DNS metadata can be captured from log files or passively using the out-of-the-box Insight Network Sensor. The sensor approach has the added advantage of providing visibility into external DNS server use. These queries are ideal for building dashboards focused on DNS activity.
Total DNS Traffic over time
where(public_suffix) calculate(count) timeslice(60)
DNS Query Types
groupby(query_type)
Top Systems Based on DNS Queries
groupby(source_address)
DNS Queries to Uncommon Domains by User
where((public_suffix != com AND public_suffix != net AND public_suffix != org) AND user!=unknown) groupby(user)
DNS Queries to Uncommon Domains By Asset
where((public_suffix != com AND public_suffix != net AND public_suffix != org) AND asset!=unknown) groupby(asset)
DNS Queries to Uncommon Domains by Public Suffix
where(public_suffix != com AND public_suffix != net AND public_suffix != org) groupby(public_suffix)
Top External DNS Servers
where(dns_server_address!=IP(10.0.0.0/8) AND (dns_server_address!=IP(192.168.0.0/16)) AND (dns_server_address!=IP(172.16.0.0/12))) groupby(dns_server_address)
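The filters behind the "uncommon domain" and "external DNS server" cards above, re-implemented in Python over a few constructed DNS metadata records so the grouping logic can be checked offline. This is an added example, not code from the original page or from InsightIDR; the field names follow the queries and the sample records are made up.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records mirroring the fields the LEQL queries reference.
SAMPLE_DNS_LOG = """
{"public_suffix":"com","user":"alice","asset":"wk-01","source_address":"10.1.2.3","dns_server_address":"10.0.0.53","query_type":"A"}
{"public_suffix":"xyz","user":"bob","asset":"wk-02","source_address":"10.1.2.4","dns_server_address":"8.8.8.8","query_type":"TXT"}
{"public_suffix":"net","user":"unknown","asset":"srv-01","source_address":"192.168.1.10","dns_server_address":"192.168.1.1","query_type":"AAAA"}
{"public_suffix":"top","user":"bob","asset":"unknown","source_address":"172.16.5.5","dns_server_address":"1.1.1.1","query_type":"A"}
{"public_suffix":"io","user":"carol","asset":"wk-03","source_address":"10.1.2.5","dns_server_address":"172.31.0.2","query_type":"A"}
"""

COMMON_SUFFIXES = {"com", "net", "org"}  # the three suffixes the queries exclude
# The three RFC 1918 ranges the "Top External DNS Servers" query excludes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def parse_events(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def uncommon_domains_by(events, field):
    """Equivalent of: where(public_suffix not com/net/org AND <field>!=unknown) groupby(<field>)."""
    return Counter(e[field] for e in events
                   if e["public_suffix"] not in COMMON_SUFFIXES and e[field] != "unknown")


def is_external(addr):
    """True when the address lies outside all three private ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in PRIVATE_NETS)


def external_dns_servers(events):
    """Equivalent of: where(dns_server_address not in private ranges) groupby(dns_server_address)."""
    return Counter(e["dns_server_address"] for e in events if is_external(e["dns_server_address"]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_DNS_LOG)
    print(uncommon_domains_by(evs, "user"))   # bob: 2, carol: 1
    print(uncommon_domains_by(evs, "asset"))  # wk-02: 1, wk-03: 1 (asset "unknown" dropped)
    print(external_dns_servers(evs))          # 8.8.8.8: 1, 1.1.1.1: 1 (172.31.0.2 is private)
```

Note that 172.31.0.2 counts as internal because 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255; a /16 by mistake would misclassify it as external.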