DNS Users Monitor (10005, 20005)

Description

This module reports DNS users by monitoring DNS traffic (destination port 53). Over each Data Collection Interval it consolidates all NetFlow records that share the same combination of the following fields:
    Source IP address
    Destination IP address
    Destination port number
    Layer 3 protocol
This information is provided per NetFlow exporter. Note that the match is on destination port 53 only: encrypted DNS transports on other ports (DNS over TLS on 853, DNS over HTTPS on 443) are not reported by this module, and any non-DNS traffic sent to port 53 is.
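The consolidation described above, as an added example that is not the vendor's code. It takes constructed NetFlow-style records from two exporters, keeps only those with destination port 53, merges records with the same (exporter, source IP, destination IP, destination port, protocol) key, applies the Top N parameter per exporter, and emits messages in the key=value form of the Syslog output. The FlowRecord field names, ranking the "most active" requestors by flow count, and setting t_int to the full collection interval are assumptions made for the example.

```python
"""Simplified re-implementation of the DNS Users Monitor consolidation logic.
Added example; not the product's own code. Field names in FlowRecord, the
Top N ranking key (flow_count) and t_int = interval length are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

DNS_PORT = 53
NFC_ID = 20005          # message type identifier of this module's output


@dataclass(frozen=True)
class FlowRecord:
    exp_ip: str         # NetFlow exporter that sent the record
    src_ip: str         # sourceIPv4Address / sourceIPv6Address
    dest_ip: str        # destinationIPv4Address / destinationIPv6Address
    src_port: int       # sourceTransportPort
    dest_port: int      # destinationTransportPort
    protocol: int       # protocolIdentifier: 6 = TCP, 17 = UDP
    packets: int
    octets: int


def addr_key(base, addr):
    """Pick the IPv4 or IPv6 variant of an output key (src_ip vs src_ip6)."""
    return base + "6" if ipaddress.ip_address(addr).version == 6 else base


def consolidate(records, interval_sec=60, top_n=0):
    """Return one output message per (exporter, src, dest, dest_port, protocol)
    group of port-53 records, limited to the top_n most active per exporter
    (top_n == 0 reports all groups, matching the parameter's default)."""
    groups = {}
    for r in records:
        if r.dest_port != DNS_PORT:         # module only looks at dest_port=53
            continue
        key = (r.exp_ip, r.src_ip, r.dest_ip, r.dest_port, r.protocol)
        g = groups.setdefault(key, {"packets_in": 0, "bytes_in": 0, "flow_count": 0})
        g["packets_in"] += r.packets
        g["bytes_in"] += r.octets
        g["flow_count"] += 1

    per_exporter = defaultdict(list)        # results are reported per exporter
    for key, g in groups.items():
        per_exporter[key[0]].append((key, g))

    messages = []
    for exp_ip in sorted(per_exporter):
        # assumption: "most active" = most flows; key tuple breaks ties deterministically
        rows = sorted(per_exporter[exp_ip], key=lambda kg: (-kg[1]["flow_count"], kg[0]))
        if top_n > 0:
            rows = rows[:top_n]
        for (exp_ip, src, dst, dport, proto), g in rows:
            msg = {"nfc_id": NFC_ID, "exp_ip": exp_ip, "protocol": proto}
            msg[addr_key("src_ip", src)] = src
            msg[addr_key("dest_ip", dst)] = dst
            msg["dest_port"] = dport
            msg.update(g)
            msg["t_int"] = interval_sec * 1000   # observation interval in msec (assumed)
            messages.append(msg)
    return messages


def to_syslog(msg):
    """Render a message as the space-separated key=value pairs used in Syslog output."""
    return " ".join(f"{k}={v}" for k, v in msg.items())


# Constructed sample input: one collection interval from two exporters.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.1", "192.168.1.10", "8.8.8.8", 51000, 53, 17, 1, 70),
    FlowRecord("10.0.0.1", "192.168.1.10", "8.8.8.8", 51001, 53, 17, 1, 66),
    FlowRecord("10.0.0.1", "192.168.1.10", "8.8.8.8", 51002, 53, 17, 2, 140),
    FlowRecord("10.0.0.1", "192.168.1.10", "8.8.8.8", 51003, 53, 6, 6, 520),   # TCP is a separate group
    FlowRecord("10.0.0.1", "192.168.1.20", "1.1.1.1", 40000, 53, 17, 1, 64),
    FlowRecord("10.0.0.1", "192.168.1.20", "93.184.216.34", 40001, 443, 6, 12, 1800),  # not DNS, dropped
    FlowRecord("10.0.0.2", "2001:db8::10", "2001:4860:4860::8888", 52000, 53, 17, 1, 90),
]

if __name__ == "__main__":
    for m in consolidate(SAMPLE_RECORDS):
        print(to_syslog(m))
    print("--- Top N = 1 ---")
    for m in consolidate(SAMPLE_RECORDS, top_n=1):
        print(to_syslog(m))
```

Running the block prints four messages for Top N = 0 (three from exporter 10.0.0.1, one IPv6 message from 10.0.0.2 using the src_ip6/dest_ip6 keys) and two for Top N = 1, since the limit applies per exporter.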

Parameters

Parameter Name / Description / Comments

Data Collection Interval, sec
    Module logic execution interval
    min = 30 sec, max = 600 sec, default = 60 sec

How many most active DNS requestors do you want to report?
    Top N (number of reported hosts)
    min = 0, max = 100000, default = 0 (0 indicates all hosts are reported)

Input

NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow, AWS and GCP VPC Flow logs, Azure NSG Flow logs.

Required NetFlow fields

Information Element (IE) / IE id / IE size, B / Description

IPv4
    sourceIPv4Address (IE id 8, 4 B)
        The IPv4 source address in the IP packet header
    destinationIPv4Address (IE id 12, 4 B)
        The IPv4 destination address in the IP packet header

IPv6
    sourceIPv6Address (IE id 27, 16 B)
        The IPv6 source address in the IP packet header
    destinationIPv6Address (IE id 28, 16 B)
        The IPv6 destination address in the IP packet header

Common to IPv4 and IPv6
    protocolIdentifier (IE id 4, 1 B)
        The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry.
    sourceTransportPort (IE id 7, 2 B)
        The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header.
    destinationTransportPort (IE id 11, 2 B)
        The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header.

Syslog/JSON Message Fields

Key / Field Description / Comments

nfc_id
    Message type identifier
    "nfc_id=20005"
exp_ip
    NetFlow exporter IP address
    <IPv4_address>
protocol
    Transport protocol (TCP = 6, UDP = 17)
    <number>
src_ip
    Source host IPv4 address
    <IPv4_address>
src_ip6
    Source host IPv6 address
    <IPv6_address>
dest_ip
    DNS server IPv4 address
    <IPv4_address>
dest_ip6
    DNS server IPv6 address
    <IPv6_address>
dest_port
    Destination port number
    53
packets_in
    Packets in the flow
    <number>
bytes_in
    Bytes in the flow
    <number>
flow_count
    Number of flows consolidated into this message
    <number>
t_int
    Observation time interval, msec
    <number>
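A consumer of these messages, as an added example that is not the vendor's code: it parses the key=value Syslog form of the fields above into typed values, selects the IPv4 or IPv6 address keys whichever are present, ignores messages from other modules by their nfc_id, and flags requestors whose DNS server is not on an approved-resolver list. The sample lines and the approved list are constructed for the example, and the allowlist check is an illustrative use of the output, not a feature of the module.

```python
"""Parse DNS Users Monitor (nfc_id=20005) Syslog messages and flag hosts that
query resolvers outside an approved list. Added example; not the product's
code. Sample lines and the approved-resolver list are constructed."""
import ipaddress

NFC_ID = 20005
INT_FIELDS = {"nfc_id", "protocol", "dest_port", "packets_in", "bytes_in", "flow_count", "t_int"}


def parse_message(line):
    """Turn 'key=value key=value ...' into a dict; raise ValueError on malformed
    tokens or messages that are not from this module."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed token: {token!r}")
        fields[key] = int(value) if key in INT_FIELDS else value
    if fields.get("nfc_id") != NFC_ID:
        raise ValueError("not a DNS Users Monitor message")
    # The module emits either src_ip/dest_ip (IPv4) or src_ip6/dest_ip6 (IPv6);
    # normalise both to ip_address objects so later checks are family-agnostic.
    fields["src"] = ipaddress.ip_address(fields.get("src_ip") or fields["src_ip6"])
    fields["dest"] = ipaddress.ip_address(fields.get("dest_ip") or fields["dest_ip6"])
    return fields


def unapproved_resolvers(lines, approved):
    """Return (exporter, source, dns_server, flow_count) for every message whose
    DNS server is not in the approved list. Non-matching lines are skipped."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    hits = []
    for line in lines:
        try:
            m = parse_message(line)
        except ValueError:
            continue
        if m["dest"] not in approved_set:
            hits.append((m["exp_ip"], str(m["src"]), str(m["dest"]), m["flow_count"]))
    return hits


# Constructed sample output of the module (plus one line from another module type).
SAMPLE_LINES = [
    "nfc_id=20005 exp_ip=10.0.0.1 protocol=17 src_ip=192.168.1.10 dest_ip=10.10.0.53 dest_port=53 packets_in=40 bytes_in=3120 flow_count=38 t_int=60000",
    "nfc_id=20005 exp_ip=10.0.0.1 protocol=17 src_ip=192.168.1.20 dest_ip=8.8.8.8 dest_port=53 packets_in=5 bytes_in=390 flow_count=5 t_int=60000",
    "nfc_id=20004 exp_ip=10.0.0.1 src_ip=192.168.1.30 dest_ip=8.8.8.8 dest_port=53 flow_count=1",
    "nfc_id=20005 exp_ip=10.0.0.2 protocol=17 src_ip6=2001:db8::10 dest_ip6=2001:4860:4860::8888 dest_port=53 packets_in=2 bytes_in=180 flow_count=2 t_int=60000",
]
APPROVED_RESOLVERS = ["10.10.0.53", "10.10.0.54"]   # constructed corporate resolvers

if __name__ == "__main__":
    for exp_ip, src, dst, flows in unapproved_resolvers(SAMPLE_LINES, APPROVED_RESOLVERS):
        print(f"exporter {exp_ip}: {src} sent {flows} DNS flow(s) to unapproved resolver {dst}")
```

Because the check compares ip_address objects rather than strings, an IPv6 resolver written with different zero compression still matches the list, and the same function handles both the src_ip/dest_ip and src_ip6/dest_ip6 message variants.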