Fingerprint or solution for detecting external DNS activity

Peter_Majercak — Fri, 09 Apr 2021 04:07:23 GMT

Hi team,

i am trying to find the best solution how to detect a clients, who are using external DNS in the network.

3rd party switches and mirror to PV FC 180, then Extreme Analytics. My DNS servers are in subnet 10.25.0.0/16 and i need to know both - Clients who are using my and Client who are using Extrenal, then create Alarm….

What type of fingeprint do you recommend me?

Many thanks!

Regards,

peter

Re: Fingerprint or solution for detecting external DNS activity

StephanH — Fri, 09 Apr 2021 14:51:50 GMT

Hello Peter,

the easiest way is the following:
Find a flow to the internal DNS server in the "Application Flows" tab, right-click on the flow and select "Add Fingerprint".

Now you have an entry consisting of port and IP. Give it a name. It is important that the "Confidence" is higher than the existing fingerprints for DNS (so your fingerprint is more specific). You can check this in the tab "Fingerprints".

=> Requests to the internal DNS will be recognized with your new fingerprint.
=> All other DNS requests with the default fingerprint.

topic Re: Fingerprint or solution for detecting external DNS activity in ExtremeCloud IQ- Site Engine Management Center

Fingerprint or solution for detecting external DNS activity

Re: Fingerprint or solution for detecting external DNS activity