DNS action


Resolves DNS names to IP addresses and IP addresses to names for unknown host addresses.

Description

This action resolves DNS names of hosts and IP addresses of the session.

Each session has a source (client) and a receiver (server) with corresponding names or IP addresses. Sometimes the client or server host name may be known and the IP address may be unknown for the message, or vice versa. The DNS action resolves the missing information on the client or server address.

For a known IP address and unknown host name the host name for this IP is resolved (if possible). The same is done for a known host name with an unknown IP address. If the message contains both the host name and the IP address then no action is taken.

If names are retrieved successfully then the X-Sensor-Src-Host and X-Sensor-Dst-Host headers are added to the metadata and can be used in the "header" condition (check the header value).

You should also remember that the "hostname" condition (check the host name) only makes sense in a rule that is evaluated after the DNS action has completed, since the name may not be known before then.

Format

<action name="dns" address="<address type for resolving>" />

The "name" attribute:

The name attribute contains the action name: name="dns".

The "address" attribute:

The address="..." attribute specifies the type of address for name resolving. Possible values:

"src" or "client"

Only resolve names for the source address

"dst" or "server"

Only resolve names for the destination address

"both" or "all" or *

Only resolve names for both addresses (source and destination).

If this attribute is not specified, the "both" action is assumed (resolve names for both addresses).

Example

Resolve names for a message.

<?xml version="1.0" encoding="utf-8"?>
<filter name="TEST" version="1.0">
  <comment>This is the comment for the filter.</comment>
  <table name="main">

    <rule enabled="true">
      <comment>
        Resolve names for the message.
      </comment>
      <action name="dns" address="server" />
    </rule>

    <rule enabled="true">
      <match><c name="all"/></match>
      <action name="accept" />
    </rule>

  </table>
</filter>
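The resolution rules described above (resolve only the missing side of an endpoint, skip endpoints where both are known, select sides with the address attribute, add the X-Sensor-*-Host headers when a name was obtained), modelled in Python as an added example; this is not the product's code, and the lookup table standing in for DNS is constructed so it runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed forward/reverse table standing in for real DNS (assumption).
SAMPLE_DNS: Dict[str, str] = {
    "mail.example.test": "192.0.2.10",
    "192.0.2.10": "mail.example.test",
    "198.51.100.7": "client7.example.test",
}

def sample_lookup(query: str) -> Optional[str]:
    """Forward or reverse lookup against the constructed table; None if unknown."""
    return SAMPLE_DNS.get(query)

@dataclass
class Endpoint:
    host: Optional[str] = None
    ip: Optional[str] = None

@dataclass
class Session:
    src: Endpoint                       # client side
    dst: Endpoint                       # server side
    headers: Dict[str, str] = field(default_factory=dict)

# Values of the address attribute and the sides they select.
_SIDES = {"src": ("src",), "client": ("src",),
          "dst": ("dst",), "server": ("dst",),
          "both": ("src", "dst"), "all": ("src", "dst"), "*": ("src", "dst")}

def dns_action(session: Session, address: str = "both",
               lookup: Callable[[str], Optional[str]] = sample_lookup) -> Session:
    """Apply the dns action to a session; default address is "both"."""
    if address not in _SIDES:
        raise ValueError(f"unknown address value: {address!r}")
    for side in _SIDES[address]:
        ep = getattr(session, side)
        if ep.host and ep.ip:
            continue                    # both known: no action is taken
        if ep.ip and not ep.host:
            ep.host = lookup(ep.ip)     # reverse lookup; stays None on failure
            if ep.host:                 # header only when a name was retrieved
                hdr = "X-Sensor-Src-Host" if side == "src" else "X-Sensor-Dst-Host"
                session.headers[hdr] = ep.host
        elif ep.host and not ep.ip:
            ep.ip = lookup(ep.host)     # forward lookup; stays None on failure
    return session
```

Treating the header as set only when the action itself retrieved a name is an assumption; the page does not say whether an already-known name is copied into the header.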