Auditing specific domains via DNS

Learn more about the IOTA solution at profitap.com/iota

This step-by-step guide provides an example of how an analysis of DNS traffic for specific domain names can be done using Profitap IOTA. DNS traffic, including the associated data flow, will be analyzed based on the resolved fully qualified domain name (FQDN).

The first step is to configure the physical interface. To do this, we navigate to the “Capture” page using the left menu tree, and then to the “Interface Configuration” section. The interface is configured as SPAN (out-of-band) with 10/100/1000 Mbit/s Auto Negotiation as shown below, meaning both physical interfaces can receive the traffic to be analyzed from a SPAN port or a TAP. If the IOTA is to be integrated in-line into the data stream, the checkbox next to “Inline Mode” must be ticked and the “Save” button clicked.


Figure 1: Configuration of the physical interfaces. In this case, 10/100/1000 Mbit/s Auto-Negotiation in SPAN Mode.

After we have prepared the physical interface and positioned the IOTA, we connect the appropriate cables and start the capture process on the “Capture Control” page by clicking the “Start Capture” button at the bottom of the page. Alternatively, we can start the capture process by pressing the physical “Start Capture” button on the IOTA device. This speeds up the process and can be done by untrained or non-privileged persons.


Figure 2: Start the capture using the “Start Capture” button in the “Capture Control” submenu.

After starting the capture, we switch from the Overview dashboard to the DNS Overview dashboard via the Navigate menu in the upper right-hand corner of the screen.


Figure 3: Switching from the “Overview” to the “DNS Overview” dashboard via the “Navigate” menu.

The DNS Overview dashboard first gives us an overview of the DNS activities, as shown in Figure 4. It displays the number of DNS queries, the DNS servers used, and the fully qualified domain names requested, with absolute and percentage usage statistics.


Figure 4: DNS Overview dashboard as a first overview of DNS activities.

A table with the flow data is located at the bottom of the dashboard. We can set a filter to evaluate the traffic to a specific domain. There are two ways to do this; the first is described here, the second, via the Application Overview dashboard, further below. In our example, we want to evaluate the flows to the profitap.com domain. Therefore, we enter the domain name “profitap.com” in the Search DNS field and confirm the entry by pressing Enter.


Figure 5: Filtering on the profitap.com domain via the “Search DNS” function.

After activating the filter, the statistics and flows shown before are restricted to the profitap.com domain. Now we take a look at the flow table. We look for the flow to be evaluated based on the query/response time, the client IP, or the exact fully qualified domain name in the Query column.

Whether a data flow followed the DNS query and response can be seen in the “Protocols” and “Applications” columns, as well as in the number of “Flows” in the column of the same name.


Figure 6: Flow table in the DNS Overview dashboard with download option for the DNS resolution and the corresponding data flow.

In the bottom row of the flow table, we see that the client 192.168.178.22 received the IP address 217.160.0.226 as a response for its DNS A record request to the FQDN www.profitap.com from the DNS server 192.168.178.1.

Additionally, TCP is listed as Protocol and TLS as Application. A single click on the download button at the far left of the bottom row downloads a PCAPNG file containing the complete DNS resolution, the subsequent TCP and TLS handshakes, and the encrypted payload transmission that follows. On this basis, we can perform an even deeper analysis.


Figure 7: Downloaded PCAPNG file with DNS resolution, TCP and TLS handshake, and payload transfer.

IOTA can also show which applications are used in connection with a specific target domain. To do this, we switch to the Application Overview dashboard via the Navigate menu.


Figure 8: Switching to the Application Overview dashboard via the Navigate menu.

The Application Overview dashboard first gives us an overview of the services and service categories used with the associated data volumes.


Figure 9: Application Overview dashboard with an overview of used services and service categories.

In the lower section of this dashboard, we find the “Clients / Servers” area. Here we see the bandwidth used per client, identified by IP address. The table below it lists the servers used and includes a column with the fully qualified domain name (FQDN).

Hovering over an entry in this column reveals a “+” symbol that sets a filter on that FQDN, in this case mp-prod-de-image.s3-eu-central-1.amazonaws.com. The associated IP address is also shown here, and from it the target country and the name of the autonomous system are determined.


Figure 10: Filter option based on the fully qualified domain name mp-prod-de-image.s3-eu-central-1.amazonaws.com in the “Application Overview” dashboard.

Clicking on the “+” icon creates a filter with the attribute “SERVER_HOST_NAME_DNS”, the operand “EQUALS (=)” and the value “mp-prod-de-image.s3-eu-central-1.amazonaws.com”.

As a result, the pie chart on the left shows the service category in its dark blue middle ring, in this case “Cloud CDN Services”, and the Amazon Cloud application in the light blue area. At peak, the client reached a bandwidth of 24.9 Mbit/s. On the right, the button in the table's Download column downloads the associated flows in PCAPNG format.
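To make the correlation behind the flow table of Figure 6 and the “SERVER_HOST_NAME_DNS” filter concrete, here is an added Python example; it is not IOTA's own code. Each flow is attributed to the FQDN that the same client most recently resolved to the flow's server address, and flows with no preceding DNS answer are listed separately, a case the guide does not cover. The event records are constructed, using the addresses named in this guide; all class and function names are assumptions.

```python
"""Correlate DNS A-record answers with the flows that follow them.
Constructed sample data (not a real capture): one client resolves
www.profitap.com and then opens a TLS session to the returned address."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DnsAnswer:
    ts: float         # time the response was seen
    client: str       # querying client
    server: str       # DNS server that answered
    qname: str        # queried FQDN
    addresses: tuple  # A-record answers (empty for NXDOMAIN etc.)

@dataclass(frozen=True)
class Flow:
    ts: float         # start of the flow
    client: str
    server: str
    dport: int
    proto: str

# Constructed events using the addresses named in this guide.
EVENTS = [
    DnsAnswer(1.000, "192.168.178.22", "192.168.178.1", "www.profitap.com", ("217.160.0.226",)),
    DnsAnswer(1.050, "192.168.178.22", "192.168.178.1", "nx.example", ()),  # no answer
    Flow(1.020, "192.168.178.22", "217.160.0.226", 443, "TCP"),  # follows the resolution
    Flow(1.100, "192.168.178.22", "203.0.113.9", 443, "TCP"),    # no prior DNS answer
    Flow(0.500, "192.168.178.22", "217.160.0.226", 80, "TCP"),   # started before the answer
]

def server_host_name_dns(flow: Flow, events) -> Optional[str]:
    """Return the FQDN the flow's server IP was resolved to: the latest A answer this
    client received for that address before the flow began, or None if there is none."""
    best = None
    for ev in events:
        if (isinstance(ev, DnsAnswer) and ev.client == flow.client and ev.ts <= flow.ts
                and flow.server in ev.addresses and (best is None or ev.ts > best.ts)):
            best = ev
    return best.qname if best else None

def flows_for_fqdn(events, fqdn: str) -> list:
    """Emulate the filter SERVER_HOST_NAME_DNS EQUALS <fqdn> over the flow table."""
    return [f for f in events if isinstance(f, Flow) and server_host_name_dns(f, events) == fqdn]

def unresolved_flows(events) -> list:
    """Flows whose server address was never returned to that client by DNS beforehand.
    Worth a second look: normal client traffic is usually preceded by a lookup."""
    return [f for f in events if isinstance(f, Flow) and server_host_name_dns(f, events) is None]
```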


Figure 11: Application detection for FQDN and bandwidth used, including download option.

The Application Overview dashboard shown above offers one more option. In the client table on the left, we can see the client IP address and, if available, the corresponding FQDN, the mDNS name, and the recorded data volume.

Especially in DHCP environments, this shows the mapping between IP address and FQDN at the time of recording, allowing targeted analysis of individual clients. The same is available for servers, as described above.


Figure 12: Client table in the Application Overview dashboard.

Profitap IOTA offers various possibilities to use the Domain Name System (DNS) data to recognize and analyze correlating data like associated flows. Using easy-to-set-up search filters, the corresponding data flows can be downloaded in PCAPNG format for further analysis.

IOTA offers in-depth analysis of the data flows that follow the DNS resolution, such as TCP and TLS, including evaluation of the associated performance indicators. This simplifies and accelerates the troubleshooting process.


  • Last modified: February 29, 2024