DNS in Fusion

Recursive DNS request and response logs are a valuable data source for network forensics.

Fusion supports DNS log ingestion from Amazon Web Services (AWS) Route 53 and Google Cloud Platform (GCP). Support for Infoblox NIOS, Cisco Umbrella, and Azure Firewall DNS Proxy is on the product roadmap; if you use one of these and would like to ingest its logs, contact Support for Early Access to these sources.

Combined with network flow metadata, Fusion becomes an even more robust system for network forensics, compromise detection, and network visibility.

By analyzing the DNS requests made in your network, you can use Fusion to:

  • Reconstruct event timelines post-incident.
  • Improve mean time to resolve events through enhanced DNS and Flow data visualization.
  • Highlight patterns of communications with suspicious or malicious domains.
  • Identify DNS patterns indicative of malware or command and control servers.
  • Add DNS-specific fields in NQL for traffic forensic analysis.
  • Use detection models based on DNS traffic.
  • See dashboard visualizations and metrics for DNS activity in the network.

Set up DNS Log Ingestion from a Supported DNS Traffic Source

GCP Cloud DNS

GCP Cloud DNS Logs via Pub/Sub Setup

AWS Route 53

AWS Route 53 DNS Logs via S3 Setup (Console)

Configure internal domains in Traffic Classification

Fusion has a new DNS tab in the Settings > Traffic Classification page.

In the Internal Domains section of this page, you can maintain a list of internal domains.

A DNS query whose name matches one of these domains is flagged as internal; all other queries are treated as external.
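As an added illustration of the internal/external split described above (example code written for this page, not Fusion's own classifier), the script below tags a handful of constructed DNS query log lines as internal or external using a configured domain list. The log lines are constructed and only loosely modeled on the JSON shape of Route 53 Resolver query logs; the field names, the list `INTERNAL_DOMAINS`, and the suffix-on-label-boundary matching rule are assumptions, since the page does not state how Fusion matches names.

```python
import json
from collections import Counter

# Constructed sample lines (assumption: field names roughly follow Route 53
# Resolver query logs; a real export may differ). Note the trailing dots and
# mixed case, which a naive string compare would mishandle.
SAMPLE_DNS_LOG = """
{"query_timestamp":"2024-01-01T10:00:00Z","srcaddr":"10.0.1.5","query_name":"intranet.corp.example.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:01Z","srcaddr":"10.0.1.5","query_name":"CORP.EXAMPLE.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:02Z","srcaddr":"10.0.1.7","query_name":"notcorp.example.","query_type":"A","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:03Z","srcaddr":"10.0.1.7","query_name":"updates.vendor.test.","query_type":"AAAA","rcode":"NOERROR"}
{"query_timestamp":"2024-01-01T10:00:04Z","srcaddr":"10.0.1.9","query_name":"mail.corp.example.","query_type":"MX","rcode":"NXDOMAIN"}
"""

# Hypothetical internal-domain list, as an operator might enter it in the
# Traffic Classification page (deliberately inconsistent in case and dots).
INTERNAL_DOMAINS = ["corp.example", "Internal.Example."]


def normalize(name):
    """Lower-case and strip the trailing root dot so 'CORP.EXAMPLE.' == 'corp.example'."""
    return name.strip().lower().rstrip(".")


def is_internal(query_name, internal_domains):
    """True when the query name equals an internal domain or is a subdomain of it.

    The match is anchored on a label boundary ('.' + domain), so
    'notcorp.example' is NOT treated as part of 'corp.example'.
    """
    q = normalize(query_name)
    for domain in internal_domains:
        d = normalize(domain)
        if q == d or q.endswith("." + d):
            return True
    return False


def classify_log(text, internal_domains):
    """Parse JSON-lines DNS logs and tag each record with scope=internal|external.

    Returns (records, counts) so callers can both inspect rows and summarize.
    """
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        scope = "internal" if is_internal(rec["query_name"], internal_domains) else "external"
        rec["scope"] = scope
        records.append(rec)
    counts = Counter(r["scope"] for r in records)
    return records, counts


if __name__ == "__main__":
    rows, summary = classify_log(SAMPLE_DNS_LOG, INTERNAL_DOMAINS)
    for r in rows:
        print(f'{r["query_timestamp"]} {r["srcaddr"]:<10} {r["scope"]:<8} {r["query_name"]}')
    print(dict(summary))
```

The two checks worth keeping in mind when you populate the Internal Domains list are the ones the sample exercises: query names in resolver logs usually carry a trailing root dot and arbitrary case, and a plain suffix match without the label-boundary anchor would silently classify `notcorp.example` as internal.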

Using DNS in the Fusion Portal

Terminology: Flow, DNS, and Traffic

Throughout the Portal, fields that previously offered only the value Flow now offer two additional values: DNS, which refers to DNS records only, and Traffic, which refers to the combination of Flow and DNS records.


Using DNS in the Global filter

Click the filter button to change the filter to DNS or Traffic.

Setting the filter to DNS scopes Fusion's operations to DNS records only.

Setting the filter to Traffic scopes Fusion's operations to both DNS and Flow records.


Using DNS in Detection Models

When you create or edit a detection model, a new Traffic Type field is present. Selecting DNS lets you build DNS-based detections.

Using DNS in Events

When a Detection Model with Traffic Type DNS generates an event, the traffic column displays DNS.


Using DNS in Dashboards

A new system dashboard named DNS Overview is now available.

DNS can be used in Dashboard Widgets by selecting the category DNS or Traffic.