Setting DNS Server Properties
You can set properties for the DNS server, along with those you already set for its zones. These include:
- General server properties—See Setting General DNS Server Properties
- Log Settings—See Specifying Log Settings
- Packet Logging—See Enabling Packet Logging
- Activity Summary Settings—See Specifying Activity Summary Settings
- Top Names Settings—See Specifying Top Names Settings
- Security events settings—See Security Events Settings
- TLS Settings—See Specifying TLS Settings
- Round-Robin server processing—See Enabling Round-Robin
- Enabling Weighted Round-Robin—See Enabling Weighted Round-Robin
- Enabling incremental zone transfers—See Enabling Incremental Zone Transfers (IXFR)
- Restricting Zone Queries—See Restricting Zone Queries
- Enabling NOTIFY packets—See Enabling NOTIFY
Note: To enable GSS-TSIG support, you must set tsig-processing to none, and gss-tsig-processing to 'ddns, query' to support both ddns and query.
- Blocking recursive queries—See Blocking Recursive Queries from Authoritative Server
Setting General DNS Server Properties
You can display general DNS server properties, such as the name of the server cluster or host machine and the version number of the Cisco Prime Network Registrar DNS server software. You can change the internal name of the DNS server by deleting the current name and entering a new one. This name is used for notation and does not reflect the official name of the server. Cisco Prime Network Registrar uses the server IP address for official name lookups and for DNS updates (see the "Managing DNS Update" chapter in Cisco Prime Network Registrar 11.2 DHCP User Guide).
The following subsections describe some of the more common property settings. They are listed in Setting DNS Server Properties.
Local Web UI
Procedure
Step 1: To access the server properties, from the Deploy menu, choose DNS Server under the DNS submenu to open the Manage DNS Authoritative Server page. The page displays all the DNS server attributes.
Step 2: Modify the attributes as per your requirements.
Step 3: Click Save to save the DNS server attribute modifications.
CLI Commands
Use dns show to display the DNS server properties.
Specifying Log Settings
The server-log-settings attribute determines which events to log in the DNS log files. Default flags are activity-summary, config, update, xfr-in, xfr-out, scp, scavenge, server-operations, and ha.
Logging additional detail about events can help analyze a problem. However, leaving detailed logging enabled for a long period can fill up the log files.
- activity-summary —This setting enables logging of DNS statistic messages at the interval specified by activity-summary-interval. The type of statistics logged can be controlled with activity-counter-log-settings and activity-summary-type.
- config —This setting enables logging of DNS server configuration and de-initialization messages.
- config-detail —This setting enables logging of detailed configuration messages (that is, detailed zone configuration logging).
- db —This setting enables logging of database processing messages. Enabling this flag provides insight into various events in the server's embedded databases.
- dnssec —This setting enables log messages associated with DNSSEC processing.
- ha —This setting enables logging of HA DNS messages.
- host-health-check —This setting enables logging associated with DNS Host Health Check.
- notify —This setting enables logging of messages associated with NOTIFY processing.
- query —This setting enables logging of messages associated with QUERY processing.
- scavenge —This setting enables logging of DNS scavenging messages.
- scp —This setting enables logging associated with SCP message handling.
- server-operations —This setting enables logging of general server events, such as those pertaining to sockets and interfaces.
- tsig —This setting enables logging of events associated with Transaction Signature (TSIG).
- update —This setting enables logging of DNS Update message processing.
- xfr-in —This setting enables logging of inbound full and incremental zone transfers.
- xfr-out —This setting enables logging of outbound full and incremental zone transfers.
Enabling Packet Logging
Use the following server level attributes to enable packet logging for the Authoritative DNS server:
Attribute | Description
---|---
Packet Logging (packet-logging) | Determines the type of packet logging that is logged to the DNS logs. The type of DNS packets logged can be controlled with the packet-log-settings attribute. Note that while packet logging can be helpful for debugging and troubleshooting, it does have an impact on DNS server performance. Therefore, Cisco does not recommend leaving packet logging enabled in production environments.
Packet Logging File (packet-logging-file) | Determines the destination log of packet log messages when packet logging is enabled.
Packet Log Settings (packet-log-settings) | Determines the type of DNS messages to log if packet logging has been enabled. Packet logging can be enabled by configuring the packet-logging attribute.
Local Advanced Web UI
Procedure
Step 1: On the Manage DNS Authoritative Server page, under the Packet Logging section, select the value for packet-logging from the drop-down list. The value can be summary or detail.
Step 2: For the packet-log-settings attribute, check the desired check boxes.
Step 3: Click Save to save the changes.
CLI Commands
Use dns set packet-logging=summary to enable one line summary packet logging.
Use dns set packet-logging=detail to enable detailed packet tracing.
Use dns set packet-log-settings=value to set the type of packets to log when packet logging is enabled.
Note: Reloading the Authoritative DNS server is not required for the packet-logging and packet-log-settings attributes to take effect; they apply immediately, as log settings do. However, the packet-logging-file attribute requires an Authoritative DNS server reload.
Specifying Activity Summary Settings
Note: To specify the activity summary settings, you have to check activity-summary under the Log Settings.
You can specify the interval at which to log activity summary information using the Statistics Interval (activity-summary-interval) attribute. Enable the activity-summary attribute in the Log Settings (server-log-settings) attribute to set the seconds between DNS activity summary log messages. The activity-summary-interval attribute has a default value of 60 seconds.
The Authoritative DNS server logs sample and/or total statistics based on the option you check for the Statistics Type (activity-summary-type) attribute. The default value is "sample".
The option checked for the Statistics Settings (activity-counter-log-settings) attribute controls what activity counters a DNS server uses for logging.
Note: activity-summary-type and activity-counter-log-settings take effect without a reload as soon as the DNS server object or the session is saved.
The possible settings are:
- cache—Log query cache related counters. For the list of activity summary statistics that are displayed in the logs for the cache setting, see Cache Statistics.
- db—Log database counters. For the list of activity summary statistics that are displayed in the logs for the db setting, see DB Statistics.
- errors—Log error related counters. For the list of activity summary statistics that are displayed in the logs for the errors setting, see Errors Statistics.
- ha—Log HA related counters. For the list of activity summary statistics that are displayed in the logs for the ha setting, see HA Statistics.
- host-health-check—Log DNS Host Health Check counters. For the list of activity summary statistics that are displayed in the logs for the host-health-check setting, see Host Health Check Statistics.
- ipv6—Log IPv6 related counters. For the list of activity summary statistics that are displayed in the logs for the ipv6 setting, see IPv6 Statistics.
- maxcounters—Log maxcounters related counters. For the list of activity summary statistics that are displayed in the logs for the maxcounters setting, see Maxcounters Statistics.
- performance—Log performance related counters. For the list of activity summary statistics that are displayed in the logs for the performance setting, see Performance Statistics.
- query—Log query related counters. For the list of activity summary statistics that are displayed in the logs for the query setting, see Query Statistics.
- security—Log security related counters. For the list of activity summary statistics that are displayed in the logs for the security setting, see Security Statistics.
- system—Log system related counters. For the list of activity summary statistics that are displayed in the logs for the system setting, see System Statistics.
- top-names—Log the top names queried and hit count. For the list of activity summary statistics that are displayed in the logs for the top-names setting, see Top Names Statistics.
- update—Log DNS Update related counters. For the list of activity summary statistics that are displayed in the logs for the update setting, see Update Statistics.
Activity Summary Statistics
The following sections list the activity summary statistics that are displayed in the logs for each activity-counter-log-settings category.
Cache Statistics
The cache activity-counter-log-settings logs query cache related counters.
The cache activity summary statistics are logged under the Query-Cache sub category.
Sample log message:
10/22/2021 16:47:05 name/dns/1 Activity Stats 0 21333 [Query-Cache] Sample since Fri Oct 22 16:46:05 2021: size=number, #-records=number, #-rrs=number, nxdomain=number, hits=number, misses=number, full=number, collisions=number
Activity Summary Name | Server Statistic Name | Description
---|---|---
size | cache-size | Reports the size of in-memory query cache in bytes.
#-records | cache-records | Reports the total number of RR name sets stored in the query cache.
#-rrs | cache-rrs | Reports the total number of RRs stored in the query cache.
nxdomain | cache-nxdomain | Reports the total number of NXDOMAIN entries in the query cache.
hits | cache-hits | Reports the number of times incoming client queries were found in the query cache.
misses | cache-misses | Reports the number of times incoming client queries were not found in the query cache.
full | cache-full | Reports the number of times the query cache was found to be at its configured limit (mem-cache-size).
collisions | N/A | Reports the number of times different FQDNs mapped to the same memory cache index. A high number of collisions indicates that the configured cache size may be too small.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
DB Statistics
The db activity-counter-log-settings logs database counters.
Sample log message:
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21344 [Cset-DB] Sample since Fri Oct 22 16:43:05 2021: reads=number, writes=number, deletes=number, csets-trimmed=number, conflicts=number, insufficient-history=number, txns=number, txn-commits=number, txn-aborts=number, txn-locked=number, txn-unlocked=number, check-pts=number, log-purges=number, #-logs-purged=number
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21345 [RR-DB] Sample since Fri Oct 22 16:43:05 2021: reads=number, writes=number, deletes=number, check-pts=number, log-purges=number, #-logs-purged=number, txns=number, txn-commits=number, txn-aborts=number
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21352 [Cset-Queue] Sample since Fri Oct 22 16:43:05 2021: cset-count=number, cset-queue-max-size=number, commits=number, commits-failed=number
Activity Summary Name | Logging Sub Category | Server Statistic Name | Description
---|---|---|---
txn | RR-DB | rrdb-txn | Reports the total number of RR DB database transactions.
txn-commits | RR-DB | rrdb-txn-commits | Reports the total number of RR DB database transactions committed.
txn-aborts | RR-DB | rrdb-txn-aborts | Reports the total number of RR DB database transactions aborted.
reads | RR-DB | rrdb-reads | Reports the total number of RR DB read operations.
writes | RR-DB | rrdb-writes | Reports the total number of RR DB write operations.
deletes | RR-DB | rrdb-deletes | Reports the total number of RR DB delete operations.
check-pts | RR-DB | rrdb-check-pts | Reports the total number of RR DB check point operations.
log-purges | RR-DB | rrdb-log-purges | Reports the total number of RR DB log purge operations.
#-logs-purged | RR-DB | rrdb-log-purges-count | Reports the total number of RR DB logs purged.
cset-count | Cset-Queue | csetq-count | Reports the total number of change sets queued up to be written to the cset DB.
cset-queue-max-size | Cset-Queue | N/A | The maximum number of cset entries queued during this interval.
commits | Cset-Queue | N/A | Number of DB commits that happened in the last interval.
commits-failed | Cset-Queue | N/A | Number of DB commits that failed in the last interval.
txns | Cset-DB | csetdb-txn | Reports the total number of CSET DB database transactions.
txn-commits | Cset-DB | csetdb-txn-commits | Reports the total number of CSET DB database transactions committed.
txn-aborts | Cset-DB | csetdb-txn-aborts | Reports the total number of CSET DB database transactions aborted.
reads | Cset-DB | csetdb-reads | Reports the total number of CSET DB read operations.
writes | Cset-DB | csetdb-writes | Reports the total number of CSET DB write operations.
deletes | Cset-DB | csetdb-deletes | Reports the total number of CSET DB delete operations.
csets-trimmed | Cset-DB | csetdb-csets-trimmed | Reports the total number of change sets trimmed from the CSET DB by the history trimming process or by inline trimming.
check-pts | Cset-DB | csetdb-check-pts | Reports the total number of CSET DB check point operations.
log-purges | Cset-DB | csetdb-log-purges | Reports the total number of CSET DB log purge operations.
#-logs-purged | Cset-DB | csetdb-log-purges-count | Reports the total number of CSET DB logs purged.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Errors Statistics
The errors activity-counter-log-settings logs error related counters.
The errors activity summary statistics are logged under the Errors sub category.
Sample log message:
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21492 [Errors] Sample since Fri Oct 22 16:43:05 2021: update-errors=number, update-prereq-fail=number, ixfr-in-errors=number, ixfr-out-errors=number, axfr-in-errors=number, axfr-out-errors=number, xfer-in-auth-errors=number, xfer-failed-attempts=number, sent-total-errors=number, sent-refusal-errors=number, sent-format-errors=number, exceeded-max-dns-packets=number
Activity Summary Name | Server Statistic Name | Description
---|---|---
update-errors | update-errors | Reports the total number of updates resulting in errors. This excludes negative responses to update prerequisite checks, and TSIG responses. Both update packets and updates generated by the CNR UIs may be included in this count.
update-prereq-fail | update-prereq-fail | Reports the total number of updates resulting in prerequisite failures.
ixfr-in-errors | ixfr-in-errors | Reports the total in-bound IXFR errors, excluding packet format errors.
ixfr-out-errors | ixfr-out-errors | Reports the total IXFR error responses sent, excluding packet format errors.
axfr-in-errors | axfr-in-errors | Reports the total in-bound AXFR errors, excluding packet format errors.
axfr-out-errors | axfr-out-errors | Reports the total AXFR error responses sent, excluding packet format errors.
sent-total-errors | sent-total-errors | Reports the total number of requests the server answered with errors (RCODE values other than 0, 3, 6, 7, and 8). See RFC 1611.
sent-format-errors | sent-format-errors | Reports the number of requests received that were unparseable. See RFC 1611.
sent-refusal-errors | sent-refusal-errors | Reports the number of requests that resulted in REFUSED. See RFC 1611.
xfer-in-auth-errors | xfer-in-auth-errors | Reports the number of secondary IXFR/AXFR requests that were refused because of authorization errors.
xfer-failed-attempts | xfer-failed-attempts | Reports the number of secondary IXFR/AXFR failures, excluding authorization refusals.
exceeded-max-dns-packets | exceeded-max-dns-packets | Reports the number of times inbound packets exceeded the maximum DNS packets defined by max-dns-packets.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
HA Statistics
The ha activity-counter-log-settings logs HA related counters.
Sample log message:
name_dns_1_log:11/19/2021 11:43:23 name/dns/1 Activity Stats 0 20005 [HA-State] Sample since Fri Nov 19 11:41:35 2021: current=state, last-state-change=time, normal=number, comm-interrupted=number, negotiate=number, start-up=number, partner-down=number
name_dns_1_log:11/19/2021 12:09:23 name/dns/1 Activity Stats 0 21341 [HA-Requests-Sent] Sample since Fri Nov 19 12:08:23 2021: requests-sent=number, last-req-sent=Heartbeat @ Fri Nov 19 12:09:21 2021 (xid: 207), update=number, heart-beat=number, zone-sync=number, rr-sync=number, rr-recon=number, connect=number, negotiate=number, shutdown=number, truncated=number
name_dns_1_log:11/18/2021 13:07:26 name/dns/1 Activity Stats 0 21342 [HA-Requests-Rcvd] Sample since Thu Nov 18 13:04:12 2021: requests-recv=number, last-req-recv=Heartbeat @ Thu Nov 18 13:07:07 2021 (xid: 207), update=number, heart-beat=number, zone-sync=number, rr-sync=number, rr-recon=number, connect=number, negotiate=number, shutdown=number, truncated=number
11/29/2021 9:02:44 name/dns/1 Activity Stats 0 21343 [HA-Errors] Sample since Mon Nov 29 09:01:44 2021: update-reject=number, resp-mismatch=number, resp-inconsistent=number, resp-servfail=number, resp-unknown=number
11/29/2021 14:49:32 name/dns/1 Activity Stats 0 20006 [HA-Zone-Sync] Sample since Mon Nov 29 14:47:32 2021: sync=number, sync-completed=number, sync-failed=number, zone-mismatch=number, full-resync=number, conflict=number, merge=number, discard=number
Activity Summary Name | Logging Sub Category | Server Statistic Name | Description
---|---|---|---
comm-interrupted | HA-State | ha-state-comm-interrupted | Number of occurrences where the server enters the communication-interrupted state (HA_STATE_COMMINTR).
partner-down | HA-State | ha-state-partner-down | Number of occurrences where the server enters the partner-down state (HA_STATE_PARTNERDOWN).
negotiate | HA-State | ha-state-negotiating | Number of occurrences where the server enters the Negotiating state (HA_STATE_NEGOTIATING).
current | HA-State | ha-state-current | Current HA server state.
last-state-change | HA-State | ha-state-last-change-time | Last time when HA state changed.
start-up | HA-State | ha-state-startup | Number of occurrences where the server enters Startup State (HA_STARTUP).
normal | HA-State | ha-state-normal | Number of occurrences where the server enters Normal State (HA_NORMAL).
connect | HA-Requests-Sent | ha-msg-connect-sent | Number of connection establishment request messages sent (HA_DNS_ESTABLISH_CONNECTION).
rr-recon | HA-Requests-Sent | ha-msg-reconcile-sent | Number of zone reconciliation request messages sent (HA_DNS_RECONCILIATION).
heart-beat | HA-Requests-Sent | ha-msg-heartbeat-sent | Number of heartbeat request messages sent (HA_DNS_HEARTBEAT).
zone-sync | HA-Requests-Sent | ha-msg-zonesync-sent | Number of zone synchronization request messages sent (HA_DNS_ZONE_SYNC).
rr-sync | HA-Requests-Sent | ha-msg-rrsync-sent | Number of rr-sync request messages sent (HA_DNS_RR_SYNC).
update | HA-Requests-Sent | ha-msg-rrupdate-sent | Number of rr-update request messages sent (HA_DNS_RR_UPDATE).
N/A | N/A | ha-msg-resp-sent | Number of response messages sent. Response messages are used to acknowledge all types of request messages.
shutdown | HA-Requests-Sent | ha-msg-shutdown-sent | Number of shutdown request messages sent.
requests-sent | HA-Requests-Sent | ha-msg-req-sent | Number of HA request messages sent to the HA partner.
last-req-sent | HA-Requests-Sent | ha-msg-req-sent-time | Specifies the date and time the HA server last sent a request message to the HA partner.
negotiate | HA-Requests-Sent | N/A | Number of negotiate HA messages sent.
truncated | HA-Requests-Sent | N/A | Number of HA messages sent that were truncated.
connect | HA-Requests-Rcvd | ha-msg-connect-recv | Number of connection establishment request messages received (HA_DNS_ESTABLISH_CONNECTION).
rr-recon | HA-Requests-Rcvd | ha-msg-reconcile-recv | Number of zone reconciliation request messages received (HA_DNS_RECONCILIATION).
heart-beat | HA-Requests-Rcvd | ha-msg-heartbeat-recv | Number of heartbeat request messages received (HA_DNS_HEARTBEAT).
zone-sync | HA-Requests-Rcvd | ha-msg-zonesync-recv | Number of zone synchronization request messages received (HA_DNS_ZONE_SYNC).
rr-sync | HA-Requests-Rcvd | ha-msg-rrsync-recv | Number of rr-sync request messages received (HA_DNS_RR_SYNC).
update | HA-Requests-Rcvd | ha-msg-rrupdate-recv | Number of rr-update request messages received (HA_DNS_RR_UPDATE).
N/A | N/A | ha-msg-resp-recv | Number of response messages received. Response messages are used to acknowledge all types of request messages.
shutdown | HA-Requests-Rcvd | ha-msg-shutdown-recv | Number of shutdown request messages received.
requests-recv | HA-Requests-Rcvd | ha-msg-req-recv | Number of HA request messages received from the HA partner.
last-req-recv | HA-Requests-Rcvd | ha-msg-req-recv-time | Specifies the date and time the HA server last received a request message from the HA partner.
negotiate | HA-Requests-Rcvd | N/A | Number of negotiate HA messages received.
truncated | HA-Requests-Rcvd | N/A | Number of HA messages received that were truncated.
update-reject | HA-Errors | ha-update-reject | Number of DNS updates rejected by the server.
resp-mismatch | HA-Errors | ha-zone-mismatch | Number of zones reporting a mismatch error (HA_DNS_RESP_ERR_MISMATCH).
resp-servfail | HA-Errors | ha-resp-servfail | Number of responses reporting a server failure error (HA_DNS_RESP_ERR_SERVFAIL).
resp-inconsistent | HA-Errors | ha-resp-inconsistent | Number of responses reporting an inconsistent server state (HA_DNS_RESP_ERR_INCONSISTENT_STATE).
resp-unknown | HA-Errors | ha-resp-unknown | Number of responses with an unknown message type (HA_DNS_RESP_ERR_UNKNOWN_MSG_TYPE).
full-resync | HA-Zone-Sync | ha-full-zone-resync | Number of zones requiring full-zone resynchronization for nameset reconciliation.
conflict | HA-Zone-Sync | ha-sync-conflict | Number of zones with name conflicts during nameset reconciliation.
discard | HA-Zone-Sync | ha-sync-discard-name | Number of name conflicts where one nameset must be discarded to synchronize the zone.
merge | HA-Zone-Sync | ha-sync-merge-name | Number of name conflicts in which the namesets can be merged to synchronize the zone.
sync | HA-Zone-Sync | N/A | Number of zones that were requested to be synced.
sync-completed | HA-Zone-Sync | N/A | Number of zones where sync was completed.
sync-failed | HA-Zone-Sync | N/A | Number of zones where sync failed.
zone-mismatch | HA-Zone-Sync | N/A | Number of zones that do not match on HA Main and HA Backup.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
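The activity summary messages shown in the Cache, DB, Errors and HA sections above all share one line layout: a timestamp, the server identity, a message id, a bracketed sub category, a "Sample since" (or "Total since") clause, and a comma-separated list of counter=value pairs. The following added example (not part of the Cisco Prime Network Registrar documentation or product) parses that layout into a record per line, tolerates a leading "file:" prefix as left by grep in the HA samples, keeps non-numeric values such as last-req-sent intact, maps the shortened Query-Cache names to the server statistic names from the table, and picks out the Errors counters a defender would watch (refusals, unparseable requests, refused zone transfers, packet-limit hits). The sample log lines and counter values are constructed for illustration; the helper names are this example's own.

```python
"""Parse activity summary log lines written by an Authoritative DNS server.

Added example. Field names follow the tables in this section; the sample
lines, the counter values and the watch list are constructed for illustration.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample lines modelled on the formats shown in this section.
SAMPLE_LOG = """\
10/22/2021 16:47:05 name/dns/1 Activity Stats 0 21333 [Query-Cache] Sample since Fri Oct 22 16:46:05 2021: size=524288, #-records=1200, #-rrs=3400, nxdomain=12, hits=9800, misses=400, full=0, collisions=57
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21492 [Errors] Sample since Fri Oct 22 16:43:05 2021: update-errors=0, update-prereq-fail=2, ixfr-in-errors=0, ixfr-out-errors=0, axfr-in-errors=0, axfr-out-errors=0, xfer-in-auth-errors=5, xfer-failed-attempts=1, sent-total-errors=7, sent-refusal-errors=5, sent-format-errors=1, exceeded-max-dns-packets=0
name_dns_1_log:11/19/2021 12:09:23 name/dns/1 Activity Stats 0 21341 [HA-Requests-Sent] Sample since Fri Nov 19 12:08:23 2021: requests-sent=31, last-req-sent=Heartbeat @ Fri Nov 19 12:09:21 2021 (xid: 207), update=10, heart-beat=20, zone-sync=1, rr-sync=0, rr-recon=0, connect=0, negotiate=0, shutdown=0, truncated=0
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21344 [Cset-DB] Sample since Fri Oct 22 16:43:05 2021: reads=100, writes=20, deletes=0, csets-trimmed=0, conflicts=0, insufficient-history=0, txns=20, txn-commits=20, txn-aborts=0, txn-locked=0, txn-unlocked=0, check-pts=1, log-purges=0, #-logs-purged=0
"""

LINE_RE = re.compile(
    r"^(?:[^\s:]+:)?"                                        # optional "file:" prefix (grep output)
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}) "    # 10/22/2021 16:47:05
    r"(?P<src>\S+) Activity Stats (?P<sev>\d+) (?P<msgid>\d+) "
    r"\[(?P<subcat>[^\]]+)\] (?P<kind>Sample|Total) since "
    r"(?P<since>.*?): "                                      # non-greedy: stops at the first ": "
    r"(?P<body>.*)$"
)

# Shortened activity-summary names -> server statistic names (Query-Cache table).
QUERY_CACHE_NAMES = {
    "size": "cache-size", "#-records": "cache-records", "#-rrs": "cache-rrs",
    "nxdomain": "cache-nxdomain", "hits": "cache-hits", "misses": "cache-misses",
    "full": "cache-full",
}

# Errors counters that deserve attention when they are non-zero (constructed watch list).
ERROR_WATCH = ("xfer-in-auth-errors", "sent-refusal-errors",
               "sent-format-errors", "exceeded-max-dns-packets")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return one record for an activity summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    counters: Dict[str, Any] = {}
    for pair in m.group("body").split(", "):
        key, _, value = pair.partition("=")
        # Numeric counters become ints; values such as last-req-sent stay as text.
        counters[key] = int(value) if value.isdigit() else value
    return {
        "timestamp": m.group("ts"), "source": m.group("src"),
        "message_id": m.group("msgid"), "subcategory": m.group("subcat"),
        "kind": m.group("kind"), "since": m.group("since"), "counters": counters,
    }


def parse_activity_log(text: str) -> List[Dict[str, Any]]:
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def to_rest_name(stat: str) -> str:
    """queries-total -> queriesTotal, as the REST API names statistics."""
    head, *rest = stat.split("-")
    return head + "".join(part.capitalize() for part in rest)


def server_stat_name(subcategory: str, key: str) -> Optional[str]:
    """Map a shortened log name to the server statistic name where the tables give one."""
    if subcategory == "Query-Cache":
        return QUERY_CACHE_NAMES.get(key, "N/A")
    if subcategory == "Errors":
        return key                      # Errors names are identical in both columns
    return None                         # other sub categories: consult their tables


def cache_hit_ratio(rec: Dict[str, Any]) -> Optional[float]:
    c = rec["counters"]
    total = c["hits"] + c["misses"]
    return c["hits"] / total if total else None


def error_signals(rec: Dict[str, Any], threshold: int = 0) -> List[str]:
    """Watched Errors counters above threshold in this sampling interval."""
    c = rec["counters"]
    return [k for k in ERROR_WATCH if isinstance(c.get(k), int) and c[k] > threshold]


if __name__ == "__main__":
    for rec in parse_activity_log(SAMPLE_LOG):
        print(rec["timestamp"], rec["subcategory"], rec["kind"], "since", rec["since"])
        if rec["subcategory"] == "Query-Cache":
            print("  hit ratio:", cache_hit_ratio(rec), "collisions:", rec["counters"]["collisions"])
        if rec["subcategory"] == "Errors":
            print("  watch:", error_signals(rec))
```

Because the messages are samples per activity-summary-interval, the counters are already per-interval deltas, so a check like error_signals can be applied line by line without keeping state between intervals.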
Host Health Check Statistics
The host-health-check activity-counter-log-settings logs DNS Host Health Check counters.
The host health check activity summary statistics are logged under the HHC sub category.
Sample log message:
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21509 [HHC] Sample since Fri Oct 22 16:43:05 2021: hhc-domains=number, hhc-domains-failed=number, hhc-domains-passed=number, hhc-rrs=number, hhc-rrs-passed=number, hhc-rrs-failed=number, hhc-ping-domains=number, hhc-ping-domains-failed=number, hhc-ping-domains-passed=number, hhc-ping-rrs=number, hhc-ping-rrs-passed=number, hhc-ping-rrs-failed=number, hhc-gtp-echo-domains=number, hhc-gtp-echo-domains-failed=number, hhc-gtp-echo-domains-passed=number, hhc-gtp-echo-rrs=number, hhc-gtp-echo-rrs-passed=number, hhc-gtp-echo-rrs-failed=number
Activity Summary Name | Server Statistic Name | Description
---|---|---
hhc-domains | hhc-domains | Reports the total number of domains checked for Host Health Check.
hhc-domains-failed | hhc-domains-failed | Reports the total number of domains that failed Host Health Check. When all the RRs in the RR set are down, this stat is incremented.
hhc-domains-passed | hhc-domains-passed | Reports the total number of domains that passed Host Health Check. When any A/AAAA RR in the RR set is up, this stat is incremented.
hhc-rrs | hhc-rrs | Reports the total number of RRs checked for Host Health Check.
hhc-rrs-passed | hhc-rrs-passed | Reports the total number of RRs that have passed Host Health Check.
hhc-rrs-failed | hhc-rrs-failed | Reports the total number of RRs that have failed Host Health Check.
hhc-ping-domains | hhc-ping-domains | Reports the total number of domains checked for ping Host Health Check.
hhc-ping-domains-failed | hhc-ping-domains-failed | Reports the total number of domains that failed ping Host Health Check. When all the RRs in the RR set are down, this stat is incremented.
hhc-ping-domains-passed | hhc-ping-domains-passed | Reports the total number of domains that passed ping Host Health Check. When any RR in the RR set is up, this stat is incremented.
hhc-ping-rrs | hhc-ping-rrs | Reports the total number of RRs checked for ping Host Health Check.
hhc-ping-rrs-failed | hhc-ping-rrs-failed | Reports the total number of RRs that have failed ping Host Health Check.
hhc-ping-rrs-passed | hhc-ping-rrs-passed | Reports the total number of RRs that have passed ping Host Health Check.
hhc-gtp-echo-domains | hhc-gtp-echo-domains | Reports the total number of domains checked for gtp-echo Host Health Check.
hhc-gtp-echo-domains-failed | hhc-gtp-echo-domains-failed | Reports the total number of domains that failed gtp-echo Host Health Check. When all the RRs in the RR set are down, this stat is incremented.
hhc-gtp-echo-domains-passed | hhc-gtp-echo-domains-passed | Reports the total number of domains that passed gtp-echo Host Health Check. When any RR in the RR set is up, this stat is incremented.
hhc-gtp-echo-rrs | hhc-gtp-echo-rrs | Reports the total number of RRs checked for gtp-echo Host Health Check.
hhc-gtp-echo-rrs-failed | hhc-gtp-echo-rrs-failed | Reports the total number of RRs that have failed gtp-echo Host Health Check.
hhc-gtp-echo-rrs-passed | hhc-gtp-echo-rrs-passed | Reports the total number of RRs that have passed gtp-echo Host Health Check.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
IPv6 Statistics
The ipv6 activity-counter-log-settings logs IPv6 related counters.
The IPv6 activity summary statistics are logged under the Perform sub category.
Sample log message:
11/26/2021 15:25:36 name/dns/1 Activity Stats 0 03523 [Perform] Sample since Fri Nov 26 15:24:36 2021: pkts-in=number, pkts-out=number, pkts-in-udp=number, pkts-out-udp=number, pkts-in-tcp=number, pkts-out-tcp=number, ipv4-pkts-in=number, ipv4-pkts-out=number, ipv6-pkts-in=number, ipv6-pkts-out=number, queries=number, updates=number, notifies-in=number, notifies-out=number, notify-errors=number, ixfrs-in=number, ixfrs-out=number, ixfrs-full-resp=number, axfrs-in=number, axfrs-out=number, xfrs-in-at-limit=number, xfrs-out-at-limit=number, responses-with-NOTIMP=number, total-zones=number, total-rrs=number
Activity Summary Name | Server Statistic Name | Description
---|---|---
ipv6-pkts-in | ipv6-packets-in | Total number of IPv6 packets received.
ipv6-pkts-out | ipv6-packets-out | Total number of IPv6 packets sent.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Maxcounters Statistics
The maxcounters activity-counter-log-settings logs maxcounters related counters.
The maxcounters activity summary statistics are logged under the Max-Counters sub category.
Sample log message:
10/22/2021 16:40:05 name/dns/1 Activity Stats 0 21353 [Max-Counters] Sample since Tue Oct 19 19:32:39 2021: concurrent-xfrs-in=number, concurrent-xfrs-out=number, ha-update-latency-max=number, ha-batch-count-limit=number, ha-rr-pending-list=number, ha-rr-active-list=number, ha-persisted-edit-list=number, packet-queue-size=number, dns-concurrent-packets=number, pn-conn-max-conns=number, tcp-pkts-dropped=number
Activity Summary Name | Server Statistic Name | Description
---|---|---
concurrent-xfrs-in | concurrent-xfrs-in | Reports the maximum number of concurrent threads processing inbound transfers during the last sampling period.
concurrent-xfrs-out | concurrent-xfrs-out | Reports the maximum number of concurrent threads processing outbound transfers during the last sampling period.
ha-batch-count-limit | ha-batch-count-limit | Reports the number of times the ha-dns-max-batch-count limit was reached during the last sampling period.
ha-rr-pending-list | ha-rr-pending-list | Reports the maximum number of RRs in the pending list, waiting for acknowledgement from the HA DNS backup server, during the last sampling period.
ha-rr-active-list | ha-rr-active-list | Reports the maximum number of RRs in the active list, waiting to be sent to the HA DNS backup server, during the last sampling period.
ha-persisted-edit-list | ha-persisted-edit-list | Reports the maximum number of names persisted in the edit list database during the last sampling period.
ha-update-latency-max | ha-update-latency-max | Reports the maximum DNS update latency in seconds, during the last sampling period. Latency is measured as the time an update remains in the pending list.
dns-concurrent-packets | dns-concurrent-packets | Reports the maximum number of concurrent packets processed by the DNS server during the sampling period.
tcp-pkts-dropped | N/A | Reports the number of TCP connections dropped by the DNS server that exceeded tcp-max-active-connections.
The statistics listed in this column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Performance Statistics
The performance activity-counter-log-settings setting logs performance-related counters.
The performance activity summary statistics are logged under the Perform sub category.
Sample log message:
10/22/2021 16:40:05 name/dns/1 Activity Stats 0 03523 [Perform] Sample since Tue Oct 19 19:32:39 2021: pkts-in=number, pkts-out=number, pkts-in-udp=number, pkts-out-udp=number, pkts-in-tcp=number, pkts-out-tcp=number, ipv4-pkts-in=number, ipv4-pkts-out=number, ipv6-pkts-in=number, ipv6-pkts-out=number, tcp-pkts-dropped=number, queries=number, updates=number, notifies-in=number, notifies-out=number, notify-errors=number, ixfrs-in=number, ixfrs-out=number, ixfrs-full-resp=number, axfrs-in=number, axfrs-out=number, xfrs-in-at-limit=number, xfrs-out-at-limit=number, responses-with-NOTIMP=number, total-zones=number, total-rrs=number
Activity Summary Name | Server Statistic | Description |
---|---|---|
ipv4-pkts-in | ipv4-packets-in | Reports the total number of IPv4 packets received. |
ipv4-pkts-out | ipv4-packets-out | Reports the total number of IPv4 packets sent. |
N/A | updated-rrs | Reports the total number of RRs added and deleted, including updates from the CPNR UIs, whether or not there were database errors. |
updates | update-packets | Reports the number of successful DNS updates. |
queries | queries-total | Total number of queries received by the DNS Server. |
ixfrs-out | ixfrs-out | Reports the number of successful outbound incremental transfers. |
ixfrs-in | ixfrs-in | Reports the number of successful inbound incremental transfers, including incremental requests that resulted in full zone transfers. |
ixfrs-full-resp | ixfrs-full-resp | Reports the number of outbound full zone transfers in response to IXFR requests. These may have been due to IXFR errors, insufficient serial history, or too many changes in the zone. |
axfrs-in | axfrs-in | Reports the number of successful inbound AXFRs. |
axfrs-out | axfrs-out | Reports the number of successful outbound full zone transfers, including those counted in ixfrs-full-resp. |
xfrs-in-at-limit | xfrs-in-at-limit | Reports the number of times that inbound transfers reached the concurrent limit. |
xfrs-out-at-limit | xfrs-out-at-limit | Reports the number of times that outbound transfers reached the concurrent limit. |
notifies-out | notifies-out | Reports the number of outbound notifies. Each notify packet sent is counted separately. |
notifies-in | notifies-in | Reports the number of inbound notifies. Each notify packet received is counted separately. |
notify-errors | N/A | Errors detected while processing notify requests. |
total-zones | N/A | Total number of zones configured. |
total-rrs | N/A | Total number of RRs across all configured zones. |
responses-with-NOTIMP | responses-with-NOTIMP | Reports the number of requests with OP codes that are not implemented. |
pkts-in | packets-in | Reports the total number of packets received. |
pkts-out | packets-out | Reports the total number of packets sent. |
pkts-in-udp | packets-in-udp | Reports the total number of UDP packets received. |
pkts-out-udp | packets-out-udp | Reports the total number of UDP packets sent. |
pkts-in-tcp | packets-in-tcp | Reports the total number of TCP packets received. |
pkts-out-tcp | packets-out-tcp | Reports the total number of TCP packets sent. |
ipv6-pkts-in | ipv6-packets-in | Reports the total number of IPv6 packets received. |
ipv6-pkts-out | ipv6-packets-out | Reports the total number of IPv6 packets sent. |
tcp-pkts-dropped | N/A | Reports the number of TCP connections dropped by the DNS server that exceeded tcp-max-active-connections. |
The statistics listed in the Server Statistic column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Query Statistics
The query activity-counter-log-settings setting logs query-related counters.
Sample log message:
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21168 [Query] Sample since Fri Oct 22 16:40:05 2021: total=number, dropped=number, acl-failures=number, udp=number, tcp=number, ipv4=number, ipv6=number, tls=number, tls-failures=number, dropped-recursive=number, dropped-unwanted-class=number, dropped-unwanted-type=number
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21333 [Query-Cache] Sample since Fri Oct 22 16:43:05 2021: size=number, #-records=number, #-rrs=number, nxdomain=number, hits=number, misses=number, full=number, collisions=number
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21331 [Query-Type] Sample since Fri Oct 22 16:40:05 2021: A=number, AAAA=number, ANY=number, CNAME=number, MX=number, NAPTR=number, NS=number, PTR=number, SOA=number, SRV=number, TXT=number, DNSKEY=number, DS=number, RRSIG=number, NSEC=number, CAA=number, URI=number, SVCB=number, HTTPS=number, other=number
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21332 [Query-Responses] Sample since Fri Oct 22 16:40:05 2021: total=number, no-error=number, referrals=number, no-data=number, nxdomain=number, refused=number, notauth=number, formerr=number, servfail=number, other=number
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21524 [DNSSEC] Sample since Fri Oct 22 16:40:05 2021: dnssec-zones=number, dnssec-sign-zone=number, dnssec-queries=number, dnssec-responses=number, dnssec-requests-dropped=number
03/08/2022 18:40:54 name/dns/1 Activity Stats 0 21613 [TLS] Total since Tue Mar 1 19:52:29 2022: tls-queries=number, tls-queries-failed=number
Activity Summary Name | Logging Sub Category | Server Statistic | Description |
---|---|---|---|
hits | Query-Cache | mem-cache-hits | Reports the number of mem-cache lookup hits. |
misses | Query-Cache | mem-cache-misses | Reports the number of mem-cache lookup misses. |
dropped | Query | queries-dropped | Reports the number of non-error dropped packets. Queries restricted by server, TSIG, or update policies are included, but DNS updates, xfer requests, and notifies are excluded. |
N/A | N/A | queries-with-edns | Reports the number of OPT RR packets processed. |
total | Query | queries-total | Total number of queries received by the DNS Server. |
udp | Query | queries-over-udp | Total number of queries received over UDP by the DNS Server. |
tcp | Query | queries-over-tcp | Total number of queries received over TCP by the DNS Server. |
ipv4 | Query | queries-over-ipv4 | Total number of IPv4 queries received by the DNS Server. |
ipv6 | Query | queries-over-ipv6 | Total number of IPv6 queries received by the DNS Server. |
tls | Query | queries-over-tls | Total number of queries received over TLS by the DNS Server. |
tls-failures | Query | queries-over-tls-failed | Total number of TLS queries that failed during the TLS handshake. |
dropped-recursive | Query | queries-dropped-recursive | Number of recursive queries dropped. |
dropped-unwanted-class | Query | queries-dropped-unwanted-class | Total number of queries dropped due to unwanted classes. Only queries of class IN are allowed. |
dropped-unwanted-type | Query | queries-dropped-unwanted-type | Total number of queries dropped due to unwanted types. Unwanted RR types are specified in the query-types-unwanted DNS server attribute. |
acl-failures | Query | queries-failed-acl | Reports the number of query ACL (restrict-query-acl) failures. |
total | Query-Responses | query-answers-total | Reports the total number of query responses. |
no-error | Query-Responses | query-answers-with-NOERROR | Reports the number of queries that were authoritatively answered. |
nxdomain | Query-Responses | query-answers-with-NXDOMAIN | Reports the number of queries that failed with no such name responses. |
no-data | Query-Responses | query-answers-with-NODATA | Reports the number of queries that failed with no data (empty answer) responses. |
notauth | Query-Responses | query-answers-with-NOTAUTH | Reports the number of queries that failed with not authoritative responses. |
referrals | Query-Responses | query-answers-with-referral | Reports the number of requests that were referred to other servers. |
refused | Query-Responses | query-answers-with-REFUSED | Reports the number of queries refused. |
formerr | Query-Responses | query-answers-with-FORMERR | Reports the number of query responses with rcode of FORMERR. |
servfail | Query-Responses | query-answers-with-SERVFAIL | Reports the number of query responses with rcode of SERVFAIL. |
other | Query-Responses | query-answers-with-other-errors | Reports the number of queries with other errors. |
dnssec-queries | DNSSEC | queries-dnssec | Reports the total number of queries requesting that responses include DNSSEC-related RRs (EDNS option DO bit). |
A | Query-Type | queries-type-A | Number of A queries received. |
AAAA | Query-Type | queries-type-AAAA | Number of AAAA queries received. |
CNAME | Query-Type | queries-type-CNAME | Number of CNAME queries received. |
PTR | Query-Type | queries-type-PTR | Number of PTR queries received. |
NS | Query-Type | queries-type-NS | Number of NS queries received. |
SOA | Query-Type | queries-type-SOA | Number of SOA queries received. |
MX | Query-Type | queries-type-MX | Number of MX queries received. |
NAPTR | Query-Type | queries-type-NAPTR | Number of NAPTR queries received. |
other | Query-Type | queries-type-other | All other queries received. |
ANY | Query-Type | queries-type-ANY | Number of ANY queries received. |
SRV | Query-Type | queries-type-SRV | Number of SRV queries received. |
TXT | Query-Type | queries-type-TXT | Number of TXT queries received. |
DNSKEY | Query-Type | queries-type-DNSKEY | Number of DNSKEY queries received. |
DS | Query-Type | queries-type-DS | Number of DS queries received. |
RRSIG | Query-Type | queries-type-RRSIG | Number of RRSIG queries received. |
NSEC | Query-Type | queries-type-NSEC | Number of NSEC queries received. |
CAA | Query-Type | queries-type-CAA | Number of CAA queries received. |
URI | Query-Type | queries-type-URI | Number of URI queries received. |
SVCB | Query-Type | queries-type-SVCB | Number of SVCB (TYPE 64) queries received. |
HTTPS | Query-Type | queries-type-HTTPS | Number of HTTPS RR (TYPE 65) queries received. |
tls-queries | TLS | tls-queries | Total number of queries received over TLS by the DNS Server. |
tls-queries-failed | TLS | tls-queries-failed | Total number of TLS queries that failed during the TLS handshake. |
The statistics listed in the Server Statistic column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Security Statistics
The security activity-counter-log-settings setting logs security-related counters.
Sample log message:
10/22/2021 16:44:05 name/dns/1 Activity Stats 0 21492 [Errors] Sample since Fri Oct 22 16:43:05 2021: update-errors=number, update-prereq-fail=number, ixfr-in-errors=number, ixfr-out-errors=number, axfr-in-errors=number, axfr-out-errors=number, xfer-in-auth-errors=number, xfer-failed-attempts=number, sent-total-errors=number, sent-refusal-errors=number, sent-format-errors=number, exceeded-max-dns-packets=number
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21332 [Query-Responses] Sample since Fri Oct 22 16:40:05 2021: total=number, no-error=number, referrals=number, no-data=number, nxdomain=number, refused=number, notauth=number, formerr=number, servfail=number, other=number
11/19/2021 16:59:41 name/dns/1 Activity Stats 0 21524 [DNSSEC] Sample since Fri Nov 19 16:58:41 2021: dnssec-zones=number, dnssec-sign-zone=number, dnssec-queries=number, dnssec-responses=number, dnssec-requests-dropped=number
11/26/2021 16:16:45 name/dns/1 Activity Stats 0 21491 [TSIG] Sample since Fri Nov 26 16:15:45 2021: tsig-packets=number, badtime=number, badkey=number, badsig=number, badtime-resp=number, badkey-resp=number, badsig-resp=number
12/08/2021 12:58:42 name/dns/1 Activity Stats 0 21389 [RPZ] Sample since Wed Dec 8 12:57:03 2021: rpz-queries=number, rpz-hits=number, rpz-misses=number
01/30/2023 22:25:47 dns_security Activity Stats 0 21634 [Security-Events-Categories] Sample since Mon Jan 30 22:24:47 2023: total=number, requests=number, alarm=number, amplification=number, dos=number, poisoning=number, snooping=number, tunneling=number
Activity Summary Name | Logging Sub Category | Server Statistic | Description |
---|---|---|---|
xfer-in-auth-errors | Errors | unauth-xfer-reqs | Reports the number of ACL authorization failures in zone transfers. |
N/A | N/A | unauth-update-reqs | Reports the number of ACL authorization failures in DNS updates. Administrative RR updates (from CPNR UIs) are excluded. |
refused | Query-Responses | restrict-query-acl | Reports the number of ACL authorization failures in DNS queries. |
N/A | N/A | blackhole-acl-dropped-requests | Reports the number of DNS requests dropped by the server subject to blackhole-acl. |
tsig-packets | TSIG | rcvd-tsig-packets | Reports the number of TSIG RR packets processed, if TSIG processing is enabled for the type of packet. |
badtime-resp | TSIG | detected-tsig-bad-time | Reports the number of bad timestamps in incoming TSIG packets. |
badkey-resp | TSIG | detected-tsig-bad-key | Reports the number of bad keynames (those with an invalid or unknown key) in incoming TSIG packets. |
badsig-resp | TSIG | detected-tsig-bad-sig | Reports the number of bad signatures in incoming TSIG packets. |
badtime | TSIG | rcvd-tsig-bad-time | Reports the number of BADTIME errors received after sending a TSIG packet. |
badkey | TSIG | rcvd-tsig-bad-key | Reports the number of BADKEY errors received after sending a TSIG packet. |
badsig | TSIG | rcvd-tsig-bad-sig | Reports the number of BADSIG errors received after sending a TSIG packet. |
dnssec-zones | DNSSEC | dnssec-zones | Reports the number of zones with DNSSEC enabled. |
dnssec-sign-zone | DNSSEC | dnssec-sign-zone | Reports the number of times the server signed a DNSSEC zone. |
dnssec-queries | DNSSEC | dnssec-queries | Reports the total number of queries requesting that responses include DNSSEC-related RRs (EDNS option DO bit). |
dnssec-responses | DNSSEC | dnssec-responses | Reports the total number of responses to DNSSEC-enabled queries (EDNS option DO bit). |
dnssec-requests-dropped | DNSSEC | dnssec-requests-dropped | Reports the total number of DNS requests that were dropped because the server was in the process of signing a DNSSEC zone. |
rpz-queries | RPZ | queries-rpz | Reports the number of queries for RPZ. |
rpz-hits | RPZ | query-answers-rpz-hits | Reports the number of RPZ queries that matched RRs in RPZs. |
rpz-misses | RPZ | query-answers-rpz-misses | Reports the number of RPZ queries that did not match RRs in RPZs. |
total | Security-Events-Categories | security-events | Total number of security events detected and captured. |
alarm | Security-Events-Categories | security-events-alarm | Total number of security events detected and captured within a configurable interval that are used to trigger DNS Security Event Resource Limit alarms. |
amplification | Security-Events-Categories | security-events-amplification-attack | Total number of security events due to an amplification attack detected and captured. |
dos | Security-Events-Categories | security-events-dos | Total number of security events due to a potential DoS attack detected and captured. |
poisoning | Security-Events-Categories | security-events-poisoning | Total number of security events due to DNS poisoning detected and captured. |
snooping | Security-Events-Categories | security-events-snooping | Total number of security events due to caching or data snooping detected and captured. |
tunneling | Security-Events-Categories | security-events-dns-tunneling | Total number of security events due to DNS tunneling detected and captured. |
The statistics listed in the Server Statistic column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
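The activity-summary messages in the preceding sections (Max-Counters, Perform, Query, Security and the others) all share one layout: a timestamp, the logging source, the message id, the sub category in brackets, a sample window, and a comma-separated list of `name=value` counters, with the REST API exposing the same statistics under camel-cased names. The following is an added example, not code from Cisco Prime Network Registrar or its documentation; it parses that layout, converts statistic names to the REST form, and flags counters a defender would watch in a sample (incoming TSIG packets with bad keys or signatures, zone-transfer ACL failures, tunneling or amplification events). The sample log lines and the `SECURITY_WATCH` thresholds are constructed for the example, since the guide prints `number` as a placeholder.

```python
"""Parse Cisco Prime Network Registrar 'Activity Stats' log lines and flag
security-relevant counters.

Added example, not code from the product or the guide. The line layout and
counter names follow the sample messages in this section; the sample values
and the watch thresholds below are constructed.
"""
import re
from dataclasses import dataclass

@dataclass
class ActivityRecord:
    timestamp: str      # "MM/DD/YYYY HH:MM:SS" as logged
    source: str         # e.g. name/dns/1 or dns_security
    msgid: str          # message id, e.g. 21491
    subcategory: str    # text in brackets, e.g. TSIG or Query-Responses
    window: str         # "Sample since ...", "Total since ..." or "from ... to ..."
    counters: dict      # name -> int (or the raw string when not numeric)

# <date> <time> <source> Activity Stats <n> <msgid> [<SubCategory>] <window>: k=v, k=v
# The Top-Names variant ends its window with ';' instead of ':', so both are accepted.
_LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<source>\S+) "
    r"Activity Stats \d+ (?P<msgid>\d+) \[(?P<subcat>[^\]]+)\] "
    r"(?P<window>.+?)[:;] (?P<pairs>.+)$"
)

def parse_activity_line(line):
    """Return an ActivityRecord for one activity-summary line, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    counters = {}
    for pair in m.group("pairs").split(","):
        pair = pair.strip()
        if "=" not in pair:
            continue
        key, value = (s.strip() for s in pair.split("=", 1))
        counters[key] = int(value) if value.lstrip("-").isdigit() else value
    return ActivityRecord(f"{m.group('date')} {m.group('time')}", m.group("source"),
                          m.group("msgid"), m.group("subcat"), m.group("window"), counters)

def to_rest_name(stat):
    """Camel-case a dashed statistic name as the guide describes (queries-total -> queriesTotal).
    Assumption: already-uppercase tokens such as NOERROR keep their case."""
    parts = [p for p in stat.split("-") if p]
    return parts[0] + "".join(p[0].upper() + p[1:] for p in parts[1:])

# (sub category, activity-summary name) -> highest value considered normal in one sample.
# Constructed thresholds; tune them to the deployment's baseline.
SECURITY_WATCH = {
    ("TSIG", "badkey-resp"): 0,                 # incoming TSIG packets with unknown/invalid key name
    ("TSIG", "badsig-resp"): 0,                 # incoming TSIG packets with a bad signature
    ("TSIG", "badtime-resp"): 0,                # incoming TSIG packets outside the time window
    ("Errors", "xfer-in-auth-errors"): 0,       # zone-transfer requests refused by ACL
    ("Query", "acl-failures"): 100,             # restrict-query-acl failures
    ("Query", "dropped-unwanted-type"): 100,    # queries for types listed in query-types-unwanted
    ("Security-Events-Categories", "tunneling"): 0,
    ("Security-Events-Categories", "amplification"): 0,
}

def security_findings(record, watch=SECURITY_WATCH):
    """List the counters in one record that exceed their watch threshold."""
    findings = []
    for (subcat, key), limit in watch.items():
        value = record.counters.get(key) if record.subcategory == subcat else None
        if isinstance(value, int) and value > limit:
            findings.append(f"{record.timestamp} [{subcat}] {key}={value} exceeds {limit}")
    return findings

# Constructed sample lines in the guide's layout, with numbers in place of 'number'.
SAMPLE_LOG = """\
11/26/2021 16:16:45 name/dns/1 Activity Stats 0 21491 [TSIG] Sample since Fri Nov 26 16:15:45 2021: tsig-packets=812, badtime=0, badkey=0, badsig=0, badtime-resp=0, badkey-resp=3, badsig-resp=17
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21168 [Query] Sample since Fri Oct 22 16:40:05 2021: total=48213, dropped=12, acl-failures=4, udp=47000, tcp=1213, ipv4=40000, ipv6=8213, tls=0, tls-failures=0, dropped-recursive=8, dropped-unwanted-class=0, dropped-unwanted-type=0
10/22/2021 16:55:05 name/dns/1 Activity Stats 0 21508 [Top-Names] from 16:53:05 to 16:54:05; interval=60, total-counted=1500
01/30/2023 22:25:47 dns_security Activity Stats 0 21634 [Security-Events-Categories] Sample since Mon Jan 30 22:24:47 2023: total=2, requests=2, alarm=1, amplification=0, dos=0, poisoning=0, snooping=0, tunneling=2
"""

def scan_log(text):
    """Parse every line of an activity-summary log; return (records, findings)."""
    records = [r for r in (parse_activity_line(l) for l in text.splitlines()) if r]
    findings = [f for r in records for f in security_findings(r)]
    return records, findings

if __name__ == "__main__":
    recs, found = scan_log(SAMPLE_LOG)
    for r in recs:
        print(r.subcategory, {to_rest_name(k): v for k, v in r.counters.items()})
    print("\n".join(found))
```

The same parser covers every sub category on this page because the counter list is opaque to it; only the watch table is specific to a sub category. The unusual Top-Names window ("from ... to ...;") is handled by the `[:;]` alternative in the pattern.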
System Statistics
The system activity-counter-log-settings setting logs system-related counters.
The system activity summary statistics are logged under the System sub category.
Sample log message:
10/22/2021 16:41:05 name/dns/1 Activity Stats 0 21493 [System] Sample since Fri Oct 22 16:40:05 2021: pid=number, cpu=number, memory=number, virtual=number, conntrack-max=number, conntrack-count=number, conntrack-usage=number
Activity Summary Name | Description |
---|---|
pid | The PID of the ADNS process. |
cpu | The amount of CPU used by the ADNS process. |
memory | The amount of memory used by the ADNS process. |
virtual | The amount of virtual memory used by the ADNS process. |
conntrack-max | The maximum number of Linux firewall connections reached. |
conntrack-count | The current number of Linux firewall connections. |
conntrack-usage | The percentage of Linux firewall connections in use. |
Top Names Statistics
The top-names activity-counter-log-settings setting logs the top names queried and their hit counts.
The top names activity summary statistics are logged under the Top-Names sub category.
Sample log message:
10/22/2021 16:55:05 name/dns/1 Activity Stats 0 21508 [Top-Names] from 16:53:05 to 16:54:05; interval=number, total-counted=number
Activity Summary Name | Server Statistic | Description |
---|---|---|
interval | N/A | Length of the data collection period. |
total-counted | total-counted | Reports the total number of queries counted in this collection period. |
The statistics listed in the Server Statistic column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Update Statistics
The update activity-counter-log-settings setting logs DNS Update-related counters.
Sample log message:
10/29/2021 15:56:31 name/dns/1 Activity Stats 0 21550 [Update] Sample since Fri Oct 29 15:55:31 2021: total=number, failed-acl=number, prereq-only=number, dropped=number, simulated=number, udp=number, tcp=number, ipv4=number, ipv6=number, deletes=number, adds=number, refreshes=number, rrs=number, A=number, AAAA=number, DHCID=number, TXT=number, other=number
10/29/2021 15:56:31 name/dns/1 Activity Stats 0 21551 [Update-Responses] Sample since Fri Oct 29 15:55:31 2021: total=number, no-error=number, failures=number, refused=number, notauth=number, notzone=number, formerr=number, servfail=number, prereq-failures=number, yxdomain=number, yxrrset=number, nxdomain=number, nxrrset=number
Activity Summary Name | Logging Sub Category | Server Statistic | Description |
---|---|---|---|
total | Update | update-total | Total number of updates received by the DNS server. |
failed-acl | Update | update-failed-acl | Total number of updates that were refused due to failing ACL and/or Update Policy authorization. |
prereq-only | Update | update-prereq-only | Total number of prereq-only updates received by the DNS server. |
dropped | Update | update-dropped | Total number of updates that are dropped by the DNS server. |
simulated | Update | update-simulated | Total number of updates that are simulated. Simulated RR updates return a NOERROR response, but don't cause any RR changes. |
udp | Update | update-over-udp | Total number of updates received over UDP. |
tcp | Update | update-over-tcp | Total number of updates received over TCP. |
ipv4 | Update | update-over-ipv4 | Total number of updates received over IPv4. |
ipv6 | Update | update-over-ipv6 | Total number of updates received over IPv6. |
deletes | Update | update-delete | Total number of RRs deleted by DNS update. |
adds | Update | update-add | Total number of RRs added by DNS update. |
refreshes | Update | update-refresh | Total number of RRs refreshed by DNS update. |
rrs | Update | update-total-rrs | The total number of RRs updated by DNS update requests. |
A | Update | update-type-A | Total number of updates for A records. |
AAAA | Update | update-type-AAAA | Total number of updates for AAAA records. |
DHCID | Update | update-type-DHCID | Total number of updates for DHCID records. |
TXT | Update | update-type-TXT | Total number of updates for TXT records. |
other | Update | update-type-other | Total number of updates for all other record types that are not specifically counted. |
total | Update-Responses | update-resp-total | Total number of update responses returned by the DNS server. |
no-error | Update-Responses | update-resp-NOERROR | Total number of update responses with rcode of NOERROR. |
failures | Update-Responses | update-resp-failures | Total number of updates that failed. |
refused | Update-Responses | update-resp-REFUSED | Total number of update responses with rcode of REFUSED. |
notauth | Update-Responses | update-resp-NOTAUTH | Total number of update responses with rcode of NOTAUTH. |
notzone | Update-Responses | update-resp-NOTZONE | Total number of update responses with rcode of NOTZONE. |
formerr | Update-Responses | update-resp-FORMERR | Total number of update responses with rcode of FORMERR. |
servfail | Update-Responses | update-resp-SERVFAIL | Total number of update responses with rcode of SERVFAIL. |
prereq-failures | Update-Responses | update-resp-prereq-failures | Total number of update responses with prereq failures (YXDOMAIN, YXRRSET, NXDOMAIN, NXRRSET). |
yxdomain | Update-Responses | update-resp-YXDOMAIN | Total number of update responses with rcode of YXDOMAIN. |
yxrrset | Update-Responses | update-resp-YXRRSET | Total number of update responses with rcode of YXRRSET. |
nxdomain | Update-Responses | update-resp-NXDOMAIN | Total number of update responses with rcode of NXDOMAIN. |
nxrrset | Update-Responses | update-resp-NXRRSET | Total number of update responses with rcode of NXRRSET. |
The statistics listed in the Server Statistic column are the server statistics displayed in the web UI and CLI. The REST API calls will have the statistic name camel-cased without dashes (that is, queries-total is queriesTotal in the REST API). Note that the activity summary and statistics are keyed off the same server data, but the activity-summary names are shortened to conserve space in the log message. For the complete list of Authoritative DNS server statistics, see the "DNS Statistics" section of the "Server Statistics" appendix in Cisco Prime Network Registrar 11.2 Administration Guide.
Specifying Top Names Settings
The top-names attribute specifies whether top names data should be collected. When enabled, a snapshot of the cache hits for the top names that are queried is collected for each interval set by the top-names-max-age value. The list of top names that is reported with activity summary statistics is the most current snapshot.
You can specify the maximum age (based on last access time) of a queried name allowed in the list of top names by using the top-names-max-age attribute. It has a default value of 60 seconds.
You can specify the maximum number of entries in the list of top names queried by using the top-names-max-count attribute. This limit is applied to the lists of top names that are logged as part of the activity summary or returned as part of the top names statistics.
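To make the two attributes concrete, here is an added example (not the product's implementation) of a hit table with the semantics just described: a name's entry is aged out when its last access is older than top-names-max-age, and a snapshot returns at most top-names-max-count entries ordered by hit count. The `TopNamesTracker` class, the query stream and the snapshot keys are constructed for the example; only the meaning of the two attributes comes from the guide.

```python
"""Model of top-names-max-age and top-names-max-count.

Added example, not code from Cisco Prime Network Registrar. The tracker,
the sample query stream and the snapshot layout are constructed; the
attribute semantics (age by last access, cap the reported list) are the
guide's.
"""

class TopNamesTracker:
    def __init__(self, max_age=60, max_count=10):
        self.max_age = max_age      # top-names-max-age: seconds since last access (default 60)
        self.max_count = max_count  # top-names-max-count: cap on the reported list
        self._entries = {}          # normalised name -> [hits, last_access_time]

    def record_query(self, qname, now):
        """Count one query hit for qname at time 'now' (seconds)."""
        name = qname.lower().rstrip(".")
        entry = self._entries.get(name)
        if entry is None:
            self._entries[name] = [1, now]
        else:
            entry[0] += 1
            entry[1] = now          # age is measured from the LAST access, not the first

    def _expire(self, now):
        """Drop names whose last access is older than max_age, whatever their hit count."""
        cutoff = now - self.max_age
        for name in [n for n, (_, last) in self._entries.items() if last < cutoff]:
            del self._entries[name]

    def snapshot(self, now):
        """Return the current top-names snapshot, as a dict mirroring the log fields."""
        self._expire(now)
        ranked = sorted(self._entries.items(), key=lambda kv: (-kv[1][0], kv[0]))
        return {
            "interval": self.max_age,
            "total-counted": sum(hits for hits, _ in self._entries.values()),
            "top-names": [(name, hits) for name, (hits, _) in ranked[: self.max_count]],
        }

def demo():
    """Constructed query stream: (seconds offset, query name)."""
    tracker = TopNamesTracker(max_age=60, max_count=2)
    stream = [
        (0, "www.example.com."), (5, "www.example.com."), (10, "mail.example.com."),
        (12, "www.example.com."), (20, "old.example.com."), (40, "api.example.com."),
        (85, "mail.example.com."), (90, "api.example.com."), (95, "ftp.example.com."),
    ]
    for offset, qname in stream:
        tracker.record_query(qname, now=offset)
    # At t=100 the cutoff is 40: www (3 hits, last seen at 12) and old (last seen at 20)
    # have aged out even though www was the busiest name overall.
    return tracker.snapshot(now=100)

if __name__ == "__main__":
    print(demo())
```

The point the example makes is that a hot name disappears from the list once it goes quiet for longer than top-names-max-age, and that top-names-max-count trims the reported list but does not change what is counted.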
Local Web UI
To enable Top Names, on the Edit Local DNS Server tab, under the Top Names Settings section, find the top-names attribute, enable it by selecting the enabled option, and then click Save to save the changes.
Top Names Statistics
The Top Names tab displays the relevant information with respect to top N domains and other important statistics attributes.
Local Basic or Advanced Web UI
Procedure
Step 1 | From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 | Click DNS in the Manage Servers pane to open the Edit Local DNS Server page. |
Step 3 | Click the Top Names tab available in the Local DNS Server page. |
CLI Commands
Use dns getStats top-names to view the Top Names statistics.
Security Events Settings
Starting with Cisco Prime Network Registrar 11.1, you can specify whether or not to log security events for the DNS server using the security-event-logging attribute on the Manage Servers page. You can also control which security event triggers to log under the Security Events section. When the DNS server detects a security event and the related security event log setting is enabled, a log message will be written to the dns_security_log file.
Attribute | Description |
---|---|
Security Event Logging (security-event-logging) | Enables DNS security event logging based on settings configured in security-event-log-settings. Note that security-event-logging and security-event-log-settings configuration changes take effect immediately without requiring a DNS server reload. Security event log messages are written to the dns_security_log file. |
Security Event Log Settings (security-event-log-settings) | Specifies the DNS security events that should be logged. When the DNS server detects a security event and the related security event log setting is enabled, a log message will be written to the dns_security_log file. In order for this setting to take effect, security-event-logging must be enabled. Note that security-event-logging and security-event-log-settings configuration changes take effect immediately without requiring a DNS server reload. The default settings are configuration, packet-inspection, and rate-limit. |
Security Event Alarm Settings (security-event-alarm-settings) | Specifies the DNS security event triggers that will be counted towards resource limit alarming. This allows the user to still get statistics and log messages for all security events, but limits the events that will trigger alarms. Note that security-event-alarm-settings configuration changes take effect immediately without requiring a DNS server reload. |
Maximum Query Name Size (security-event-max-qname-size) | Specifies the maximum size of a query name (QNAME) allowed. If a longer hostname is detected, the server will trigger a packet inspection DNS security event for the DNS tunneling category and the query will be refused. A setting of 0 (default) disables query name length checking. |
Block List ACL (acl-blocklist) | Blocks requests from clients listed in this access control list. This list can contain hosts, network addresses and/or other ACLs. Requests from clients matching this ACL will be dropped. |
TSIG Processing (tsig-processing) | Enables you to turn TSIG processing for DNS transactions on and off. Default is enabled on ddns and query requests. |
gss-tsig-processing | Indicates the gss-tsig security mode for DNS transactions. If both gss-tsig-processing and tsig-processing are enabled, gss-tsig security mode will be disabled. Default is none (disabled). |
gss-tsig-config | Identifies the gss-tsig configuration object to be used by the DNS server. |
Local Advanced Web UI
Procedure
Step 1 | From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 | Click DNS in the Manage Servers pane to open the Edit Local DNS Server page. |
Step 3 | Under the Security Events section, select enabled from the security-event-logging drop-down list to enable DNS security event logging. |
Step 4 | For the security-event-log-settings attribute, check the desired check boxes. |
Step 5 | Click Save to save the changes. |
CLI Commands
Procedure
Command or Action | Purpose |
---|---|
dns set security-event-log-settings=value | Specifies the DNS security events that should be logged. |
Security Events Statistics
On the Manage DNS Authoritative Server page, click the Statistics tab to view the Server Statistics page. The Security Events statistics appear under the Security Statistics section of both the Total Statistics and Sample Statistics categories.
Attribute | Description |
---|---|
security-events | Total number of security events detected and captured. |
security-events-alarm | Total number of security events detected and captured within a configurable interval that are used to trigger DNS Security Event Resource Limit alarms. |
security-events-amplification-attack | Total number of security events due to an amplification attack detected and captured. |
security-events-dns-tunneling | Total number of security events due to DNS tunneling detected and captured. |
security-events-dos | Total number of security events due to a potential DoS attack detected and captured. |
security-events-poisoning | Total number of security events due to DNS poisoning detected and captured. |
security-events-snooping | Total number of security events due to caching or data snooping detected and captured. |
Security Logs
The Authoritative DNS security events are saved in the dns_security_log file. The Security Logs tab displays the contents of this log file.
Local Web UI
Procedure
Step 1 |
From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 |
Click DNS in the Manage Servers pane to open the Edit Local DNS Server page. |
Step 3 |
Click the Security Logs tab. |
Security Events Resource Monitoring
On the Edit Local CCM Server page, you can configure the warning and critical levels for Authoritative DNS security events.
Local and Regional Advanced Web UI
Procedure
Step 1 |
From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. Click CCM in the Manage Servers pane to open the Edit Local CCM Server page. |
Step 2 |
Under the DNS Security Events section, enter the required values in the following fields:
|
Step 3 |
Click Save. |
CLI Commands
Use resource set dns-security-events-critical-level=value to set the critical level for the number of DNS security events in the Authoritative DNS server.
Use resource set dns-security-events-warning-level=value to set the warning level for the number of DNS security events in the Authoritative DNS server.
Specifying TLS Settings
Cisco Prime Network Registrar supports TLS in the Authoritative DNS server in addition to the Caching DNS server. The DNS server listens on configurable port 853 for TLS. On port 853, only TCP TLS connections are accepted and other connections are dropped. The DNS server has configurable parameters to enable or disable TLS, and to add TLS private and public key files.
For more information on DNS over TLS, see the Specifying TLS Settings section in the "Managing Caching DNS Server" chapter.
Attribute |
Description |
---|---|
TLS (tls) |
Before enabling TLS, a certificate object of type cdns must be created using the public and private key files, and the tls-certificate attribute must be set. Enabling or disabling the TLS service requires a Cisco Prime Network Registrar service restart for the change to take effect. |
TLS Certificate (tls-certificate) |
Specifies the name of the managed certificate to be used for DNS over TLS (DoT) or DNS over HTTPS (DoH). |
TLS Port (tls-port) |
The port number on which to provide TCP TLS service. The DNS server will not serve non-TLS queries on this port. |
Local Advanced Web UI
Before you begin
Before enabling TLS, you must create a certificate object of type adns using the public and private key. Under the TLS Settings section on the Manage DNS Caching Server page, set the tls-certificate attribute to the created certificate object.
Procedure
Step 1 |
From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 |
Click DNS in the Manage Servers pane to open the Edit Local DNS Server page. |
Step 3 |
Under the TLS Settings section, enable the TLS attribute by selecting the enabled option. |
Step 4 |
Click Save to save the changes. |
Note |
You must restart the Cisco Prime Network Registrar service whenever TLS settings are modified. |
CLI Commands
Use dns set attribute=value to set the TLS attributes in the Authoritative DNS server.
Note |
You must restart the Cisco Prime Network Registrar service whenever TLS settings are modified. |
TLS Statistics
On the Manage DNS Authoritative Server page, click the Statistics tab to view the Server Statistics page. The TLS statistics appear under the Security Statistics section of both the Total Statistics and Sample Statistics categories.
Attribute |
Description |
---|---|
tls-queries |
Total number of queries received over TLS by the DNS Server. |
tls-queries-failed |
Total number of TLS queries failed during TLS handshake. |
Enabling Round-Robin
A query might return multiple A or AAAA records for a name lookup. Because most DNS clients start with, and limit their use to, the first record in the list, round-robin is enabled to share the load. This ensures that successive clients resolving the same name connect to different addresses on a revolving basis: the DNS server rearranges the order of the records each time it is queried. Round-robin is a method of load sharing rather than load balancing, which would be based on the actual load on each server.
Local Web UI
On the Manage DNS Authoritative Server page, under the Miscellaneous Options and Settings section, find the Enable round-robin (round-robin) attribute. It is set to enabled by default in Basic mode.
CLI Commands
Use dns get round-robin to see if round-robin is enabled (it is by default). If not, use dns enable round-robin.
Enabling Weighted Round-Robin
When a nameset is configured with multiple RRs of the same type, a weighted round-robin algorithm can be used to determine the frequency with which an RR is the first RR in the query response. To control the response behavior, administrators must be able to set weighted values on these RRs. In addition, the order in which multiple records are returned may be used by client applications and need to be controlled by administrators.
The order and weight attributes are available in Advanced mode.
Order
The order attribute specifies the sort order for the RR, compared to other RRs of the same type in the nameset. RRs of the same type are listed in ascending order of this attribute, and this is also the order in which the RRs are returned when queried.
Weight
RR weight can be used in situations where you want certain servers providing the same service to be returned more frequently and therefore receive more of the load. The weight attribute specifies the relative importance of this RR, compared to other RRs of the same type in the nameset. RRs with a higher weight are used more often in query responses for the name and type. For example, if the weight of one RR is set to 5 and the weight of another RR is set to 1, the first RR is used 5 times before the other RR is used once. RRs with a weight of 0 (zero) are always listed last and are not included in the round-robin operation.
Note |
The default weight on RRs is 1. When round robin is enabled (at either the DNS server or the zone level), each RR is returned in the first position once per query cycle (that is, traditional round robin). If all the weights in the RR set are 0, the response is returned to the client based on order, which effectively disables round-robin at the RR set level. |
The order and weight attributes can only be set on primary zones. They are transferred to the HA backup and to the secondary servers, except when the HA partner or the secondary server is a cluster prior to 9.0, in which case these attributes are not transferred. If you do not want order and weight to be transferred, disable the Transfer RR Meta Data (xfer-rr-meta-data) attribute on the Manage DNS Authoritative Server page (you must do this on the secondary DNS server). In a secondary zone, order and weight are visible, but the resource records are not editable.
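To make the order and weight rules above concrete, here is an added example that emulates them in Python. It is not Cisco Prime Network Registrar code; the RR class, the rotation state kept between queries and the default order of 0 are assumptions, while the default weight of 1, the 5:1 ratio, the "weight 0 is listed last and never rotated" rule and the "all weights 0 means strict order" rule follow the text. It goes slightly beyond the text's example by also covering equal weights (traditional round robin) and round-robin being disabled.

```python
"""Added example (not Cisco Prime Network Registrar code): emulate the documented
order/weight behaviour of an RR set so the 5:1 rule and the weight-0 rule can be observed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class RR:
    data: str
    order: int = 0    # ascending sort order among RRs of the same type (default 0 is an assumption)
    weight: int = 1   # documented default weight; 0 = listed last, excluded from rotation


class WeightedRoundRobin:
    """One name/type RR set plus the rotation state a server would keep between queries."""

    def __init__(self, rrs: List[RR]) -> None:
        ordered = sorted(rrs, key=lambda r: r.order)               # stable sort by order
        self.active = [r for r in ordered if r.weight > 0]         # take part in round robin
        self.fixed = [r for r in ordered if r.weight == 0]         # always last, never rotated
        self.idx = 0                                               # RR currently in first position
        self.credit = self.active[0].weight if self.active else 0  # responses left for that RR

    def respond(self, round_robin: bool = True) -> List[str]:
        """Return the RR data in the order the next query response would list it."""
        if not round_robin or not self.active:
            # Round robin disabled, or every weight is 0: answer strictly by order.
            return [r.data for r in self.active + self.fixed]
        rotated = self.active[self.idx:] + self.active[:self.idx]
        self.credit -= 1
        if self.credit == 0:                                       # this RR has had its share
            self.idx = (self.idx + 1) % len(self.active)
            self.credit = self.active[self.idx].weight
        return [r.data for r in rotated + self.fixed]


def first_position_counts(rrs: List[RR], queries: int) -> Dict[str, int]:
    """How often each RR lands in first position over a run of queries."""
    wrr = WeightedRoundRobin(rrs)
    return dict(Counter(wrr.respond()[0] for _ in range(queries)))


if __name__ == "__main__":
    # Constructed sample RR set: weights 5, 1 and 0, matching the text's example.
    sample = [RR("10.0.0.1", order=1, weight=5),
              RR("10.0.0.2", order=2, weight=1),
              RR("10.0.0.3", order=3, weight=0)]
    print(first_position_counts(sample, 12))
```

Running the sample shows 10.0.0.1 in first position ten times out of twelve, 10.0.0.2 twice, and the weight-0 record 10.0.0.3 never first and always last, which is the behaviour an administrator should expect when checking a weighted RR set with repeated queries.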
Local Web UI
Procedure
Step 1 |
From the Design menu, choose Forward Zones or Reverse Zones under the Auth DNS submenu to open the List/Add Zones page. |
Step 2 |
In the Forward Zone or Reverse Zone pane, click the zone name to open the Edit Zone page. |
Step 3 |
Click the Resource Records tab. |
Step 4 |
Add the RR name, TTL (if not using the default TTL), type, and data as appropriate. |
Step 5 |
Once the RRs are created, order and weight can be set by editing the RRs (click the pencil icon next to the desired RR). You can find the order and weight attributes under the RR Settings section. |
CLI Commands
Use zone name addRR rr-name rr-type rr-ttl rr-data [weight=rr-weight] [order=rr-order] to set weight and order.
Use zone name modifyRR rr-name type [data] attribute=value [attribute=value ...] to modify the resource records.
Enabling Incremental Zone Transfers (IXFR)
Incremental Zone Transfer (IXFR, described in RFC 1995) allows only changed data to transfer between servers, which is especially useful in dynamic environments. IXFR works together with NOTIFY (see Enabling NOTIFY) to ensure more efficient zone updates. IXFR is enabled by default.
Primary zone servers always provide IXFR. You should explicitly enable IXFR on the server (you cannot set it for the primary zone) only if the server has secondary zones. The DNS server setting applies to the secondary zone if there is no specific secondary zone setting.
Local Web UI
On the Manage DNS Authoritative Server page, under the Zone Default Settings section, you can find the Request incremental transfers (IXFR) attribute. It is set to enabled by default. For a secondary zone, you can also fine-tune the incremental zone transfers by setting the ixfr-expire-interval attribute.
This value is the longest interval for which the server maintains a secondary zone solely from IXFRs before forcing a full zone transfer (AXFR). The preset value is 0: because IXFR is enabled and always used, the server never periodically switches to AXFR. Then, click Save.
CLI Commands
Use dns enable ixfr-enable. By default, the ixfr-enable attribute is enabled.
Restricting Zone Queries
You can restrict clients to query only certain zones based on an Access Control List (ACL). An ACL can contain source IP addresses, network addresses, TSIG keys (see the "Transaction Security" section in Cisco Prime Network Registrar 11.2 DHCP User Guide), or other ACLs. The restrict-query-acl attribute on the Manage DNS Authoritative Server page serves as a default value for zones that do not have the restrict-query-acl explicitly set.
Enabling NOTIFY
The NOTIFY protocol, described in RFC 1996, lets the Cisco Prime Network Registrar DNS primary server inform its secondaries that zone changes occurred. The NOTIFY packets also include the current SOA record for the zone, which gives the secondaries a hint as to whether or not changes have occurred: if they have, the serial number differs from the one the secondary holds. Use NOTIFY in environments where the namespace is relatively dynamic.
Since a zone primary server cannot know specifically which secondary server transfers from it, Cisco Prime Network Registrar notifies all nameservers listed in the zone NS records. The only exception is the server named in the SOA field of the primary server. You can add additional servers to be notified by adding the IPv4 and IPv6 addresses to the notify-list on the zone configuration.
Note |
In order for notifies to be sent to hidden name servers (that is, those that are not listed as NS RRs in the zone), their IP addresses need to be listed in the notify-list and the notify setting needs to be set to notify-list or notify-all. |
You can use IXFR and NOTIFY together, but this is not necessary. You can disable NOTIFY for a quickly changing zone for which immediate updates on all secondaries do not warrant the constant NOTIFY traffic. Such a zone might benefit from having a short refresh time and a disabled NOTIFY.
Note |
On the secondary zones, notifies are enabled by default. If there are no second-tier secondary servers to be notified, you should disable this setting. Doing so eliminates unnecessary notify requests and may increase server performance. |
Local Advanced Web UI
Procedure
Step 1 |
On the Manage DNS Authoritative Server page, under the Zone Transfer Settings section, find the notify attribute and select the value from the drop-down list. |
Step 2 |
Set any of the other NOTIFY attributes (notify-min-interval, notify-rcv-interval, notify-send-stagger, notify-source-port, and notify-wait). |
Step 3 |
Click Save. |
Step 4 |
To add nameservers in addition to those specified in NS records, from the Design menu, choose Forward Zones or Reverse Zones or Secondary Zones under the Auth DNS submenu. |
Step 5 |
Click the zone name in the Forward Zones or Reverse Zones or Secondary Zones pane to open the Edit Zones page. |
Step 6 |
Add a comma-separated list of IP addresses of the servers using the notify-list attribute on the Edit Zone page. |
Step 7 |
Select the value from the notify drop-down list. |
Step 8 |
Click Save. |
CLI Commands
Use dns set notify=value. You can also enable NOTIFY at the zone level, where you can use zone name set notify-list to specify an additional comma-separated list of servers to notify beyond those specified in NS records.
Blocking Recursive Queries from Authoritative Server
Blocking recursive queries allows the server to avoid spending resources processing queries it is not meant to answer. The Drop Recursive Queries (drop-recursive-queries) attribute controls whether the DNS server accepts or drops queries that have the RD (Recursion Desired) flag set. When this attribute is enabled, recursive queries are dropped by the server. The default value of drop-recursive-queries is disabled, which means that no recursive queries are dropped.
To enable drop-recursive-queries, do the following:
Local Advanced Web UI
Procedure
Step 1 |
From the Operate menu, choose Manage Servers under the Servers submenu to open the Manage Servers page. |
Step 2 |
Click DNS in the Manage Servers pane to open the Edit Local DNS Server page. |
Step 3 |
Under the Query Settings section, enable the drop-recursive-queries attribute by selecting the enabled option. |
Step 4 |
Click Save to save the changes. |
Note |
The setting can be changed dynamically without a DNS server reload. |
CLI Command
Drop Recursive Queries Statistics
On the Manage DNS Authoritative Server page, click the Statistics tab to view the queries-dropped-recursive statistic attribute under the Query Statistics section. This indicates the number of queries dropped due to recursion. The queries-dropped counter will be incremented when recursive queries are dropped.
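The following added example shows, in Python, what "queries that have the RD flag set" means at the packet level and how the drop-recursive-queries setting and the queries-dropped-recursive and queries-dropped counters described in this section relate to it. It is not Cisco Prime Network Registrar code: the AuthServer class, its handle() method and build_query() are constructed for illustration, and the counter names are only modelled on the statistic names the page lists. The RD bit position comes from the standard DNS header layout (RFC 1035).

```python
"""Added example (not Cisco Prime Network Registrar code): inspect the RD flag of a DNS
query and model the drop-recursive-queries behaviour with its two counters."""
import struct
from dataclasses import dataclass

RD_FLAG = 0x0100  # Recursion Desired bit in the 16-bit flags word of the DNS header (RFC 1035)


def recursion_desired(packet: bytes) -> bool:
    """Return True when the query header has RD set; raise on a truncated header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]   # bytes 2-3 of the header hold the flags
    return bool(flags & RD_FLAG)


@dataclass
class AuthServer:
    """Hypothetical authoritative server front end with the page's two drop counters."""
    drop_recursive_queries: bool = False   # documented default: disabled
    queries_dropped_recursive: int = 0     # modelled on the queries-dropped-recursive statistic
    queries_dropped: int = 0               # modelled on the queries-dropped statistic
    answered: int = 0

    def handle(self, packet: bytes) -> bool:
        """Return True if the query is accepted for processing, False if it was dropped."""
        if self.drop_recursive_queries and recursion_desired(packet):
            self.queries_dropped_recursive += 1
            self.queries_dropped += 1          # the general drop counter is incremented too
            return False
        self.answered += 1
        return True


def build_query(name: str, rd: bool, qid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal standard query for an A record (IN class)."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)   # QDCOUNT=1, no other sections
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN


if __name__ == "__main__":
    srv = AuthServer(drop_recursive_queries=True)
    for rd in (True, False):
        accepted = srv.handle(build_query("www.example.com", rd=rd))
        print(f"RD={'1' if rd else '0'} -> {'accepted' if accepted else 'dropped'}")
    print("queries-dropped-recursive:", srv.queries_dropped_recursive)
```

With the attribute left at its default (disabled) both constructed queries are accepted and neither counter moves; with it enabled, only the RD=1 query is dropped and both counters increase by one, which is the relationship an operator can use to sanity-check the Query Statistics after enabling the setting.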