Forum Discussion

Dec 05, 2018

DNS logging profile - response OK but query are empty

Hello,


As many other people, I need/want to keep track of DNS requests passing by our GTM/DNS (used for Wide IPs, but also for 'normal' DNS queries from servers).

I've been able to set up something working:

  • with a log destination attached to a publisher
  • this publisher being attached to a 'DNS logging' profile
  • this 'DNS logging' profile being attached to a 'DNS' profile
  • this 'DNS' profile being attached to the DNS/Listener or LTM/VS.

I had issues with the destinations:

  • when using Splunk type 'attached' to an HSL Remote logging type, nothing is logged.
  • As I'm running v12, so I just went for a 'management port' type, and finally I got DNS requests appearing in my Splunk.

Very fine, I'm happy. I can share configurations if someone is interested. But I still have a problem with what is sent from the GTM: as you see below, responses are fine but queries are considered empty, the query field gives me 'null invalid invalid'.

2018-12-05 14:34:02 qid 47427 to 10.x.x.x62472: [NOERROR qr,rd,ra,do] response: mfg.dlb.worldpay.com. 30 IN A 195.35.90.22;
2018-12-05 14:34:02 qid 47427 from 10.x.x.x62472: view none: query: null invalid invalid + (10.y.y.y%0)
2018-12-05 14:34:02 qid 25220 to 10.x.x.x62349: [NOERROR qr,rd,ra,do] response: fdsbci.post.ch. 30 IN A 194.41.223.16;
2018-12-05 14:34:02 qid 25220 from 10.x.x.x62349: view none: query: null invalid invalid + (10.y.y.y%0)

I'm wondering if someone has an idea why? Logging responses is already great, but the idea behind it is to look for DNS data exfiltration queries, for which an answer is not always provided, as it is basically not really needed to exfiltrate data.

Thanks in advance, Br,

Benoit

2 Replies

  • Hi Nathan,

    Thx for your answer. The setting was already enabled...

    2018-12-11 12:55:20 xxx qid 3880 to 10.61996: [NOERROR qr,rd,ra,do] response: insights.nutanix.com. 300 IN A 206.169.130.226;
    2018-12-11 12:55:20 xxx qid 3880 from 10.061996: view none: query: null invalid invalid + (10.%0)

    I can anyway 'correlate' query and response via the QID. But I'm still wondering if it will work in case of data exfiltration attempts via DNS, when an answer is not needed (if you query thisisthedataiwanttoexfiltrate.mydomainonlyusedtologdnsquery.com for example).

    I made an attempt to a non-existing subdomain of an existing domain. The response with nxdomain is not logged :(

    Br,

    Ben
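To work with what the profile does log, here is an added example (not from the thread, and not F5 code) that does the QID correlation Ben describes over constructed sample lines in the quoted format: it recovers the queried name from the response record when the query field is 'null invalid invalid', and flags queries that never got a response record, which is the case the exfiltration question turns on. Assumptions: a populated query line carries name, class and type in the same three positions as the 'null invalid invalid' placeholder, and the client field is host:port.

```python
import re
from collections import defaultdict

# The two record shapes quoted in the thread, keyed by qid; matching starts at
# "qid" so the optional token after the timestamp ("xxx" in the reply) is ignored.
QUERY_RE = re.compile(
    r"qid (?P<qid>\d+) from (?P<client>\S+): view (?P<view>\S+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
RESPONSE_RE = re.compile(
    r"qid (?P<qid>\d+) to (?P<client>\S+): \[(?P<rcode>[A-Z]+) [^\]]*\] "
    r"response: (?P<rname>\S+) (?P<ttl>\d+) IN (?P<rtype>\S+) (?P<rdata>[^;]*);"
)

# Constructed sample in the quoted format (not real traffic). qid 47427: blank
# query, usable response; qid 25220: populated query (assumed field layout);
# qid 31337: query with no response record, the case the thread worries about.
SAMPLE_LOG = """\
2018-12-05 14:34:02 qid 47427 to 10.0.0.5:62472: [NOERROR qr,rd,ra,do] response: mfg.example.com. 30 IN A 192.0.2.10;
2018-12-05 14:34:02 qid 47427 from 10.0.0.5:62472: view none: query: null invalid invalid + (10.0.0.1%0)
2018-12-05 14:34:03 qid 31337 from 10.0.0.7:51000: view none: query: null invalid invalid + (10.0.0.1%0)
2018-12-05 14:34:04 qid 25220 from 10.0.0.5:62349: view none: query: fdsbci.example.ch. IN A + (10.0.0.1%0)
2018-12-05 14:34:04 qid 25220 to 10.0.0.5:62349: [NOERROR qr,rd,ra,do] response: fdsbci.example.ch. 30 IN A 192.0.2.16;
"""

def correlate(log_text):
    """Pair query and response records by qid and recover what can be recovered."""
    pairs = defaultdict(dict)
    for line in log_text.splitlines():
        # finditer, because one physical line may carry several records run together
        for m in QUERY_RE.finditer(line):
            pairs[m["qid"]]["query"] = m.groupdict()
        for m in RESPONSE_RE.finditer(line):
            pairs[m["qid"]]["response"] = m.groupdict()
    results = {}
    for qid, rec in pairs.items():
        q, r = rec.get("query"), rec.get("response")
        if q is not None and q["qname"] != "null":
            name = q["qname"]                      # query field was populated
        else:
            name = r["rname"] if r else None       # fall back to the response, if any
        results[qid] = {
            "client": (q or r)["client"],
            "name": name,
            "name_from_response": q is not None and q["qname"] == "null" and r is not None,
            # no response record at all: the only trace an unanswered query leaves
            "unanswered": q is not None and r is None,
        }
    return results
```

Entries with "unanswered" set are the ones to alert on: with the query field blank there is no name to inspect, so the client and the count of such entries are the remaining signal.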