The Vision module in the VendorN OneDDI platform gives organizations long-term access to enterprise DNS query history, providing an immediate view of DNS data and its context.
Vision receives DNS query and response logs from DNS servers. It aggregates and stores this data and can optionally send events and aggregated DNS data to an organization's SIEM. An organization can also have its SOAR and other systems query the Vision API to access DNS activity history.
Vision integrates with the following DNS servers:
- Microsoft Windows DNS Server (via the OneDDI Agent)
- Infoblox NIOS
- BlueCat Integrity
- ISC BIND
- Any DNS server that supports dnstap
The Configuration section contains a sub-section documenting the integration options for each of these DNS servers.
The OneDDI Agent provides support for Windows DNS Servers using the Enhanced DNS logging and diagnostics feature available in the Windows DNS Server. This method replaces the legacy DNS query log method and uses the Windows Event Log framework instead of writing to a log file on disk.
The OneDDI Agent is a lightweight agent that is installed on a Windows DNS Server. The Agent uses minimal CPU, memory and disk, and runs as a non-administrative user. It creates an Event Tracing for Windows (ETW) session and registers to receive events from the Windows DNS Server, then streams DNS query and response activity to a OneDDI Sensor in real time over TCP port 8100, so the DNS server must be able to reach the Sensor on that port through any host or network firewall. No configuration changes are needed on the Windows DNS Server; in particular, the legacy DNS query log method, which writes to a file on disk, is not needed.
To integrate with Microsoft Windows DNS use the following steps:
- Install the OneDDI Agent on the Windows DNS Server.
- Add the Windows DNS Server in the OneDDI user interface and specify the `windows-agent` collection method.
Following this, OneDDI Sensors will accept connections from the OneDDI Agent on the DNS server and process DNS activity from it.
Infoblox NIOS provides several methods to integrate with Vision. These are documented in the Infoblox NIOS & Vision Deployment Guide.
NOTE VendorN currently recommends using the Infoblox Data Connector integration. It is available to all Infoblox NIOS customers and has proven to be stable and to perform well.
When configuring Infoblox NIOS DNS servers in the OneDDI user interface, one of the following data collection methods must be specified, depending on which integration has been selected:
- Syslog: `infoblox-syslog`
- Infoblox Data Connector: `infoblox-data-connector`
- DNSTAP: `dnstap`
The BlueCat Integrity platform provides an HTTP hook method to forward DNS query and response activity to an HTTP server running on another host. In this scenario, BlueCat BDDS devices that are processing DNS queries regularly make HTTP requests to a configured host to upload DNS activity formatted as JSON. A OneDDI Sensor listens for these HTTP requests on TCP port 8443.
To integrate with BlueCat Integrity use the following steps:
- Add the BlueCat BDDS DNS server in the OneDDI user interface and specify the `bluecat-http` collection method. If HTTPS is to be used, ensure the “Select to use HTTPS” field is selected when doing this.
- In BlueCat Integrity, select `DNS Activity` in the “SERVICE TYPE” dropdown; the DNS activity forwarding configuration will then be displayed.
- Select `HTTP` in the “OUTPUT TYPE” dropdown.
- Enter `http://<oneddi-sensor-ip-or-fqdn>:8443` as the destination to forward to a OneDDI Sensor using TCP port 8443. If HTTPS was selected for the Sensor, use an `https://` URL instead; the URL scheme must match what the Sensor is listening for.
Following this, OneDDI Sensors will accept connections from the BlueCat BDDS DNS server and process DNS activity from it.
OneDDI Sensors listen on TCP port 8514 for inbound Syslog connections. ISC BIND can be configured to log queries to the local system log, and the system log can then be configured to forward those messages to a Sensor. Syslog forwarded this way is not encrypted, so restrict access to the Sensor's port 8514 to the DNS servers that need it. dnstap is also available on some ISC BIND builds; see the Configuration / dnstap section to use dnstap where it is available.
NOTE ISC BIND does not provide response logging via syslog; therefore detailed history about response codes for queries, record history and certain DNS activity events is not available when using the `bind-syslog` collection method.
To integrate with ISC BIND use the following steps:
- Configure BIND to log queries to the local system log, and configure the system log to forward those messages to a OneDDI Sensor on TCP port 8514.
- Add the ISC BIND DNS server in the OneDDI user interface and specify the `bind-syslog` collection method.
Following this, OneDDI Sensors will accept connections from the ISC BIND DNS server and process DNS activity from it.
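The syslog feed described above carries only the query side of each transaction. The following added example (not code from the OneDDI documentation or from ISC) parses BIND 9 query-log lines as a syslog collector on TCP port 8514 would receive them and aggregates them per client and per query type; the `rcode` field is deliberately left empty because, as the note above says, BIND logs no responses via syslog. The sample lines are constructed for the example, and the host names and addresses in them are placeholders.

```python
# Added example (not code from the OneDDI documentation or from ISC): parse BIND 9
# query-log lines as a syslog collector receives them and aggregate them per client.
# The log lines are constructed for this example; they follow the BIND 9 "queries"
# category format, with and without the "@0x..." client pointer, the "queries: info:"
# category/severity prefix and the optional "view <name>:" tag.
import re
from collections import Counter

# RFC 3164 syslog header followed by the BIND query-log body.
QUERY_LOG = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"(?:queries: \w+: )?client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): (?:view (?P<view>\S+): )?query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)

def parse_query_log(line):
    """Return a dict for a BIND query-log line, or None for any other named message."""
    m = QUERY_LOG.match(line.strip())
    if not m:
        return None
    flags = m["flags"]                      # e.g. "+E(0)K": RD set, EDNS v0, client cookie
    edns = re.search(r"E\((\d+)\)", flags)
    return {
        "time": m["ts"],
        "server": m["host"],
        "client": m["client"],
        "port": int(m["port"]),
        "view": m["view"],
        "qname": m["qname"].rstrip(".").lower(),
        "qclass": m["qclass"],
        "qtype": m["qtype"],
        "rd": flags.startswith("+"),        # "+" recursion desired, "-" not
        "tcp": "T" in flags,
        "dnssec_ok": "D" in flags,
        "edns_version": int(edns.group(1)) if edns else None,
        # BIND logs no responses via syslog, so the answer's RCODE and records are
        # never available from this feed; dnstap carries them.
        "rcode": None,
    }

# Constructed sample: three query-log lines and one unrelated named message.
SAMPLE_LINES = [
    "<30>Mar 10 12:00:01 ns1 named[1234]: client @0x7f2a1c01e2d0 192.0.2.10#54321 "
    "(www.example.com): query: www.example.com IN A +E(0)K (203.0.113.5)",
    "<30>Mar 10 12:00:01 ns1 named[1234]: client @0x7f2a1c01e2d0 192.0.2.10#54322 "
    "(www.example.com): query: www.example.com IN AAAA +E(0)K (203.0.113.5)",
    "<30>Mar 10 12:00:02 ns1 named[1234]: queries: info: client 2001:db8::7#44001 "
    "(mail.example.org): view internal: query: mail.example.org IN MX +TD (2001:db8::1)",
    "<30>Mar 10 12:00:03 ns1 named[1234]: zone example.com/IN: sending notifies (serial 2024031001)",
]

def summarize(lines):
    """Parse a batch of syslog lines; return the records plus per-client and per-qtype counts."""
    records = [r for r in map(parse_query_log, lines) if r]
    return records, Counter(r["client"] for r in records), Counter(r["qtype"] for r in records)

if __name__ == "__main__":
    records, per_client, per_qtype = summarize(SAMPLE_LINES)
    for r in records:
        print(r["time"], r["client"], r["qtype"], r["qname"], "rd" if r["rd"] else "iterative")
    print("queries per client:", dict(per_client))
    print("queries per type:", dict(per_qtype))
```

Lines that are not query-log entries (zone transfers, notifies, errors) are skipped rather than rejected, since a syslog forwarder will normally send every `named` message, not only the queries category.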
Many DNS servers support dnstap. dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format. Query and response activity can be forwarded from DNS servers supporting dnstap.
OneDDI Sensors listen on TCP port 6000 for inbound connections using dnstap. Configuration of dnstap is unique for each DNS server. Refer to the DNS server documentation on how to configure dnstap to forward to a OneDDI Sensor.
The ISC BIND & Vision Deployment Guide contains an example of how to enable dnstap for BIND 9 on CentOS 8.
To integrate with DNS servers supporting dnstap use the following steps:
- Configure the DNS server's dnstap output to forward to a OneDDI Sensor on TCP port 6000, following the DNS server's own documentation.
- Add the DNS server in the OneDDI user interface and specify the `dnstap` collection method.
Following this, OneDDI Sensors will accept connections from the DNS server using dnstap and process DNS activity from it.
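To make concrete what a Sensor receives on TCP port 6000, here is an added example (not code from the OneDDI documentation, ISC or the dnstap project) that builds and then decodes a dnstap session in the Frame Streams framing dnstap uses: the READY/START handshake carrying the `protobuf:dnstap.Dnstap` content type, data frames holding protobuf-encoded `Dnstap` messages, and the closing STOP. Unlike the BIND syslog feed, each CLIENT_RESPONSE frame carries the full DNS response message, so the RCODE can be read from it. The byte stream, the server identity `ns1.example.net` and the client address are constructed for the example; the protobuf field numbers and Frame Streams control codes are taken from dnstap.proto and the fstrm library.

```python
# Added example, not OneDDI, ISC or dnstap-project code: build and decode a dnstap Frame
# Streams session as a collector on TCP port 6000 would see it (sample bytes constructed
# inline). Control codes follow fstrm (ACCEPT=1 START=2 STOP=3 READY=4 FINISH=5, field
# CONTENT_TYPE=1); protobuf field numbers follow dnstap.proto (see comments below).
import ipaddress
import struct

CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
CTRL = {1: "ACCEPT", 2: "START", 3: "STOP", 4: "READY", 5: "FINISH"}
CONTENT_TYPE_FIELD = 1
MSG_TYPE = {5: "CLIENT_QUERY", 6: "CLIENT_RESPONSE"}  # dnstap Message.Type values used here

# Minimal protobuf wire format: varint, length-delimited and fixed-width fields.
def _varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))
def _read_varint(buf, pos):
    val = shift = 0
    while buf[pos] & 0x80:
        val |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return val | (buf[pos] << shift), pos + 1
def pb_field(num, value):  # int/enum -> varint field; bytes/nested message -> length-delimited
    if isinstance(value, int):
        return _varint(num << 3) + _varint(value)
    return _varint(num << 3 | 2) + _varint(len(value)) + value
def pb_parse(buf):  # -> {field_number: [values]}; unknown fields are kept, not dropped
    fields, pos = {}, 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        num, wt = tag >> 3, tag & 7
        if wt == 0:
            val, pos = _read_varint(buf, pos)
        elif wt == 2:
            ln, pos = _read_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wt in (1, 5):  # fixed64 / fixed32 (dnstap's *_time_nsec), little-endian
            size = 8 if wt == 1 else 4
            val, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        else:
            raise ValueError(f"unsupported wire type {wt}")
        fields.setdefault(num, []).append(val)
    return fields

# Frame Streams framing: big-endian lengths; a zero length escapes a control frame.
def control_frame(ctype, content_type=None):
    body = struct.pack(">I", ctype)
    if content_type is not None:
        body += struct.pack(">II", CONTENT_TYPE_FIELD, len(content_type)) + content_type
    return struct.pack(">II", 0, len(body)) + body
def data_frame(payload):
    return struct.pack(">I", len(payload)) + payload
def iter_frames(stream):
    """Yield ("control", name, {field: bytes}) or ("data", payload) in stream order."""
    pos = 0
    while pos + 4 <= len(stream):
        ln, pos = struct.unpack(">I", stream[pos:pos + 4])[0], pos + 4
        if ln:
            yield "data", stream[pos:pos + ln]
            pos += ln
        else:
            cln = struct.unpack(">I", stream[pos:pos + 4])[0]
            body, pos = stream[pos + 4:pos + 4 + cln], pos + 4 + cln
            fields, p = {}, 4
            while p < len(body):
                ftype, flen = struct.unpack(">II", body[p:p + 8])
                fields[ftype], p = body[p + 8:p + 8 + flen], p + 8 + flen
            yield "control", CTRL.get(struct.unpack(">I", body[:4])[0]), fields

def dns_rcode(wire):
    return struct.unpack(">H", wire[2:4])[0] & 0x0F  # low 4 bits of the DNS header flags word

def build_dnstap(msg_type, client, port, query, response=None):
    # Message: type=1, socket_family=2 (INET), socket_protocol=3 (UDP), query_address=4,
    # query_port=6, query_message=10, response_message=14; Dnstap: identity=1, type=15, message=14
    msg = (pb_field(1, msg_type) + pb_field(2, 1) + pb_field(3, 1)
           + pb_field(4, ipaddress.ip_address(client).packed) + pb_field(6, port)
           + pb_field(10, query) + (pb_field(14, response) if response else b""))
    return pb_field(1, b"ns1.example.net") + pb_field(15, 1) + pb_field(14, msg)

def sample_session():
    # Sender side only: READY, START, data, STOP (the collector's ACCEPT/FINISH go the other way).
    question = b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"          # www.example.com IN A
    q = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question   # RD set
    nx = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + question  # QR RD RA, RCODE 3
    return (control_frame(4, CONTENT_TYPE) + control_frame(2, CONTENT_TYPE)
            + data_frame(build_dnstap(5, "192.0.2.10", 54321, q))
            + data_frame(build_dnstap(6, "192.0.2.10", 54321, q, nx))
            + control_frame(3))

def decode_session(stream):
    records = []
    for kind, *rest in iter_frames(stream):
        if kind == "control":  # refuse a session that announces a different content type
            if rest[0] in ("READY", "START") and rest[1].get(CONTENT_TYPE_FIELD) != CONTENT_TYPE:
                raise ValueError(f"{rest[0]} with unexpected content type {rest[1]!r}")
            continue
        msg = pb_parse(pb_parse(rest[0])[14][0])
        records.append({"type": MSG_TYPE.get(msg[1][0], msg[1][0]), "port": msg[6][0],
                        "client": str(ipaddress.ip_address(msg[4][0])),
                        "rcode": dns_rcode(msg[14][0]) if 14 in msg else None})
    return records
```

A real collector reads the same frames from a socket and answers READY with ACCEPT and STOP with FINISH; `decode_session` shows the one check a receiver should make before trusting a sender, namely that the announced content type is `protobuf:dnstap.Dnstap`.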