DNS activity - BlueCat Edge - Service Point v3.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v3.x.x

The DNS activity screen displays DNS queries from the configured sites. Available information includes the date and time of the query, the source and site, the query name and type, the response, and policy action (block, allow, monitor, or redirect) that was taken. You can filter the DNS activity list by time, sites, site groups, and other criteria.

Viewing DNS activity

  1. In the BlueCat Edge window, click .
  2. Select the DNS Activity tab. For more information about viewing threat activity, see Identifying threat activity.
  3. Click to refresh the DNS queries list.
  4. Use the filter icons or the following filter commands to search for DNS queries by the following criteria:
    • date & time
    • latency
    • site
    • source IP
    • query type
    • query name
    • protocol
    • response code
    • response IP
    • policy name
    • policy action
    • namespace
    • threat type
    • threat indicator

    Criteria can be combined, and BlueCat Edge will only return queries when all of the specified conditions are met.

    Examples

    /sitename TorontoSite /from 08-17-2017 00:00:00 /to 08-17-2017 04:00:00

    /at 03-17-2017 22:30:00 /sitename GlasgowSite

    When you enter the filter command, the results display and the text in the command bar turns green. Results remain filtered until you begin typing another command.

  5. Click to add another tab. In the Add Tab window, select the available columns on the left, then click Add Tab. You must enter a name for the tab in the Title field. You can add multiple columns to the tab, and click and drag a selected column on the right to re-order the columns. To delete the tab, click the delete button beside the tab name.
    Note: The Date & Time column is selected by default.
  6. Click to select the columns you want displayed in the tab. In the Update Tab window, select the available columns on the left, then click Update Tab. You can click and drag a selected column on the right to re-order the columns. To restore the default columns and order, click Restore Defaults.

  7. To view detailed information about a DNS query, click the query.
    (Figure: DNS query information panel)

    In the DNS query information panel, you can click links to view sites, namespaces, policies, and (for Vol Tunnel threat indicators) system lists associated with the query. When you click a link, a new tab opens in the panel, allowing you to return to the query information easily.

    Click next to different fields to filter the DNS activity results based on the value of that field.

    Click Inspect Client Activity to retrieve additional query information from the source IP of the current query. For more information, refer to Client activity.

  8. Click to download a CSV file containing detailed query log information about the DNS Activity based on the selected filters. The CSV file contains up to 10,000 queries.
    Note: If a query contains multiple Answer and Authority records, only the first five of each record are returned. However, the CSV file displays the total count of Answer and Authority records for each query.
  9. To return to the map view, click .

Filter command tips

  • Enter times in 24-hour format (HH:MM:SS). All digits are required.
  • Enter dates in MM-DD-YYYY format (03-15-2023). All digits are required.
  • You can copy a list of filter values and paste them into the advanced filter command bar.

    For example:

    If you copy the following list for the /queryname filter command:

    abc.com

    meow.com

    ham.com

    Then paste them into the advanced filter command bar; the list of items displays as comma-separated values: abc.com, meow.com, ham.com

  • If you enter incorrect filter commands or values, a list of errors displays below the advanced filter command bar. The number on each error indicates the position of the error in the command bar. When you click an error, the cursor moves to that position.

  • Filters become active when you press Enter and remain active until you change the text in the command bar. Active filters are indicated by green text in the command bar.
  • Click to view the filter history. You can delete and pin items in the list.
    Note: You can pin up to 10 items in the list.

  • You can copy the URL of a filter by clicking , then right-clicking the filter > Copy Link Address. You can also copy the URL in the URL field of your browser.
  • You can extend your search for more than one item at a time by adding multiple items, separated by commas. For example:

    /policyaction block, redirect

    Note: The extended search is only available for the following filters:
    • /site
    • /source
    • /querytype
    • /queryname
    • /protocol
    • /namespace
    • /response
    • /policyname
    • /policyaction
    • /threattype
    • /threatind
  • You can use one or more filters at a time on the command line. For example, you can combine filters for date/time, policy action, and site name.
  • Using the BlueCat Edge dashboard, you can select a time range on the graph to filter DNS queries in the DNS Activity window. You can also deselect one or more policy actions on the graph, in which case the list is filtered by both the selected time range and the policy actions that remain visible.

    (Figure: selecting a time range on the dashboard graph)
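The following validator applies the command-bar rules listed above (commands start with a slash, dates are MM-DD-YYYY with a 24-hour HH:MM:SS time and every digit present, comma-separated lists are accepted only by the extended-search filters, and each error is reported with its position in the command bar). It is an added example, not BlueCat Edge's own parser; the treatment of /sitename as a single-valued filter and the exact error wording are assumptions.

```python
import re
from datetime import datetime

# Filters that accept a comma-separated list (the guide's "extended search")
MULTI_VALUE = {"/site", "/source", "/querytype", "/queryname", "/protocol",
               "/namespace", "/response", "/policyname", "/policyaction",
               "/threattype", "/threatind"}
# Filters that take one "MM-DD-YYYY HH:MM:SS" value
DATETIME_FILTERS = {"/from", "/to", "/at"}
# /sitename is used in the guide's examples; assumed single-valued here
SINGLE_VALUE = {"/sitename"}
KNOWN = MULTI_VALUE | DATETIME_FILTERS | SINGLE_VALUE

# Every digit is mandatory: MM-DD-YYYY, a space, then 24-hour HH:MM:SS
DATETIME_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}$")
# A command is '/' followed by a word, at a token boundary
TOKEN_RE = re.compile(r"(?<!\S)(/\w+)")


def parse_filter_command(command):
    """Parse a command-bar string into (filters, errors).

    filters maps each command to its parsed value (str, list of str, or
    datetime). errors is a list of (position, message) pairs, where position
    is the character offset in the command bar, mirroring the numbered error
    list the UI shows below the bar.
    """
    filters, errors = {}, []
    tokens = [(m.start(), m.group(1)) for m in TOKEN_RE.finditer(command)]
    if not tokens:
        errors.append((0, "no filter command found (commands start with '/')"))
        return filters, errors
    for i, (start, cmd) in enumerate(tokens):
        # The value runs from the end of this command to the next command
        end = tokens[i + 1][0] if i + 1 < len(tokens) else len(command)
        raw = command[start + len(cmd):end]
        value = raw.strip()
        value_pos = start + len(cmd) + (len(raw) - len(raw.lstrip()))
        if cmd not in KNOWN:
            errors.append((start, f"unknown filter {cmd}"))
            continue
        if not value:
            errors.append((start, f"{cmd} requires a value"))
            continue
        if cmd in filters:
            errors.append((start, f"{cmd} specified more than once"))
            continue
        if cmd in DATETIME_FILTERS:
            if not DATETIME_RE.match(value):
                errors.append((value_pos, f"{cmd}: use MM-DD-YYYY HH:MM:SS with every digit present"))
                continue
            try:
                filters[cmd] = datetime.strptime(value, "%m-%d-%Y %H:%M:%S")
            except ValueError:
                errors.append((value_pos, f"{cmd}: not a valid calendar date or time"))
        elif cmd in MULTI_VALUE:
            items = [v.strip() for v in value.split(",")]
            if any(not v for v in items):
                errors.append((value_pos, f"{cmd}: empty item in comma-separated list"))
                continue
            filters[cmd] = items
        else:  # single-valued filter: the extended (comma) search is not available
            if "," in value:
                errors.append((value_pos, f"{cmd} does not support comma-separated values"))
                continue
            filters[cmd] = value
    return filters, errors


if __name__ == "__main__":
    for cmd in ("/sitename TorontoSite /from 08-17-2017 00:00:00 /to 08-17-2017 04:00:00",
                "/policyaction block, redirect",
                "/from 8-17-2017 0:00:00"):
        print(cmd, "->", parse_filter_command(cmd))
```

Positions in the error list are zero-based character offsets, so "/from 8-17-2017 0:00:00" reports its malformed date at offset 6, exactly where the cursor would jump in the UI.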

Identifying threat activity

The DNS activity screen displays all DNS queries that go through a site, and also flags suspect DNS queries as possible DGA or tunneling threats based on certain indicators. Available information includes the date and time of the query, the source and site, the query name and type, the threat type and indicator, and the policy action (block, allow, monitor, or redirect) that was taken. You can filter the list by time, sites, site groups, threat types and indicators, and other criteria.

To view DNS queries that are flagged as possible threat indicators, click and select the Threat Type and Threat Indicator columns to be added to the DNS activity screen.

When a query comes in through a trusted policy, it may be flagged as Potential threat detected if the service point detects any threat indicators associated with the trusted domain.

Queries that are flagged as Potential threats detected contain additional information under the Threat Type and Threat Indicator columns.

About threat indicators
  • DGA: A DGA (domain generation algorithm) is a technique used by malware to generate large numbers of domain names that can serve as rendezvous points with the botnet's command and control servers.

    Queries that match the entropy indicator (analysis of the registered domain name indicates the characteristics of a DGA domain) are flagged as a potential DGA threat.

  • Tunneling: DNS tunneling encodes the data of other programs or protocols inside DNS queries and responses.
    Queries that match any of the following indicators will be flagged as a potential tunneling threat:
    • uniqueChar: There are more than 27 unique characters in the host name.
    • uncommonRec: The record type isn't A, AAAA, PTR, CNAME, TXT, SOA, or SRV.
    • hostSize: The host name is more than 70 characters.
    • volTunnel: Volumetric analysis of queries indicating DNS tunneling.

    BlueCat Edge evaluates queries over a one-hour window. When a domain incurs more than 75 distinct queries that meet the tunneling criteria from a single client, BlueCat Edge adds it to a system-maintained domain list. The TTL (time to live) value indicates how long a domain remains on the list after it was last observed. For each domain on the list, its last-observed date and time is shown, along with its expiry date and time based on the TTL.

  • Suspected threat indicators: BlueCat Edge flags the following types of queries as suspected threats:
    • Suspect TLD: Queries that match a BlueCat Edge-maintained list of top-level domains known to be subject to abuse.
    • Suspect DNS: Queries that match domains which are known to be suspect.

    To find suspect queries in the DNS Activity list, filter by /threatind susdns or /threatind sustld.

    You can't base a policy on a threat indicator, but if you want to monitor or block suspect TLD or suspect DNS queries, create a domain list that matches the flagged queries, and add that to a policy.
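To make the tunneling indicators concrete, here is an added detector (example code, not BlueCat Edge's implementation) that applies the per-query rules above (uniqueChar: more than 27 distinct characters, uncommonRec: record type outside A, AAAA, PTR, CNAME, TXT, SOA and SRV, hostSize: more than 70 characters) and the volumetric rule (more than 75 distinct qualifying queries for one domain from one client within a one-hour window, after which the domain is listed with a last-observed time and a TTL). The DGA entropy indicator is omitted because the guide gives no threshold for it. Assumptions: the window is a sliding window over the client's own timestamps, the registered domain is taken as the last two labels, the TTL value is a constructed default, and the sample queries are constructed traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Record types the guide lists as common; anything else trips uncommonRec
COMMON_RECORD_TYPES = {"A", "AAAA", "PTR", "CNAME", "TXT", "SOA", "SRV"}
UNIQUE_CHAR_LIMIT = 27          # uniqueChar: more than 27 distinct characters
HOST_SIZE_LIMIT = 70            # hostSize: host name longer than 70 characters
VOLUME_THRESHOLD = 75           # volTunnel: more than 75 distinct flagged queries
VOLUME_WINDOW = timedelta(hours=1)


def registered_domain(qname):
    # Assumption: the registered domain is the last two labels; a production
    # implementation would consult a public-suffix list instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def per_query_indicators(qname, qtype):
    """Indicators that can be decided from a single query, in the guide's order."""
    host = qname.rstrip(".")
    found = []
    if len(set(host)) > UNIQUE_CHAR_LIMIT:
        found.append("uniqueChar")
    if qtype.upper() not in COMMON_RECORD_TYPES:
        found.append("uncommonRec")
    if len(host) > HOST_SIZE_LIMIT:
        found.append("hostSize")
    return found


class TunnelDetector:
    """Per-query indicators plus the volumetric (volTunnel) check.

    Keeps, per (client, registered domain), the flagged query names seen in a
    sliding one-hour window. Once the distinct count exceeds the threshold the
    domain is listed with a last-observed time and expires `ttl` later.
    The default ttl is a constructed value; the guide does not state the product's TTL.
    """

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self.window = defaultdict(deque)   # (client, domain) -> deque of (ts, qname)
        self.listed = {}                   # domain -> last-observed timestamp

    def expiry(self, domain):
        return self.listed[domain] + self.ttl if domain in self.listed else None

    def observe(self, ts, client, qname, qtype):
        """Return the indicator list for one query (empty when nothing matched)."""
        indicators = per_query_indicators(qname, qtype)
        domain = registered_domain(qname)
        # Drop the domain from the list once its TTL has elapsed
        if domain in self.listed and ts > self.expiry(domain):
            del self.listed[domain]
        if indicators:
            q = self.window[(client, domain)]
            q.append((ts, qname.lower()))
            while ts - q[0][0] > VOLUME_WINDOW:      # evict entries older than 1h
                q.popleft()
            if len({name for _, name in q}) > VOLUME_THRESHOLD:
                self.listed[domain] = ts
        if domain in self.listed:
            self.listed[domain] = ts                  # refresh last-observed time
            indicators.append("volTunnel")
        return indicators


def run_sample():
    """Constructed traffic: one client sends 80 distinct 73-character labels under
    exfil-example.test (each trips hostSize) 30 seconds apart, then a benign lookup.
    Returns (index of the first volTunnel hit, benign indicators, listed domains)."""
    det = TunnelDetector()
    t0 = datetime(2023, 3, 15, 10, 0, 0)
    results = []
    for i in range(80):
        label = f"{i:03d}" + "a" * 70
        results.append(det.observe(t0 + timedelta(seconds=30 * i), "10.0.0.5",
                                   f"{label}.exfil-example.test", "A"))
    benign = det.observe(t0 + timedelta(minutes=45), "10.0.0.5", "www.example.test", "A")
    first_vol = next(i for i, r in enumerate(results) if "volTunnel" in r)
    return first_vol, benign, sorted(det.listed)


if __name__ == "__main__":
    print(run_sample())
```

The 76th distinct flagged name (index 75) is the first to carry volTunnel, matching the "more than 75" wording; an unrelated lookup from the same client returns no indicators, and the listed domain's expiry is its last-observed time plus the TTL.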