Query DNS Protection data using Live Discover
You can query your DNS Protection data using Live Discover in the Threat Analysis Center. Live Discover lets you use SQL queries to get more granular data than the reports in Logs & Reports. For example, you can query DNS Protection data, such as the number of DNS queries by policy action, domain, or location.
To use Live Discover for DNS Protection, go to Threat Analysis Center > Live Discover and click DNS Protection. Live Discover has some built-in Data Lake queries for DNS Protection. You can use these queries, edit them, or create new ones. To edit these queries or create new ones, turn on Designer Mode.
Note
If you're creating a new query for DNS Protection, select Data Lake as the Source.
For information about how to use Live Discover, see Live Discover.
Data Lake schema
For information about the tables and data available, you can see the Data Lake schema in the schema viewer.
To open the schema viewer, do as follows:
- Go to Threat Analysis Center > Live Discover and click DNS Protection.
- Make sure Designer Mode is turned on.
- In the Query section, do one of the following:
  - To edit a query, select the query you want to edit and click Edit.
  - To create a query, click Create new query.
- In the upper-right corner of the SQL dialog, click Schema. The schema viewer opens in a new tab.
- For DNS Protection, in the Data Lake drop-down list, select Firewall. Currently, the DNS Protection field names are included in the firewall table (xgfw_data).
DNS Protection field names
The following table describes the DNS Protection field names in the Data Lake:
Field name | Description |
---|---|
action | Action taken on the DNS query according to the applied policy |
bytes | Sum of the DNS query size and DNS response size |
dns_qid | DNS query ID |
dns_qname | DNS query name |
dns_qtype | DNS query type |
dns_duration | Duration of the DNS request in milliseconds |
domain | Name of the queried domain |
domain_category | Category for the queried domain |
domain_risk | Risk level for the queried domain |
hits | Number of DNS requests |
log_type | "DNS" indicates that this is a DNS Protection log |
log_component | "FE-DNS" indicates that this is a DNS Protection log |
object_name | Name of the domain list if the policy action was "Reject", and "Reason" was "Custom Domain Block or Allow" |
protocol | Protocol used by the DNS query |
policy_name | Name of the policy used to take the action |
query_class | DNS query class, usually IN |
query_flags | DNS query flags associated with the DNS request |
query_size | DNS query size in bytes |
reason | Reason for which the action was applied by the policy |
response_code | Response code of the DNS query |
response_records_num | Number of records in the DNS response |
response_ip_num | Number of IP addresses returned for the DNS response |
resolved_ip | IP addresses which the DNS query resolved to |
response_type | DNS record type for each of the RRSets in the DNS response (for example, A, AAAA, CNAME) |
response_name | Domain names of the returned DNS records |
response_class | DNS query class for each of the RRSets in the DNS response |
response_ttl_list | List of the time-to-live values (TTLs) of the records in the DNS response |
response_size | Total size of the DNS response in bytes |
response | DNS response text |
riskscore | Risk score associated with the queried domain |
security_status | Whether DNSSEC was validated for the responses to the DNS query |
src_ip | Source IP address from which the DNS query originated |
src_port | Source port from which the DNS query originated |
src_location | Location from which the DNS query originated |
timestamp | Timestamp of when the DNS query was processed |
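The following query is an added example, not one of the built-in Data Lake queries. It counts DNS Protection queries by policy action, domain, and source location, the grouping described at the top of this page, using only the field names from the table above. The 7-day time filter syntax and the assumption that riskscore is numeric should be checked against the schema viewer and the SQL dialect of your Data Lake.

```sql
-- Added example (not a built-in Live Discover query).
-- Counts DNS Protection queries per policy action, domain and source location.
-- Assumptions: the Firewall Data Lake source exposes xgfw_data as shown above;
-- the INTERVAL syntax for the time window matches your Data Lake SQL dialect;
-- riskscore is numeric so MAX() gives the highest score seen per domain.
SELECT
    action,                              -- policy action (for example "Reject")
    domain,                              -- queried domain
    src_location,                        -- where the query originated
    COUNT(*)          AS log_rows,       -- number of DNS Protection log rows
    SUM(hits)         AS dns_requests,   -- hits = number of DNS requests per row
    SUM(bytes)        AS total_bytes,    -- query size + response size
    MAX(riskscore)    AS max_riskscore,  -- highest risk score seen for the domain
    MIN(domain_risk)  AS domain_risk     -- risk level label for the domain
FROM xgfw_data
WHERE log_type = 'DNS'                   -- keep only DNS Protection logs
  AND log_component = 'FE-DNS'
  AND timestamp >= CURRENT_TIMESTAMP - INTERVAL '7' DAY   -- assumed dialect syntax
GROUP BY action, domain, src_location
HAVING SUM(hits) > 0
ORDER BY action, dns_requests DESC
LIMIT 100;
```

To focus on blocked lookups only, add `AND action = 'Reject'` to the WHERE clause and group by reason and object_name as well, so each row shows which policy and domain list produced the block.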