DNS Service Monitor (10004 / 20004)

Description

This Module monitors DNS servers and DNS traffic as follows:
    It calculates the average response time of each observed DNS server over a specified time interval and reports it for every server seen
    It calculates the average DNS packet size (both in and out) per server. Unusually large DNS messages (over the classic 512-byte limit for DNS over UDP) are a common indicator of DNS amplification or tunneling traffic; note that EDNS0 and DNSSEC responses can legitimately exceed 512 bytes, so treat a large average as a triage signal rather than proof of an attack
    It reports top DNS users
Top DNS users are reported by the DNS Users Monitor Module (10005, 20005)

Parameters

Parameter Name | Description | Comments
Data Collection Interval, sec | Module logic execution interval | min = 30 sec, max = 600 sec, default = 60 sec

Input

NetFlow v5, v9, and IPFIX. Cisco ASA NSEL is not fully supported by this Module. Please contact [email protected] for more information.

Required NetFlow Fields

Information Element (IE) | IE id | IE size, B | Description
sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header
destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header
protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header.
destinationTransportPort | 11 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.
octetDeltaCount | 1 | 4 or 8 | The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point. The number of octets includes IP header(s) and IP payload.
packetDeltaCount | 2 | 4 or 8 | The number of incoming packets since the previous report (if any) for this Flow at the Observation Point.
flowStartSysUpTime | 22 | 4 | The relative timestamp of the first packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds.
flowEndSysUpTime | 21 | 4 | The relative timestamp of the last packet of this Flow. It indicates the number of milliseconds since the last (re-)initialization of the IPFIX Device (sysUpTime). sysUpTime can be calculated from systemInitTimeMilliseconds.

Syslog/JSON Message Fields – Average DNS response time

Key | Field Description | Comments
nfc_id | Message type identifier | "nfc_id=20004"
exp_ip | NetFlow exporter IP address | <IPv4_address>
protocol | Transport protocol (TCP = 6, UDP = 17) | <number>
dest_ip | DNS server IPv4 address | <IPv4_address>
dest_host (1) | Destination host name | <string>, included when FQDN is on
min_time | Minimum DNS server response time, msec | <number>
max_time | Maximum DNS server response time, msec | <number>
avg_time | Average DNS server response time, msec | <number>
flow_count | Number of flows | <number>
bytes_in | Average packet size received by the source host from the DNS server, bytes | <number>
packets_in | Packets received by the source host from the DNS server | <number>
bytes_out | Average packet size sent by the source host to the DNS server, bytes | <number>
packets_out | Packets sent by the source host to the DNS server | <number>
t_int | Observation time interval, msec | <number>
(1) The host name field is optional and is included only if the FQDN Service is enabled

Syslog/JSON Message Fields – Top DNS users

Key | Field Description | Comments
nfc_id | Message type identifier | "nfc_id=20005"
exp_ip | NetFlow exporter IP address | <IPv4_address>
src_ip | Source host IPv4 address | <IPv4_address>
dest_ip | DNS server IPv4 address | <IPv4_address>
flow_count | Number of flows | <number>
t_int | Observation time interval, msec | <number>
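The following is an added example, written for this page and not code from the product or its vendor, showing how the two message types above (nfc_id=20004 per-server response time and packet size, nfc_id=20005 top DNS users) can be derived from flow records carrying the required Information Elements. Several details are assumptions because the page does not specify them: a DNS query is a flow to destination port 53, its answer is the flow back from source port 53 with the reversed 4-tuple, response time is the answer's flowStartSysUpTime minus the query's flowStartSysUpTime, flow_count counts query flows, and the syslog rendering is a plain key=value line. The sample flow records are constructed, not captured traffic; one answer is deliberately oversized and one query goes unanswered so the code shows how both are handled.

```python
from collections import defaultdict
from dataclasses import dataclass

DNS_PORT = 53
UDP_DNS_LIMIT = 512      # classic DNS-over-UDP maximum without EDNS0
INTERVAL_SEC = 60        # "Data Collection Interval, sec" default from the Parameters table


@dataclass(frozen=True)
class Flow:
    """The required Information Elements of one unidirectional flow record."""
    exp_ip: str       # exporter address (NetFlow packet source)
    src_ip: str       # sourceIPv4Address (IE 8)
    dst_ip: str       # destinationIPv4Address (IE 12)
    proto: int        # protocolIdentifier (IE 4)
    src_port: int     # sourceTransportPort (IE 7)
    dst_port: int     # destinationTransportPort (IE 11)
    octets: int       # octetDeltaCount (IE 1)
    packets: int      # packetDeltaCount (IE 2)
    start_ms: int     # flowStartSysUpTime (IE 22)
    end_ms: int       # flowEndSysUpTime (IE 21)


# Constructed sample records (assumption, not captured traffic): three clients,
# two resolvers, all UDP (17). The 3000-byte answer from 10.1.2.53 is oversized
# and the last query from 192.168.1.12 never receives an answer.
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "192.168.1.10", "10.1.1.53", 17, 40001, 53, 70, 1, 1000, 1000),
    Flow("10.0.0.1", "10.1.1.53", "192.168.1.10", 17, 53, 40001, 150, 1, 1012, 1012),
    Flow("10.0.0.1", "192.168.1.10", "10.1.1.53", 17, 40002, 53, 80, 1, 2000, 2000),
    Flow("10.0.0.1", "10.1.1.53", "192.168.1.10", 17, 53, 40002, 170, 1, 2030, 2030),
    Flow("10.0.0.1", "192.168.1.11", "10.1.1.53", 17, 40100, 53, 60, 1, 3000, 3000),
    Flow("10.0.0.1", "10.1.1.53", "192.168.1.11", 17, 53, 40100, 160, 1, 3018, 3018),
    Flow("10.0.0.1", "192.168.1.12", "10.1.2.53", 17, 40200, 53, 90, 1, 4000, 4000),
    Flow("10.0.0.1", "10.1.2.53", "192.168.1.12", 17, 53, 40200, 3000, 2, 4005, 4006),
    Flow("10.0.0.1", "192.168.1.12", "10.1.2.53", 17, 40201, 53, 90, 1, 4100, 4100),
]


def _pair_queries(flows):
    """Match each query (dst port 53) to the earliest later answer (src port 53)
    with the reversed 4-tuple. Assumption: the page does not say how the
    product derives response time; this is one plausible method."""
    answers = defaultdict(list)
    for f in flows:
        if f.src_port == DNS_PORT and f.dst_port != DNS_PORT:
            answers[(f.exp_ip, f.proto, f.dst_ip, f.dst_port, f.src_ip)].append(f)
    pairs = []
    for q in flows:
        if q.dst_port != DNS_PORT or q.src_port == DNS_PORT:
            continue
        key = (q.exp_ip, q.proto, q.src_ip, q.src_port, q.dst_ip)
        later = [a for a in answers.get(key, []) if a.start_ms >= q.start_ms]
        answer = min(later, key=lambda a: a.start_ms) if later else None
        if answer is not None:
            answers[key].remove(answer)     # each answer is consumed once
        pairs.append((q, answer))
    return pairs


def response_time_messages(flows, interval_sec=INTERVAL_SEC):
    """Build one nfc_id=20004 message per (exporter, protocol, DNS server)."""
    per_server = defaultdict(lambda: {"times": [], "q_oct": 0, "q_pkt": 0,
                                      "a_oct": 0, "a_pkt": 0, "flows": 0})
    for q, a in _pair_queries(flows):
        s = per_server[(q.exp_ip, q.proto, q.dst_ip)]
        s["flows"] += 1
        s["q_oct"] += q.octets
        s["q_pkt"] += q.packets
        if a is not None:                    # unanswered queries add no timing sample
            s["times"].append(a.start_ms - q.start_ms)
            s["a_oct"] += a.octets
            s["a_pkt"] += a.packets
    msgs = []
    for (exp_ip, proto, dest_ip), s in sorted(per_server.items()):
        t = s["times"]
        msgs.append({
            "nfc_id": 20004, "exp_ip": exp_ip, "protocol": proto, "dest_ip": dest_ip,
            "min_time": min(t) if t else 0,   # assumption: 0 when no answer was seen
            "max_time": max(t) if t else 0,
            "avg_time": round(sum(t) / len(t)) if t else 0,
            "flow_count": s["flows"],
            "bytes_in": s["a_oct"] // s["a_pkt"] if s["a_pkt"] else 0,
            "packets_in": s["a_pkt"],
            "bytes_out": s["q_oct"] // s["q_pkt"] if s["q_pkt"] else 0,
            "packets_out": s["q_pkt"],
            "t_int": interval_sec * 1000,
        })
    return msgs


def top_dns_users(flows, limit=10, interval_sec=INTERVAL_SEC):
    """Build nfc_id=20005 messages: query flows per (exporter, client, server), highest first."""
    counts = defaultdict(int)
    for q, _ in _pair_queries(flows):
        counts[(q.exp_ip, q.src_ip, q.dst_ip)] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
    return [{"nfc_id": 20005, "exp_ip": e, "src_ip": s, "dest_ip": d,
             "flow_count": n, "t_int": interval_sec * 1000} for (e, s, d), n in ranked]


def oversized_servers(msgs, limit=UDP_DNS_LIMIT):
    """Servers whose average answer exceeds the classic 512-byte UDP limit.
    EDNS0/DNSSEC answers can legitimately be larger, so this is a triage signal."""
    return [m["dest_ip"] for m in msgs if m["bytes_in"] > limit]


def format_syslog(msg):
    """Render a message as a key=value line (assumed wire format)."""
    return " ".join(f"{k}={v}" for k, v in msg.items())


if __name__ == "__main__":
    servers = response_time_messages(SAMPLE_FLOWS)
    for m in servers + top_dns_users(SAMPLE_FLOWS):
        print(format_syslog(m))
    print("oversized answers from:", oversized_servers(servers))
```

Running the script prints two 20004 lines (10.1.1.53 with min/max/avg of 12/30/20 msec, 10.1.2.53 with a 1500-byte average answer) and three 20005 lines, then flags 10.1.2.53. In a real deployment the oversized check should be tuned against the resolver's known EDNS0 buffer size before it drives an alert.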