Scanning and Reporting by DNS name (VM/VMDR)

We’ve supported scanning by DNS hostname for some time. Recently we added support for reporting by DNS name using scan report templates. This capability is useful for customers with DNS-tracked hosts.

What you’ll need

The following 2 features must be enabled for your subscription. Contact your Technical Account Manager or Support to have them enabled.

- Scan by Hostname

- Report by DNS Hostname

Check your account settings

Check Scan by Hostname feature is enabled

When enabled, you’ll see a DNS section in your asset groups. This is where you add the DNS names of the assets you want to scan and report on.

DNS section in Edit Asset Group window

Check Report by DNS Hostname feature is enabled

When enabled, you’ll see the “Resolve DNS association …” option in your scan report templates. Note that it is not enabled by default.

Resolve DNS association of asset group option in Scan Report Template

What are the steps?

These are the same steps used to scan by DNS hostname; only the reporting step adds an option to resolve the IP addresses returned in scan results to the DNS names defined in your asset groups.

1) Set up your asset groups

- Add DNS hostnames you want to scan/report on in your asset groups (see sample above).

- Keep in mind you can add IP addresses and hostnames to the same asset group.

- Managers have permissions to add/edit DNS hostnames in asset groups.

2) Add Scanner Appliances (internal scans only)

- You can use existing scanner appliances in your account.

- Check that the DNS servers configured on each scanner appliance are the ones that resolve your asset-group hostnames. The appliance resolves targets with its own DNS settings, so a name that resolves fine from your workstation can still fail on the appliance.

3) Scan Asset Groups

- Use the familiar scan workflows (Scans > New > Scan and Schedule Scan).

- Choose a scanner appliance option from the menu (internal and external scanning are both supported). For internal scanning, the scanner appliances you pick must be able to resolve the DNS hostnames in the asset group(s) to IP addresses in your account.

How it works - When you scan a host by DNS hostname, the scanner appliance resolves the hostname to an IP address in your account, and the scan results are keyed by that IP address. If a DNS name does not resolve, or resolves to an IP address that is not in your account, no scan results are returned for that host. Compare the hosts that actually appear in the results against the DNS entries in your asset groups to catch names that were skipped.
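The resolution step above is where a scan by DNS name quietly loses hosts, so a pre-flight check before launching is worthwhile. The Python below is an added example, not Qualys code: it takes the DNS names of an asset group and the subscription's IP ranges (both constructed sample data here, with abc123.dev.qualys.com from this article plus hypothetical example.com names) and reports which names resolve into those ranges and which would return no results. The resolver is injectable: `system_resolver` uses the DNS settings of the machine running the script, and `fake_resolver` supplies constructed answers so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional, Sequence, Tuple

# Constructed sample data (not from the Qualys product): the DNS entries of one
# asset group and the IP ranges that belong to the hypothetical subscription.
ASSET_GROUP_DNS = [
    "abc123.dev.qualys.com",   # resolves inside the subscription
    "db01.dev.example.com",    # resolves inside the subscription
    "orphan.dev.example.com",  # resolves to an address outside the subscription
    "nx.dev.example.com",      # does not resolve at all
]
SUBSCRIPTION_RANGES = ["10.10.0.0/16", "192.168.50.0/24"]

Resolver = Callable[[str], Optional[str]]


def system_resolver(hostname: str) -> Optional[str]:
    """Resolve with the DNS settings of the host running this script.

    Run it from a box with the same DNS servers as the scanner appliance,
    because the appliance resolves targets with its own configuration,
    not with your workstation's.
    """
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def preflight(dns_names: Sequence[str], ranges: Sequence[str],
              resolve: Resolver = system_resolver) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split asset-group DNS names into scannable targets and skipped names.

    Returns (targets, skipped): targets maps hostname -> resolved IP for names
    that resolve into one of the subscription ranges; skipped maps hostname ->
    reason for names the scan would return no results for.
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    targets: Dict[str, str] = {}
    skipped: Dict[str, str] = {}
    for name in dns_names:
        ip = resolve(name)
        if ip is None:
            skipped[name] = "does not resolve"
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            skipped[name] = f"resolves to {ip}, outside subscription ranges"
            continue
        targets[name] = ip
    return targets, skipped


# Constructed answers standing in for the appliance's DNS servers so the
# example runs offline; pass system_resolver to check a real environment.
FAKE_ANSWERS = {
    "abc123.dev.qualys.com": "10.10.4.21",
    "db01.dev.example.com": "192.168.50.8",
    "orphan.dev.example.com": "172.16.9.3",
}


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_ANSWERS.get(hostname)


if __name__ == "__main__":
    targets, skipped = preflight(ASSET_GROUP_DNS, SUBSCRIPTION_RANGES, fake_resolver)
    for name, ip in targets.items():
        print(f"OK    {name} -> {ip}")
    for name, why in skipped.items():
        print(f"SKIP  {name}: {why}")
```

Anything listed under SKIP is a host the scan would not report on; fix the DNS record, the appliance's DNS configuration, or the subscription's IP ranges before launching rather than discovering the gap in the report.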

4) Run Scan Reports

Create a scan template. Go to Templates > New > Scan Template.

New Scan Template menu option under Templates

On the Findings tab, choose Host Based Findings.

Host Based Findings option selected in Scan Report Template

Select the target asset groups, the same asset groups you used for the scan by DNS name. We’ll always report on scanned assets by IP address. Want to report on scanned assets by DNS name? Use the checkboxes shown.

Scan Report Template with Resolve DNS association of an asset group and Include only the latest scanned DNS asset options selected

Choose "Resolve DNS association" to report by DNS name

Good to know - These checkboxes appear only when the Report by DNS Hostname feature is enabled for your subscription.

Resolve DNS association of an asset group

(This is used to report on assets you've scanned by DNS hostname following the steps above)

When checked, the DNS names of assets in the scan results are compared against the DNS entries in the asset groups, and assets whose DNS name matches are included in the scan report. By default all asset entries for each DNS hostname are included, i.e. every asset that was resolved from that DNS name.

Include only the latest scanned DNS asset

(This option is available only when Resolve DNS association is checked)

When checked, only the most recently scanned asset entry for each DNS name is included in the report. This is useful when your account has multiple asset entries for the same DNS name.

Why you might want to enable this option

- Let's say asset group AG1 has the hostname abc123.dev.qualys.com assigned to it.

- The environment uses DHCP, but the IP ranges have not been set up for DNS tracking in the subscription, so each new lease address becomes a separate asset entry.

- If the asset with the abc123.dev.qualys.com hostname is scanned daily and the DHCP lease lasts only 1 day, then over one week there will be 7 asset entries for the 1 machine.

- Choosing this option ensures that only 1 asset entry (the one scanned last) is included in the report.
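To make the effect of the two checkboxes concrete, here is an added Python model of the DHCP scenario above. It is example code, not the Qualys reporting engine; the `ScanResult` records, dates and IP addresses are constructed, and other.dev.example.com is a hypothetical second host. It keeps the asset entries whose DNS name matches the asset group (the "Resolve DNS association" behaviour) and, with `latest_only`, collapses the seven daily entries for abc123.dev.qualys.com to the one scanned last.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ScanResult:
    """One scanned asset entry as it appears in scan results (keyed by IP)."""
    ip: str
    dns: Optional[str]   # DNS name recorded for the asset, if any
    scanned: date        # date of the scan that produced this entry
    findings: int        # number of findings, so rows visibly carry data


# Constructed sample data: AG1 holds one DNS hostname; the scan results hold
# the same DHCP machine seen on seven daily leases plus an unrelated host.
AG1_DNS: Set[str] = {"abc123.dev.qualys.com"}

SCAN_RESULTS: List[ScanResult] = [
    ScanResult(f"10.10.4.{20 + day}", "abc123.dev.qualys.com",
               date(2024, 3, 1) + timedelta(days=day), findings=3)
    for day in range(7)
] + [ScanResult("10.10.9.1", "other.dev.example.com", date(2024, 3, 7), findings=1)]


def dns_association_rows(results: Iterable[ScanResult], group_dns: Set[str],
                         latest_only: bool = False) -> List[ScanResult]:
    """Rows included when "Resolve DNS association of an asset group" is on.

    Assets whose DNS name matches an entry in the asset group are kept. With
    latest_only (the "Include only the latest scanned DNS asset" box), only
    the most recently scanned entry per DNS name survives.
    """
    matched = [r for r in results if r.dns in group_dns]
    if not latest_only:
        return sorted(matched, key=lambda r: (r.dns, r.scanned, r.ip))
    latest: Dict[str, ScanResult] = {}
    for r in matched:
        current = latest.get(r.dns)
        if current is None or r.scanned > current.scanned:
            latest[r.dns] = r
    return sorted(latest.values(), key=lambda r: r.dns)


if __name__ == "__main__":
    for latest_only in (False, True):
        rows = dns_association_rows(SCAN_RESULTS, AG1_DNS, latest_only)
        print(f"latest_only={latest_only}: {len(rows)} row(s)")
        for r in rows:
            print(f"  {r.dns}  {r.ip}  scanned {r.scanned}  findings={r.findings}")
```

Without `latest_only` the report carries all seven entries for the one machine, one per lease address; with it the report carries the 10.10.4.26 entry from the last scan only. The unrelated host is excluded either way because its DNS name is not in AG1.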