Configuring DNS servers in TrueSight

After you have installed the PATROL for Light Weight Protocols, you must configure a monitoring policy. You can use the information in this topic to configure a DNS monitoring policy with the TrueSight console.

Before you begin

You must download and install the PATROL for Light Weight Protocols.

To configure the monitor type

In the Add Monitoring Configuration panel, select the following parameters for the DNS monitor profile:

Parameter              Selection
Monitoring Solution    Light Weight Protocols
Monitor Profile        DNS
Monitor Type           DNS servers

To configure DNS

Click Add and enter the device details.

Field

Description

Device details

Device name/IP

Enter the alias name, hostname, or IP address of the network device that you want to monitor. If the alias name cannot be resolved to a valid IP address, also enter the Forced IP address.

Forced IP Address

Enter the IP address of the network device you want to monitor. You can leave this field blank if you have provided the actual hostname or IP address as the alias name.

Category

Enter the category name of the configured device.

Port

Enter the port number of the DNS listening port. The default port number is 53.

Connection protocol

Specify the connection protocol:

  • TCP - Connection oriented protocol
  • UDP - Connectionless protocol

Timeout (sec)

Specify how long, in seconds, to wait for the device name to be resolved to an IP address. The default value is 10 seconds.

Poll interval (sec)

Select how often, in seconds, the device is polled. The default value is 300 seconds; the minimum is 10 seconds and the maximum is 3600 seconds.

DNS Query

Click Add and enter the DNS query details.

DNS Query details

Name

Specify the display name for the query. It is recommended to use a name that identifies the DNS query.

Query

Enter the DNS query. It can be a hostname or an IP address.
DNS Query type

Select the query type:

  • A - Address Mapping record
  • AAAA - IPv6 Address Mapping record
  • NS - Name Server records
  • CNAME - Canonical Name record
  • SOA - Start of Authority
  • PTR - Reverse-lookup Pointer records
  • MX - Mail exchanger record
  • SRV - Service Location
  • TXT - Text record
  • CERT - Certificate record
  • ANY - All records
Timeout (sec)

Specify how long, in seconds, to wait for the DNS server to answer the query. The default value is 30 seconds.

Poll interval (sec)

Select how often, in seconds, the query is run against the device. The default value is 300 seconds.

String to scan for (REGEX)

Specify a string to search for, or a Java regular expression. Use a semicolon to separate multiple strings or expressions.
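As an added worked example (it is not the product's own code and was not part of the original page), the following Python script does by hand what the device settings and query settings above describe: it builds a DNS query for one of the listed record types, sends it over UDP or TCP to the configured port with the configured timeout, parses the answer section, and applies semicolon-separated patterns to the records the way the String to scan for (REGEX) field describes. The sample response bytes are constructed for this example, not captured from a real server, and the server name, function names and the `query`/`scan_records` helpers are this example's own. The scan uses Python's `re` module rather than the KM's Java regex engine; for the constructs shown here (`.`, `\.`, `^`, `$`) the two behave identically. The caveat it demonstrates: an unescaped `.` in a pattern such as `12.34.56.78` matches any character, so the pattern also matches `12a34b56c78`; escape the dots and anchor the expression to match only the exact address.

```python
import re
import socket
import struct

# Record type codes for the query types listed on this page (RFC 1035/3596 values).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28, "SRV": 33, "CERT": 37, "ANY": 255}


def build_query(name, qtype="A", txid=0x1234):
    """Wire-format DNS query: 12-byte header plus one question (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return (rcode, [(name, rtype, text)]) for the answer section.
    A and AAAA rdata are rendered as addresses; other types as hex."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        records.append((name, rtype, text))
    return flags & 0xF, records


def query(server, name, qtype="A", proto="UDP", port=53, timeout=10.0):
    """Send one query over UDP or TCP. TCP frames the message with a 2-byte
    length prefix (RFC 1035 4.2.2); UDP sends the bare message."""
    q = build_query(name, qtype)
    if proto == "TCP":
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            (n,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < n:
                data += s.recv(n - len(data))
            return data
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        return s.recv(4096)


def scan_records(records, patterns):
    """Emulate the 'String to scan for (REGEX)' field: split on ';', search each
    pattern against every record's text, return the patterns that matched."""
    hits = []
    for pat in (p.strip() for p in patterns.split(";") if p.strip()):
        if any(re.search(pat, text) for _, _, text in records):
            hits.append(pat)
    return hits


# Constructed sample response (not captured from a real server): the answer to
# "somehost.contoso.com A" discussed in the comments, pointing at 12.34.56.78.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x08somehost\x07contoso\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([12, 34, 56, 78])
)

if __name__ == "__main__":
    rcode, recs = parse_answers(SAMPLE_RESPONSE)
    print(rcode, recs)
    # The unescaped pattern also matches "12a34b56c78"; the escaped, anchored
    # form matches only the exact address.
    print(scan_records(recs, "12.34.56.78; ^12\\.34\\.56\\.78$"))
    print(scan_records([("x", 1, "12a34b56c78")], "12.34.56.78; ^12\\.34\\.56\\.78$"))
```

To run it against a real server, call `query("ns1.contoso.com", "somehost.contoso.com", "A", "TCP")` (a hypothetical server name) and pass the returned bytes to `parse_answers`; the `timeout` argument plays the role of the Timeout (sec) fields above, and `proto` selects between the TCP and UDP connection protocols.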

Configuring file-based monitoring

Field

Description

Import devices from file

Enable this option to configure devices and queries automatically from files. All the files must be located in the %PATROL_HOME%\KDN\Conf\ImportDevices directory. You can have multiple files for configuring devices, and should give each file a descriptive name; the devices are grouped under the file names. By default, this option is disabled. For more information, see Configuring DNS servers using file-based configuration.

If multiple PATROL Agents running on the same computer listen on different port numbers and each must load a different file, create a subdirectory named after each agent's port number under the file location.

Default Configuration Settings

Default device configuration

Field

Description

Port

Enter the port number of the DNS listening port. The default port number is 53.
Connection protocol

Specify the connection protocol:

  • TCP - Connection oriented protocol
  • UDP - Connectionless protocol

Timeout (sec)

Specify how long, in seconds, to wait for the device name to be resolved to an IP address. The default value is 10 seconds.

Poll interval (sec)

Select how often, in seconds, the device is polled. The default value is 300 seconds; the minimum is 10 seconds and the maximum is 3600 seconds.

Default DNS configuration
DNS Query type

Select the query type:

  • A - Address Mapping record
  • AAAA - IPv6 Address Mapping record
  • NS - Name Server records
  • CNAME - Canonical Name record
  • SOA - Start of Authority
  • PTR - Reverse-lookup Pointer records
  • MX - Mail exchanger record
  • SRV - Service Location
  • TXT - Text record
  • CERT - Certificate record
  • ANY - All records

Timeout (sec)

Specify how long, in seconds, to wait for the DNS server to answer the query. The default value is 10 seconds.

Poll interval (sec)

Select how often, in seconds, the query is run against the device. The default value is 300 seconds; the minimum is 10 seconds and the maximum is 3600 seconds.

Administration

Root display name

Enter the root application class display name.

Device Mapping

Select any of the following monitoring modes:

  • FQDN — Monitors are created within a device according to the discovered FQDN of the monitored system. If Device name/IP is set to an alias name and a Forced IP address is configured, the device is mapped in TrueSight by the Device name/IP rather than by the discovered FQDN, even though this option is selected.

  • User defined — Monitors are created within a monitored device using the name provided by the user (alias name).

  • Disable — Monitors are created within the device of the PATROL Agent(s).
Java path

Specify the path of the JRE directory ($JAVA_HOME environment variable) on the PATROL Agent host that the KM uses.

If the JAVA_HOME environment variable of the PATROL Agent is set, you can use the default value $JAVA_HOME as the Java path.

If the field is left blank, the KM uses the Java installed in the PATROL Agent home directory, at $PATROL_HOME/openjdk or $PATROL_HOME/jre64.

For example: Windows - C:\Program Files\Java\jdk-11.

Enable logging

Select this option to enable logging. The log files are created at %PATROL_HOME%\KDN\logs. By default, this option is disabled.

After entering all the required details, click OK, click Close, and save the policy.

Comments

  1. David Taggart

    Would it be possible to get an example of a legal and successful content match?

    EG: If I make an A record query to ns1.contoso.com for somehost.contoso.com using a command line tool, I expect to get a response of 12.34.56.78.

    If I put 12.34.56.78 into the content-match field, the match fails. If I put *12.34.56.78 into the content match field, the match succeeds. However if I modify the content to read *12.34.56.78.90ABCDEF, the content match STILL succeeds.

    Aug 13, 2019 03:49
  2. Yossi Zadok

    Hi,

    Once you set up a string to scan and the KM finds such occurrences in the DNS query response, the content match parameter reports the value 1 (Not KM) with the exact message on which of the configured strings to scan was found within the records.

    Based on your example, if the record contains the text "12.34.56.78" and you set up a string to scan as "12.34.56.78", then there is supposed to be a match, of course.

    If that is not the behavior, as you explained, then please consider opening a BMC ticket and we will investigate it further.

    Thanks,

    Yossi

    Aug 14, 2019 03:30