Let me start by saying, I hope that everyone had a great Thanksgiving. At our house, we fried two turkeys this year. It was the first time that we attempted this, and after reading all the warnings that came with the new fryer, I guess the fact that no one got hurt means that the holiday was a success.
As a Network Administrator, I’m sure that you spend some of your time trying to identify hosts on your networks that may be infected with some kind of mailer worm. Mailer worms have to do DNS lookups for a mail server for a particular domain when sending out spam.
The DNS Violation algorithm looks for a large number of DNS lookups coming from a single host. Any host that sends out large numbers of DNS queries in a short period of time should be investigated.
The threshold is simple and is set in the Flow Analytics Overview gadget under “inbound threshold”. This number is the count of DNS lookups a single host performs within a 5 minute period.
Of course, there are exceptions. Even Scrutinizer itself does large numbers of lookups to build a large DNS cache of the IP addresses it sees. In this case, you want to exclude the Scrutinizer server’s IP from this algorithm to avoid false positives.
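As an added illustration (not Scrutinizer's code) of the logic described above, the snippet below counts DNS lookups per source host over a sliding 5 minute window, flags hosts whose peak count passes a threshold, and skips an excluded address standing in for the Scrutinizer server. The flow records, IP addresses and threshold value are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2009, 11, 30, 9, 0, 0)  # constructed starting timestamp


def _mk(src, n, step_s, port=53):
    """Build n constructed flow records from src, one every step_s seconds."""
    return [(BASE + timedelta(seconds=i * step_s), src, port, "udp") for i in range(n)]


# Constructed flow records: (timestamp, source IP, destination port, protocol)
FLOWS = (
    _mk("10.0.0.5", 12, 15)          # 12 lookups in under 3 minutes: suspicious
    + _mk("10.0.0.2", 40, 5)         # stand-in for the Scrutinizer server filling its DNS cache
    + _mk("10.0.0.9", 3, 60)         # ordinary workstation
    + _mk("10.0.0.7", 12, 60)        # 12 lookups spread over 11 minutes: never 10 in 5 minutes
    + _mk("10.0.0.5", 2, 10, port=80)  # web traffic from the suspicious host, not DNS
)


def dns_violations(flows, threshold, window=timedelta(minutes=5), exclude=frozenset()):
    """Return {host: peak_lookups} for hosts exceeding threshold DNS lookups in any window."""
    per_host = defaultdict(list)
    for ts, src, dport, proto in flows:
        # Only DNS traffic counts, and excluded hosts (e.g. the collector itself) are skipped
        if dport == 53 and proto in ("udp", "tcp") and src not in exclude:
            per_host[src].append(ts)

    violations = {}
    for host, stamps in per_host.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window: advance start until the window fits
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            violations[host] = peak
    return violations


if __name__ == "__main__":
    print(dns_violations(FLOWS, threshold=10, exclude={"10.0.0.2"}))  # {'10.0.0.5': 12}
```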
All of these models are intended to help our customers with improved network traffic analysis and network traffic monitoring. I will be blogging about more of the new features and reports available in Scrutinizer v7.3 in the upcoming days, so be sure to check in.
-Scott

Tags: DNS Lookup, DNS Violation, Network Traffic Analysis