george.cossins

Cyclic DNS Requests

Hi all,

If:

1) You log DNS requests

and

2) The DNS logs that you receive contain the requested URL but not the IP address that this URL resolves to

and

3) You configure a connector to have name resolution enabled

and

4) You configure that connector to query the same DNS server that you are logging from step 1

Could this cause a cyclic DNS request (i.e. a 'legitimate' DNS request from a client that causes a DNS request from the connector that in turn causes a DNS request from the connector that.... etc)?

If so, how do you deal with this?

1) Attempt to change step 2 so that the response IP address is logged at the time of the initial event generation?

2) Configure the connectors not to do name resolution?

3) Configure the connectors to use a different DNS server, which only responds to the connectors and isn't logged.

or some other way?

I'm interested in all opinions, especially if you've had to deal with something similar....

George

gregcmartin

Re: Cyclic DNS Requests

George,

If a field comes in as a hostname or DNS name and there is not an IP, the default behavior of the connector is to do name resolution. Yes, it will potentially hit the same DNS resolver, but DNS resolvers will have a cached entry for that IP address already.

My recommendation is evaluating the use case behind why you want DNS logging and if you need the associated IP address (might not be necessary). If you do determine you want the IP, it is better to populate that from the event itself instead of relying on the connector to do a DNS resolution for you.

#1 Yes, disable IP resolution on the connector if the connector is only accepting DNS events.

#2 Configure the connector to ignore or filter all events from your DNS server that contain no IP. Only import the DNS resolver "Replies", which should have an IP and Domain in one event.

#3 Also filter out DNS requests from IPs belonging to your connector environment and any other ArcSight device for that matter. Your use-case should only be concerned with DNS traffic from users (I'm assuming).

So to summarize, you can achieve all that you want by making a simple filter and applying it to your connector; you can do this by double-clicking the connector in ESM and accessing the Conditions tab.

Regards,

Greg

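The loop George asks about, and the effect of the filter Greg recommends, can be modelled in a few lines. The script below is an added example written for this thread, not ArcSight connector code; the log line format, the IP addresses, the names in `ZONE`, and the assumption that a name-only event triggers a lookup that lands in the same log are all constructed. It runs a toy connector three ways: name resolution on with no filter (the cycle: every lookup writes a new name-only line that triggers another lookup, so the run only stops at the `max_lines` cap), resolution off, and resolution on with the filter from #2 and #3 applied (name-only lines and connector-origin lines are dropped, so nothing is ever resolved and only replies with an address reach ESM).

```python
"""Model of the DNS-log feedback loop from the thread: a connector whose name
resolution goes to the same DNS server it collects logs from.
Added example, not ArcSight or connector code; every format, IP and name
below is constructed."""
import re
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed log line format (not any vendor's real format):
#   "<source_ip> query <name> -"            request, no resolved address
#   "<source_ip> reply <name> <answer_ip>"  the resolver's answer
LINE_RE = re.compile(r"^(?P<src>\S+) (?P<kind>query|reply) (?P<name>\S+) (?P<ip>\S+)$")


@dataclass(frozen=True)
class DnsEvent:
    src: str
    kind: str
    name: str
    ip: Optional[str]  # None when the line carries no resolved address


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return DnsEvent(m["src"], m["kind"], m["name"], None if m["ip"] == "-" else m["ip"])


def keep_event(ev: DnsEvent, infra_ips: Set[str]) -> bool:
    """Greg's filter: drop events from SIEM infrastructure (#3) and name-only
    events, so only replies that carry an address survive (#2)."""
    return ev.src not in infra_ips and ev.ip is not None


# Constructed answers standing in for the logged DNS server's data.
ZONE: Dict[str, str] = {"www.example.com": "93.184.216.34",
                        "mail.example.org": "198.51.100.25"}


class LoggedResolver:
    """Every lookup is written to the same log the connector reads."""

    def __init__(self, log: Deque[str]) -> None:
        self.log = log
        self.lookups = 0

    def resolve(self, client_ip: str, name: str) -> Optional[str]:
        self.lookups += 1
        answer = ZONE.get(name)
        self.log.append(f"{client_ip} query {name} -")
        self.log.append(f"{client_ip} reply {name} {answer or '-'}")
        return answer


def run_connector(initial_lines: List[str], connector_ip: str, resolve_names: bool,
                  use_filter: bool, infra_ips: Set[str], max_lines: int = 50
                  ) -> Tuple[List[DnsEvent], int, int]:
    """Return (events forwarded to ESM, log lines consumed, lookups performed).
    max_lines bounds the run so an unbroken loop still terminates here."""
    log: Deque[str] = deque(initial_lines)
    resolver = LoggedResolver(log)
    forwarded: List[DnsEvent] = []
    consumed = 0
    while log and consumed < max_lines:
        ev = parse_line(log.popleft())
        consumed += 1
        if ev is None:
            continue
        if use_filter and not keep_event(ev, infra_ips):
            continue
        if resolve_names and ev.ip is None:
            # Assumption: a name-only event triggers a lookup, and that lookup
            # lands in the same log, which is the cycle George describes.
            ev = DnsEvent(ev.src, ev.kind, ev.name, resolver.resolve(connector_ip, ev.name))
        forwarded.append(ev)
    return forwarded, consumed, resolver.lookups


# Constructed sample: two user workstations talking to one logged DNS server.
SAMPLE_LOG = [
    "10.1.2.3 query www.example.com -",
    "10.1.2.3 reply www.example.com 93.184.216.34",
    "10.1.2.4 query mail.example.org -",
]
CONNECTOR_IP = "10.9.9.9"
INFRA_IPS = {CONNECTOR_IP, "10.9.9.10"}  # connector plus an ESM host (constructed)

if __name__ == "__main__":
    for label, resolve, filt in (("resolution on, no filter", True, False),
                                 ("resolution off, no filter", False, False),
                                 ("resolution on, filter applied", True, True)):
        fwd, n, lookups = run_connector(SAMPLE_LOG, CONNECTOR_IP, resolve, filt, INFRA_IPS)
        print(f"{label:30s} forwarded={len(fwd):2d} consumed={n:2d} lookups={lookups:2d}")
```

With the filter applied the connector never resolves anything, because the only events that survive already carry the address from the resolver's reply; that is the "populate it from the event itself" point above, and it holds even if name resolution is left switched on.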