DNS & DHCP Activity Monitor (DDAM)
With the Accumuli Security DNS & DHCP Activity Monitor (DDAM), managing and reporting on DNS and DHCP logging and audit data is easy.
The Accumuli Security DNS & DHCP Activity Monitor (DDAM) enables network administrators to gain visibility of core DDI services by efficiently collecting DNS and DHCP activity and presenting the information within an intuitive web-based user interface.
A number of built-in reports provide details such as the busiest DNS or DHCP clients, the most common DNS lookups, and DNS or DHCP server throughput. Especially useful are the garbage collection reports: a series of reports that identify which DNS resource records within a zone file are NOT being queried, or which DHCP scopes within a DHCP configuration are not being used. These help administrators identify stale records and unused scopes that can be removed from the DNS and DHCP configurations, reducing configuration size and the attack surface of forgotten entries.
DDAM also supports domain watch lists to help organisations combat the rising threat of APTs, malware, spyware, botnets, viruses and similar code that attempts to communicate with "command and control" servers located on the Internet. By configuring your own domain watch lists, or using lists available from sites such as malwaredomainlist.com, you can have DDAM alert you whenever a query is seen for a host or domain on the watch list. Because each logged query carries the source address, DDAM can then be used to locate the infected client so that it may be quarantined or cleaned.
Reports can be run on-demand or scheduled to run at regular intervals (e.g. produce a report at 8am every Monday morning listing the most common DNS lookup the previous week).
Example DDAM Report
Recent DNS and DHCP activity can be searched within the GUI to help troubleshoot specific issues, and alerts can be configured that are triggered whenever a certain condition is met, e.g. a specific DNS query is seen (such as a version.bind query, which is commonly used to fingerprint a BIND server before an attack), or the DNS/DHCP packet rate increases by an abnormal amount (e.g. a DDoS attack).
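The watch-list matching and the two alert conditions described above (a watch-listed domain, a version.bind probe, an abnormal query rate) are straightforward to reproduce over raw BIND query-log lines. The following is an added example written for this page, not DDAM's own code; it assumes the BIND 9 querylog line format as it appears after syslog prefixing (with or without the "@0x..." client pointer newer versions print), constructed sample log lines, and a constructed watch list where a listed domain also covers all of its subdomains.

```python
"""Watch-list hits, version.bind probes and rate spikes over BIND query-log lines.

Added example, not DDAM's code. Assumes BIND 9 querylog lines prefixed by
syslog, e.g.
  Mar  3 08:00:01 ns1 named[1234]: client 192.0.2.10#52341 (www.example.com): query: www.example.com IN A + (192.0.2.1)
The sample lines and watch list below are constructed for illustration.
"""
import re
import statistics
from collections import Counter

# BIND 9 query line, optionally with the "@0x..." client pointer newer versions print.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)
# Syslog timestamp at the start of the line; used as a one-second rate bucket.
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)")

# CH-class TXT pseudo-names that reveal server software; version.bind is the classic probe.
SERVER_PROBES = {"version.bind", "version.server", "hostname.bind", "id.server"}


def parse_query(line):
    """Return a dict for a query-log line, or None for any other named log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    ts = TS_RE.match(line)
    return {
        "ts": ts.group("ts") if ts else None,
        "client": m.group("ip"),
        "name": m.group("name").rstrip(".").lower(),
        "class": m.group("class").upper(),
        "type": m.group("type").upper(),
    }


def normalise_watchlist(domains):
    """Lower-case, strip trailing dots and drop blank/comment lines from a domain list."""
    return {d.strip().rstrip(".").lower() for d in domains if d.strip() and not d.startswith("#")}


def watchlist_hit(name, watchlist):
    """Return the watch-list entry covering name (exact match or parent domain), else None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def is_version_probe(q):
    return q["class"] == "CH" and q["type"] == "TXT" and q["name"] in SERVER_PROBES


def rate_spikes(queries, factor=10):
    """Seconds whose query count exceeds factor times the median per-second count."""
    per_second = Counter(q["ts"] for q in queries if q["ts"])
    if len(per_second) < 2:
        return []
    baseline = statistics.median(per_second.values())
    return sorted(ts for ts, n in per_second.items() if n > factor * baseline)


def analyse(lines, watchlist):
    queries = [q for q in map(parse_query, lines) if q]
    hits = [(q["ts"], q["client"], q["name"], watchlist_hit(q["name"], watchlist)) for q in queries]
    return {
        "queries": len(queries),
        "watchlist_hits": [h for h in hits if h[3]],          # (ts, client, name, matched entry)
        "version_probes": [(q["ts"], q["client"], q["name"]) for q in queries if is_version_probe(q)],
        "rate_spikes": rate_spikes(queries),
    }


# Constructed sample input: normal traffic, one infected client, one fingerprinting probe,
# and a 40-query burst from a single source in one second.
SAMPLE_LOG = """\
Mar  3 08:00:01 ns1 named[1234]: client 192.0.2.10#52341 (www.example.com): query: www.example.com IN A + (192.0.2.1)
Mar  3 08:00:01 ns1 named[1234]: client @0x7f3c2c0 192.0.2.77#40112 (cnc.badexample.net): query: cnc.badexample.net IN A +E(0) (192.0.2.1)
Mar  3 08:00:01 ns1 named[1234]: zone example.com/IN: loaded serial 2024030301
Mar  3 08:00:02 ns1 named[1234]: client 198.51.100.5#33021 (version.bind): query: version.bind CH TXT + (192.0.2.1)
Mar  3 08:00:02 ns1 named[1234]: client 192.0.2.77#40113 (update.badexample.net): query: update.badexample.net IN TXT + (192.0.2.1)
Mar  3 08:00:03 ns1 named[1234]: client 192.0.2.10#52342 (mail.example.com): query: mail.example.com IN MX + (192.0.2.1)
"""
BURST = "\n".join(
    f"Mar  3 08:00:04 ns1 named[1234]: client 203.0.113.9#{40000 + i} (q{i}.example.org): "
    f"query: q{i}.example.org IN A + (192.0.2.1)"
    for i in range(40)
)
SAMPLE_LINES = SAMPLE_LOG.splitlines() + BURST.splitlines()
WATCHLIST = normalise_watchlist(["badexample.net", "evil.example.org", "# comment line"])

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LINES, WATCHLIST).items():
        print(key, value)
```

The subdomain walk in watchlist_hit matters in practice: command-and-control names are usually short-lived hosts under a listed domain, so exact matching would miss them, while matching on "contains" would fire on look-alike names such as badexample.net.othertld. The rate check uses the median rather than the mean as its baseline so a single burst does not raise the baseline it is being compared against.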
DNS and DHCP activity can be archived for long periods by regularly uploading the collected data to an FTP/SFTP server. Additionally, the data can be formatted for upload into a third-party solution, such as a SIEM (Security Information and Event Management) product, in order to correlate it with other network-related information.
DDAM Architectural Overview
By utilising a mixture of agent-based and agentless technologies, DDAM is compatible with all major DDI platforms. For example, server-based DDI solutions running Unix/Linux/Windows and n3k runIP appliances can run an agent that captures the DNS and DHCP protocol traffic directly, so no further configuration of the DDI services is required.
Appliance-based platforms, such as Infoblox and Alcatel-Lucent AMM, can be supported by configuring syslog to forward messages to a DDAM collector. BIND DNS servers can be configured to send their query logs via syslog, and ISC DHCP servers write to syslog by default. DDAM supports syslog collection over both UDP and TCP. Prefer TCP where the platform supports it: UDP syslog gives the highest raw throughput, but messages are silently discarded under load or network congestion, so only TCP collection avoids dropped records.
Figure: Agent-based DNS/DHCP Activity Collection
Figure: Agentless DNS/DHCP Activity Collection
For more information contact us here or call us on +44 (0)1256 303 700