DNS DGA and Tunneling Detection Details

To access this page, click Monitor > DNS.

You can view details about DNS DGA and tunnel detections.

DGA

You can perform the following action in the DGA tab:

View details about the DGA-based detections. See Table 1.
View the threat sources if there is a C&C hit for a domain. Click on domain name with DGA verdict to view the threat sources.
Report false positives. Choose this option to send a report to Juniper Networks, informing a false positive. Juniper will investigate the report; however, this does not change the verdict.
Export DGA detections as a CSV file to view and analyze the exported DGA detections as needed. You can either export all detections at once or for a specific timespan.
Select the time span to view the DGA detections for a specific period.

Table 1: Fields on the DGA Tab
Field	Description
Domain	Displays the domain name where DGA hit occurs.
DNS Record Type	Displays the DNS record type. Example: A (Host address), CNAME (Canonical name for an alias), SRV (location of service), and so on. A— DNS record is used to point a domain or subdomain to an IP address. CNAME—DNS record is used to point a domain or subdomain to another hostname. SRV—DNS record is used to point a domain or subdomain to a service location.
Last Hit Session ID	Displays the ID of the most recent domain hit.
Last Hit Source IP	Displays the source IP address of the most recent domain hit.
Last Hit Destination IP	Displays the destination IP address of the most recent domain hit.
Total Hits	Displays the total number of hits on the domain.
Verdict	Displays the confirmed DGA verdict provided by ATP Cloud. Clean DGA
Last Hit Time	Displays the date and time of the most recent domain hit.

Use the Tunnel tab to monitor the DNS tunneling metadata provided by SRX Series Firewalls. Table 2 displays the DNS tunneling metadata.

You can perform the following action in the Tunnel tab:

View details about the DNS tunneling metadata provided by SRX Series Firewalls. Table 2 displays the DNS tunneling metadata.
Export DNS Tunnel detections as a CSV file to view and analyze the exported DNS tunneling detections as needed. You can either export all detections at once or for a specific timespan.
Select the time span to view the DNS tunneling detections for a specific period.
View detailed information about a DNS tunnel. Click on a domain name. See Table 3
Download PCAP from the DNS Tunnel page. Select a client and click Download PCAP to download the packet capture details and view more information about the network.

Table 2: Fields on the Tunnel Tab
Field	Description
Domain	Displays the domain name
DNS Record Type	Displays the DNS record type. Example: A (Host address), CNAME (Canonical name for an alias), SRV (location of service), and so on. A— DNS record used to point a domain or subdomain to an IP address. CNAME—DNS record used to point a domain or subdomain to another hostname. SRV—DNS record used to point a domain or subdomain to a service location.
Last Hit Session ID	Displays the session ID of the most recent domain hit.
Tunnel Data	Displays the tunnel information shared by SRX Series Firewall.
Last Hit Source IP	Displays the source IP address of the most recent domain hit.
Last Hit Destination IP	Displays the destination IP address of the most recent domain hit.
Total Hits	Displays the total number of sessions that were hit.
Last Hit Time	Displays the date and time of the most recent domain hit.

Table 3: Fields on the DNS Tunnel page
Field	Description
Client IP Address	Displays the IP address of the host that has contacted the DNS domain.
Device Name	Displays the name of the SRX Series Firewall in contact with the DNS domain.
Incoming Bytes	Displays the number of incoming bytes to the DNS tunnel.
Outgoing Bytes	Displays the number of outgoing bytes from the DNS tunnel.
Last Seen	The date and time of the most recent DNS tunnel hit.

Note:

DNS DGA and tunnel detection is supported on Junos OS 21.2R1 and later releases.