Skip to main content
Version: 2.10.2

DNS Service Monitor (10004 / 20004)

Description

This Module monitors DNS servers and DNS traffic as follows:

  • It calculates an average DNS servers’ response time over a specified time interval and reports it for all observed DNS servers
  • It calculates an average DNS servers’ packet size (both in and out). DNS attacks are characterized by suspiciously large messages (packet size over 512 bytes)
  • It reports top DNS users
note

DNS users are reported by DNS Users Monitor Module (10005,20005)

Parameters

Parameter NameDescriptionComments
Data Collection Interval, secModule logic execution intervalmin = 30 sec, max = 600 sec, default = 60 sec

Input

NetFlow v5, v9, and IPFIX. Cisco ASA NSEL is not fully supported by this Module. Please contact support@netflowlogic.com for more information.

Required NetFlow Fields

Information Element (IE)IE idIE size, BDescription
sourceIPv4Address84The IPv4 source address in the IP packet header
destinationIPv4Address124The IPv4 destination address in the IP packet header
protocolIdentifier41The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
sourceTransportPort72The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header.
destinationTransportPort112The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount14 or 8The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.
packetDeltaCount24 or 8The number of incoming packets since the previous report (if any) for this Flow at the Observation Point.
flowStartSysUpTime224The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds.
flowEndSysUpTime214The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds.

Syslog/JSON Message Fields

KeyField DescriptionComments
nfc_idMessage type identifier"nfc_id=20004"
exp_ipNetFlow exporter IP addressIPv4_address
protocolTransport Protocol (TCP = 6, UDP = 17)number
dest_ipDNS server IPv4 addressIPv4_address
dest_ip6DNS server IPv6 addressIPv6_address
dest_host [^1]Destination host namestring, included when FQDN is on
min_timeMin DNS server response time, msecnumber
max_timeMax DNS server response time, msecnumber
avg_timeDNS server average response time, msecnumber
flow_countNumber of flowsnumber
bytes_inAverage packet size received by the host from DNS servernumber
packets_inPackets received by the host from DNS servernumber
bytes_outAverage packet size sent by the source host to DNS servernumber
packets_outPackets sent by the source host DNS server, packetsnumber
t_intObservation time interval, msecnumber

[^1] Host name field is optional and included only if FQDN Service is enabled