DNS Service Monitor (10004 / 20004)
Description
This Module monitors DNS servers and DNS traffic as follows:
- It calculates an average DNS servers’ response time over a specified time interval and reports it for all observed DNS servers
- It calculates an average DNS servers’ packet size (both in and out). DNS attacks are characterized by suspiciously large messages (packet size over 512 bytes)
- It reports top DNS users
note
DNS users are reported by DNS Users Monitor Module (10005,20005)
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 30 sec, max = 600 sec, default = 60 sec |
Input
NetFlow v5, v9, and IPFIX. Cisco ASA NSEL is not fully supported by this Module. Please contact support@netflowlogic.com for more information.
Required NetFlow Fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
| sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
| destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
| octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload. |
| packetDeltaCount | 2 | 4 or 8 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point. |
| flowStartSysUpTime | 22 | 4 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds. |
| flowEndSysUpTime | 21 | 4 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds. |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20004" |
| exp_ip | NetFlow exporter IP address | IPv4_address |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | number |
| dest_ip | DNS server IPv4 address | IPv4_address |
| dest_ip6 | DNS server IPv6 address | IPv6_address |
| dest_host [^1] | Destination host name | string, included when FQDN is on |
| min_time | Min DNS server response time, msec | number |
| max_time | Max DNS server response time, msec | number |
| avg_time | DNS server average response time, msec | number |
| flow_count | Number of flows | number |
| bytes_in | Average packet size received by the host from DNS server | number |
| packets_in | Packets received by the host from DNS server | number |
| bytes_out | Average packet size sent by the source host to DNS server | number |
| packets_out | Packets sent by the source host DNS server, packets | number |
| t_int | Observation time interval, msec | number |
[^1] Host name field is optional and included only if FQDN Service is enabled