March 17, 2017

How do you identify clients submitting requests for invalid domains using Infoblox Reporting Server

1. Navigate to Administration > Reporting > Grid Reporting Properties > DNS sidetab, then enable and configure the "Monitor queries made to the following domains" section with the domain names to be monitored. Once done, you can later review the "DNS Top Clients Per Domain" report/dashboard to understand the top list of clients querying that domain.

2. Navigate to Data Management > DNS > Grid DNS Properties > Logging sidetab > Advanced section. Here you can capture DNS Queries/Responses/Both for either All Domains or Specified domain names, and can also have that information exported to a remote FTP/SCP location. This captured/exported data would be in standard query/response format and would definitely contain the Client IP information. Some of the complications with this approach are mentioned below.

• Data collection for all DNS Queries/Responses, though not as intensive as logging all queries/responses into syslogs, will increase the load on your DNS appliances. If your DNS servers are currently under low/moderate load, then this should not be a problem at all. Additionally, as mentioned above, you do not have to capture data for all domains but have the option to specify the domains for which data needs to be captured.

• Since the captured data would be in standard query/response format, you would want to make use of bash shell/similar apps or commands to properly filter and sort the required information.

3. Kindly refer to Infoblox Data Collector VMs (DCVMs), which can be used in the latest NIOS versions to capture query/response data from grid members and forward it to the reporting server on the grid. DCVMs are standalone machines that can be deployed and configured on an ESXi server. For installation, configuration, best practices and deployment guidelines, you may want to get in touch with your Infoblox account team. Integration of DCVMs will produce data for predefined reports such as "DNS Domain Query Trend", "DNS Domains Queried by Client" etcetera, which would by default contain the information you are looking for.

4. Data Management > DNS > Grid DNS Properties > Logging sidetab provides you the option to log DNS queries/responses/Both to syslogs. Every Infoblox appliance would store the current + 10 rotated syslogs, each of a max size of 300MB. A support bundle would give you access to all these logs under the location /var/log/. Please note that the complications applicable to method #2 are applicable here as well. If your DNS members are already logging queries/responses into syslogs, NIOS version 8.0 and above provides you the ability to forward syslogs into the reporting server. Syslog data on the reporting server can be accessed using a search of "index=ib_syslog", which would also contain the information you are looking for. The only complication here would be that adding Syslog to the indexing categories would significantly increase the amount of per-day data that is being indexed on the reporting server, and you would want to validate that this does not exceed your reporting license limits.
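One way to do the shell-based filtering and sorting that method #2 calls for on the captured query data, as an added example that is not part of the original post and not Infoblox's own tooling: a small POSIX shell script that counts, per client IP, the queries for a monitored domain and for any name under it, busiest client first. The log lines are a constructed sample in the BIND-style "client <ip>#<port>: query: <name> IN <type>" layout; the exact column layout of a NIOS capture or syslog file may differ, so the field handling in the awk program is an assumption to adjust to your data.

```shell
#!/bin/sh
# Added example, not from the original post or from Infoblox.
# Counts which clients queried a given domain (or any name under it)
# in a captured DNS query log, and lists them busiest-first.

# make_sample_log <file>
# Writes a constructed sample log in a BIND-style query-log layout.
# The real capture format may differ; this is only to exercise the filter.
make_sample_log() {
    cat >"$1" <<'EOF'
17-Mar-2017 10:01:02.123 client 10.1.1.5#51234: query: bad-domain.example IN A + (10.1.1.1)
17-Mar-2017 10:01:03.456 client 10.1.1.7#40001: query: www.corp.example IN A + (10.1.1.1)
17-Mar-2017 10:01:04.789 client 10.1.1.5#51235: query: bad-domain.example IN AAAA + (10.1.1.1)
17-Mar-2017 10:01:05.000 client 10.1.1.9#60000: query: sub.bad-domain.example IN A + (10.1.1.1)
17-Mar-2017 10:01:06.000 client 10.1.1.7#40002: query: bad-domain.example IN A + (10.1.1.1)
EOF
}

# top_clients_for_domain <logfile> <domain>
# Prints "count ip" lines, highest count first, for every query whose
# name is exactly <domain> or ends in ".<domain>" (i.e. a subdomain).
top_clients_for_domain() {
    logfile=$1
    domain=$2
    awk -v d="$domain" '
        $0 ~ / query: / {
            name = ""; c = ""
            # the token after "query:" is the queried name
            for (i = 1; i <= NF; i++) if ($i == "query:") { name = $(i + 1); break }
            # match the domain itself or any name below it
            if (name == d || substr(name, length(name) - length(d)) == "." d) {
                # the token after "client" looks like "10.1.1.5#51234:"; drop the port
                for (i = 1; i <= NF; i++) if ($i == "client") { c = $(i + 1); break }
                sub(/#.*/, "", c)
                if (c != "") count[c]++
            }
        }
        END { for (c in count) print count[c], c }
    ' "$logfile" | sort -rn
}

# Stand-alone run: build the sample, report on the monitored domain, clean up.
SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
top_clients_for_domain "$SAMPLE" "bad-domain.example"
rm -f "$SAMPLE"
```

Point `top_clients_for_domain` at the exported capture file (or the rotated syslogs from a support bundle) with the domain you configured for monitoring; because the subdomain match is anchored on a leading dot, a query for "notbad-domain.example" is not counted against "bad-domain.example".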