DNS Insure

DNS.Insure application controls the DNS blacklist features and the DNS.Insure service that automatically maintains that blacklist. . It facilitates the functionality of banning a website URL and any other content that relies on the DNS for delivery, such as email. The category lists of banned websites are updated automatically and are reflected in the Blacklist section of the Content Filter Engine application. Using this application, the administrator can add any website manually to the banned lists of URLs as well.

Left-hand Navigation Panel > Security Configuration > DNS Insure

The DNS Sinkhole Updates are drawn periodically from dedicated Red Piranha servers playing a vital role in preventing a user in the Crystal Eye network to access a malicious domain name. DNS Sinkholing action ensures that the response to a DNS query is forged because of which the malicious domain name resolves to a different IP address and not the actual IP address. This also means that the user would see a warning message generated by Crystal Eye stating that the accessed website is malicious.

How to Refresh DNS Sinkhole Updates?

Step 1: In the DNS Insure application page, click Refresh button and the Check for Updates button wait for the webpage to refresh automatically.

Note: On refreshing the DNS Sinkhole Updates you would be able to see the date and time of the latest updates and the status of the update.

The administrator can add a list of websites to be blocked by Crystal Eye with the help of a user friendly add banned sites feature.

Note: Only http website can be blocked using the Banned Sites feature of the Crystal Eye's Content Filter application. However, if there is a requirement to block https websites throughout the Crystal Eye network then we would recommend the usage of Banned Sites feature of the DNS Insure application. But if there is a requirement to ban https websites for a particular group of users then we would recommend enabling Crystal Eye's Deep Packet Inspection and then add the site that needs to be blocked in the Banned Sites section of the Content Filter application.

How to Manually Ban Websites on the Crystal Eye Network?

Step 1: In the DNS application page, click the Add button in the Banned Sites section. Step 2: Add the website name to the Site box and click the Add button.

The DNS.Insure DNS server keeps records of all DNS requests made through the Crystal Eye DNS system and the responses to those queries. This data can provide many useful insights into usage patterns on your network. It can be useful when diagnosing DNS problems or other patterns of unusual network behaviour. Several different reports are available on DNS Request and responses. Reports may be filtered. You may filter by using a search string, or by changing the period of time over which reports are made. The search string only applies to reports where it is relevant.

This report simply indicates the number of DNS requests over time, and is useful as an indicator of activity levels on the network (though very different to bandwidth). It is formatted as a smoothed graph of the number of DNS requests over time.

This report lists the top ten most requested names, and the number of times each was requested. The term RRNAME is just an abbreviation for Resource Record Name, and is the domain name part of a DNS query. If the query was for a domain name it will record the domain name asked for, if the query was a reverse DNS lookup for an address is will record the .arpa domain name, which can be read in reverse order to discover the IP address that was the subject of the query.

This report should list the most commonly returned data from a request. This should be equivalent to the ANSWER part of a query response. So if the most common queries are Fully Qualified Domain Names, then the Response Data will contain the IP numbers.

This report lists the top ten DNS servers from which data is requested. In normal operation, the Crystal Eye device itself will be the majority of the DNS services in this list, usually as its external IP address. You may see the Crystal Eye device showing up under multiple IP addresses in some configurations.

This report lists the top ten querying DNS clients. This report may include both internal and external IP addresses. The reasons for external DNS queries should be considered, as many may be probes of the DNS system by potential external attackers. Many requests from internal clients may reveal if some systems are querying at a very high rate, possibly due to a misconfiguration.

Request types are taken directly from the type part of a query for a Resource Record, and can reveal information about DNS load and network usage patterns. The most common queries are likely to be for A records (attempts to resolve a domain name to an IPv4 address), AAAA records (attempts to resolve a domain name to an IPv6 address – note a single domain name may resolve to both forms of address, and be queried for both), PTR records (reverse DNS queries that attempt to obtain a domain name for an address). You will also see requests for NS (address of name servers for a sub-domain) and SOA (the Start of Authority record for a domain name containing information including how long data may be cached for), both of which are a normal part of recursive domain name resolution. And you may see requests for other queries related to other services. For example, MX requests (for mail servers for a domain), SRV requests (which are used by a range of services in including SIP services for VOIP applications), and TXT requests (for text records in the DNS, that have uses that include the SPF and DMARC standards for increased email security). You may also see requests for ANY records, this query originally gave out all record types for a particular hostname, and was useful for debugging purposes. It is extremely rare to see valid ANY requests in normal use, and many DNS services have deprecated their use and do not return a response with the full data.

This report lists the number of times each response code has been seen in DNS responses. There are a limited number of response codes. Crystal Eye reports the number of NOERROR, NXDOMAIN (Non-existent domain), SERVFAIL (the server failed), and REFUSED (the server refused to answer for another reason) responses.