Bluecat Dns

LogZilla App Store application: Bluecat Dns

Overview

BlueCat DNS/DHCP Server (BDDS) is an enterprise DDI (DNS, DHCP, IPAM) appliance that provides authoritative and recursive DNS services. BDDS supports DNSTAP telemetry for real-time DNS transaction logging, delivering structured JSON records of all client queries, server responses, and recursive resolution activity.

App Function

  • Parse BlueCat DNSTAP telemetry events delivered as JSON via HTTP
  • Extract DNS query metadata: domain names, query types, response codes
  • Classify events by query type (standard network vs. security-relevant)
  • Apply MITRE ATT&CK mappings for DNS-based threats (tunneling, recon)
  • Provide dashboards for DNS traffic analysis and threat monitoring
  • Alert on zone transfer attempts, DNS tunneling indicators, and service failures

Vendor Documentation

Prerequisites

BlueCat BDDS must be configured to send DNSTAP telemetry to LogZilla via the HTTP receiver.

Device Configuration

  1. Log into the BlueCat Address Manager (BAM) web interface
  2. Navigate to the BDDS server configuration
  3. Enable DNSTAP data collection under DNS > DNS Data Collection
  4. Configure the DNSTAP output to send JSON events to the LogZilla HTTP receiver endpoint:
    • URL: http://<logzilla-server>/incoming/raw
    • Format: JSON
    • Authentication: LogZilla ingest token
  5. Save and deploy the configuration

Verification

After enabling DNSTAP, generate DNS queries against the BDDS server and verify events appear in LogZilla with Vendor: BlueCat and Product: DNS tags.

Incoming Log Format

BlueCat DNSTAP events are structured JSON objects:

{
  "messageType": "<ClientQuery|ClientResponse|ResolverQuery|ResolverResponse>",
  "payloadType": "dnstap",
  "serverId": "<bdds-hostname>",
  "socketProtocol": "<UDP|TCP>",
  "sourceAddress": "<client-ip>",
  "requestData|responseData": {
    "question": [{"domainName": "<fqdn>", "questionType": "<A|AAAA|...>"}],
    "rcodeName": "<NoError|NXDomain|ServFail|Refused>",
    "answers": [{"rData": "<resolved-value>", "recordType": "<A|AAAA|...>"}]
  },
  "timestamp": "<ISO-8601>"
}

  • messageType - Direction of DNS transaction
  • payloadType - Always "dnstap" for this format
  • serverId - BDDS appliance hostname
  • socketProtocol - Transport protocol (UDP or TCP)
  • sourceAddress - Client IP for client messages, 0.0.0.0 for resolver messages
  • requestData/responseData - DNS question, answers, and response code
  • timestamp - Event timestamp in ISO 8601 format

Parsed Metadata Fields

Tag Name | Example | Description
--- | --- | ---
Vendor | BlueCat | Vendor identifier
Product | DNS | Product identifier
Event Class | Network | Event classification
Event Type | Threat | Event type (security events only)
SrcIP | 10.60.2.92 | Client IP making the DNS query
Domain | google.com | Queried domain name
BC Message Type | ClientQuery | DNSTAP message type
BC Query Type | A | DNS record type being queried
BC Response Code | NoError | DNS response code
Protocol | UDP | Transport protocol
MitreId | T1071.004 | MITRE ATT&CK technique ID
MITRE Tactic | Command and Control | MITRE ATT&CK tactic

High-Cardinality (HC) Tags

  • SrcIP
  • Domain

Log Examples

Client Query (A Record)

ClientQuery UDP google.com A NoError from 10.60.2.92

Client Response (A Record)

ClientResponse UDP google.com A NoError from 10.60.2.92

Resolver Query (Upstream Lookup)

ResolverQuery UDP azure.example.com A NoError

NXDomain Response

ClientResponse UDP nonexistent.example.com A NXDomain from 10.60.2.39

TXT Query (Potential DNS Tunneling)

ClientQuery UDP c2beacon.malware.example.com TXT NoError from 10.60.2.200

Zone Transfer Attempt (AXFR)

ClientQuery TCP internal.corp.example.com AXFR NoError from 10.60.2.200

Dashboards

The BlueCat DNS Overview dashboard provides:

  • DNS event volume and rate monitoring
  • Top queried domains and client IPs
  • Query type and response code distribution
  • Security event tracking (TXT/AXFR queries)
  • NXDomain analysis for DGA detection
  • Live event stream

Triggers

Trigger | Description
--- | ---
BlueCat DNS: MITRE ATT&CK Threat Detected | Any event with a MITRE technique ID
BlueCat DNS: Potential DNS Tunneling | TXT or NULL query types
BlueCat DNS: Zone Transfer / Recon Query | AXFR, IXFR, or ANY query types
BlueCat DNS: DNS Service Failure | ServFail response codes
BlueCat DNS: Queries Refused | Refused response codes
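The following is an added illustration, not LogZilla's or BlueCat's own code, of how the Incoming Log Format above maps onto the Parsed Metadata Fields, the one-line Log Examples, and the trigger conditions in the Triggers table. It assumes the field names shown in the JSON template; the MITRE mapping is applied only to the tunneling query types, since the page gives no technique ID for recon queries, and the sample event is constructed rather than captured from a BDDS.

```python
import json
# Query types the page's triggers treat as security-relevant.
TUNNELING_QTYPES = {"TXT", "NULL"}
RECON_QTYPES = {"AXFR", "IXFR", "ANY"}
# (trigger name, condition on the parsed tags), one per row of the Triggers table.
TRIGGERS = (
    ("MITRE ATT&CK Threat Detected", lambda t: "MitreId" in t),
    ("Potential DNS Tunneling", lambda t: t["BC Query Type"] in TUNNELING_QTYPES),
    ("Zone Transfer / Recon Query", lambda t: t["BC Query Type"] in RECON_QTYPES),
    ("DNS Service Failure", lambda t: t["BC Response Code"] == "ServFail"),
    ("Queries Refused", lambda t: t["BC Response Code"] == "Refused"),
)

def parse_dnstap_event(raw):
    """Map one BlueCat DNSTAP event (JSON text or dict) onto the parsed metadata tags."""
    evt = json.loads(raw) if isinstance(raw, str) else raw
    data = evt.get("requestData") or evt.get("responseData") or {}  # *Query vs *Response
    question = (data.get("question") or [{}])[0]
    tags = {
        "Vendor": "BlueCat", "Product": "DNS", "Event Class": "Network",
        "SrcIP": evt.get("sourceAddress", "0.0.0.0"),
        "Domain": question.get("domainName", ""),
        "BC Message Type": evt.get("messageType", ""),
        "BC Query Type": question.get("questionType", ""),
        "BC Response Code": data.get("rcodeName", ""),
        "Protocol": evt.get("socketProtocol", ""),
    }
    if tags["BC Query Type"] in TUNNELING_QTYPES | RECON_QTYPES:
        tags["Event Type"] = "Threat"  # present on security events only
    if tags["BC Query Type"] in TUNNELING_QTYPES:
        # The page maps tunneling queries to T1071.004 / Command and Control; no ID is given for recon.
        tags["MitreId"], tags["MITRE Tactic"] = "T1071.004", "Command and Control"
    return tags

def matched_triggers(tags):
    """Names of the triggers that fire for these tags, in table order."""
    return [name for name, fires in TRIGGERS if fires(tags)]

def format_log_line(tags):
    """Render the one-line form under Log Examples; resolver messages omit the client."""
    line = " ".join(tags[k] for k in ("BC Message Type", "Protocol", "Domain", "BC Query Type", "BC Response Code"))
    if tags["BC Message Type"].startswith("Client"):
        line += f" from {tags['SrcIP']}"
    return line

SAMPLE_TXT_QUERY = json.dumps({  # constructed sample modelled on the TXT-query example above
    "messageType": "ClientQuery", "payloadType": "dnstap", "serverId": "bdds01",
    "socketProtocol": "UDP", "sourceAddress": "10.60.2.200", "timestamp": "2024-01-01T00:00:00Z",
    "requestData": {"question": [{"domainName": "c2beacon.malware.example.com",
                                  "questionType": "TXT"}], "rcodeName": "NoError"}})
```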