LogZilla

Overview

Infoblox NIOS (Network Identity Operating System) is a platform for automating DNS, DHCP, and IP Address Management (IPAM). The Infoblox app focuses specifically on processing DNS query and response logs to extract network traffic patterns and DNS resolution information.

App Function

Parse Infoblox DNS query and response logs
Extract client IP, query domain, record type, and response code
Set program to Infoblox for filtering
Provide dashboard for DNS traffic analysis
Alert on zone transfers, SERVFAIL, and suspicious query types

Vendor Documentation

Capturing DNS Queries and Responses

Device Configuration

Configure the Infoblox appliance to send DNS query logs to LogZilla:

Log in to the Infoblox Grid Manager
Navigate to Data Management > DNS > Members
Select the DNS member and click Edit
Under Logging, enable DNS query logging
Configure syslog destination with the LogZilla server IP
Click Save to apply the configuration

Verification

Generate a DNS query, then verify events appear in LogZilla with the Vendor tag set to Infoblox.

Incoming Log Format

Infoblox DNS logs use space-separated fields in the following structure:

text
[timestamp] client [source_ip]#[port] [protocol]: query: [domain] IN [record_type] response: [response_code] [flags] [response_data]

The log format includes DNS query details, client information, and response data for DNS traffic analysis.

Parsed Metadata Fields

Tag Name	Example	Description
`Vendor`	`Infoblox`	Vendor name
`Product`	`NIOS`	Product name
`Event Class`	`network`, `security`	Cross-vendor classification
`MitreId`	`T1071.004`	MITRE ATT&CK technique ID
`MITRE Tactic`	`Command and Control`	MITRE ATT&CK tactic
`SrcIP`	`11.22.33.44`	Source IP address of DNS client (HC)
`Query`	`23-courier.push.apple.com`	DNS query domain name (HC)
`Query Type`	`A`	DNS record type (A, AAAA, CNAME, TXT, etc.)
`Response`	`NOERROR`	DNS response code

Log Examples

A Record Query

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;

AAAA Record Query

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a4.foo.com IN AAAA response: NOERROR +AED a4.foo.com. 28800 IN AAAA ab::a;

IPv6 Client Query

text
07-Apr-2013 20:16:49.083 client 2001::2#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;

TCP Query

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 TCP: query: a2.foo.com IN A response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;

ANY Record Query

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a2.foo.com IN ANY response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;

Multiple Address Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com. 28800 IN A 1.1.1.1; a1.foo.com. 28800 IN A 11.1.1.1;

CNAME Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: c2.foo.com IN A response: NOERROR +ED c2.foo.com. 28800 IN CNAME a2.foo.com.; a2.foo.com. 28800 IN A 1.1.1.2;

NXDOMAIN Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED

NOERROR/No Data Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.foo.com IN SRV response: NOERROR +ED

REFUSED Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: refused.com IN A response: REFUSED +ED

SERVFAIL Response

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#12345 UDP: query: servfail.com IN A response: SERVFAIL +E

DNSSEC Signed Zone

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.signed.com IN A response: NOERROR +ED a1.signed.com. 28800 IN A 1.1.1.1;

DNSSEC RRSIG Query

text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.signed.com IN RRSIG response: NOERROR +ED a1.signed.com. 28800 IN RRSIG A 5 3 28800 20130616004903 20130611234903 4521 signed.com. [signature_data]

MITRE ATT&CK Mapping

Security-relevant DNS query types are mapped to MITRE ATT&CK techniques:

Query Type	MITRE ID	Tactic	Description
TXT	T1071.004	Command and Control	DNS tunneling / data exfiltration
NULL	T1071.004	Command and Control	DNS tunneling via NULL records
AXFR	T1595	Reconnaissance	Zone transfer enumeration
IXFR	T1595	Reconnaissance	Incremental zone transfer
ANY	T1595	Reconnaissance	Zone enumeration / amplification

Dashboards

The app includes one dashboard:

Infoblox: DNS Overview - Query counts, NXDOMAIN tracking, security events, MITRE tactics, top clients, response code trends

Triggers

Trigger	Description
`Infoblox: MITRE ATT&CK Threat Detected`	Catch-all for DNS-based threats
`Infoblox: Zone Transfer`	AXFR/IXFR queries (zone enumeration risk)
`Infoblox: DNS SERVFAIL`	DNS resolution failures
`Infoblox: DNS NXDOMAIN`	Non-existent domain responses
`Infoblox: DNS TXT Query`	TXT queries (potential DNS tunneling)
`Infoblox: DNS ANY Query`	ANY queries (reconnaissance/amplification)
`Infoblox: DNS REFUSED`	Access control or policy issues