DNS & DHCP Activity Monitor (DDAM)
The Accumuli Security DNS and DHCP Activity Monitor enables network administrators to gain visibility of core DDI services by efficiently collecting DNS and DHCP activity and presenting the information within an intuitive web-based user interface.
A number of built-in reports provide details such as the busiest DNS or DHCP clients, the most common DNS lookups, and DNS or DHCP server throughput. Especially useful are the garbage collection reports; a series of reports that identify which DNS resource records within a zone file are NOT being queried, or which DHCP scopes within a DHCP configuration are not being used. These will help administrators identify junk that can be removed from the DNS/DHCP configurations, thus improving efficiency.
Reports can be run on-demand or scheduled to run at regular intervals (e.g. produce a report at 8am every Monday morning listing the most common DNS lookups of the previous week).
Example DDAM Report
Recent DNS and DHCP activity can be searched within the GUI to help troubleshoot specific issues, and alerts can be configured that are triggered whenever a certain condition is met, e.g. a specific DNS query is seen (such as version.bind), or the DNS/DHCP packet rate increases by an abnormal amount (e.g. a DDoS attack).
DNS and DHCP activity can be archived for long periods by regularly uploading the collected data to an FTP/SFTP server. Additionally, the data can be formatted so that it can be uploaded into a third-party solution, such as a SIEM (Security Information and Event Management) product, in order to complement other network-related information.
DDAM Architectural Overview
By utilising a mixture of agent-based and agent-less technologies, DDAM is compatible with all major DDI platforms. For example, server-based DDI solutions running Unix/Linux/Windows and n3k runIP appliances benefit from the ability to support an agent that performs protocol capture, thus requiring no further configuration of the DDI services.
Appliance-based platforms, such as Infoblox and Alcatel-Lucent AMM, can be supported by configuring syslog to redirect messages to a DDAM collector. BIND DNS servers can then be configured to send query logs via syslog, and ISC DHCP servers send their output to syslog by default. DDAM supports syslog collection over both UDP and TCP to support the highest throughput available with no dropped packets.
Agent-based DNS/DHCP Activity Collection
Agentless DNS/DHCP Activity Collection
DDAM also supports integration with network inventory products such as Porttracker and PortIQ to enable a DNS/DHCP client to be physically located on the network. A simple right-click in the DDAM user interface will reveal the switch, switch port and VLAN that a particular client is located on. If a client needs to be urgently quarantined from the network, this information is invaluable to a network administrator who needs to know quickly which switch to connect to and which port to shut down.
NEW IN DDAM V2.2
DDAM v2.2 now supports the use of domain watch lists to help organisations combat the rising threat of malware, spyware, botnets, viruses etc. that attempt to communicate with "command and control" servers located on the Internet. By configuring your own domain watch lists or using lists available from sites such as malwaredomainlist.com you can now configure DDAM to alert you if any queries are seen for hosts or domains listed in the watch list. DDAM can then be used to locate the infected client so that it may be quarantined or cleansed.
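The reports and alerts described above (busiest clients, most common lookups, garbage collection of unqueried records, alerting on a specific query such as version.bind, and domain watch lists) all reduce to the same underlying operation: parsing the query log that BIND emits via syslog and aggregating or matching on the client address and queried name. The following is an added example of that processing written for this page; it is not DDAM's code and not part of the product. It assumes the standard BIND `query:` log line layout, and the sample log lines, the watch list entry and the zone record names are all constructed for the example.

```python
"""Added example: summarise BIND query-log activity and flag watch-listed
domains. Constructed sample data; not DDAM's own code."""
import re
from collections import Counter

# BIND 9 query-log line as forwarded by syslog (syslog prefix already stripped).
# Older versions: "client 192.0.2.10#5353: query: name IN A + (server-ip)"
# Newer versions add "@0x..." and "(name)" after the client address; both are optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)"
)

# Constructed sample log (RFC 5737 documentation addresses, invented names).
SAMPLE_LOG = """\
client 192.0.2.10#5353: query: www.example.com IN A + (198.51.100.1)
client 192.0.2.10#5354: query: www.example.com IN AAAA + (198.51.100.1)
client 192.0.2.11#40001: query: mail.example.com IN MX + (198.51.100.1)
client 192.0.2.10#5355: query: version.bind CH TXT + (198.51.100.1)
client 192.0.2.12#4444: query: cnc.bad-example.net IN A + (198.51.100.1)
client 192.0.2.12#4445: query: update.sub.bad-example.net IN A + (198.51.100.1)
client 192.0.2.11#40002: query: www.example.com IN A + (198.51.100.1)
"""

WATCH_LIST = {"bad-example.net"}  # constructed watch-list entry (a domain, so subdomains match too)
ZONE_RECORDS = {"www.example.com", "mail.example.com",
                "ftp.example.com", "old.example.com"}  # constructed owner names from a zone file


def normalise(name):
    """Lower-case and strip the trailing dot so log names and zone names compare equal."""
    return name.lower().rstrip(".")


def parse_queries(log_text):
    """Return one dict per parsable query line; unparsable lines are skipped."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.append({"ip": m["ip"], "name": normalise(m["name"]),
                            "cls": m["cls"], "type": m["type"]})
    return queries


def busiest_clients(queries, n=5):
    """Top-N client addresses by number of queries, as (ip, count) tuples."""
    return Counter(q["ip"] for q in queries).most_common(n)


def most_common_lookups(queries, n=5):
    """Top-N queried names, as (name, count) tuples."""
    return Counter(q["name"] for q in queries).most_common(n)


def queries_for_name(queries, name):
    """Alert condition 'a specific query is seen': (ip, name) for every match."""
    wanted = normalise(name)
    return [(q["ip"], q["name"]) for q in queries if q["name"] == wanted]


def watch_list_hits(queries, watch_list):
    """(ip, name) for every query whose name is a watch-listed domain or a subdomain of one.
    Matching is on label boundaries, so 'notbad-example.net' does not match 'bad-example.net'."""
    entries = {normalise(e) for e in watch_list}
    hits = []
    for q in queries:
        if any(q["name"] == e or q["name"].endswith("." + e) for e in entries):
            hits.append((q["ip"], q["name"]))
    return hits


def unqueried_records(zone_records, queries):
    """Garbage-collection report: zone owner names never seen in the query log."""
    seen = {q["name"] for q in queries}
    return {normalise(r) for r in zone_records} - seen


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_LOG)
    print("busiest clients:", busiest_clients(qs, 3))
    print("most common lookups:", most_common_lookups(qs, 3))
    print("version.bind seen from:", queries_for_name(qs, "version.bind"))
    print("watch-list hits:", watch_list_hits(qs, WATCH_LIST))
    print("unqueried zone records:", sorted(unqueried_records(ZONE_RECORDS, qs)))
```

The watch-list check deliberately matches on label boundaries rather than plain substring, which is the behaviour you want from a domain list: a listed domain should catch every host beneath it without producing false alerts for unrelated names that merely contain the same text. The garbage-collection check is only meaningful over a collection window long enough to cover infrequently used records; the same aggregation over a week of archived logs is what the scheduled reports described above provide.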