2019 23:59:59, the filter returns data up to August 9, 2019 at 23:59:58. If no time is specified, results are returned up to 23:59:59. If no date is included, all DNS logs up to the time specified are included.

/at MM-DD-YYYY HH:MM:SS
  • If both date and time are specified, sets the data filter to a one-second interval at the specified date and time (for example, 03-17-2017 14:00:00 to 14:00:01).
  • If no time is specified, results are returned for the interval between 00:00:00 to 23:59:59 on the specified day.
  • If no date is included and the time is the current time or earlier, then the results are for the current day. If the time is later than the current time, you will receive an error message.
/site SiteName Sets the data filter for the specified site name.
/source SourceIp Sets the data filter for the specified source IP address(es). Must be a valid IPv4 address or a list of IPv4 addresses.
/querytype QueryType Sets the data filter for the specified query type.
/queryname QueryName Sets the data filter for the specified query name.
/protocol QueryProtocol Sets the data filter for the specified query protocol (TCP, UDP).
/namespace QueryNamespace Sets the data filter for the specified namespace.
/response ResponseCode Sets the data filter for the specified response code (for example, NXDOMAIN, NOERROR, SERVFAIL).
/policyname PolicyName Sets the data filter for the specified policy name.
/policyaction PolicyAction Sets the data filter for the specified policy action (none, allow, block, monitor, redirect).
/threattype threat Sets the data filter for the specified threat type (dga, tunneling).
/threatind indicator Sets the data filter for the specified threat indicator (entropy, hostSize, uniqueChar, uncommonRec, SusTLD, SusDNS).
/latency none Sets the data filter for the none (0 - 1 ms) latency range for DNS queries.
/latency low Sets the data filter for the low (1 - 20 ms) latency range for DNS queries.
/latency medium Sets the data filter for the medium (20 - 100 ms) latency range for DNS queries.
/latency high Sets the data filter for the high (100 ms and above) latency range for DNS queries.
/latency [from <int>] [to <int>] Sets the data filter for the selected latency range (in milliseconds) for DNS queries. The from value must be less than or equal to the to value.
/responseip IPAddress Sets the data filter for DNS events resolving to any of the specified IPv4 and/or IPv6 addresses. Must be valid IPv4 or IPv6 address(es).

Filter command tips

  • Enter times in 24-hour format (HH:MM:SS). All digits are required.
  • Enter dates in MM-DD-YYYY format (03-15-2017). All digits are required.
  • You can copy a list of filter values and paste them to advanced filter command bar.

    For example:

    If you copy the following list for the /queryname filter command:

    abc.com

    meow.com

    ham.com

    Then paste them into the advanced filter command bar, the list of items is displayed comma separated:

    /queryname abc.com, meow.com, ham.com

  • If you enter an incorrect filter command or value, a list of errors is displayed below the advanced filter command bar. The number on each error indicates the location of the error in the command bar. When you click an error, the cursor moves to that location.

  • Filters become active when you press Enter and remain active until you change the text in the command bar. Active filters are indicated by green text in the command bar.
  • You can extend your search for more than one item at a time by adding multiple items, separated by commas. For example:

    /policyaction block, redirect

    Note: The extended search is only available for the following filters:
    • /site
    • /source
    • /querytype
    • /queryname
    • /protocol
    • /namespace
    • /response
    • /policyname
    • /policyaction
    • /threattype
    • /threatind
  • You can use one or more filters at a time on the command line. For example, you can combine filters for date/time, policy action, and site name.
  • Using the DNS Edge dashboard, you can select a time range on the graph to filter DNS queries in the DNS Activity window. You can deselect one or more policy actions to filter both by the selected time range, and the visible policy actions.
    [Figure: dashboard select time range]
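The command bar rules described on this page (the /from, /to and /at window rules, the latency bands and custom range, the IPv4-only /source check, the comma-separated lists, and the positioned error list) modelled in Python. This is an added example written for this page; it is not BlueCat code and not how DNS Edge itself parses the bar. It assumes record field names (ts, latency_ms, queryname, ...), a fixed current time NOW, that a time-only /from or /to refers to the current day, that latency band boundaries are lower-inclusive, and that the log stores IP addresses in canonical form. The sample records are constructed around the 08-09-2019 23:59:59 boundary.

```python
import ipaddress
import re
from datetime import datetime, time, timedelta

# Filters that accept a comma-separated list, per the filter command tips.
MULTI_VALUE = {"site", "source", "querytype", "queryname", "protocol", "namespace",
               "response", "policyname", "policyaction", "threattype", "threatind"}
# Named latency bands as [lo, hi) in ms, hi None = unbounded (boundary handling is assumed).
LATENCY_BANDS = {"none": (0, 1), "low": (1, 20), "medium": (20, 100), "high": (100, None)}
NOW = datetime(2019, 8, 10, 12, 0, 0)  # fixed "current time" so the example is reproducible

def parse_stamp(arg):
    """'MM-DD-YYYY HH:MM:SS', a date alone or a time alone -> (date|None, time|None)."""
    d = t = None
    for tok in arg.split():
        if re.fullmatch(r"\d{2}-\d{2}-\d{4}", tok):      # all digits required
            d = datetime.strptime(tok, "%m-%d-%Y").date()
        elif re.fullmatch(r"\d{2}:\d{2}:\d{2}", tok):    # 24-hour clock
            t = datetime.strptime(tok, "%H:%M:%S").time()
        else:
            raise ValueError(f"bad date/time token {tok!r}")
    if d is None and t is None:
        raise ValueError("a date or a time is required")
    return d, t

def time_window(cmd, arg, now, start, end):
    """Apply /from, /to or /at to (start, end); end is exclusive, None is open-ended."""
    d, t = parse_stamp(arg)
    day = d or now.date()                  # no date: the current day (assumed for /from and /to)
    if cmd == "from":                      # no time: from midnight
        return datetime.combine(day, t or time.min), end
    if cmd == "to":                        # no time: up to 23:59:59, exclusive
        return start, datetime.combine(day, t or time(23, 59, 59))
    if t is None:                          # /at with a date only: the whole day
        return datetime.combine(d, time.min), datetime.combine(d, time.min) + timedelta(days=1)
    if d is None and t > now.time():
        raise ValueError("time is later than the current time")
    start = datetime.combine(day, t)       # /at with a time: a one-second interval
    return start, start + timedelta(seconds=1)

def latency_range(arg):
    """'none'|'low'|'medium'|'high' or '[from <int>] [to <int>]' -> (lo, hi), hi exclusive."""
    if arg in LATENCY_BANDS:
        return LATENCY_BANDS[arg]
    r = re.fullmatch(r"(?:from\s+(\d+))?\s*(?:to\s+(\d+))?", arg) if arg else None
    if r is None:
        raise ValueError(f"bad latency range {arg!r}")
    lo = int(r.group(1) or 0)
    hi = int(r.group(2)) + 1 if r.group(2) else None   # a custom 'to' is inclusive
    if hi is not None and lo >= hi:
        raise ValueError("from must be less than or equal to to")
    return lo, hi

def parse_command_bar(text, now=NOW):
    """Return (start, end, filters, errors); errors are (offset, message) pairs, like the
    numbered error list the UI shows under the command bar."""
    start, end, filters, errors = None, None, {}, []
    for m in re.finditer(r"/(\w+)\s*([^/]*)", text):  # each command runs to the next '/'
        cmd, arg = m.group(1).lower(), m.group(2).strip()
        try:
            if cmd in ("from", "to", "at"):
                start, end = time_window(cmd, arg, now, start, end)
            elif cmd == "latency":
                filters[cmd] = latency_range(arg)
            elif cmd in ("source", "responseip"):  # /source is IPv4 only; /responseip takes v4 or v6
                parse = ipaddress.IPv4Address if cmd == "source" else ipaddress.ip_address
                filters[cmd] = {str(parse(v.strip())) for v in arg.split(",")}
            elif cmd in MULTI_VALUE:
                filters[cmd] = {v.strip().lower() for v in arg.split(",") if v.strip()}
            else:
                raise ValueError(f"unknown filter command /{cmd}")
        except ValueError as e:
            errors.append((m.start(), str(e)))
    return start, end, filters, errors

def matches(rec, start, end, filters):
    """Apply a parsed filter set to one record; IPs in records are assumed canonical."""
    if (start is not None and rec["ts"] < start) or (end is not None and rec["ts"] >= end):
        return False
    lo, hi = filters.get("latency", (0, None))
    if rec["latency_ms"] < lo or (hi is not None and rec["latency_ms"] >= hi):
        return False
    return all(str(rec.get(k, "")).lower() in want
               for k, want in filters.items() if k != "latency")

# Constructed sample log around the 08-09-2019 23:59:59 boundary; field names are assumptions.
FIELDS = ("ts", "queryname", "policyaction", "source", "latency_ms", "responseip")
RECORDS = [dict(zip(FIELDS, v)) for v in [
    (datetime(2019, 8, 9, 23, 59, 58), "abc.com", "block", "10.0.0.5", 3, "192.0.2.1"),
    (datetime(2019, 8, 9, 23, 59, 59), "meow.com", "redirect", "10.0.0.6", 25, "2001:db8::1"),
    (datetime(2019, 8, 10, 0, 0, 0), "ham.com", "allow", "10.0.0.5", 150, "192.0.2.2"),
]]

def run(text, now=NOW):
    """Query names of the sample records that the command bar text selects."""
    start, end, filters, errors = parse_command_bar(text, now)
    if errors:
        raise ValueError(errors)
    return [r["queryname"] for r in RECORDS if matches(r, start, end, filters)]
```

Running `run("/to 08-09-2019 23:59:59 /policyaction block, redirect")` returns only `abc.com`: the redirect at exactly 23:59:59 is dropped because the /to bound is exclusive, which is the behaviour the /to entry above describes. `parse_command_bar("/source 2001:db8::1")` puts an entry in the error list rather than silently matching nothing, because /source accepts IPv4 only, and the offset in each error is the character position the UI would jump the cursor to.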