Contents

DNS Servers & Vision Deployment Guide

  1. Introduction
  2. Configuration
    1. Microsoft Windows DNS
    2. Infoblox NIOS
    3. BlueCat Integrity
    4. ISC BIND
    5. Efficient IP
    6. dnstap

Introduction

The Vision module in the VendorN OneDDI platform provides organizations with long-term access to enterprise DNS query history, providing an instant and unparalleled view of DNS data and context.

Vision receives DNS query and response logs from DNS servers. It aggregates and stores this data while also optionally sending events and aggregated DNS data to an organization's SIEM. An organization can also use its SOAR and other systems to query the Vision API to access DNS activity history data.

Vision integrates with the following DNS servers:

  • Microsoft Windows DNS
  • Infoblox NIOS
  • BlueCat Integrity
  • ISC BIND
  • Efficient IP
  • dnstap - Other DNS servers

The Configuration section contains a sub-section documenting the integration options for each of these DNS servers.

Configuration

Microsoft Windows DNS

The OneDDI Agent provides support for Windows DNS Servers using the Enhanced DNS logging and diagnostics feature available in the Windows DNS Server. This method replaces the legacy DNS query log method and uses the Windows Event Log framework instead of writing to a log file on disk.

The OneDDI Agent is a light-weight agent which is installed on a Windows DNS Server. The Agent uses minimal CPU, memory and disk, and runs as a non-administrative user. The Agent creates an Event Tracing for Windows session and registers to receive events from the Windows DNS Server. It then streams DNS query and response activity to a OneDDI Sensor in real time using TCP port 8100. No configuration changes are needed on the Windows DNS Server; in particular, the legacy DNS query log method which writes to a file on disk is not needed.

To integrate with Microsoft Windows DNS use the following steps:

  1. Create a DNS server in the OneDDI user interface and specify the windows-agent collection method.
  2. Install the OneDDI Agent as per the OneDDI Installation Guide which also contains the steps required to configure the Agent to forward events to a OneDDI Sensor.

Following this, OneDDI Sensors will then accept connections from the OneDDI Agent on the DNS server and process DNS activity from them.

Infoblox NIOS

Infoblox NIOS provides several methods to integrate with Vision. These are documented in the Infoblox NIOS & Vision Deployment Guide.

NOTE VendorN currently recommends using the Infoblox Data Connector integration. This is available to all Infoblox NIOS customers and has proven to be stable and to perform well.

When configuring Infoblox NIOS DNS servers in the OneDDI user interface one of the following data collection methods must be specified depending on which integration has been selected:

  • infoblox-syslog - Syslog
  • infoblox-data-connector - Infoblox Data Connector
  • dnstap - DNSTAP

BlueCat Integrity

The BlueCat Integrity platform provides an HTTP hook method to forward DNS query and response activity to an HTTP server running on another host. In this scenario BlueCat BDDS devices which are processing DNS queries will frequently perform HTTP requests to a configured host to upload DNS activity formatted in JSON. A OneDDI Sensor listens for these HTTP requests on TCP port 8443.

To integrate with BlueCat Integrity use the following steps:

  1. Create a DNS server in the OneDDI user interface and specify the bluecat-http collection method - if HTTPS is to be used ensure the “Select to use HTTPS” field is selected when doing this.
  2. In the BlueCat Integrity user interface, navigate to the Servers page.
  3. Click through to the DNS server which is to be configured.
  4. Click the dropdown menu on the server's name and select “Service Configuration”.
  5. In the Server Service Configuration page select DNS Activity in the “SERVICE TYPE” dropdown and the DNS activity forwarding configuration will be displayed.
  6. In the DNS activity forwarding configuration make the following changes:
    1. Check the “Enable DNS Activity Logging” box.
    2. Select HTTP in the “OUTPUT TYPE” dropdown.
    3. Set the “OUTPUT URI” to http://<oneddi-sensor-ip-or-fqdn>:8443 to forward to a OneDDI Sensor using TCP port 8443.
    4. Leave the “BEARER TOKEN” field empty.
    5. If HTTPS is to be used:
      1. Check the “TLS Options” checkbox.
      2. Review and configure the other options as required.
    6. Click the “Update” button to save the changes.

Following this, OneDDI Sensors will then accept connections from the BlueCat BDDS DNS server and process DNS activity from it.

ISC BIND

OneDDI Sensors listen on TCP port 8514 for inbound connections carrying Syslog data. ISC BIND can be configured to log to the local system log, and the system log can then be configured to forward messages. dnstap is available on some ISC BIND DNS servers; see the Configuration / dnstap section to use dnstap if it is available.

NOTE ISC BIND does not provide response logging via syslog, therefore detailed history about response codes for queries, record history and certain DNS activity events are not available when using the bind-syslog collection method.

To integrate with ISC BIND use the following steps:

  1. Create a DNS server in the OneDDI user interface and specify the bind-syslog collection method.
  2. Configure BIND to log DNS queries to the local system log.
  3. Configure the local system log framework to forward DNS queries to a OneDDI Sensor using TCP port 8514.

Following this, OneDDI Sensors will then accept connections from the ISC BIND DNS server and process DNS activity from it.
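As an added example (not part of this guide), the following shows steps 2 and 3 for BIND 9 with rsyslog as the local system log: a named.conf logging clause that sends the queries category to the local6 syslog facility, and an rsyslog rule that forwards that facility to a Sensor over TCP port 8514. The Sensor hostname oneddi-sensor.example.net is a placeholder.

```conf
# --- /etc/named.conf (BIND 9): route query logging to the local syslog ---
# Assigning the "queries" category to a channel turns query logging on at
# startup, so no separate "querylog yes;" option is required.
logging {
    channel oneddi_syslog {
        syslog local6;      # dedicated facility so the forward rule can match it alone
        severity info;
        print-time no;      # syslog adds its own timestamp
        print-category no;
        print-severity no;
    };
    category queries { oneddi_syslog; };
};

# --- /etc/rsyslog.d/oneddi.conf (rsyslog): forward local6 to the Sensor over TCP ---
# oneddi-sensor.example.net is a placeholder; use the Sensor IP or FQDN.
# protocol="tcp" is required: Sensors listen on TCP only, not UDP.
# resumeRetryCount="-1" retries forever if the Sensor is unreachable, and the
# in-memory queue buffers query lines meanwhile instead of dropping them.
if $syslogfacility-text == "local6" then {
    action(type="omfwd"
           target="oneddi-sensor.example.net"
           port="8514"
           protocol="tcp"
           action.resumeRetryCount="-1"
           queue.type="linkedList"
           queue.size="10000")
    stop    # do not also write query lines into the local log files
}

# Legacy-syntax equivalent of the rule above:
#   local6.*  @@oneddi-sensor.example.net:8514
# A double "@@" selects TCP; a single "@" would send UDP, which the Sensor does not accept.
```

Check both files with `named-checkconf` and `rsyslogd -N1` before restarting the services.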

Efficient IP

Efficient IP provides different options for capturing DNS logs depending on which product features are being used. For non-Guardian DNS servers dnstap should be used; in this case refer to the Configuration / dnstap section. The remainder of this section covers Guardian DNS servers.

OneDDI Sensors listen on TCP port 8514 for inbound connections carrying Syslog data. Guardian can be configured to forward DNS query and response logs over Syslog.

NOTE By default, Efficient IP uses UDP to forward Syslog messages. OneDDI Sensors currently listen on TCP only. Therefore Efficient IP must be configured to use TCP and not UDP when sending messages to a OneDDI Sensor.

To integrate with Efficient IP Guardian use the following steps:

  1. Create a DNS server in the OneDDI user interface and specify the efficient-ip-syslog collection method.
  2. Configure Guardian to log DNS queries to a OneDDI Sensor using TCP port 8514.

Following this, OneDDI Sensors will then accept connections from the Guardian DNS server and process DNS activity from it.

dnstap

Many DNS servers support dnstap. dnstap is a flexible, structured binary log format for DNS software. It uses Protocol Buffers to encode events that occur inside DNS software in an implementation-neutral format. Query and response activity can be forwarded from DNS servers supporting dnstap.

OneDDI Sensors listen on TCP port 6000 for inbound connections using dnstap. Configuration of dnstap is unique for each DNS server. Refer to the DNS server documentation on how to configure dnstap to forward to a OneDDI Sensor.

The ISC BIND & Vision Deployment Guide contains an example of how to enable dnstap for BIND 9 on CentOS 8.

To integrate with DNS servers supporting dnstap use the following steps:

  1. Create a DNS server in the OneDDI user interface and specify the dnstap collection method.
  2. Configure the DNS server to forward dnstap messages to a OneDDI Sensor using TCP port 6000.

Following this, OneDDI Sensors will then accept connections from the DNS server using dnstap and process DNS activity from it.