Collect DNS Queries with Lumu VA and Infoblox

The Lumu Virtual Appliance (VA) offers a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation.

In the scenario where your company is not using the Virtual Appliance’s built-in DNS resolver, but still using the VA for collecting DNS metadata, you still have the option to configure third-party solutions to forward DNS queries to Lumu using VA Collectors. This approach does not require modifying the network configuration.

In this guide, we show how to configure Infoblox NIOS to forward all DNS packets to Lumu through the Virtual Appliance.

Network diagram with Lumu VA Collector for Infoblox

Requirements

  1. Infoblox NIOS version 8.4+.
  2. Admin access to specify syslog servers on Infoblox NIOS.
  3. The most recent version of the Lumu Virtual Appliance installed.

You can check the current version of the virtual appliance using the following command: lumu-appliance -v. For more information on how to upgrade the Lumu VA, consult Upgrade Virtual Appliances.

These are the general steps you should follow to configure Infoblox to send all DNS queries to Lumu without using Lumu as a primary DNS server in your network:

General steps to configure Infoblox

Deploy and Set Up a Virtual Appliance

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Deploy and Set Up a Virtual Appliance

Once you have installed and configured a Lumu Virtual Appliance with the respective DNS Queries collector, go to the Lumu Virtual Appliance and refresh the VA collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, stop it before setting up collectors.

Example of screen when setting up a DNS Queries Collector

Enter the port number and start the virtual appliance:

Example of screen when setting up a DNS Queries Collector

Configure Infoblox to Send Metadata to Lumu VA

Once you have installed and configured a Lumu Virtual Appliance with the respective DNS Queries collector, the next step is to set up Infoblox to forward DNS metadata to Lumu. Follow these steps to specify Infoblox syslog servers to send all DNS queries to Lumu without using Lumu as a primary DNS server in your network.

1. From the Grid tab, select the Licences tab and then click Grid Properties > Edit from the toolbar.

Infoblox Grid Properties

2. In the Grid Properties editor, select the Monitoring tab, and then in the Basic section, complete the following:

  1. Syslog size (MB): Specify the maximum size for a syslog file. The default is 300.
  2. Log to External Syslog Servers: Select this to enable the appliance to send syslog messages to Lumu. To define a new syslog server, click the Add icon and complete the following:
    1. Address: Enter the IP address of the Lumu Virtual Appliance.
    2. Transport: Select whether Infoblox uses TCP, Secure TCP, or UDP to connect to the Lumu VA.
    3. Interface: Select the interface through which Infoblox sends syslog messages to the Lumu VA.
    4. Node ID: Select LAN as the node identification string. This is the default.
    5. Source: Select Any for sending both internal and external syslog messages.
    6. Severity: Choose a severity filter from the drop-down list. When you choose a severity level, the appliance sends log messages with the selected level and the levels above it. We recommend setting it as Debug.
    7. Port: Enter the destination port number. This should be the UDP port you set up in the Lumu VA.
    8. Logging Category: Select Send all to log all syslog messages for all the events.

Infoblox Grid Properties Editor

For further details about syslog settings, consult the Infoblox documentation.

3. Save the configuration and click Restart if it appears at the top of the screen.

4. To confirm that the queries and responses are being logged as expected, navigate to Grid > Grid manager > Edit > Logging.

Infoblox Grid DNS Properties
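
To sanity-check the syslog stream configured in the steps above, the following added example (not part of the Lumu or Infoblox documentation) decodes each datagram's syslog priority, applies the severity filter rule from step 2, and extracts the DNS queries. It assumes BIND-style named query log lines logged at info severity; the sample datagrams, host names and addresses are constructed.

```python
import re

# Syslog severity names; the index is the numeric severity (0 is most severe).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
# Assumed BIND-style body: client [@0x..] IP#port (name): query: name CLASS TYPE ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_datagram(line):
    """Return (severity_name, query_dict_or_None) for one syslog datagram."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, None  # no valid PRI header, so not a syslog message
    severity = SEVERITIES[int(m.group(1)) % 8]  # PRI = facility * 8 + severity
    q = QUERY_RE.search(line)
    return severity, (q.groupdict() if q else None)

def passes_filter(severity, threshold):
    """The selected level and every more severe level are sent."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)

def summarize(lines, threshold="debug"):
    """Count datagrams and collect the DNS queries that survive the filter."""
    stats = {"total": 0, "forwarded": 0, "queries": []}
    for line in lines:
        severity, query = parse_datagram(line)
        if severity is None:
            continue
        stats["total"] += 1
        if passes_filter(severity, threshold):
            stats["forwarded"] += 1
            if query:
                stats["queries"].append((query["client"], query["qname"], query["qtype"]))
    return stats

# Constructed sample datagrams (documentation address ranges, not captured traffic).
SAMPLE = [
    "<30>Jan 10 09:15:01 ns1 named[2211]: client 192.0.2.10#53122 (example.com): query: example.com IN A + (192.0.2.53)",
    "<30>Jan 10 09:15:02 ns1 named[2211]: client @0x7f3a1c0 2001:db8::5#40111 (mail.example.org): query: mail.example.org IN MX +E(0) (192.0.2.53)",
    "<28>Jan 10 09:15:03 ns1 named[2211]: zone example.com/IN: refresh: failure trying master",
    "<86>Jan 10 09:15:04 ns1 sshd[901]: Accepted publickey for admin",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "debug"))    # everything forwarded, two queries found
    print(summarize(SAMPLE, "warning"))  # info-level query lines are filtered out
```

Under these assumptions, a severity filter stricter than info silently removes the query records from the stream, which is why the Debug setting recommended in step 2 matters for DNS visibility.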