
Finding Unknown DNS Servers

I am looking for unknown DNS servers. I'm attempting to use NetFlow to identify DNS traffic on Router1 and wanted to use an endpoint filter for the ones I know about, and noticed that there is an IP Address Group filter, but it only offers RFC1918 groups. Is it possible to define a KITTIES group with 10.110.192.0/18 and a PUPPIES group that is 10.80.0.0/16 that would show up in the IP Address Group section for selection?

Or if you know of another way to find unknown DNS servers it would be appreciated.

  • The out-of-the-box groups are just there as a placeholder or to give you a sense of what you can set up for yourself. You are very much encouraged to create your own groups. You would have to define them as a range rather than CIDR address blocks. To your specific question about DNS, I could see building up a group with all approved DNS and then filtering for any traffic on port 53 that isn't sourced or destined for that group. SolarWinds LEM has a built-in rule for this, so I've never tried to do the same thing within NTA, but I am sure it can be done with some poking around.

    The basic documentation on setting up IP Address groups is here

    SolarWinds NTA settings
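A sketch of the filter described in the reply above, as an added example that is not code from the thread or from SolarWinds: it converts the two CIDR blocks from the question into the start/end ranges an NTA IP Address Group is defined with, then flags port-53 flows whose endpoints fall in neither group. The group names, the resolver addresses and the flow records are all constructed for illustration.

```python
import ipaddress

# Hypothetical approved-resolver groups, as CIDR (the KITTIES/PUPPIES blocks from the question).
APPROVED_DNS_CIDRS = {
    "KITTIES": "10.110.192.0/18",
    "PUPPIES": "10.80.0.0/16",
}

def cidr_to_range(cidr):
    """NTA IP Address Groups are entered as a start/end range rather than a CIDR
    block, so return the first and last address of the block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net[0]), str(net[-1])

def build_group_ranges(groups):
    """Map each group name to its (start, end) range."""
    return {name: cidr_to_range(cidr) for name, cidr in groups.items()}

def is_approved(ip, ranges):
    """True if ip falls inside any of the approved groups' ranges."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges.values())

# Constructed flow records standing in for NetFlow exports from Router1:
# (src_ip, src_port, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.20.5.17", 51234, "10.110.200.53", 53),  # query to a KITTIES resolver
    ("10.20.5.17", 51235, "10.80.1.53", 53),     # query to a PUPPIES resolver
    ("10.20.5.18", 40000, "192.168.77.9", 53),   # query to an unknown internal host
    ("192.168.77.9", 53, "10.20.5.18", 40000),   # its reply flow, sourced from port 53
    ("10.20.5.19", 40001, "8.8.8.8", 53),        # query to an unknown external resolver
    ("10.20.5.20", 40002, "10.40.3.3", 443),     # not DNS, ignored
]

def find_unknown_dns_servers(flows, ranges):
    """Return the port-53 endpoints of flows that touch none of the approved groups.
    Both directions are checked, so a reply flow sourced from port 53 is caught too."""
    unknown = set()
    for src_ip, src_port, dst_ip, dst_port in flows:
        if 53 not in (src_port, dst_port):
            continue
        if is_approved(src_ip, ranges) or is_approved(dst_ip, ranges):
            continue
        unknown.add(dst_ip if dst_port == 53 else src_ip)
    return sorted(unknown)

if __name__ == "__main__":
    ranges = build_group_ranges(APPROVED_DNS_CIDRS)
    print("unknown DNS servers:", find_unknown_dns_servers(SAMPLE_FLOWS, ranges))
```

The same start/end pairs are what you would type into the NTA group definition; the flow loop is the equivalent of the "port 53 and not in group" endpoint filter.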

  • Yes thank you. I was able to find the IP group settings shortly after I sent this message. I do have LEM, but have yet to utilize it. Any help with it? That may be worth looking into. Thanks for the suggestion.

  • To take advantage of the LEM rule you need to populate a user-defined list of the allowed DNS servers, and you have to be getting the logs from your firewalls. Once you have those in place you just enable the built-in DNS rule (can't recall the exact name off the top of my head unfortunately).
