
DNS DGA and Tunneling Detection Details

To access this page, click Monitor > DNS.

You can view details about DNS DGA and tunnel detections.

DGA

You can perform the following actions in the DGA tab:

  • View details about the DGA-based detections. See Table 1.

  • View the threat sources when there is a C&C hit for a domain. Click a domain name with the DGA verdict to view its threat sources.

  • Report false positives. Choose this option to send a report to Juniper Networks stating that the detection is a false positive. Juniper investigates the report, but reporting does not change the verdict shown on this page.

  • Export DGA detections as a CSV file so that you can view and analyze them outside the UI. You can export all detections at once or only those in a specific time span.

  • Select the time span to view the DGA detections for a specific period.

Table 1: Fields on the DGA Tab

Field

Description

Domain

Displays the domain name on which the DGA hit occurred.

DNS Record Type

Displays the DNS record type of the query, for example A (host address), CNAME (canonical name for an alias), or SRV (service location).

  • A: points a domain or subdomain to an IP address.
  • CNAME: points a domain or subdomain to another hostname.
  • SRV: points a domain or subdomain to a service location.

Last Hit Session ID

Displays the session ID of the most recent hit on the domain.

Last Hit Source IP

Displays the source IP address of the most recent domain hit.

Last Hit Destination IP

Displays the destination IP address of the most recent domain hit.

Total Hits

Displays the total number of hits on the domain.

Verdict

Displays the confirmed DGA verdict provided by ATP Cloud.

  • Clean
  • DGA

Last Hit Time

Displays the date and time of the most recent domain hit.

Tunnel

Use the Tunnel tab to monitor the DNS tunneling metadata reported by SRX Series devices.

You can perform the following actions in the Tunnel tab:

  • View details about the DNS tunneling metadata reported by SRX Series devices. See Table 2.

  • Export DNS tunnel detections as a CSV file so that you can view and analyze them outside the UI. You can export all detections at once or only those in a specific time span.

  • Select the time span to view the DNS tunneling detections for a specific period.

  • View detailed information about a DNS tunnel. Click a domain name. See Table 3.

  • Download a PCAP from the DNS Tunnel page. Select a client and click Download PCAP to download the packet capture and inspect the tunnel traffic itself.
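Both the DGA tab and the Tunnel tab let you export detections as CSV; the script below is an added example of triaging such an export offline and is not Juniper code. It assumes the CSV headers match the field names in Tables 1 and 2 and that timestamps are ISO 8601 in UTC; both are assumptions about the real export format, and the sample rows are constructed. It ranks hosts by how many distinct flagged domains they touched, which is a stronger infection signal than many hits on a single domain, and reproduces the UI's time-span filter so you can re-cut an "all detections" export.

```python
"""Triage the DGA and Tunnel CSV exports from the Monitor > DNS page.

Added example, not Juniper code. Column headers mirror the field names in
Tables 1 and 2; the exact header strings and timestamp format of the real
export are assumptions and may need adjusting.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows in the shape of the DGA export (Table 1 fields).
DGA_EXPORT = """\
Domain,DNS Record Type,Last Hit Session ID,Last Hit Source IP,Last Hit Destination IP,Total Hits,Verdict,Last Hit Time
xk3jd9q2la.com,A,10001,10.1.1.25,8.8.8.8,12,DGA,2024-05-01T10:15:00Z
pqz7ty1mmw.net,A,10002,10.1.1.25,8.8.8.8,7,DGA,2024-05-01T10:16:00Z
cdn.example.com,CNAME,10003,10.1.1.25,8.8.8.8,40,Clean,2024-05-01T10:17:00Z
v9q0alkdx.org,A,10004,10.1.1.77,8.8.4.4,3,DGA,2024-05-01T09:58:00Z
"""

# Constructed sample rows in the shape of the Tunnel export (Table 2 fields).
TUNNEL_EXPORT = """\
Domain,DNS Record Type,Last Hit Session ID,Tunnel Data,Last Hit Source IP,Last Hit Destination IP,Total Hits,Last Hit Time
t.exfil-example.net,A,20001,opaque,10.1.1.25,8.8.8.8,250,2024-05-01T10:20:00Z
t.exfil-example.net,A,20002,opaque,10.1.1.90,8.8.8.8,4,2024-05-01T08:00:00Z
"""


def parse_export(text):
    """Parse an export into dicts; Total Hits -> int, Last Hit Time -> aware UTC datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Total Hits"] = int(row["Total Hits"])
        row["Last Hit Time"] = datetime.strptime(
            row["Last Hit Time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def in_timespan(rows, start, end):
    """Keep rows whose Last Hit Time falls in [start, end]; the UI time-span filter, offline."""
    return [r for r in rows if start <= r["Last Hit Time"] <= end]


def hosts_by_distinct_domains(rows, keep=lambda r: True):
    """Rank Last Hit Source IPs by distinct flagged domains, then by total hits.

    Returns a list of (source_ip, distinct_domains, total_hits) sorted so the
    host that touched the most distinct domains comes first.
    """
    domains = defaultdict(set)
    hits = defaultdict(int)
    for r in rows:
        if not keep(r):
            continue
        ip = r["Last Hit Source IP"]
        domains[ip].add(r["Domain"])
        hits[ip] += r["Total Hits"]
    ranked = [(ip, len(domains[ip]), hits[ip]) for ip in domains]
    ranked.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return ranked


def dga_hosts(text):
    """Hosts ranked by distinct domains that carry a DGA verdict; Clean rows are ignored."""
    return hosts_by_distinct_domains(parse_export(text), keep=lambda r: r["Verdict"] == "DGA")


def tunnel_hosts(text):
    """Hosts ranked by distinct tunnel domains; every row in the Tunnel export is a detection."""
    return hosts_by_distinct_domains(parse_export(text))


if __name__ == "__main__":
    for ip, n, h in dga_hosts(DGA_EXPORT):
        print(f"DGA    {ip:<14} distinct_domains={n} total_hits={h}")
    for ip, n, h in tunnel_hosts(TUNNEL_EXPORT):
        print(f"TUNNEL {ip:<14} distinct_domains={n} total_hits={h}")
```

One caveat when reading the ranking: the export records only the source of the most recent hit per domain, so a host's distinct-domain count is a lower bound, and a domain hit by several clients is attributed to just one of them. For per-client attribution on a tunnel, use the DNS Tunnel page (Table 3) or the PCAP rather than the export.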

Table 2: Fields on the Tunnel Tab

Field

Description

Domain

Displays the domain name.

DNS Record Type

Displays the DNS record type of the query, for example A (host address), CNAME (canonical name for an alias), or SRV (service location).

  • A: points a domain or subdomain to an IP address.
  • CNAME: points a domain or subdomain to another hostname.
  • SRV: points a domain or subdomain to a service location.

Last Hit Session ID

Displays the session ID of the most recent hit on the domain.

Tunnel Data

Displays the tunnel information reported by the SRX Series device.

Last Hit Source IP

Displays the source IP address of the most recent domain hit.

Last Hit Destination IP

Displays the destination IP address of the most recent domain hit.

Total Hits

Displays the total number of sessions in which the domain was hit.

Last Hit Time

Displays the date and time of the most recent domain hit.

Table 3: Fields on the DNS Tunnel page

Field

Description

Client IP Address

Displays the IP address of the host that contacted the DNS domain.

Device Name

Displays the name of the SRX Series device that reported the contact with the DNS domain.

Incoming Bytes

Displays the number of incoming bytes to the DNS tunnel.

Outgoing Bytes

Displays the number of outgoing bytes from the DNS tunnel.

Last Seen

Displays the date and time of the most recent DNS tunnel hit.