The thing to know about BloxOne Threat Defense is that you can use dig to see how any name is being resolved and classified, by querying the debug zone as a CH-class TXT record:
dig @52.119.41.100 <DOMAIN_YOU_WANT_DATA_ON>.debug.infoblox.com ch txt
DOMAIN=google.com
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP
As aliases (DOMAIN is expanded when the alias runs, so set it first):
DOMAIN=google.com
alias ibcat='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT'
alias ibapp='dig @52.119.41.100 $DOMAIN.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP'
Or as shell functions that take the domain as an argument:
ibcat() {
dig @52.119.41.100 $1.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep CAT
}
ibapp() {
dig @52.119.41.100 $1.debug.infoblox.com ch txt | grep Ident | sed s/\"/\\n/g | grep APP
}
The nslookup equivalent:
nslookup -type=txt -class=chaos outlook.office365.com.debug.infoblox.com 52.119.41.100
Also know that *.infoblox.com and ntp.ubuntu.com are on the PASSTHRU list in the cloud, so for those names the Web Category comes back as Unknown. That is expected: the name is not actually unknown, the web categorisation engine simply doesn't process passthrough names (the debug TXT shows this as "Passthrough: yes").
Locally, with expert mode enabled, the same queries can be run against the listener on 127.0.0.1 port 1024:
set expertmode on
dig @127.0.0.1 -p 1024 google.com
dig @127.0.0.1 -p 1024 google.com.debug.infoblox.com ch txt
dig @127.0.0.1 A my-ip.debug.infoblox.com
The TXT record for the same name includes the region:
dig @127.0.0.1 TXT my-ip.debug.infoblox.com
To see what region you are using
dig @52.119.41.100 TXT my-ip.debug.infoblox.com | grep TXT | grep 0 | awk -F "\"" '{print $2}' | awk -F "/" '{print $2}'
dig @52.119.41.100 csp.infoblox.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
csp.infoblox.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-5dc6c84d54-nmzjs" "Passthrough: yes"
dig @52.119.41.100 ntp.ubuntu.com.debug.infoblox.com ch txt
;; ANSWER SECTION:
ntp.ubuntu.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c75744d56-n8xbb" "Passthrough: yes"
The interactive nslookup equivalent is:
nslookup
> server 52.119.40.100
> set class=chaos
> set type=txt
> login.microsoftonline.com.debug.infoblox.com
dig @52.119.41.100 outlook.office365.com.debug.infoblox.com ch txt
returns the resolver identity (region/pod) followed by the policy decision point (PDP) responses. Effect and policy_action say what the policy did, all_tags lists the category (CAT_) and application (APP_) tags that matched, and policy_id/customer_id show which tenant policy the query from your source address was evaluated against:
Ident: eu-west-2/coredns-c123123aa-aaaaa
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"CAT_Web-based Email\",\"APP_Microsoft Outlook\"
]
}
Domain resolution: resolved
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"APP_Uncategorized\"
]
}
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"APP_Uncategorized\"
]
}
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"APP_Uncategorized\"
]
}
PDP response
{
Effect: Permit,
Obligations:
[
policy_action: allow,
ttype: 1,
tag: APP_Microsoft Outlook,
policy_id: 012345ab,
customer_id: 123456780abcdefg1234567890abcdef,
revision: 01234,
ecs: 1,
all_tags: \"APP_Uncategorized\"
]
}
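The following is an added example (my own, not Infoblox code and not part of the original notes) that replaces the grep/sed chains above with small functions: region and pod from the Ident string, the passthrough flag from the caveat about the PASSTHRU list, and the Effect and CAT_/APP_ tags from the PDP responses. It assumes the TXT layout shown in the answers above; SAMPLE and PASSTHRU_SAMPLE are constructed inputs shaped like the outlook.office365.com and ntp.ubuntu.com answers, and only ib_debug touches the network.

```sh
#!/bin/sh
# Added example, not Infoblox code: parse the CH TXT debug answer returned for
# <name>.debug.infoblox.com. The record layout is assumed from the answers
# reproduced on this page; SAMPLE and PASSTHRU_SAMPLE are constructed inputs.

# region from "Ident: <region>/<pod>" (first Ident string only)
ib_region() {
  grep -o 'Ident: [^"]*' | head -n 1 | sed 's/^Ident: //; s|/.*||'
}

# resolver pod that answered, from the same Ident string
ib_pod() {
  grep -o 'Ident: [^"]*' | head -n 1 | sed 's|^Ident: [^/]*/||'
}

# yes/no: "yes" means the name is on the PASSTHRU list and was never categorised
ib_passthrough() {
  if grep -q 'Passthrough: yes'; then echo yes; else echo no; fi
}

# distinct Effect values across all PDP responses (Permit, Deny, ...)
ib_effects() {
  grep -o 'Effect: [A-Za-z]*' | sed 's/^Effect: //' | awk '!seen[$0]++'
}

# CAT_/APP_ tags from every all_tags list, one per line, first occurrence wins.
# Inner quotes arrive escaped (\"), so the trailing backslash is stripped.
ib_tags() {
  tr '"' '\n' | grep -E '^(CAT|APP)_' | sed 's/\\$//' | awk '!seen[$0]++'
}

# human summary of one debug answer read from stdin
ib_summary() {
  out=$(cat)
  printf 'region=%s pod=%s\n' "$(printf '%s\n' "$out" | ib_region)" "$(printf '%s\n' "$out" | ib_pod)"
  if [ "$(printf '%s\n' "$out" | ib_passthrough)" = yes ]; then
    echo 'passthrough: category/app not evaluated (expect Unknown/Uncategorized)'
    return 0
  fi
  printf 'effects=%s\n' "$(printf '%s\n' "$out" | ib_effects | tr '\n' ' ')"
  printf '%s\n' "$out" | ib_tags
}

# live query (needs network); same anycast resolver as the rest of these notes
ib_debug() { dig @52.119.41.100 "$1.debug.infoblox.com" ch txt; }

# constructed sample, shaped like the outlook.office365.com answer
SAMPLE=$(cat <<'EOF'
;; ANSWER SECTION:
outlook.office365.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c123123aa-aaaaa" "PDP response { Effect: Permit, Obligations: [ policy_action: allow, ttype: 1, tag: APP_Microsoft Outlook, policy_id: 012345ab, revision: 01234, ecs: 1, all_tags: \"CAT_Web-based Email\",\"APP_Microsoft Outlook\" ] }" "PDP response { Effect: Permit, Obligations: [ policy_action: allow, all_tags: \"APP_Uncategorized\" ] }"
EOF
)

# constructed sample, shaped like the ntp.ubuntu.com answer
PASSTHRU_SAMPLE='ntp.ubuntu.com.debug.infoblox.com. 0 CH TXT "Ident: eu-west-2/coredns-c75744d56-n8xbb" "Passthrough: yes"'

printf '%s\n' "$SAMPLE" | ib_summary
printf '%s\n' "$PASSTHRU_SAMPLE" | ib_summary
```

For a live check, `ib_debug outlook.office365.com | ib_summary` gives the same summary for whatever the anycast resolver actually returns; a passthrough name is reported as such instead of being misread as an uncategorised one.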
To trace the path to the anycast resolver (Windows):
tracert -d 52.119.41.100
In a tech support file, run the following on iptables.txt (note the two spaces between LOGACCEPT and all) to find the list of Grid Members that are not the GM:
grep "LOGACCEPT  all" iptables.txt
On the switch ports facing the appliances, disable STP, Trunking, EtherChannel, IGMP Snooping, DHCP Snooping and Port Channeling.
To show detected DNS threats in the NIOS logs (Administration > Logs > Syslog > View Member), apply the following filters:
To show DNS queries that worked from a specific client:
To show Dynamic DNS:
To show renew requests:
A full lease handshake for one client (the TransID ties the four messages together):
DHCPDISCOVER from 10:0b:a9:11:11:11 via <DHCP RELAY IP> TransID 13c8cab7
DHCPOFFER on <OFFERED IP> to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay <DHCP RELAY IP> lease-duration 119 offered-duration 3600 r-l-e:192.168.1.123,Issued,HOSTNAME,10:0b:a9:11:11:11,1644784034,1644787634,505,$default,192.168.99.192,27,192.168.99.194-192.168.99.222
DHCPREQUEST for <OFFERED IP> from 10:0b:a9:11:11:11 (HOSTNAME) via <DHCP RELAY IP> TransID 13c8cab7
DHCPACK on <OFFERED IP> to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay <DHCP RELAY IP> lease-duration 3600
Dynamic DNS updates that succeeded:
Added reverse map from 11.1.168.192.in-addr.arpa. to hostname.example.com
Added new forward map from hostname.example.com to 192.168.1.11
DHCP failover: the DISCOVER is load-balanced to the peer, and a REQUEST arrives for a lease the peer owns:
DHCPDISCOVER from 10:0b:a9:11:11:11 via <IP OF RELAY> TransID 13c8c111: load balance to peer NAME-OF-FAILOVER-ASSOCIATION (1601720004ps)
DHCPREQUEST for <REQUESTED IP> (IP of DHCP Peer Server) from 10:0b:a9:11:11:11 via <IP OF RELAY> TransID 13c8cab7 uid 01:00:04:30:11:11:11: lease owned by peer
A renewal (REQUEST and ACK both carry the RENEW marker):
DHCPREQUEST for 192.168.1.11 from c6:38:38:11:11:11 (HOSTNAME) via eth1 TransID b1e9a111 uid 01:c6:38:38:11:11:11 (RENEW)
DHCPACK on 192.168.1.11 to c6:38:38:11:11:11 (HOSTNAME) via eth1 relay eth1 lease-duration 3600 (RENEW) uid 01:c6:38:38:11:11:11
Dynamic DNS updates that failed. REFUSED means the DNS server rejected the update (zone update policy or TSIG key); NXRRSET means a prerequisite RRset the update expected was not there; the DHCID failure means an A record already exists for the name that this DHCP server did not create, so it will not overwrite it:
Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: REFUSED
Unable to add forward map from hostname.domain.com to 192.168.1.11: REFUSED
Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: NXRRSET
Forward map from hostname.domain.com to 192.168.1.11 FAILED: Has an address record but no DHCID, not mine.
A release:
DHCPRELEASE of 192.168.11.11 from 10:0b:a9:11:11:11 (HOSTNAME) via eth1 (found) TransID 21881111
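The following is an added example (my own, not Infoblox code and not part of the original notes) that turns the log shapes above into filters you can run over an exported syslog: renewals, all dynamic DNS activity, failed DDNS updates with the address and reason, and a lease table built from the DHCPACKs. LOG is constructed from the samples above; the timestamp/host/dhcpd prefix and the relay and offered addresses (192.168.99.1, 192.168.99.200) are made-up stand-ins for the <...> placeholders, and the release is made to match the first lease so that it is visibly removed from the table.

```sh
#!/bin/sh
# Added example, not Infoblox code: filters over NIOS dhcpd syslog lines of
# the shapes shown above. LOG is constructed from those samples; the syslog
# prefix, relay and offered addresses are made-up stand-ins. Every function
# reads syslog on stdin and tolerates the "date host dhcpd[pid]:" prefix.

# renewals: "<mac> <ip>" for every DHCPACK carrying the (RENEW) marker
dhcp_renewals() {
  awk '/DHCPACK on / && /\(RENEW\)/ { sub(/.*DHCPACK on /, ""); print $3, $1 }'
}

# all dynamic DNS activity, success and failure
ddns_events() {
  grep -iE '(forward|reverse) map'
}

# failed DDNS updates as "<ip> <reason>"; reason is the text after the last ": "
ddns_failures() {
  awk '/abandoned because|Unable to add|FAILED:/ {
    ip = "-"
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:?$/) { ip = $i; sub(/:$/, "", ip) }
    if (match($0, /: [^:]*$/)) print ip, substr($0, RSTART + 2)
  }'
}

# current leases from DHCPACKs, keyed by IP, minus anything DHCPRELEASEd:
# "<ip> <mac> <hostname>" ("-" when the client sent no hostname)
lease_table() {
  awk '
    /DHCPACK on / {
      sub(/.*DHCPACK on /, "")
      host = ($4 ~ /^\(/) ? $4 : "(-)"
      gsub(/[()]/, "", host)
      lease[$1] = $3 " " host
    }
    /DHCPRELEASE of / { sub(/.*DHCPRELEASE of /, ""); delete lease[$1] }
    END { for (ip in lease) print ip, lease[ip] }'
}

# constructed input, shaped like the NIOS dhcpd lines reproduced above
LOG=$(cat <<'EOF'
Feb 13 21:07:14 dhcp-member dhcpd[1234]: DHCPDISCOVER from 10:0b:a9:11:11:11 via 192.168.99.1 TransID 13c8cab7
Feb 13 21:07:14 dhcp-member dhcpd[1234]: DHCPOFFER on 192.168.99.200 to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay 192.168.99.1 lease-duration 119 offered-duration 3600
Feb 13 21:07:14 dhcp-member dhcpd[1234]: DHCPREQUEST for 192.168.99.200 from 10:0b:a9:11:11:11 (HOSTNAME) via 192.168.99.1 TransID 13c8cab7
Feb 13 21:07:14 dhcp-member dhcpd[1234]: DHCPACK on 192.168.99.200 to 10:0b:a9:11:11:11 (HOSTNAME) via eth1 relay 192.168.99.1 lease-duration 3600
Feb 13 21:07:15 dhcp-member dhcpd[1234]: Added reverse map from 11.1.168.192.in-addr.arpa. to hostname.example.com
Feb 13 21:07:15 dhcp-member dhcpd[1234]: Added new forward map from hostname.example.com to 192.168.1.11
Feb 13 21:07:20 dhcp-member dhcpd[1234]: DHCPDISCOVER from 10:0b:a9:22:22:22 via 192.168.99.1 TransID 13c8c111: load balance to peer NAME-OF-FAILOVER-ASSOCIATION (1601720004ps)
Feb 13 21:37:14 dhcp-member dhcpd[1234]: DHCPREQUEST for 192.168.1.11 from c6:38:38:11:11:11 (HOSTNAME) via eth1 TransID b1e9a111 uid 01:c6:38:38:11:11:11 (RENEW)
Feb 13 21:37:14 dhcp-member dhcpd[1234]: DHCPACK on 192.168.1.11 to c6:38:38:11:11:11 (HOSTNAME) via eth1 relay eth1 lease-duration 3600 (RENEW) uid 01:c6:38:38:11:11:11
Feb 13 21:37:15 dhcp-member dhcpd[1234]: Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: REFUSED
Feb 13 21:37:15 dhcp-member dhcpd[1234]: Unable to add forward map from hostname.domain.com to 192.168.1.11: REFUSED
Feb 13 21:37:16 dhcp-member dhcpd[1234]: Reverse map update for 192.168.1.11 abandoned because of non-retryable failure: NXRRSET
Feb 13 21:37:16 dhcp-member dhcpd[1234]: Forward map from hostname.domain.com to 192.168.1.11 FAILED: Has an address record but no DHCID, not mine.
Feb 13 21:50:01 dhcp-member dhcpd[1234]: DHCPRELEASE of 192.168.99.200 from 10:0b:a9:11:11:11 (HOSTNAME) via eth1 (found) TransID 21881111
EOF
)

echo '== renewals';      printf '%s\n' "$LOG" | dhcp_renewals
echo '== ddns failures'; printf '%s\n' "$LOG" | ddns_failures
echo '== leases';        printf '%s\n' "$LOG" | lease_table | sort
```

Against a real export, `ddns_failures < syslog.txt | sort | uniq -c | sort -rn` shows which addresses keep failing to register and why; a run of "no DHCID, not mine" failures for one name is worth checking, since it means something other than this DHCP server already owns that A record.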