For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Benoit_C_'s avatar
Benoit_C_
Dec 05, 2018

DNS logging profile - response OK but query are empty

Hello,   as many other people, I need/want to keep track of DNS requests passing by our GTM/DNS (used for Wide IPs, but also for 'normal' DNS queries from servers).   I've been able to setup so...
application delivery
BIG-IP
BIG-IP DNS
security
Benoit_C_'s avatar
Benoit_C_
Dec 11, 2018

Hi Nathan,

 

thx for your answer. The setting was already enabled ../

 

2018-12-11 12:55:20 xxx qid 3880 to 10.61996: [NOERROR qr,rd,ra,do] response: insights.nutanix.com. 300 IN A 206.169.130.226; 2018-12-11 12:55:20 xxx qid 3880 from 10.061996: view none: query: null invalid invalid + (10.%0)

 

I can anyway 'correlate' query and response via the QID. But I'm still wondering if it will work in case of attempts of data exfiltration via DNS, when an answer is not needed (if you query thisisthedataiwanttoexfiltrate.mydomainonlyusedtologdnsquery.com for example).

 

I made an attempts to a non existing subdomain of an existing domain. The response with nxdomain is not logged :(

 

Br,

 

Ben