Security Center - DNS Queries

DNS servers are used by IoT devices to route outbound communication to the appropriate destination endpoint. DNS servers fall into two categories:

  • Public DNS servers: These are typically provided by infrastructure service providers and meant to direct traffic on the open Internet.
  • Private DNS servers: These usually reside behind a firewall, and are typically used to route traffic to internal sites and services within a closed network.

The DNS Queries widget monitors cellular traffic, and enables you to do the following:

  • Analyze how much of your IoT device traffic flows through open versus closed systems.
  • Understand how your IoT deployment has been configured, and spot anomalies.
  • Identify potential device hijacking scenarios, where IoT devices become repurposed, to direct traffic towards public DNS servers. The intent is to bring down these DNS servers which are a critical component of internet-based communications.


When you monitor the number of queries sent to DNS servers, you can establish a baseline and detect anomalies. You can also conduct a deep forensic analysis by clicking on a date to drill down into the specifics of all DNS queries for that day.

This view provides visibility into:

  • Different DNS servers that were hit on that day.
  • The protocol used to connect to the DNS server(s).
  • Whether servers were public or private.
  • When those queries were sent, over the course of the day.
  • Number of devices that sent queries to each DNS server.


To filter the list, click a specific DNS server. The list includes all queries sent from one or more IoT devices in the IoT deployment, to that DNS server.

This includes information such as:

  • Device ID.
  • Direction of data flow.
  • Amount of data sent or received.
  • Connection port and protocol used.
  • Frequency of communication.


In addition to the ICCID and the IMSI, this view includes data volumes sent and received, and the port/protocol used by the transacting device.



If you click on the ICCID or the IMSI, the interface provides a SIM-centric view. This helps you analyze which other DNS servers (either public or private) were contacted by the device.



Tracking the number of DNS queries sent by IoT networks provides you with a baseline of expected DNS traffic, so you can spot anomalies.

To take closed-loop remediation action, you can click Block SIM to block the device in-line. A pop-up window appears. Read how blocking SIM works, and then click YES, BLOCK.



Note: Blocking operations are reversible. You can unblock a blocked device.
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.