Name Resolution

Overview

The ElastiFlow™ Unified Flow Collector can be configured to resolve IP addresses to hostnames. The following settings allow this feature to be tuned to the needs of your environment.

EF_FLOW_DECODER_ENRICH_DNS_ENABLE

This setting enables DNS reverse lookups of IP addresses found in the received flow records.

  • Valid Values
    • true, false
  • Default
    • false

EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP

The default behavior of the collector is to use the operating system's configured name resolution to resolve IP addresses to hostnames. Optionally, a nameserver can be specified in this setting, which will be used instead.

Important: If configured, this setting MUST contain a valid IP address.

  • Default
    • empty

EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_TIMEOUT

If EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP contains a valid IP address, this setting contains the timeout period, in milliseconds, for queries to the name server.

  • Default
    • 3000 (milliseconds)

EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PRIVATE

If DNS resolution is enabled (EF_FLOW_DECODER_ENRICH_DNS_ENABLE is true), this option specifies whether private IP addresses will be resolved to hostnames.

  • Valid Values
    • true, false
  • Default
    • true

EF_FLOW_DECODER_ENRICH_DNS_RESOLVE_PUBLIC

If DNS resolution is enabled (EF_FLOW_DECODER_ENRICH_DNS_ENABLE is true), this option specifies whether public IP addresses will be resolved to hostnames.

  • Valid Values
    • true, false
  • Default
    • true

EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH

This setting specifies the path to the file containing user-defined hostname mappings. The feature is enabled if a path is configured; otherwise it is disabled.

Note: If the value of the path begins with a /, it will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.

An example of the format of this file is:

'192.0.2.1': 'host1'
'192.0.2.2': 'host2'

  • Default
    • ''
  • Recommended
    • hostname/user_defined.yml
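
A pre-flight check for the settings described above, as an added example that is not ElastiFlow code: it applies the path rule from the note, validates a nameserver value, and lints a mapping file in the format shown. The function names, the constructed sample data, and the choice to flag invalid, empty, or duplicate entries are assumptions of this example; how the collector itself treats such entries is not documented on this page.

```python
import ipaddress
import posixpath
import re
# One mapping per line, quoted as in the page's example: 'IP': 'hostname'
LINE_RE = re.compile(r"""^\s*(['"])(.+?)\1\s*:\s*(['"])(.*?)\3\s*$""")
# Constructed sample: two good lines, one mistyped address, one repeated address.
SAMPLE = """\
'192.0.2.1': 'host1'
'192.0.2.2': 'host2'
'192.0.2.300': 'typo'
'192.0.2.1': 'host1-dup'
"""

def valid_ip(value):
    """Return the normalized IPv4/IPv6 address, or None if value is not an IP."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def resolve_path(value, settings_path):
    """Leading '/' means absolute; otherwise relative to the settings path; empty disables."""
    if not value:
        return None
    return value if value.startswith("/") else posixpath.join(settings_path, value)

def nameserver_ok(value):
    """EF_FLOW_DECODER_ENRICH_DNS_NAMESERVER_IP: empty (default) or a valid IP address."""
    return value == "" or valid_ip(value) is not None

def check_userdef(text):
    """Return (mappings, problems); problems is a list of (line number, message)."""
    mappings, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and YAML comments
        m = LINE_RE.match(line)
        ip = valid_ip(m.group(2)) if m else None
        if not m:
            problems.append((n, "not in 'IP': 'hostname' form"))
        elif ip is None:
            problems.append((n, f"invalid IP address {m.group(2)!r}"))
        elif not m.group(4).strip():
            problems.append((n, f"empty hostname for {ip}"))
        elif ip in mappings:
            problems.append((n, f"duplicate entry for {ip}"))
        else:
            mappings[ip] = m.group(4)
    return mappings, problems
```

Run `check_userdef` on the file's contents before deploying it; with a non-zero refresh rate the collector reloads the file on its own schedule, so a mistake would otherwise surface only after the next reload.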

EF_FLOW_DECODER_ENRICH_DNS_USERDEF_REFRESH_RATE

The file specified in EF_FLOW_DECODER_ENRICH_DNS_USERDEF_PATH can be reloaded automatically to refresh values without restarting the collector. This value specifies the interval, in minutes, at which the file will be reloaded. A value of 0 disables refreshing of the values.

  • Default
    • 15

EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH

For more control of when enrichment is applied, IP addresses can be included or excluded from hostname enrichment by Autonomous System or CIDR. This setting specifies the path to this file.

Note: If the value of the path begins with a /, it will be interpreted as an absolute file system path. Otherwise it will be interpreted as relative to the value of EF_FLOW_DECODER_SETTINGS_PATH.

For more details on the format of this file and the behavior of the include/exclude functionality refer to: Scoping Enrichment with Include/Exclude

  • Default
    • ''
  • Recommended
    • hostname/incl_excl.yml

EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_REFRESH_RATE

The file specified in EF_FLOW_DECODER_ENRICH_DNS_INCLEXCL_PATH can be reloaded automatically to refresh values without restarting the collector. This value specifies the interval, in minutes, at which the file will be reloaded. A value of 0 disables refreshing of the values.

  • Default
    • 15