DNS Users Monitor (10005, 20005)
Description
This Module reports DNS users by monitoring DNS traffic (dest_port=53). It consolidates NetFlow records over a period of time (Data Collection Interval) which all have the same combination of the following fields:
- Source IP address
- Destination IP address
- Destination port number
- Layer 3 protocol
This information is provided per NetFlow exporter.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Data Collection Interval, sec | Module logic execution interval | min = 30 sec, max = 600 sec, default = 60 sec |
| How many most active DNS requestors do you want to report? | Top N (number of reported hosts) | min = 0, max = 100000, default = 0 (0 indicates all hosts are reported) |
Input
NetFlow v5, v9, IPFIX, Cisco ASA NSEL, Palo Alto Networks NetFlow v9, sFlow, AWS GCP VPC Flow logs, Azure NSG Flow logs.
Required NetFlow fields
| Information Element (IE) | IE id | IE size, B | Description |
|---|---|---|---|
| IPv4 | | | |
| sourceIPv4Address | 8 | 4 | The IPv4 source address in the IP packet header |
| destinationIPv4Address | 12 | 4 | The IPv4 destination address in the IP packet header |
| IPv6 | | | |
| sourceIPv6Address | 27 | 16 | The IPv6 source address in the IP packet header |
| destinationIPv6Address | 28 | 16 | The IPv6 destination address in the IP packet header |
| protocolIdentifier | 4 | 1 | The value of the protocol number in the IP packet header. The protocol number identifies the IP packet payload type. Protocol numbers are defined in the IANA Protocol Numbers registry. |
| sourceTransportPort | 7 | 2 | The source port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the source port number given in the respective header. |
| destinationTransportPort | 7 | 2 | The destination port identifier in the transport header. For the transport protocols UDP, TCP, and SCTP, this is the destination port number given in the respective header. |
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20005” |
| exp_ip | NetFlow exporter IP address | <IPv4_address> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source host IPv4 address | <IPv4_address> |
| src_ip6 | Source host IPv6 address | <IPv6_address> |
| dest_ip | DNS server IPv4 address | <IPv4_address> |
| dest_ip6 | DNS server IPv6 address | <IPv6_address> |
| dest_port | Destination port number | 53 |
| packets_in | Packets in the flow | <number> |
| bytes_in | Bytes in the flow | <number> |
| flow_count | Number of flows | <number> |
| t_int | Observation time interval, msec | <number> |