Fingerprint or solution for detecting external DNS activity

Peter_Majercak
New Contributor II

Hi team,

I am trying to find the best solution for detecting clients that are using external DNS in the network.

3rd party switches and mirror to PV FC 180, then Extreme Analytics. My DNS servers are in subnet 10.25.0.0/16 and I need to know both: clients who are using mine and clients who are using external ones, then create an alarm…

What type of fingerprint do you recommend?

Many thanks!

Regards,

--

peter

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hello Peter,

The easiest way is the following:
Find a flow to the internal DNS server in the "Application Flows" tab, right-click on the flow and select "Add Fingerprint".

Now you have an entry consisting of port and IP. Give it a name. It is important that the "Confidence" is higher than the existing fingerprints for DNS (so your fingerprint is more specific). You can check this in the tab "Fingerprints".

=> Requests to the internal DNS will be recognized with your new fingerprint.
=> All other DNS requests with the default fingerprint.

Regards Stephan
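
The precedence described in the accepted answer, sketched as an added Python example (not part of the original posts and not Extreme Analytics code): a higher-confidence fingerprint for the 10.25.0.0/16 DNS servers wins over the default DNS fingerprint, and whatever falls through to the default is reported as external DNS use. The fingerprint names, confidence values, flow fields and the exclusion of the resolvers' own upstream queries are assumptions; the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL_DNS_NET = ipaddress.ip_network("10.25.0.0/16")  # subnet from the question

def _is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_DNS_NET

# Hypothetical fingerprint table: (name, confidence, match function).
# Confidence values are constructed; only their ordering matters.
FINGERPRINTS = [
    ("DNS", 50, lambda f: f["dport"] == 53),
    ("DNS-Internal", 60, lambda f: f["dport"] == 53 and _is_internal(f["dst"])),
]

def classify(flow):
    """Return the matching fingerprint with the highest confidence, or None."""
    hits = [(conf, name) for name, conf, match in FINGERPRINTS if match(flow)]
    return max(hits)[1] if hits else None

def dns_usage(flows):
    """Per fingerprint, map each client to the set of DNS servers it queried."""
    usage = {"DNS-Internal": defaultdict(set), "DNS": defaultdict(set)}
    for f in flows:
        label = classify(f)
        if label:
            usage[label][f["src"]].add(f["dst"])
    return usage

def external_dns_alarms(flows):
    """Clients with at least one flow that fell through to the default fingerprint.
    Assumption: the internal resolvers forward upstream themselves, so sources
    inside INTERNAL_DNS_NET are not reported."""
    ext = dns_usage(flows)["DNS"]
    return {c: sorted(s) for c, s in ext.items() if not _is_internal(c)}

# Constructed sample flows (private and documentation addresses), not real captures.
SAMPLE_FLOWS = [
    {"src": "10.30.1.15", "dst": "10.25.0.10", "dport": 53},
    {"src": "10.30.1.16", "dst": "192.0.2.53", "dport": 53},
    {"src": "10.30.1.16", "dst": "10.25.0.10", "dport": 53},
    {"src": "10.30.1.17", "dst": "198.51.100.8", "dport": 443},
    {"src": "10.25.0.10", "dst": "192.0.2.1", "dport": 53},
]

if __name__ == "__main__":
    for client, servers in external_dns_alarms(SAMPLE_FLOWS).items():
        print(f"ALARM external DNS: {client} -> {', '.join(servers)}")
```

Matching on port 53 alone does not see DNS over HTTPS or DNS over TLS, so those resolvers need separate handling.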
