Scanning and Reporting by DNS name (PC/SCA)

We provide the ability to scan and report on DNS tracked assets for policy compliance. In this help, we'll describe the end-to-end workflow from setting up your asset groups to launching scans to policy evaluation and reporting.

Scan by Hostname must be enabled

The Scan by Hostname feature must be enabled for your subscription. Contact your Technical Account Manager or Support if you don't already have it.

When enabled, this feature allows you to add DNS hostnames to your asset groups. You'll then be able to add those asset groups to your compliance policies.

DNS Tracking must be enabled

This feature must be enabled for your subscription. Contact your Technical Account Manager or Support if you don’t already have it.

Once enabled for the subscription, the Manager primary contact must also enable the feature by going to Scans > Setup > DNS Tracking and checking the "Enable DNS Tracking for hosts" option. Once enabled, you’ll see the FQDNs input field when launching/scheduling scans. You'll be able to enter one or more FQDNs when defining the target hosts.

Enable DNS Tracking Setup option

Set up your asset groups

Create asset groups with the assets you want to evaluate for policy compliance. You can add a combination of IP addresses and DNS hostnames (assuming Scan by Hostname is enabled). Later you'll assign asset groups to your compliance policies. Note that only Manager users can create/update asset groups with DNS hostnames. Once saved, the asset groups can be assigned to sub-users.

Asset Group with DNS hostnames added

Set up compliance policies

Create compliance policies with the controls you want to evaluate on your assets. Add the asset groups that you created with DNS hostnames.

Policy with asset groups added

Add scanner appliances (for internal scans only)

You can use existing scanner appliances in your account. Check your scanner appliances to be sure the DNS servers defined in their configuration match the DNS servers to be used for hostname-to-IP resolution. If the appliance uses different DNS servers, a hostname may resolve to a different IP address than the one you expect (or not resolve at all).

Set up authentication

Authentication is required for collecting compliance data on your assets. Create authentication records and add the IP addresses for your target hosts. In order to collect compliance data on a DNS asset, your authentication record will need to have the IP address that will be resolved from the DNS hostname. To create authentication records, go to Scans > Authentication > New and choose the record type. In the record, you'll enter login credentials and the IP addresses for the assets you want to scan.

New menu on Authentication tab

Don't know the IP address for your DNS asset?

No problem. In this case, you can launch a scan on the FQDN and we’ll resolve the DNS hostname to an IP address. If the IP address is not already in your PC/SCA account, then we'll add it to your account automatically. The newly added IP will be tracked by DNS. Go to Assets > Host Assets, and use the filter "DNS Tracked Hosts" to find the IP address for the DNS asset. Then, add the IP address to your authentication record and scan the FQDN again with authentication to collect compliance data. See the next step for more on scanning.

Host Assets list with DNS filter used
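The two steps above (authentication records must contain the IP address a DNS hostname resolves to, and an unknown IP can be discovered by resolving the FQDN) can be checked before a scan is launched. The following is an added example, not Qualys code: it resolves each FQDN, then reports which authentication records cover the resolved address and which hostnames are left without credentials. The record names, FQDNs and addresses are constructed sample data, and `sample_resolver` stands in for real DNS so the script runs offline; replace it with `system_resolver` on a host that uses the same DNS servers as your scanner appliance.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# A resolver maps an FQDN to its address strings (empty list when it does not resolve).
Resolver = Callable[[str], List[str]]


def system_resolver(fqdn: str) -> List[str]:
    """Resolve with the DNS servers configured on this host. For an internal scan the
    answer that matters is the one the scanner appliance's DNS servers give, so run this
    from a host that uses the same DNS servers as the appliance."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def build_networks(auth_records: Dict[str, Iterable[str]]):
    """Turn each record's IP entries (single IPs or CIDR blocks) into network objects."""
    return {
        name: [ipaddress.ip_network(entry, strict=False) for entry in entries]
        for name, entries in auth_records.items()
    }


def check_auth_coverage(fqdns: Iterable[str], auth_records: Dict[str, Iterable[str]],
                        resolver: Resolver = system_resolver) -> Dict[str, dict]:
    """For each FQDN, resolve it and report which authentication records cover the
    resolved address(es). Result per FQDN: resolved IPs, covering record names, and
    resolved IPs that no record covers."""
    nets = build_networks(auth_records)
    report = {}
    for fqdn in fqdns:
        ips = resolver(fqdn)
        covered_by, uncovered = set(), []
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            matching = [name for name, ranges in nets.items() if any(addr in r for r in ranges)]
            if matching:
                covered_by.update(matching)
            else:
                uncovered.append(ip)
        report[fqdn] = {"ips": ips, "covered_by": sorted(covered_by), "uncovered": uncovered}
    return report


def missing_coverage(report: Dict[str, dict]) -> List[str]:
    """FQDNs that did not resolve, or resolved to an IP no authentication record covers.
    These are the hosts an authenticated compliance scan would not collect data from."""
    return sorted(f for f, r in report.items() if not r["ips"] or r["uncovered"])


# Constructed sample data (hypothetical record names, hostnames and addresses).
SAMPLE_AUTH_RECORDS = {
    "linux-prod": ["10.10.1.0/24", "10.10.2.15"],
    "windows-dmz": ["192.0.2.10", "192.0.2.11"],
}
SAMPLE_DNS = {
    "web01.example.test": ["10.10.1.20"],   # covered by linux-prod via the /24
    "db01.example.test": ["10.10.2.15"],    # covered by linux-prod via a single IP
    "app01.example.test": ["192.0.2.12"],   # resolves, but no record has this IP
    "ghost.example.test": [],               # does not resolve at all
}


def sample_resolver(fqdn: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed SAMPLE_DNS table."""
    return SAMPLE_DNS.get(fqdn, [])


if __name__ == "__main__":
    result = check_auth_coverage(SAMPLE_DNS, SAMPLE_AUTH_RECORDS, sample_resolver)
    for fqdn, r in result.items():
        print(f"{fqdn}: ips={r['ips']} covered_by={r['covered_by']} uncovered={r['uncovered']}")
    print("needs an authentication record or DNS fix:", missing_coverage(result))
```

Hostnames listed by `missing_coverage` are the ones to act on before scanning: either the FQDN should be scanned once without credentials so the resolved IP lands in Host Assets, or the IP should be added to the right authentication record.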

Launch scans on your DNS assets

Go to Scans > New > Scan (or Schedule Scan).

Choose a scanner appliance option from the menu. For internal scanning, the scanner appliance you pick must be able to resolve the DNS hostnames to IP addresses.

Tell us the DNS assets you want to scan. You can enter a comma-separated list of FQDNs directly into the FQDN field. You can also select asset groups that have your DNS assets included.

What happens next: at scan time, the scanner appliance resolves each DNS hostname to an IP address. The resolved IP address may or may not already be in your PC/SCA account. If it is not, it is added automatically to the license container and the asset appears on your Host Assets list with the DNS tracking method.

Launch Compliance Scan window with FQDNs listed

Policy evaluation occurs automatically

Policy evaluation takes place whenever new scan results are processed. We’ll look at the IP address and the DNS hostname for each scanned asset, and if the IP or the DNS name matches an asset group in your policy, then we’ll perform the policy evaluation. Also, if the asset has a tag and the asset tag is in the policy, the policy will be evaluated.

Only want to evaluate IPs?

If you only want to perform policy evaluation on the IP addresses in your asset groups and not on the DNS hostnames, then a Manager can go to Assets > Setup > Asset Group DNS Resolution, and check the option "Do not resolve DNS assets to hostnames in policy asset groups".

Asset Group DNS Resolution Setup option
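The evaluation rule described above (an asset is evaluated when its IP or its DNS name matches an asset group in the policy, or when one of its tags is in the policy) and the "Do not resolve DNS assets" option can be modelled to see which scanned assets a policy will pick up. The code below is an added illustration, not Qualys's implementation: the `AssetGroup`, `Policy` and `ScannedAsset` classes, the `ip_only` flag, and all names and addresses are constructed for the example, and the assumption that the option only disables hostname matching (leaving IP and tag matching unchanged) is the author's reading of the help text, not something the page states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


def canon_host(name: str) -> str:
    """Normalise an FQDN for comparison: case-insensitive, no trailing dot."""
    return name.strip().rstrip(".").lower()


@dataclass
class AssetGroup:
    name: str
    ips: List[str] = field(default_factory=list)        # single IPs or CIDR blocks
    hostnames: List[str] = field(default_factory=list)  # DNS-tracked assets

    def contains_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(e, strict=False) for e in self.ips)

    def contains_host(self, fqdn: str) -> bool:
        return canon_host(fqdn) in {canon_host(h) for h in self.hostnames}


@dataclass
class Policy:
    name: str
    asset_groups: List[AssetGroup]
    tags: Set[str] = field(default_factory=set)


@dataclass
class ScannedAsset:
    ip: str
    hostname: str = ""              # empty for assets tracked by IP only
    tags: Set[str] = field(default_factory=set)


def should_evaluate(asset: ScannedAsset, policy: Policy, ip_only: bool = False) -> Tuple[bool, str]:
    """Decide whether a scanned asset is evaluated against the policy.
    ip_only models the "Do not resolve DNS assets to hostnames in policy asset groups"
    option: hostname matching is skipped, IP and tag matching still apply (assumption)."""
    for group in policy.asset_groups:
        if group.contains_ip(asset.ip):
            return True, f"IP {asset.ip} is in asset group {group.name}"
        if not ip_only and asset.hostname and group.contains_host(asset.hostname):
            return True, f"hostname {asset.hostname} is in asset group {group.name}"
    common_tags = asset.tags & policy.tags
    if common_tags:
        return True, f"tag {sorted(common_tags)[0]} is in the policy"
    return False, "no IP, hostname or tag match"


def evaluation_plan(assets: List[ScannedAsset], policy: Policy, ip_only: bool = False) -> List[str]:
    """Identifiers (hostname if present, else IP) of the assets that will be evaluated."""
    return [a.hostname or a.ip for a in assets if should_evaluate(a, policy, ip_only)[0]]


# Constructed sample data: one policy with a mixed IP/DNS asset group and a tag.
SAMPLE_POLICY = Policy(
    name="Server Baseline",
    asset_groups=[AssetGroup("web-tier", ips=["10.10.1.0/24"],
                             hostnames=["WEB01.example.test.", "web02.example.test"])],
    tags={"PCI"},
)
SAMPLE_ASSETS = [
    ScannedAsset("198.51.100.5", "web01.example.test"),   # matches only by hostname
    ScannedAsset("10.10.1.7"),                             # matches by IP
    ScannedAsset("203.0.113.9", tags={"PCI"}),             # matches by tag
    ScannedAsset("203.0.113.10", "other.example.test"),   # no match
]

if __name__ == "__main__":
    for ip_only in (False, True):
        print(f"ip_only={ip_only}:")
        for asset in SAMPLE_ASSETS:
            evaluated, reason = should_evaluate(asset, SAMPLE_POLICY, ip_only)
            print(f"  {asset.hostname or asset.ip}: {'evaluate' if evaluated else 'skip'} ({reason})")
```

Note the hostname normalisation in `canon_host`: an FQDN entered with different capitalisation or a trailing dot is the same DNS name, so a matcher that compares raw strings would silently leave assets out of the evaluation.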

Run policy compliance reports

Policy Reports can be launched on any of the assets in the asset groups assigned to your policy, including DNS assets and IP assets. Other compliance reports (scorecard reports, mandate-based reports, interactive reports, etc.) will only include IP assets (not DNS assets).

Go to Reports > New > Policy Report. Choose a policy report template, report format and then pick the policy you want to report on. Include all assets in the policy or select from the asset groups in the policy. Then click Run.

Settings for New Policy Report