DNS Lookup Data Adapter

This adapter enables Graylog to perform real-time DNS lookups, translating domain names into IP addresses and vice versa.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • The Graylog server must have outbound network connectivity to reach the DNS servers or resolvers you intend to use. Verify that there are no firewall rules or network restrictions blocking DNS traffic from the Graylog server to the specified DNS servers.

  • Ensure that the DNS servers you plan to use are operational and responsive. Test connectivity from the Graylog server to these DNS servers to confirm that DNS queries can be successfully sent and responses received.

Configure the Data Adapter

You can create a data adapter during the lookup table creation workflow, or create one separately on the Data Adapters tab. The following configuration options are available for this data adapter:

Title

A short and unique title for this data adapter.

Description

Data adapter description.

Name

The name used to refer to this data adapter. This should be something unique and recognizable within your Graylog environment.

Custom Error TTL

Specifies the time to live (TTL) for custom error messages if any occur during the API interaction. Enter a value in seconds, such as 3600 for 1 hour, depending on your logging and troubleshooting needs.

DNS Lookup Type

Select the type of DNS lookup to perform, including:

  • Resolve hostname to IPv4 address (A)

  • Resolve hostname to IPv6 address (AAAA)

  • Resolve hostname to IPv4 and IPv6 address (A and AAAA)

  • Reverse lookup (PTR)

  • Text lookup (TXT)

DNS Server IP Address (Optional)

Specify the IP address or addresses of the DNS servers that Graylog uses to perform DNS lookups. You can provide a single IP address or a comma-separated list of multiple DNS server IP addresses. If no value is specified, Graylog uses the values specified in local network adapter settings.

DNS Request Timeout

Sets the maximum time (in milliseconds) that Graylog waits for a DNS query to be resolved before timing out. Set this to balance waiting long enough for slow resolvers against delaying the processing of other messages while a lookup is pending.

Cache TTL Override (Optional)

Sets the duration in seconds for how long DNS responses should be cached locally in Graylog. Setting a time to live (TTL) override can help control the caching behavior specific to your environment's needs.

Example DNS Lookup Pipeline Rule

This pipeline rule resolves an IPv4 address to its DNS record (reverse DNS lookup). Replace dns_lookups with the name of your DNS lookup data adapter.

rule "PARSE IP to DNS"
when
    has_field("source_ip")
    && regex(
        pattern: "^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}$",
        value: to_string($message.source_ip)
        ).matches == true
then
    let rs = lookup_value("dns_lookups", to_string($message.source_ip));
    set_field("source_ip_dns", to_string(rs));
end
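To make the interaction of the settings above concrete, here is an added Python model of a DNS lookup adapter (example code, not Graylog's own implementation): it applies the selected lookup type, builds the PTR query name from the address, caches answers for the Cache TTL and failures for the Custom Error TTL, and rejects strings that are not valid addresses (note that the \d{1,3} pattern in the rule above also matches 999.1.1.1). The zone data, the fake_query function and the DnsLookupAdapter class are constructed for this example; the DNS server list and the "A and AAAA" combined type are not modelled.

```python
import ipaddress
import time

# Constructed zone data standing in for a real resolver, so the example runs offline.
FAKE_ZONE = {
    ("A", "app.example.test"): ["192.0.2.10"],
    ("AAAA", "app.example.test"): ["2001:db8::10"],
    ("PTR", "10.2.0.192.in-addr.arpa"): ["app.example.test"],
    ("TXT", "example.test"): ["v=spf1 -all"],
}

def fake_query(qtype, name, timeout_ms):
    """Stand-in for a DNS client call; a real client would enforce timeout_ms."""
    if (qtype, name) not in FAKE_ZONE:
        raise LookupError(f"no {qtype} record for {name}")
    return list(FAKE_ZONE[(qtype, name)])

class DnsLookupAdapter:
    """Mirrors the adapter settings: lookup type, request timeout, cache TTL, error TTL."""

    def __init__(self, lookup_type, query=fake_query, timeout_ms=500,
                 cache_ttl=300, error_ttl=60, clock=time.monotonic):
        self.lookup_type, self._query, self.timeout_ms = lookup_type, query, timeout_ms
        self.cache_ttl, self.error_ttl, self._clock = cache_ttl, error_ttl, clock
        self._cache = {}   # key -> (expires_at, records or None)
        self.misses = 0    # lookups that went to the resolver instead of the cache

    def _resolve(self, key):
        self.misses += 1
        if self.lookup_type == "PTR":
            # Strict parsing: "999.1.1.1" raises ValueError here although \d{1,3} matches it.
            name = ipaddress.ip_address(key).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
            return self._query("PTR", name, self.timeout_ms)
        return self._query(self.lookup_type, key, self.timeout_ms)  # A, AAAA or TXT

    def lookup(self, key):
        """Cached lookup; None means 'no answer' and is cached for error_ttl, not cache_ttl."""
        now = self._clock()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return hit[1]
        try:
            result, ttl = self._resolve(key), self.cache_ttl
        except (LookupError, ValueError):
            # Failures are cached too, so a burst of unresolvable keys does not
            # hit the resolver once per message; they expire after error_ttl.
            result, ttl = None, self.error_ttl
        self._cache[key] = (now + ttl, result)
        return result
```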

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: