display deception dns

Function

The display deception dns command displays the domain name scan status.

Format

display deception dns [ source ip-address ]

Parameters

Parameter	Description	Value
source ip-address	Specifies the source IP address initiating the domain name scan.	The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

By observing the domain name scan status, network administrators can set a more accurate domain name scan threshold using the deception dns-request rate command.

If the rate of a source address is low and does not reach the threshold but the number is large, a very patient hacker may be hidden behind this address.

Example

# Display domain name scan status.

<HUAWEI> display deception dns
 --------------------------------------------------------------------------------
 Current total number = 2                                                        
 --------------------------------------------------------------------------------
 source           number    rate(num/s)    error-aci      vpn-instance  
 --------------------------------------------------------------------------------
 192.168.1.1      4           231          0              public                    
 192.168.1.2      1           280          0              public                    
 --------------------------------------------------------------------------------  
 recent request dns domain :
 www.huawei.com
 192.168.1.3.aci

**Table 1** Description of the **display deception dns** command output
Item	Description
source	Source IP address initiating the domain name scan
number	Number of domain name scans
rate(num/s)	Rate of domain name scans, in scans per second
error-aci	Number of ACI suffix mismatches in DNS requests in ACI format
vpn-instance	VPN instance to which the source IP address belongs
recent request dns domain	Domain name in the latest request. A maximum of five domain names can be recorded