DNS explorer

Use this report to analyze DNS activity.

Use case: investigating a denial of service attack

DNS explorer can help you identify tunneling and hijacking when investigating a denial of service attack.

For example:

  • In the Errors vs Requests chart, find an unusual level of errors. Filter on that time slice.
  • In the DNS activity table, find an interesting query or server (most errors, for example) and click it to filter this report on just that server/query.
  • Look for queries with performance problems.
  • Look for an imbalance in bandwidth usage as a possible sign of a security issue such as a denial of service attack.
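
The same triage steps applied to raw DNS transaction records outside the product, as an added example (not NAM code). The record layout, the 0.3 error-ratio threshold, and the 10x response-to-request byte ratio are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed records: (epoch_second, server, query, rcode, request_bytes, response_bytes)
# "TIMEOUT" marks a request that received no response.
RECORDS = [
    (5,   "10.0.0.53", "www.example.com", "NOERROR",  40, 120),
    (20,  "10.0.0.53", "www.example.com", "NOERROR",  40, 120),
    (41,  "10.0.0.54", "api.example.com", "NOERROR",  40, 110),
    (58,  "10.0.0.53", "www.example.com", "NOERROR",  40, 120),
    (61,  "10.0.0.54", "api.example.com", "SERVFAIL", 40, 40),
    (70,  "10.0.0.54", "api.example.com", "SERVFAIL", 40, 40),
    (75,  "10.0.0.53", "www.example.com", "TIMEOUT",  40, 0),
    (88,  "10.0.0.54", "api.example.com", "SERVFAIL", 40, 40),
    (95,  "10.0.0.53", "example.com",     "NOERROR",  40, 3000),
    (110, "10.0.0.53", "example.com",     "NOERROR",  40, 3200),
]

def slice_stats(records, slice_seconds=60):
    """Return {slice_start: (errors, requests)}: the data behind an errors-vs-requests chart."""
    stats = defaultdict(lambda: [0, 0])
    for ts, _server, _query, rcode, _req, _resp in records:
        start = ts - ts % slice_seconds
        stats[start][0] += rcode != "NOERROR"   # anything but NOERROR counts as an error
        stats[start][1] += 1
    return {s: tuple(v) for s, v in sorted(stats.items())}

def unusual_slices(records, max_error_ratio=0.3, slice_seconds=60):
    """Time slices whose error ratio exceeds the (assumed) threshold."""
    return [s for s, (err, req) in slice_stats(records, slice_seconds).items()
            if err / req > max_error_ratio]

def top_by_errors(records, slice_start, field, slice_seconds=60):
    """Rank servers (field=1) or queries (field=2) by error count inside one slice."""
    in_slice = (r for r in records if slice_start <= r[0] < slice_start + slice_seconds)
    return Counter(r[field] for r in in_slice if r[3] != "NOERROR").most_common()

def bandwidth_imbalance(records, min_ratio=10.0):
    """Queries whose total response bytes dwarf their request bytes."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, _server, query, _rcode, req, resp in records:
        totals[query][0] += req
        totals[query][1] += resp
    return {q: resp / req for q, (req, resp) in totals.items()
            if req and resp / req >= min_ratio}

if __name__ == "__main__":
    for start in unusual_slices(RECORDS):
        print("slice", start, "servers:", top_by_errors(RECORDS, start, 1))
        print("slice", start, "queries:", top_by_errors(RECORDS, start, 2))
    print("imbalanced queries:", bandwidth_imbalance(RECORDS))
```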

Access options

The DNS explorer isn't listed on the regular NAM Server Reports menu because it is most useful as a drilldown from other reports.

  • In the NAM Server search box, type "run dns explorer" and press Enter to open it out of context.
  • Drill down to this explorer in context from other reports. The Traffic discovery report is a typical starting point for a DNS explorer drilldown.

Overview tab

This tab offers a broad overview of DNS activity.

Charts

Locate an interesting time on any of the charts and then click the chart to zoom in on that time.

Latest errors

A chart of errors over time (broken down by timeouts, name, format, server failure, not implemented, refused, and other), with a baseline of requests.

Latest timeouts

A chart of timeouts over time, with a baseline of requests.

Latest responses messages

A chart of response messages over time, with a baseline of requests.

Latest unique users

A chart of unique users over time, with a baseline of requests.

DNS activity

Use the DNS activity table (per query or per server) to find a query or server from which to drill down.

  • per query: query, users, errors, total bandwidth usage with breakdown, and requests breakdown. Drill down from the Query column to examine the selected query in the Operation explorer.
  • per server: server name, server site, users, total bandwidth usage with breakdown, and requests breakdown. Drill down from the Server IP column to examine the selected server in the Operation explorer or Network explorer.

Click any query or server in the table to focus the report on the selected query or server.

Top queries by errors tab

This tab charts the top queries by error count, with a breakdown by:

  • timeouts
  • name
  • format
  • server failure
  • not implemented
  • refused
  • other

Using this tab:

  • To see details about a query, click its bar in the chart to display a pop-up window.

  • To focus the entire report on one query, click its bar in the chart and select Focus on this query. An operation filter will be added to the top of the report. This filter is persistent with the other tabs in this report unless you remove it.

  • In the DNS queries table under the chart, you can drill down from the Query column to the Network explorer or Operation explorer.

Top queries by bandwidth tab

This tab charts the top queries by bandwidth, with a breakdown by requests and responses.

The DNS queries table that follows lists queries with error statistics by:

  • query
  • server IP
  • server site
  • users
  • total bandwidth usage with breakdown
  • requests breakdown

Using this tab:

  • To see details about a query, click its bar in the chart to display a pop-up window.
  • To focus the entire report on one query, click its bar in the chart and select Focus on this query. An operation filter will be added to the top of the report. This filter is persistent with the other tabs in this report unless you remove it.
  • In the DNS queries table under the chart, you can drill down from the Query column to the Network explorer.