DNS Detection and Response (DNS DR) in DDI Central is a modern defensive layer that transforms your DNS infrastructure into an active security control point. Instead of just resolving queries, DDI Central leverages DNS traffic to detect, analyze, and respond to threats in real time—before they reach your endpoints or internal services.
DNS Detection and Response (DDR) mechanism in DDI Central
DDI Central’s DDR mechanism continuously monitors DNS queries and DHCP interactions within your network, automatically detecting suspicious activities based on predefined threat intelligence and policy rules.
How DDR works:
- Detection: When DDI Central’s DNS Threat Intelligence module observes continuous queries from an IP address to domains listed in its active threat feed hub, it flags the activity as suspicious.
- Automated quarantine: Once suspicious behavior is detected, DDR automatically initiates isolation without requiring manual intervention from the administrator, significantly reducing response times and minimizing potential damage.
  Depending on the configured response, DDR automatically quarantines the compromised IP addresses or hosts using different enforcement methods:
  - ACL (DNS): Immediately blocks further DNS queries from the suspicious IP at the DNS server level.
  - Client Subnet (DNS): Isolates the entire subnet, preventing malicious activity from spreading across your network segments.
  - Host (DHCP): Automatically isolates the compromised host by assigning it to a restrictive DHCP scope, limiting network access.
  - Filter (DHCP): Blocks the compromised host entirely from acquiring new DHCP leases by MAC filtering.
- Visibility and control: Administrators can quickly identify which DDR mechanism triggered the quarantine through the dedicated Quarantine dashboard. This dashboard clearly highlights the isolation method used, enabling precise diagnosis and remediation.
This intelligent and automated approach empowers network admins with rapid response capabilities, drastically reducing risk and improving overall network resilience.
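The detect-then-quarantine flow above, modelled as an added example (not DDI Central code): a constructed resolver query log is checked against a constructed threat feed, a client is flagged once it has queried feed-listed domains a threshold number of times, and the response is dispatched to DNS (ACL) and/or DHCP (Filter by MAC, or Host when no lease is known) according to the configured quarantine channels. The threshold, feed, lease table and the Host fallback are assumptions for illustration.

```python
from collections import defaultdict

# Constructed threat feed and DHCP lease table (hypothetical values).
THREAT_FEED = {"malicious.example", "c2.example"}
DHCP_LEASES = {"10.0.5.23": "00:11:22:33:44:55"}   # client IP -> MAC
QUERY_THRESHOLD = 3  # assumed: flag after this many feed-listed queries

# Constructed resolver log, one query per line: "<epoch> <client_ip> <qname>"
QUERY_LOG = """\
1700000001 10.0.5.23 www.example.com
1700000002 10.0.5.23 c2.example
1700000003 10.0.5.23 c2.example
1700000004 10.0.5.23 malicious.example
1700000005 10.0.5.40 malicious.example
1700000006 10.0.5.40 www.example.com
1700000007 10.0.5.23 beacon.c2.example
"""

def parse_log(text):
    """Yield (timestamp, client_ip, normalised qname) per log line."""
    for line in text.splitlines():
        ts, ip, qname = line.split()
        yield int(ts), ip, qname.lower().rstrip(".")

def in_feed(qname, feed):
    """A name matches if it is a listed domain or a subdomain of one."""
    return qname in feed or any(qname.endswith("." + d) for d in feed)

def detect(log_text, feed=THREAT_FEED, threshold=QUERY_THRESHOLD):
    """Return {client_ip: hit_count} for clients at or above the threshold."""
    hits = defaultdict(int)
    for _, ip, qname in parse_log(log_text):
        if in_feed(qname, feed):
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def respond(flagged, quarantine_via, leases=DHCP_LEASES):
    """Map flagged clients to quarantine actions per the enabled channels."""
    actions = []
    for ip in sorted(flagged):
        if "DNS" in quarantine_via:
            actions.append(("ACL", ip))          # block further DNS queries
        if "DHCP" in quarantine_via:
            mac = leases.get(ip)
            if mac:
                actions.append(("Filter", mac))  # deny new leases by MAC
            else:
                actions.append(("Host", ip))     # assumed fallback: restrictive scope
    return actions
```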
Quarantine Modes
Admins can also define how threat quarantine is enforced. Navigate to Settings → System → App Settings.

Under App Settings, admins can choose to quarantine threats at the DNS level, the DHCP level, or both, depending on the network defense strategy. This lets you tailor containment to how threats propagate: through name resolution, IP assignment, or both channels. Check the desired options under the "Quarantine Threats Via" setting to activate the preferred quarantine mode.
Filtering Quarantined Hosts
Admins can view all quarantined hosts on a dedicated page. To access it, navigate to Threat Intel → Quarantine from the left-hand menu. On the Quarantine page, you can quickly narrow down which hosts were isolated by the DNS Detection & Response (DDR) engine.

Choose the Service
- Service: Select either DNS or DHCP to show only quarantined hosts from that service stream.
- DNS filters display only DNS-related quarantines; DHCP filters display only DHCP-related quarantines.
Pick a Filter Category
Under Filter By, pick one:
- IP — filter on a specific IP address
- MAC Address — filter on a specific MAC
- Quarantined Through — see how the host was blocked
- Cluster — target a particular server cluster (Linux or Windows)
Enter Your Filter Value
Depending on which Filter By you chose, the next field lets you specify:
- Cluster: pick “Linux” or “Windows”
- Quarantined Through:
  - ACL (Linux) — a DNS ACL rule blocked the host’s queries
  - Client Subnet (Windows) — network-level isolation at the client subnet
  - Host (Linux) — automatic host-reservation quarantine via DNS host entries
  - Filter (DHCP) — MAC-address-based DHCP filtering
Apply or Clear
- Click the adjacent Search button (or press Enter) to show only matching quarantined hosts.
- Use Clear Filter to reset and view all quarantined entries again.
By mixing and matching these three controls—Service, Filter By, and the Filter value—you can pinpoint exactly which infected or misbehaving endpoints the DDR engine has isolated, and take remediation steps right from the UI.
Managing Quarantined Entries
- Review
  - Once filtered, the table displays matching quarantined hosts along with details (service, quarantine method, timestamp, cluster).
- Delete (Release from Quarantine)
  - Select one or more rows by checking the leftmost checkbox.
  - Click the Delete button at the top right.
  - Confirm in the prompt to release those hosts from quarantine back onto the network.
Note: Only administrators can delete (release) quarantined entries. Deletion does not delete the host—it simply lifts the isolation so normal DNS/DHCP operations resume.
Best Practices
- Regular review: Check the Quarantine page daily to ensure legitimate devices aren’t unintentionally blocked.
- Triage quickly: Use filters to rapidly isolate high-priority threats (e.g., ACL quarantines may indicate DNS flooding).
- Document actions: Before deleting entries, record the reason and remediation steps for audit trails.
- Integrate with SIEM: Forward quarantine logs to your security information and event management system for centralized threat tracking.
By leveraging the Quarantine page filters and management controls, you maintain tight security over your DNS and DHCP services—ensuring rapid detection, isolation, and remediation of network threats.