Set up security analytics

You can analyze Edge DNS zones for nonexistent domain (NXDOMAIN) spikes and dangling canonical name (CNAME) records. An NXDOMAIN spike indicates an increase in nonexistent domain responses, while dangling CNAME detection checks whether a CNAME record points to a domain that does not exist. By identifying and detecting these threats, your organization can take the necessary steps to prevent denial-of-service attacks and stop threat actors from taking over subdomains.

After you enable the features, the Security Analytics page shows the number of NXDOMAIN spikes and dangling CNAME records that were detected in each of your zones. You can expand zone information to view when the zone was last scanned for NXDOMAIN spikes and dangling CNAME records.

Note: If you are using Shield NS53, you can also enable NXDOMAIN spike detection for a shield configuration.

The Security Analytics page lets you download CSVs with specific information for a zone. You can:

  • View and download a CSV that contains dangling CNAME records that were detected.
  • View and download a CSV that contains NXDOMAIN spikes from the last 24 hours.
  • Generate and download a CSV that contains DNS records and the number of requests made to those domains.

You can also do the following:

  • Open these reports to view more data about DNS traffic and NXDOMAINs in your zones:

    • Infrastructure Security Analytics - Security Summary
    • Infrastructure Security Analytics - Edge DNS Summary
    • Infrastructure Security Analytics - Edge DNS Zone Details
    • Infrastructure Security Analytics - NXDOMAIN Spike Details

    For more information on these reports, see Infrastructure Security Analytics reports.

  • Enable Zone Protection. Zone Protection allows you to monitor zone traffic for domains that pose a threat to your organization. To learn more, see Monitor and protect zones.

NXDOMAIN spike detection

When you enable NXDOMAIN spike detection, you configure a threshold that must be breached before an NXDOMAIN spike is tracked. You can configure a dynamic threshold or an absolute threshold.

  • A dynamic threshold is a z-score (standard score) for the number of NXDOMAINs: how far the NXDOMAIN count must deviate from the zone's usual level before traffic is considered part of an NXDOMAIN spike.
  • An absolute threshold is the number of NXDOMAIN responses per second that must be reached before traffic is considered part of an NXDOMAIN spike.

You can configure default dynamic and absolute thresholds that apply to multiple zones, or you can configure dynamic and absolute thresholds for a specific zone.
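The following is an added example, written for this page and not Akamai's Edge DNS implementation, that shows how the two threshold types behave on the same traffic. The per-second NXDOMAIN counts are constructed sample data, and the 60-second baseline window, the function names and the threshold values are assumptions chosen for the example: a dynamic threshold compares each second against the z-score of the preceding window, while an absolute threshold is a fixed responses-per-second figure.

```python
"""Added example: NXDOMAIN spike detection with a dynamic (z-score) or an
absolute (responses per second) threshold. Illustrative code only; not the
product's implementation."""
from statistics import mean, pstdev
from typing import List, Optional, Sequence

# Constructed sample: 60 seconds of normal traffic (2-4 NXDOMAIN responses/s)
# followed by a six-second burst. Not real zone data.
SAMPLE_NXDOMAIN_PER_SEC: List[int] = [2, 3, 4, 3, 2, 3] * 10 + [3, 40, 55, 60, 5, 3]


def zscore(value: float, baseline: Sequence[float]) -> Optional[float]:
    """Standard score of value against earlier samples.

    Returns None when the baseline is too short or has zero variance, because
    a z-score is undefined there; callers treat None as "no verdict" rather
    than as a spike.
    """
    if len(baseline) < 2:
        return None
    sd = pstdev(baseline)
    if sd == 0:
        return None
    return (value - mean(baseline)) / sd


def detect_spikes(
    nxdomain_per_sec: Sequence[float],
    dynamic_threshold: Optional[float] = None,
    absolute_threshold: Optional[float] = None,
    baseline_window: int = 60,  # assumption: one minute of history per check
) -> List[int]:
    """Indices of the seconds whose NXDOMAIN rate breaches the configured threshold.

    Exactly one threshold type is used, mirroring the single Threshold Type
    setting: dynamic_threshold is a z-score computed against the baseline_window
    samples preceding each second; absolute_threshold is a plain
    responses-per-second figure.
    """
    if (dynamic_threshold is None) == (absolute_threshold is None):
        raise ValueError("configure exactly one of dynamic_threshold or absolute_threshold")
    flagged: List[int] = []
    for i, rate in enumerate(nxdomain_per_sec):
        if absolute_threshold is not None:
            if rate >= absolute_threshold:
                flagged.append(i)
            continue
        if i < baseline_window:
            continue  # warm-up: not enough history for a meaningful z-score
        baseline = nxdomain_per_sec[i - baseline_window:i]
        z = zscore(rate, baseline)
        if z is not None and z >= dynamic_threshold:
            flagged.append(i)
    return flagged


def spike_summary(nxdomain_per_sec: Sequence[float], flagged: Sequence[int]) -> float:
    """Average NXDOMAIN responses per second over the flagged seconds (0.0 if none)."""
    if not flagged:
        return 0.0
    return mean(nxdomain_per_sec[i] for i in flagged)


if __name__ == "__main__":
    for label, kwargs in (("dynamic z-score >= 3", {"dynamic_threshold": 3.0}),
                          ("absolute >= 50/s", {"absolute_threshold": 50})):
        hits = detect_spikes(SAMPLE_NXDOMAIN_PER_SEC, **kwargs)
        avg = spike_summary(SAMPLE_NXDOMAIN_PER_SEC, hits)
        print(f"{label}: seconds {hits}, average {avg:.1f} NXDOMAIN/s during the spike")
```

Note how the two settings differ on the same burst: the z-score flags the 40/s second as soon as it departs from a quiet baseline, while an absolute threshold of 50/s only flags the two largest seconds. Once a burst enters the baseline window it inflates the standard deviation, so a dynamic threshold becomes less sensitive until the window rolls past the burst; the absolute threshold has no such memory.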

Enable and configure NXDOMAIN spike detection

Complete this procedure to enable NXDOMAIN spike detection.

Note: If you configured default NXDOMAIN spike thresholds, the threshold settings you set with this procedure take precedence over the default settings.

To enable NXDOMAIN spike detection:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. If you are enabling NXDOMAIN spike detection in a zone, complete these steps:
    1. Go to the zone where you want to enable NXDOMAIN spike detection. If you need to apply a filter to find a zone, see Filter list of zones.
    2. From the Actions menu, select Zone Settings.
    3. In the window that appears, click the NXDOMAIN Spikes tab.
  4. If you are enabling NXDOMAIN spike detection for a shield, complete these steps:
    1. Go to the shield configuration for which you want to enable NXDOMAIN spike detection.
    2. From the Actions menu, select Shield Settings.
    3. In the window that appears, click the NXDOMAIN Spikes tab.
  5. Enable the toggle for NXDOMAIN Spike Detection.
  6. In the Threshold Type menu, select whether you want to apply a dynamic or absolute threshold. Based on the threshold type you select, do one of the following:
    • In the Dynamic Threshold field, enter a z-score or standard score value that must be met for traffic to be considered part of an NXDOMAIN spike.
    • In the Absolute Threshold field, enter a value for NXDOMAIN responses per second.
  7. Click Confirm.

Configure the default NXDOMAIN spike thresholds for multiple zones

The default NXDOMAIN spike thresholds apply to zones and shield configurations where a spike threshold is not configured.

If NXDOMAIN spike thresholds are already set for a specific zone or shield, those thresholds take precedence over the default settings. For more information, see Enable and configure NXDOMAIN spike detection.

To configure the default NXDOMAIN spike thresholds:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. At the top of the page, click Settings.
  4. In the window that appears, configure the default dynamic threshold and the default absolute threshold for a zone. If your organization is using Shield NS53, you can also configure these thresholds for a shield configuration.
    1. For a zone, in the Default Zone Dynamic Threshold field, enter a z-score or standard score value that must be met for zone traffic to be considered part of an NXDOMAIN spike.
    2. For a zone, in the Default Zone Absolute Threshold field, enter a value for NXDOMAIN responses per second.
    3. For a shield, in the Default Shield Dynamic Threshold field, enter a z-score or standard score value that must be met for traffic to be considered part of an NXDOMAIN spike.
    4. For a shield, in the Default Shield Absolute Threshold field, enter a value for NXDOMAIN responses per second.
  5. Click Confirm.

Download CSV with data on NXDOMAIN spikes

Complete this procedure to download a list of NXDOMAIN spikes that occurred for a zone within the last 24 hours.

To download a CSV with NXDOMAIN spikes:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. To download a CSV with NXDOMAIN spikes that occurred in a zone:
    1. In the Zone tab, go to a zone where NXDOMAIN spikes were detected. If you need to filter the list of zones, see Filter list of zones. You can also sort the list in the table to view the zones that have NXDOMAIN spike detection enabled.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  4. To view data on NXDOMAIN spikes for a shield:
    1. In the Shields tab, go to the shield where NXDOMAIN spikes were detected.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  5. Click the download icon to download this list in a CSV file.

Next Steps:

To review and investigate data on the Security Analytics page, see View and investigate NXDOMAIN spikes.

View and investigate NXDOMAIN spikes

If an NXDOMAIN spike was detected in the last 24 hours, you can view and investigate these spikes from the Security Analytics page. To download a CSV that contains NXDOMAIN spike data, see Download CSV with data on NXDOMAIN spikes.

To view data on NXDOMAIN spikes:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics at the top of the page.
  3. To view data on NXDOMAIN spikes for a zone:
    1. In the Zone tab, go to a zone where NXDOMAIN spikes were detected. If you need to filter the list of zones, see Filter list of zones. You can also sort the list in the table to view the zones that have NXDOMAIN spike detection enabled.
    2. If NXDOMAIN spikes were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of requests that contained NXDOMAINs.
  4. To view data on NXDOMAIN spikes for a shield:
    1. In the Shields tab, go to the shield where NXDOMAIN spikes were detected.
    2. If NXDOMAINs were found in the last 24 hours, a View button is visible in the NXDOMAIN Spike Detection column of the table. Click View. You can also go to the Actions menu and select NXDOMAIN Spikes.
      A window that details scan results appears. You can see the total number of requests and the number of these requests that contained NXDOMAINs.
  5. Expand a scan to view more details about the spike, including the threshold that was exceeded and the average number of NXDOMAINs per second. You can click Investigate to view more data in a report. For an NXDOMAIN spike in a zone, you are directed to the Infrastructure Security Analytics - NXDOMAIN Spike Details report. For an NXDOMAIN spike that occurred for a shield, you are directed to the Shield NS53 Proxy Queries report.

View date and time of last NXDOMAIN spike scan

Complete this procedure to view the date and time of the last NXDOMAIN spike scan.

To view the date and time of the last NXDOMAIN spike scan:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics at the top of the page.
  3. Click the Zones or Shields tab to view data on zones or shields.
  4. Sort results to show the zones or shields that have NXDOMAIN spike detection enabled.
  5. Expand the zone or shield to see the date and time when the NXDOMAIN scan was completed. The page also indicates how long the last scan remains current before another scan is run.

Dangling CNAME detection

Dangling CNAME detection lets you find out whether a CNAME record points to a domain that does not exist. You can have administrators receive email alert notifications about dangling CNAME records.
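As an added example of the check this feature performs (illustrative code written for this page, not Akamai's scanner), the block below walks a zone's CNAME records, follows aliases that stay inside the zone, and reports every record whose final target does not exist. The zone records and the `fake_resolve` answers are constructed sample data; in a real check the `resolve` callable would query DNS and report whether the target name exists (NOERROR) or not (NXDOMAIN). The CSV writer mirrors the record-name-plus-alias download described later on the page.

```python
"""Added example: detecting dangling CNAME records in a zone. Illustrative
code only; the zone and resolver answers are constructed, not real data."""
import csv
import io
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample zone contents: (owner name, record type, value).
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("www.example.test.",   "CNAME", "edge.cdn-provider.test."),
    ("blog.example.test.",  "CNAME", "old-blog.hosting-provider.test."),
    ("shop.example.test.",  "CNAME", "alias.example.test."),
    ("alias.example.test.", "CNAME", "retired.saas-provider.test."),
    ("mail.example.test.",  "A",     "192.0.2.10"),
]

# Constructed resolver answers: only these external names exist.
EXISTING_NAMES = {"edge.cdn-provider.test."}


def fake_resolve(name: str) -> str:
    """Stand-in for a DNS lookup: 'NOERROR' if the name exists, else 'NXDOMAIN'."""
    return "NOERROR" if name in EXISTING_NAMES else "NXDOMAIN"


def find_dangling_cnames(
    records: Sequence[Tuple[str, str, str]],
    resolve: Callable[[str], str],
    max_chain: int = 8,  # assumption: give up on alias chains longer than this
) -> List[Tuple[str, str, str]]:
    """Return (record name, alias, unresolved target) for each dangling CNAME.

    A CNAME is dangling when the name it ultimately points at does not exist.
    Aliases that point at another CNAME inside the same zone are followed so
    that the check is made on where the chain leaves the zone.
    """
    cnames: Dict[str, str] = {owner: value for owner, rtype, value in records if rtype == "CNAME"}
    dangling: List[Tuple[str, str, str]] = []
    for owner, alias in cnames.items():
        target, hops, seen = alias, 0, {owner}
        while target in cnames and target not in seen and hops < max_chain:
            seen.add(target)
            target = cnames[target]
            hops += 1
        if target in cnames:
            continue  # chain loops or is too long: not a nonexistent target, skip here
        if resolve(target) == "NXDOMAIN":
            dangling.append((owner, alias, target))
    return dangling


def dangling_csv(dangling: Sequence[Tuple[str, str, str]]) -> str:
    """Render the findings as CSV text: record name, its alias, and the name that failed."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["record_name", "alias", "unresolved_target"])
    writer.writerows(dangling)
    return buf.getvalue()


if __name__ == "__main__":
    print(dangling_csv(find_dangling_cnames(SAMPLE_ZONE, fake_resolve)))
```

In the sample, shop.example.test. is reported even though its own alias (alias.example.test.) exists in the zone, because that alias in turn points at a name that no longer resolves; this is the case an organization most easily overlooks when a third-party service is decommissioned.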

Enable dangling CNAME detection

Complete this procedure to enable dangling CNAME detection.

To enable dangling CNAME detection:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics at the top of the page.
  3. Go to the zone where you want to enable dangling CNAME detection. If you need to filter the list of zones, see Filter list of zones.
  4. In the Actions menu, select Settings.
  5. If you would like administrators to receive email alerts about dangling CNAME records, in the General tab, enter email addresses in the Alerting Emails field.
  6. In the zone settings window, go to the Dangling CNAMEs tab.
  7. Enable Dangling CNAME Detection.
  8. To enable alerting for dangling CNAME records, enable Dangling CNAME Alerting.
  9. Click Confirm.

View and download list of dangling CNAME records

You can view and download a list of dangling CNAME records that were detected for a zone.

Before you begin:

Make sure you enable dangling CNAME detection. See Enable dangling CNAME detection.

To view and download a list of dangling CNAMEs:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics. A list of zones appears in a table.
  3. If you need to filter the list of zones, see Filter list of zones. You can also sort the Dangling CNAME Detection column of the table to show zones where Dangling CNAME detection is enabled.
  4. If dangling CNAMEs were detected, do one of the following:
    • In the Actions for the zone, select Dangling CNAMEs.
    • Click the View button in the Dangling CNAME Detection column of the table.

      Note: Neither of these options is available if no dangling CNAMEs were detected in the zone.

  5. A window appears with dangling CNAME records. Click the download icon to download a CSV that contains CNAME record names and their corresponding aliases.

View date and time of last CNAME scan

Complete this procedure to view the date and time of the last CNAME scan.

To view the timestamp of last CNAME scan:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics.
  3. Go to the zone where CNAME detection is enabled. If you need to filter the list of zones, see Filter list of zones. You can also sort the Dangling CNAME Detection column of the table to show zones where Dangling CNAME detection is enabled.
  4. Expand the zone. A date and time of the last dangling CNAME scan is shown.

Zone Protection

Zone Protection lets you monitor your zone for domains that are a risk to your organization. These domains may pose a phishing threat, be part of a phishing campaign, be used to create a fake website, and more.

After you enable Zone Protection, the Security Analytics gives you a high-level view of risky domains in a zone. However, you must go to the related domains report to view more details on these domains. In the related domains report, you can manage these domains, view the domains that are a critical or high risk to your organization, and take down fraudulent domains. For more information, see Monitor and protect zones and Take down fraudulent domains.

Enable Zone Protection

Complete this procedure to enable Zone Protection on the Security Analytics page. You can also enable this feature on the Zone Protection dashboard. For more information, see Monitor and protect zones.

To enable zone protection:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics.
  3. Go to the zone where you want to enable Zone Protection. To filter zones, see Filter list of zones.
  4. Enable the Zone Protection toggle.

View data on related domains at a high level

After you enable zone protection, the Security Analytics page provides a graphical view and total number of domains for each risk level and priority level.

To view high-level data on related domains:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics.
  3. Go to the zone where you enabled zone protection.
  4. In the Related Domains column, click View. A window appears that shows some data on related domains. Review this data.
  5. To view more data in the related domains report, click View report. You are directed to the related domains report. The report shows related domains detected in your zone. For more information on this report, see Related domains report.

Manage security analytics

Complete any of these tasks to help you manage the zones and shields where you set up security analytics.

Filter list of zones

You can filter the list of zones on the Security Analytics page based on these criteria:

  • Zone name
  • NXDOMAIN spike detection. You can filter based on whether NXDOMAIN spike detection is enabled, disabled, or in a pending state.
  • Dangling CNAME detection. You can filter based on whether dangling CNAME detection is enabled, disabled, or in a pending state.
  • Number of NXDOMAIN spikes in the last 24 hours.
  • Number of dangling CNAMEs

To filter the list of zones:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. In the Zone tab, click the filter icon beside the search box. Options to define the filter criteria appear.
  4. In the Property menu, select the data that you want to use for your search. You can select:
    • Zone Name
    • NXDOMAIN spike detection
    • Dangling CNAME detection
    • # NXDOMAIN Spikes (24hrs)
    • # Dangling CNAMEs
  5. In the Action menu, select the operators that you want to use in the search. The options vary depending on the property you select. For example, when you select Zone name, you can select Match and Does not match for the name you provide. If you select # Dangling CNAMEs as the property, you can select from additional options that are appropriate for a numerical value, such as Less than and Greater than.
  6. In the value field, enter the value that you want to search by.
  7. To add more criteria to your filter, click Add row, and complete steps 4 to 6 for the new criteria.
  8. Click Apply. A filtered view of the zone list appears.

Download CSV with zone security analytics

You can download a CSV that contains this data for each zone:

  • Zone Name
  • Zone Type indicating whether it’s a primary or secondary zone
  • Status of NXDOMAIN spike detection. Indicates whether NXDOMAIN spike detection is enabled.
  • Number of NXDOMAIN spikes
  • Timestamp of last NXDOMAIN spike scan
  • Status of dangling CNAME detection. Indicates whether dangling CNAME detection is enabled.
  • Number of dangling CNAMEs
  • Timestamp of last dangling CNAME scan
  • Status of Zone Protection. Indicates whether zone protection is enabled. For more information on zone protection, see Monitor and protect zones.
  • Status of Zone Protection report. Indicates whether the related domains report was generated for the zone. For more information, see Monitor and protect zones.

If you apply a filter to your view on the Security Analytics page, the CSV shows zones in the filtered view.

To download CSV with zone security analytics:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS. The Zone list page opens.
  2. Click Security analytics.
  3. If you want to narrow the list of zones, see Filter list of zones.
  4. Click the download icon. The CSV downloads to wherever your browser saves download files.

Generate and download a zone report

You can generate and download a report that shows the DNS records for a zone and the total number of requests made to a record.

For each zone, the last three reports you generate are saved in Control Center.

To generate and download a zone report:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics. A list of zones appears in a table.
  3. If you want to narrow the list of zones, see Filter list of zones.
  4. Click the Actions menu for a zone and select Zone Reports.
  5. In the zone report window, click the calendar icon and select a range of time. You can select any time period that spans 31 days or less.
  6. Click Generate. Control Center generates the CSV report. Depending on the amount of data, the time it takes to generate the report may vary.
  7. When completed, click the download icon to download the report.
  8. Click Close.

View dashboards for a zone

From the Security Analytics page, you can open reports with zone data. You can also access these reports from the Infrastructure Security Analytics section of Reports in Control Center. For more information, see Infrastructure Security Analytics in the Reporting documentation.

To view data dashboards for a zone:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics.
  3. Click any of the metrics at the top of the page to view a related report.
  4. To view the Infrastructure Security Analytics - Edge DNS Summary report, do one of the following:
    • Click DNS Summary Dashboard at the top of the page.
    • Select a zone from the list and click the DNS Summary Dashboard button.
  5. To view more details about a specific zone, you can access the Infrastructure Security Analytics - Edge DNS Zone Details report. Do the following:
    1. Select a zone. If you want to narrow the list of zones, see Filter list of zones.
    2. In the Action menu, select Zone Details Dashboard.

View data on shield traffic

If your organization uses Shield NS53, you can view more data on your shield configuration. This procedure lets you open the Shield NS53 Proxy report that is available from the Edge DNS section of Reports in Control Center. For more information on Shield NS53 reports, see Infrastructure Security Analytics in the Reporting documentation.

To view data on Shield traffic:

  1. In Control Center, go to > DNS SOLUTIONS > Edge DNS.
  2. Click Security analytics.
  3. Click the Shields tab. A list of shields appears.
  4. Click the Actions menu for a shield and select Shield Traffic Dashboard. You are directed to the Shield NS53 Proxy report where you can apply filters to show queries that were blocked and processed by Shield NS53.