Network resolution data
Network resolution data refers to information generated or collected when resolving network-related identifiers, such as domain names, IP addresses, or hostnames, into their corresponding forms. This data is produced through processes like DNS (Domain Name System) resolution, reverse DNS lookups, or protocol-specific resolutions, enabling communication between devices and services across a network.
Network resolution data helps you troubleshoot connectivity issues by analyzing DNS resolution failures or delays. You can also use cached resolution data to reduce latency and improve application performance. It helps with security monitoring by detecting and blocking malicious domains or suspicious reverse DNS lookups, and it can help with scalability by monitoring load balancer resolution data to ensure optimal traffic distribution. Finally, you might log DNS queries and resolutions for auditing purposes.
Network resolution data typically includes:
- DNS resolution data: DNS resolution involves translating human-readable domain names (for example, `example.com`) into IP addresses (for example, `192.0.2.1`). Examples include:
  - Forward DNS Lookup
  - DNS Query Logs
  - CNAME Resolution
- Reverse DNS resolution data: Reverse DNS resolution involves mapping an IP address to its corresponding domain name. Examples include:
  - Reverse Lookup for Web Server
  - Reverse DNS for Email Logs
- IP address resolution in local networks: Mapping hostnames to IP addresses within private or local networks. Examples include:
  - Hostname Resolution in an Enterprise Network
  - DHCP-Assigned IP Resolution
- Protocol-specific resolution data: Certain network protocols perform their own resolution processes as part of their functionality. Examples include:
  - NetBIOS Name Resolution
  - Service Discovery with mDNS (Multicast DNS)
- CDN and load balancer resolution: Content Delivery Networks (CDNs) and load balancers often use DNS to resolve the same hostname to different IP addresses based on geographic location or load. Examples include:
  - Geo-Based Resolution
  - Load Balancer DNS Resolution
- Security and threat intelligence resolution: Resolution processes that provide insights for security monitoring and threat detection. Examples include:
  - Malicious Domain Detection
  - Suspicious IP Lookup
- Application-specific resolution data: Applications often rely on resolution data for connectivity and performance optimization. Examples include:
  - API Endpoint Resolution
  - Database Connection Resolution
- Proxy and VPN resolution data: Proxies and VPNs often resolve network requests on behalf of clients. Examples include:
  - Proxy Server Log
  - VPN Gateway Resolution
- Cached resolution data: Resolution data stored in caches to improve performance. Examples include:
  - DNS Cache Data
  - Local Application Cache
- Error or failure resolution data: Data generated during failed resolution attempts. Examples include:
  - DNS Resolution Failure
  - Timeout in Reverse DNS
The Splunk Common Information Model (CIM) add-on contains a Network resolution data model with fields that describe common computer infrastructure components from any data source, along with network infrastructure inventory and topology. You might also be interested in performance data.
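As an added example (not code from this page or from Splunk), the following Python parses constructed DNS query/response log lines into events keyed by the CIM Network Resolution field names used above (`src`, `dest`, `query`, `record_type`, `reply_code`, `answer`; the field names are assumed from the CIM documentation) and then summarizes the "error or failure resolution data" category by counting NXDOMAIN/SERVFAIL results per client and parent domain. The log format, sample values and the `parent_domain` cut are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified query/response log format invented for this
# example (not real BIND or Unbound output); each line carries the query and its outcome.
SAMPLE_LOG = """\
10-Mar-2025 10:00:01 client 10.0.0.5#51234: query: www.example.com IN A (10.0.0.2) -> NOERROR 192.0.2.1
10-Mar-2025 10:00:02 client 10.0.0.5#51235: query: 1.2.0.192.in-addr.arpa IN PTR (10.0.0.2) -> NOERROR www.example.com
10-Mar-2025 10:00:03 client 10.0.0.7#40000: query: a1b2c3.bad-example.test IN A (10.0.0.2) -> NXDOMAIN -
10-Mar-2025 10:00:04 client 10.0.0.7#40001: query: d4e5f6.bad-example.test IN A (10.0.0.2) -> NXDOMAIN -
10-Mar-2025 10:00:05 client 10.0.0.7#40002: query: g7h8i9.bad-example.test IN A (10.0.0.2) -> SERVFAIL -
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#(?P<src_port>\d+): query: "
    r"(?P<query>\S+) IN (?P<record_type>\S+) \((?P<dest>[\d.]+)\) -> "
    r"(?P<reply_code>\S+) (?P<answer>\S+)$"
)
FAILURE_CODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}  # reply codes that mean resolution failed

def parse_events(text):
    """Parse log lines into events keyed by CIM Network Resolution field names
    (src, dest, query, record_type, reply_code, answer; names assumed from the CIM docs)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess at field values
        d = m.groupdict()
        events.append({
            "src": d["src"],
            "dest": d["dest"],
            "query": d["query"].rstrip(".").lower(),  # normalize for grouping
            "record_type": d["record_type"],
            "reply_code": d["reply_code"],
            "answer": None if d["answer"] == "-" else d["answer"],
        })
    return events

def parent_domain(name, labels=2):
    """Crude parent-domain cut (assumption: last two labels, no public-suffix list)."""
    return ".".join(name.split(".")[-labels:])

def failure_summary(events, min_failures=3):
    """Count failed resolutions per (src, parent domain); a burst of NXDOMAIN/SERVFAIL from
    one client against one domain is what a monitoring team reviews first (misconfigured host, stale config)."""
    counts = Counter((e["src"], parent_domain(e["query"]))
                     for e in events if e["reply_code"] in FAILURE_CODES)
    return sorted((src, dom, n) for (src, dom), n in counts.items() if n >= min_failures)
```

The same grouping (failures by `src` and parent of `query`) is what you would express in Splunk as a `stats count by src, query` search over the Network Resolution data model once the events are CIM-compliant.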
Common data sources
- Splunk App for Stream
- Technology Add-on for Unbound DNS
- Splunk Add-on for ISC BIND
- Splunk Add-on for Sysmon
- CCX Add-on for Suricata
- Technology Add-On for Mikrotik RouterOS
- Add-On for DNS Lookup
- DNS App for Splunk
- Farsight DNSDB for Splunk
- DNSDB Connector
- DNS Insight
- BlueCat DNS Edge Technical Add-On for Splunk
- PAVO DNS App For Splunk
- DNS Connector
- Cloudflare DNS
- Gigamon - CIM
- DomainTools App For Splunk and Splunk ES