OMS DNS Analytics is available in Public Preview. Use DNS Analytics to get security-, performance- and operations-related insights into your DNS infrastructure.
By using Microsoft threat intelligence feeds, DNS Analytics can detect client IPs that are trying to access malicious domains. In many cases, malware-infected devices "dial out" to the "command and control" center of a malicious domain by resolving the malware domain name. In the following example, DNS Analytics detected communication with an IRCbot.
The solution enables you to identify the client IP that initiated this communication, the domain name resolving to the malicious IP, the IP addresses the domain name resolves to, the malicious IP address, the severity of the issue, the reason for blacklisting the malicious IP, and the detection time.
Note: Live IP addresses were removed from this screenshot for privacy purposes.
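As an added example (not the solution's own code), the following Python script shows the detection logic described above: DNS lookup events are matched against a threat-intelligence list of domains and IP addresses, and each match is reported with the same fields the solution surfaces (client IP, queried name, resolved IPs, malicious IP, severity, reason and detection time). The event layout, the feed format and all names and addresses are constructed for illustration; a listed parent domain also matches its subdomains, which is how a feed entry for the "command and control" domain catches a lookup of a host beneath it.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LookupEvent:
    """One DNS lookup event as a DNS server's analytic log might record it (constructed layout)."""
    time: datetime
    client_ip: str
    name: str                  # domain name the client asked to resolve
    answers: Tuple[str, ...]   # IP addresses the name resolved to


@dataclass(frozen=True)
class Indicator:
    """One entry of a threat-intelligence feed (constructed layout)."""
    value: str        # a domain name or an IP address
    threat_type: str  # e.g. "IRCbot"
    severity: str     # "High", "Medium" or "Low"
    reason: str       # why the indicator is on the list


def normalize_name(name: str) -> str:
    """Lower-case and strip the trailing dot so 'C2.Evil.example.' equals 'c2.evil.example'."""
    return name.rstrip(".").lower()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class ThreatFeed:
    """Indexes indicators by domain and by IP for constant-time lookups."""

    def __init__(self, indicators: Iterable[Indicator]) -> None:
        self.ips: Dict[str, Indicator] = {}
        self.domains: Dict[str, Indicator] = {}
        for ind in indicators:
            if is_ip(ind.value):
                self.ips[ind.value] = ind
            else:
                self.domains[normalize_name(ind.value)] = ind

    def match_domain(self, name: str) -> Optional[Indicator]:
        """Match the name itself or any parent domain, so a listed
        'evil-irc.example' also catches 'c2.evil-irc.example'."""
        labels = normalize_name(name).split(".")
        for i in range(len(labels)):
            hit = self.domains.get(".".join(labels[i:]))
            if hit is not None:
                return hit
        return None

    def match_ip(self, ip: str) -> Optional[Indicator]:
        return self.ips.get(ip)


def detect_malicious_lookups(events: Iterable[LookupEvent], feed: ThreatFeed) -> List[dict]:
    """Return one finding per event whose queried name or a resolved IP is on the feed."""
    findings = []
    for ev in events:
        bad_ips = [ip for ip in ev.answers if feed.match_ip(ip) is not None]
        indicator = feed.match_domain(ev.name)
        if indicator is None and bad_ips:
            indicator = feed.match_ip(bad_ips[0])
        if indicator is None:
            continue  # benign lookup
        findings.append({
            "client_ip": ev.client_ip,
            "name": normalize_name(ev.name),
            "resolved_ips": list(ev.answers),
            "malicious_ip": bad_ips[0] if bad_ips else None,
            "threat_type": indicator.threat_type,
            "severity": indicator.severity,
            "reason": indicator.reason,
            "detected_at": ev.time.isoformat(),
        })
    return findings


# Constructed sample data: RFC 5737 documentation addresses and invented names.
T0 = datetime(2017, 4, 24, 12, 0, tzinfo=timezone.utc)
SAMPLE_INDICATORS = [
    Indicator("evil-irc.example", "IRCbot", "High", "IRC command-and-control domain"),
    Indicator("203.0.113.77", "IRCbot", "High", "known command-and-control address"),
]
SAMPLE_EVENTS = [
    LookupEvent(T0, "10.1.2.3", "C2.evil-irc.example.", ("203.0.113.77",)),
    LookupEvent(T0, "10.1.2.4", "www.contoso.example", ("198.51.100.10",)),
    LookupEvent(T0, "10.1.2.5", "cdn.other.example", ("203.0.113.77",)),
]

if __name__ == "__main__":
    for finding in detect_malicious_lookups(SAMPLE_EVENTS, ThreatFeed(SAMPLE_INDICATORS)):
        print(finding)
```

The third sample event shows why the answers are checked as well as the name: a client that resolves an unlisted name which nevertheless points at a listed address is still worth a finding, with the resolved address reported as the malicious IP.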
Identify frequently queried domain names and talkative DNS clients
The solution provides a view into the domain names that DNS clients in the enterprise environment frequently query. You can view the list of all the queried domain names and drill-down into the lookup request details of a domain name in Log Search.
The DNS client blade reports clients that breach the threshold for number of queries in the chosen period of time. You can view the list of all DNS clients and the details of the queries that they make in Log Search.
Track dynamic DNS registrations
The solution tracks the DNS update requests from the different clients and whether the requests were successful.
You can then use this information to find the root cause of the registration failure: find the zone that is authoritative for the name that the client is trying to update, and use the solution to check the inventory information of that zone. Verify whether the dynamic update for the zone is enabled and check whether the zone is configured for secure dynamic update.
Pin-point stale resource records
The solution provides a list of all the stale resource records for the chosen period of time in Log Search. This list contains the resource record name, resource record type, the associated DNS server, record generation time, and the zone name. Based on this information, the DNS administrator can remove the stale entries from the DNS servers.
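As an added example covering both the dynamic-registration root-cause steps above (find the authoritative zone, then check whether dynamic update is enabled and whether it is secure) and the stale-record list in this section, the following Python script runs those checks over a constructed zone and record inventory. It is not the solution's own code; the inventory layout is assumed, and the three dynamic-update values are modelled on the DNS Server cmdlets' DynamicUpdate setting ("None", "NonsecureAndSecure", "Secure"). Static records carry no aging timestamp and are therefore never reported as stale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Zone:
    """One zone from the DNS inventory (constructed layout)."""
    name: str
    server: str
    dynamic_update: str  # "None", "NonsecureAndSecure" or "Secure" (assumed value names)


@dataclass(frozen=True)
class ResourceRecord:
    """One resource record from the inventory (constructed layout)."""
    name: str
    record_type: str
    zone: str
    server: str
    generated: Optional[datetime]  # aging timestamp; None for a static record


def normalize_name(name: str) -> str:
    return name.rstrip(".").lower()


def find_authoritative_zone(fqdn: str, zones: Iterable[Zone]) -> Optional[Zone]:
    """Pick the zone whose name is the longest suffix of the FQDN
    (host.lab.corp.example belongs to lab.corp.example, not corp.example)."""
    target = normalize_name(fqdn)
    best: Optional[Zone] = None
    for zone in zones:
        zname = normalize_name(zone.name)
        if target == zname or target.endswith("." + zname):
            if best is None or len(zname) > len(normalize_name(best.name)):
                best = zone
    return best


def diagnose_registration_failure(fqdn: str, zones: Iterable[Zone]) -> dict:
    """Walk the root-cause checks for a failed dynamic update of `fqdn`."""
    zone = find_authoritative_zone(fqdn, zones)
    if zone is None:
        return {"zone": None, "verdict": "no authoritative zone for this name in the inventory"}
    enabled = zone.dynamic_update != "None"
    secure = zone.dynamic_update == "Secure"
    if not enabled:
        verdict = "dynamic update is disabled on the zone"
    elif secure:
        verdict = "secure dynamic update only: the client must authenticate (GSS-TSIG)"
    else:
        verdict = "nonsecure and secure updates are allowed; look at the client side"
    return {"zone": zone.name, "server": zone.server,
            "enabled": enabled, "secure": secure, "verdict": verdict}


def find_stale_records(records: Iterable[ResourceRecord],
                       older_than: timedelta, now: datetime) -> List[dict]:
    """Records whose aging timestamp is older than `older_than` at time `now`."""
    cutoff = now - older_than
    stale = []
    for rec in records:
        if rec.generated is None or rec.generated > cutoff:
            continue  # static, or refreshed recently enough
        stale.append({"name": rec.name, "type": rec.record_type, "server": rec.server,
                      "generated": rec.generated.isoformat(), "zone": rec.zone})
    return stale


# Constructed sample inventory.
NOW = datetime(2017, 4, 24, tzinfo=timezone.utc)
SAMPLE_ZONES = [
    Zone("corp.example", "dns1.corp.example", "Secure"),
    Zone("lab.corp.example", "dns1.corp.example", "None"),
    Zone("partner.example", "dns2.corp.example", "NonsecureAndSecure"),
]
SAMPLE_RECORDS = [
    ResourceRecord("pc01.corp.example", "A", "corp.example", "dns1.corp.example", NOW - timedelta(days=30)),
    ResourceRecord("pc02.corp.example", "A", "corp.example", "dns1.corp.example", NOW - timedelta(days=2)),
    ResourceRecord("www.corp.example", "A", "corp.example", "dns1.corp.example", None),
]

if __name__ == "__main__":
    print(diagnose_registration_failure("host.lab.corp.example", SAMPLE_ZONES))
    print(find_stale_records(SAMPLE_RECORDS, timedelta(days=7), NOW))
```

The longest-suffix rule matters when child zones are delegated: a registration for a host under lab.corp.example must be judged against that zone's settings, not those of its parent, and the sample shows exactly that case (parent secure, child with dynamic update disabled).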
An understanding of the load is essential for capacity planning and for the performance of the DNS infrastructure. You can see how the DNS load is distributed across your DNS servers and zones by observing the trends in DNS query rates for each server and zone.
View all the DNS events and inventory-related data of the DNS servers that the solution manages in Log Search.
The Type=DnsEvents query lists the log data for all events related to lookup queries, dynamic registrations, and configuration changes.
The Type=DnsInventory query lists the log data for DNS servers, DNS zones, and resource records. Use the Log Search facet controls to analyze the data, generate actionable insights, and construct meaningful reports.
How does the solution work?
The solution collects three types of data from the DNS servers on which the OMS agents are installed: DNS inventory, DNS events, and DNS performance counters. The inventory-related data (number of DNS servers, zones, resource records etc.) is collected by running the DNS PowerShell cmdlets. The event-related data (lookup queries, dynamic registrations, and configuration change) is collected from the Analytic and Audit logs provided by enhanced DNS logging and diagnostics available in Windows Server 2012 R2 and later.
This data is then uploaded to OMS, processed by the service, and presented to you on the solution dashboard.
From Abhave Sharma.