04-08-2021 09:07 PM
Hi team,
I am trying to find the best solution for how to detect clients who are using external DNS in the network.
3rd party switches and mirror to PV FC 180, then Extreme Analytics. My DNS servers are in subnet 10.25.0.0/16 and I need to know both - clients who are using my DNS and clients who are using external DNS, then create an alarm…
What type of fingerprint do you recommend?
Many thanks!
Regards,
--
peter
04-09-2021 07:51 AM
Hello Peter,
the easiest way is the following:
Find a flow to the internal DNS server in the "Application Flows" tab, right-click on the flow and select "Add Fingerprint".
Now you have an entry consisting of port and IP. Give it a name. It is important that the "Confidence" is higher than the existing fingerprints for DNS (so your fingerprint is more specific). You can check this in the tab "Fingerprints".
=> Requests to the internal DNS will be recognized with your new fingerprint.
=> All other DNS requests with the default fingerprint.
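
The precedence rule described in the reply above, as an added example that is not part of the original posts and is not Extreme Analytics code or its fingerprint format: a small Python model in which the more specific, higher-confidence fingerprint wins and anything left on the default DNS fingerprint becomes an alarm candidate. The fingerprint names, confidence values and flow records are constructed assumptions; only the 10.25.0.0/16 resolver subnet comes from the question.

```python
import ipaddress
from collections import defaultdict

INTERNAL_DNS = ipaddress.ip_network("10.25.0.0/16")  # resolver subnet from the question

# Hypothetical fingerprint model: (name, confidence, match predicate).
# Confidence values are constructed; only their ordering matters.
FINGERPRINTS = [
    ("DNS", 50, lambda f: f["dport"] == 53),
    ("DNS-Internal", 90,
     lambda f: f["dport"] == 53 and ipaddress.ip_address(f["dst"]) in INTERNAL_DNS),
]

def classify(flow):
    """Return the name of the highest-confidence matching fingerprint, or None."""
    hits = [(conf, name) for name, conf, match in FINGERPRINTS if match(flow)]
    return max(hits)[1] if hits else None

def clients_by_dns_use(flows):
    """Map fingerprint name -> {client: set of resolvers contacted}."""
    result = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        name = classify(flow)
        if name is not None:
            result[name][flow["src"]].add(flow["dst"])
    return result

def external_dns_alarms(flows):
    """Clients whose DNS flows fell through to the default fingerprint."""
    ext = clients_by_dns_use(flows).get("DNS", {})
    return {client: sorted(dsts) for client, dsts in ext.items()}

# Constructed sample flows (client -> server), not captured data.
SAMPLE_FLOWS = [
    {"src": "10.30.1.15", "dst": "10.25.0.10", "dport": 53},
    {"src": "10.30.1.16", "dst": "8.8.8.8", "dport": 53},
    {"src": "10.30.1.15", "dst": "1.1.1.1", "dport": 53},
    {"src": "10.30.1.17", "dst": "10.25.3.4", "dport": 53},
    {"src": "10.30.1.17", "dst": "93.184.216.34", "dport": 443},
]

if __name__ == "__main__":
    for client, resolvers in sorted(external_dns_alarms(SAMPLE_FLOWS).items()):
        print(f"ALARM {client} uses external DNS: {', '.join(resolvers)}")
```

Matching on port 53 only sees plain DNS; DNS over TLS (port 853) or DNS over HTTPS (port 443) would not hit either fingerprint in this model.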