Infoblox
LogZilla App Store application: Infoblox
Overview
Infoblox NIOS (Network Identity Operating System) is a platform for automating DNS, DHCP, and IP Address Management (IPAM). The Infoblox app focuses specifically on processing DNS query and response logs to extract network traffic patterns and DNS resolution information.
App Function
The Infoblox app performs the following functions:
- Message Recognition: Identifies Infoblox DNS log messages and sets the LogZilla event program to Infoblox
- Data Extraction: Parses DNS query information and creates user tags for analysis and filtering
Vendor Documentation
Incoming Log Format
Infoblox DNS logs use space-separated fields in the following structure:
```text
[timestamp] client [source_ip]#[port] [protocol]: query: [domain] IN [record_type] response: [response_code] [flags] [response_data]
```
Each line carries the query details (domain and record type), the client information (source IP, which may be IPv4 or IPv6, the source port, and UDP or TCP), and the response. `[response_data]` is one or more resource records, each terminated by `;`, and is absent when the response carries no records (NXDOMAIN, REFUSED, SERVFAIL, or NOERROR with no data), so a parser must treat it as optional.
Parsed Metadata Fields
| Tagged | Tag Name | Example | Description |
|---|---|---|---|
| ☑ | SrcIP | 11.22.33.44 | Source IP address of DNS client |
| ☑ | Query | 23-courier.push.apple.com | DNS query domain name |
| ☑ | Query Type | A | DNS record type (A, AAAA, CNAME, etc.) |
| ☑ | Response | NOERROR | DNS response code |
Log Examples
A Record Query
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;
```
AAAA Record Query
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a4.foo.com IN AAAA response: NOERROR +AED a4.foo.com. 28800 IN AAAA ab::a;
```
IPv6 Client Query
```text
07-Apr-2013 20:16:49.083 client 2001::2#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;
```
TCP Query
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 TCP: query: a2.foo.com IN A response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;
```
ANY Record Query
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a2.foo.com IN ANY response: NOERROR +ED a2.foo.com. 28800 IN A 1.1.1.2;
```
Multiple Address Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.foo.com IN A response: NOERROR +ED a1.foo.com. 28800 IN A 1.1.1.1; a1.foo.com. 28800 IN A 11.1.1.1;
```
CNAME Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: c2.foo.com IN A response: NOERROR +ED c2.foo.com. 28800 IN CNAME a2.foo.com.; a2.foo.com. 28800 IN A 1.1.1.2;
```
NXDOMAIN Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: non-exist.foo.com IN A response: NXDOMAIN +ED
```
NOERROR/No Data Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.foo.com IN SRV response: NOERROR +ED
```
REFUSED Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: refused.com IN A response: REFUSED +ED
```
SERVFAIL Response
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#12345 UDP: query: servfail.com IN A response: SERVFAIL +E
```
DNSSEC Signed Zone
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.signed.com IN A response: NOERROR +ED a1.signed.com. 28800 IN A 1.1.1.1;
```
DNSSEC RRSIG Query
```text
07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.signed.com IN RRSIG response: NOERROR +ED a1.signed.com. 28800 IN RRSIG A 5 3 28800 20130616004903 20130611234903 4521 signed.com. [signature_data]
```
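The following parser is an added worked example for the Incoming Log Format section and the log examples above; it is not the Infoblox app's own code nor anything shipped by LogZilla. It extracts the four documented tags (SrcIP, Query, Query Type, Response) plus the protocol, flags and answer records, treats the answer section as optional so that NXDOMAIN, REFUSED and SERVFAIL lines parse cleanly, and rejects lines that are not Infoblox DNS log lines rather than mis-tagging them. The names `parse_line`, `DnsEvent`, `parse_answers` and `rcode_counts_by_client` are this example's own; the sample lines are copied from the examples above except for the last one, a constructed non-Infoblox syslog line.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# One Infoblox NIOS DNS query/response line. The flags token and the answer
# section are optional: NXDOMAIN, REFUSED and SERVFAIL responses carry no
# resource records. Group names (src_ip, qname, ...) are this example's own.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src_ip>[0-9A-Fa-f.:]+)#(?P<port>\d+) (?P<proto>UDP|TCP): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) "
    r"response: (?P<rcode>[A-Z]+)"
    r"(?: (?P<flags>[+-][A-Z]*))?"
    r"(?: (?P<answers>.+))?$"
)


@dataclass
class Answer:
    name: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class DnsEvent:
    timestamp: datetime
    src_ip: str
    src_port: int
    protocol: str
    qname: str
    qtype: str
    rcode: str
    flags: str
    answers: List[Answer] = field(default_factory=list)

    def tags(self) -> Dict[str, str]:
        """The four user tags documented above, keyed exactly as in the table."""
        return {"SrcIP": self.src_ip, "Query": self.qname,
                "Query Type": self.qtype, "Response": self.rcode}


def parse_answers(section: str) -> List[Answer]:
    """Split the ';'-terminated answer section into resource records."""
    records = []
    for chunk in section.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        parts = chunk.split(None, 4)  # owner ttl IN type rdata (rdata may contain spaces)
        if len(parts) < 5 or parts[2] != "IN":
            raise ValueError(f"malformed resource record: {chunk!r}")
        records.append(Answer(parts[0], int(parts[1]), parts[3], parts[4]))
    return records


def parse_line(line: str) -> Optional[DnsEvent]:
    """Return a DnsEvent, or None when the line is not an Infoblox DNS log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return DnsEvent(
        timestamp=datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        src_ip=m["src_ip"], src_port=int(m["port"]), protocol=m["proto"],
        qname=m["qname"], qtype=m["qtype"], rcode=m["rcode"],
        flags=m["flags"] or "",
        answers=parse_answers(m["answers"]) if m["answers"] else [],
    )


def rcode_counts_by_client(lines: List[str]) -> Dict[str, Counter]:
    """Per-client response-code histogram; lines that fail to parse are skipped."""
    out: Dict[str, Counter] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out.setdefault(ev.src_ip, Counter())[ev.rcode] += 1
    return out


# Sample lines copied from the log examples above, plus one constructed
# non-Infoblox syslog line to show that unrelated input is rejected, not mis-tagged.
SAMPLE_LINES = [
    "07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a2.foo.com IN A "
    "response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:16:49.083 client 2001::2#57398 UDP: query: a2.foo.com IN A "
    "response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: c2.foo.com IN A "
    "response: NOERROR +ED c2.foo.com. 28800 IN CNAME a2.foo.com.; a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: non-exist.foo.com IN A "
    "response: NXDOMAIN +ED",
    "07-Apr-2013 20:16:49.083 client 11.22.33.44#12345 UDP: query: servfail.com IN A "
    "response: SERVFAIL +E",
    "07-Apr-2013 20:16:49.083 client 11.22.33.44#57398 UDP: query: a1.signed.com IN RRSIG "
    "response: NOERROR +ED a1.signed.com. 28800 IN RRSIG A 5 3 28800 20130616004903 "
    "20130611234903 4521 signed.com. [signature_data]",
    "Apr  7 20:16:49 host sshd[123]: Accepted publickey for alice from 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_line(line)
        print(ev.tags() if ev else "not an Infoblox DNS line",
              "answers:", len(ev.answers) if ev else 0)
    print(rcode_counts_by_client(SAMPLE_LINES))
```

The per-client response-code histogram is where the Response tag pays off in practice: a client whose NXDOMAIN count dwarfs its NOERROR count is the usual first signal for DGA or tunnelling activity, and the parser makes that a one-line aggregation over the tagged events.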