Query DNS Protection data using Live Discover

You can query your DNS Protection data using Live Discover in the Threat Analysis Center. Live Discover lets you use SQL queries to get more granular data than the reports in Logs & Reports. For example, you can query DNS Protection data, such as the number of DNS queries by policy action, domain, or location.

To use Live Discover for DNS Protection, go to Threat Analysis Center > Live Discover and click DNS Protection. Live Discover has some built-in Data Lake queries for DNS Protection. You can use these queries, edit them, or create new ones. To edit these queries or create new ones, turn on Designer Mode.

Note

If you're creating a new query for DNS Protection, select Data Lake as the Source.

For information about how to use Live Discover, see Live Discover.
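The queries below are an added example, not from this documentation page or from Sophos. They show the three aggregations the introduction mentions (DNS queries by policy action, by domain, and by location) against the Data Lake table and field names described on this page. The table name xgfw_data and the log_type and log_component values come from the page; the time-window predicate is an assumption about how timestamps compare in this dialect, and the date literals are constructed placeholders to replace with your own window.

```sql
-- Added example; assumes the xgfw_data table and DNS Protection fields
-- described on this page. Timestamp literals are constructed placeholders.

-- 1. Number of DNS queries by policy action
SELECT action,
       SUM(hits) AS dns_queries
FROM xgfw_data
WHERE log_type = 'DNS'
  AND log_component = 'FE-DNS'
  AND timestamp >= '2024-01-01T00:00:00Z'   -- placeholder: start of window
  AND timestamp <  '2024-01-02T00:00:00Z'   -- placeholder: end of window
GROUP BY action
ORDER BY dns_queries DESC;

-- 2. Most-queried domains, with their category and risk level
SELECT domain,
       domain_category,
       domain_risk,
       SUM(hits) AS dns_queries
FROM xgfw_data
WHERE log_type = 'DNS'
  AND log_component = 'FE-DNS'
  AND timestamp >= '2024-01-01T00:00:00Z'   -- placeholder
  AND timestamp <  '2024-01-02T00:00:00Z'   -- placeholder
GROUP BY domain, domain_category, domain_risk
ORDER BY dns_queries DESC
LIMIT 25;

-- 3. DNS queries by source location, split by policy action
SELECT src_location,
       action,
       SUM(hits) AS dns_queries
FROM xgfw_data
WHERE log_type = 'DNS'
  AND log_component = 'FE-DNS'
  AND timestamp >= '2024-01-01T00:00:00Z'   -- placeholder
  AND timestamp <  '2024-01-02T00:00:00Z'   -- placeholder
GROUP BY src_location, action
ORDER BY src_location, dns_queries DESC;
```

Each query filters on both log_type and log_component so that rows from other firewall log types in xgfw_data are excluded, and sums the hits field rather than counting rows, because the page defines hits as the number of DNS requests a row represents.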

Data Lake schema

For information about the tables and data available, you can see the Data Lake schema in the schema viewer.

To open the schema viewer, do as follows:

  1. Go to Threat Analysis Center > Live Discover and click DNS Protection.
  2. Make sure Designer Mode is turned on.
  3. In the Query section, you can do as follows:

    • To edit a query, select the query you want to edit and click Edit.
    • To create a query, click Create new query.
  4. In the upper-right corner of the SQL dialog, click Schema.

    [Screenshot: Open schema viewer.]

    The schema viewer opens in a new tab.

  5. For DNS Protection, in the Data Lake drop-down list, select Firewall.

    [Screenshot: Select the firewall schema.]

    Currently, the DNS Protection field names are included in the firewall table (xgfw_data).

DNS Protection field names

The following table describes the DNS Protection field names in the Data Lake:

| Field name | Description |
| --- | --- |
| action | Action taken on the DNS query according to the applied policy |
| bytes | Sum of the DNS query size and DNS response size |
| dns_qid | DNS query ID |
| dns_qname | DNS query name |
| dns_qtype | DNS query type |
| dns_duration | Duration of the DNS request in milliseconds |
| domain | Name of the queried domain |
| domain_category | Category for the queried domain |
| domain_risk | Risk level for the queried domain |
| hits | Number of DNS requests |
| log_type | "DNS" indicates that this is a DNS Protection log |
| log_component | "FE-DNS" indicates that this is a DNS Protection log |
| object_name | Name of the domain list if the policy action was "Reject" and "Reason" was "Custom Domain Block or Allow" |
| protocol | Protocol used by the DNS query |
| policy_name | Name of the policy used to take the action |
| query_class | DNS query class, usually IN |
| query_flags | DNS query flags associated with the DNS request |
| query_size | DNS query size in bytes |
| reason | Reason for which the action was applied by the policy |
| response_code | Response code of the DNS query |
| response_records_num | Number of records in the DNS response |
| response_ip_num | Number of IP addresses returned in the DNS response |
| resolved_ip | IP addresses to which the DNS query resolved |
| response_type | DNS record type for each of the RRSets in the DNS response (for example, A, AAAA, CNAME) |
| response_name | Domain names of the returned DNS records |
| response_class | DNS query class for each of the RRSets in the DNS response |
| response_ttl_list | List of the time-to-live (TTL) values of the records in the DNS response |
| response_size | Total size of the DNS response in bytes |
| response | DNS response text |
| riskscore | Risk score associated with the queried domain |
| security_status | Whether DNSSEC was validated for the responses to the DNS query |
| src_ip | Source IP address from which the DNS query originated |
| src_port | Source port from which the DNS query originated |
| src_location | Location from which the DNS query originated |
| timestamp | Timestamp of when the DNS query was processed |
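The following queries are an added example, not from this documentation page or from Sophos, showing how the fields in the table above combine into review-oriented Data Lake queries: which internal hosts are repeatedly hitting domains the policy rejected (and under which policy, reason and domain list), and which allowed domains carry a high risk score and therefore deserve a policy check. The table name and field names come from the page; the "Reject" action value is the one the page itself names in the object_name description. The riskscore threshold and the timestamp literals are constructed placeholders, and the timestamp comparison format is an assumption about this dialect.

```sql
-- Added example; assumes the xgfw_data table and the DNS Protection field
-- names listed on this page. Thresholds and timestamps are constructed placeholders.

-- A. Hosts whose DNS queries were rejected, grouped by what rejected them.
--    Useful for spotting a single host that keeps retrying a blocked domain
--    and for confirming which policy and domain list produced the block.
SELECT src_ip,
       src_location,
       domain,
       domain_category,
       domain_risk,
       policy_name,
       reason,
       object_name,
       SUM(hits) AS rejected_queries
FROM xgfw_data
WHERE log_type = 'DNS'
  AND log_component = 'FE-DNS'
  AND action = 'Reject'                      -- action value named on this page
  AND timestamp >= '2024-01-01T00:00:00Z'   -- placeholder: start of window
  AND timestamp <  '2024-01-02T00:00:00Z'   -- placeholder: end of window
GROUP BY src_ip, src_location, domain, domain_category, domain_risk,
         policy_name, reason, object_name
ORDER BY rejected_queries DESC
LIMIT 50;

-- B. Domains that were NOT rejected but carry a high risk score: candidates
--    for policy review. Includes the resolved addresses and DNSSEC status so
--    an analyst can pivot without a second query.
SELECT domain,
       domain_category,
       riskscore,
       resolved_ip,
       security_status,
       COUNT(DISTINCT src_ip) AS distinct_sources,
       SUM(hits)              AS dns_queries
FROM xgfw_data
WHERE log_type = 'DNS'
  AND log_component = 'FE-DNS'
  AND action <> 'Reject'
  AND riskscore >= 80                         -- placeholder threshold; tune for your data
  AND timestamp >= '2024-01-01T00:00:00Z'   -- placeholder
  AND timestamp <  '2024-01-02T00:00:00Z'   -- placeholder
GROUP BY domain, domain_category, riskscore, resolved_ip, security_status
ORDER BY riskscore DESC, dns_queries DESC
LIMIT 50;
```

Before relying on literal values such as 'Reject' in a filter, run a quick SELECT DISTINCT action FROM xgfw_data WHERE log_type = 'DNS' over a short window to confirm the exact spelling and casing present in your own data; the same applies to security_status if you want to filter on DNSSEC validation results rather than just display them.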