DNS Threat Intelligence
Consolidated threat insights
Unified. Up-to-the-minute. Unmissable—see threats unfold in real time, from one single window.
- Real-Time threat visibility
Gain instant situational awareness with live dashboards that track and quantify threat activity across your DNS infrastructure—helping security teams take decisive action without delay. - Actionable trend analytics
Visualize threat trends over time to identify activity spikes, recurring attack windows, and high-velocity threats—enabling smarter incident response and strategic policy adjustments. - Categorized threat intelligence
Understand the nature of each threat with auto-classification into known categories such as phishing, malicious code injection, or detection anomalies—facilitating targeted remediation strategies.
- Host and source attribution
Trace each threat to its origin and impacted endpoint using built-in correlation of threat sources, affected devices, and hit counts—essential for faster incident triage, root-cause analysis, and containment planning. - Confidence-Based prioritization
Leverage confidence scores to differentiate critical threats from less urgent alerts, ensuring that your response efforts are focused where the risk is highest. - Executive-Level summaries at a glance
Monitor top threat actors, vulnerable hosts, and malicious domains through compact, visually intuitive summaries—providing leadership teams and auditors with transparent threat exposure insights.
Feed servers
Fortify your DNS with real-time defense—powered by live, vetted threat sources.
- Real-Time threat intelligence delivery
Administrators gain continuous protection with automatic, interval-based synchronization of malicious domain data. This ensures DNS defenses are always current—minimizing the risk of zero-day attacks without requiring manual list updates. - Comprehensive, multi-vendor coverage
By integrating feeds from a diverse set of threat intelligence providers—such as ManageEngine CloudDNS, Kaspersky, AlienVault, and others—DDI Central delivers broader detection, enriched analytics, and stronger threat correlation across environments. - Automated policy conversion and enforcement
Each incoming threat feed is automatically translated into enforceable DNS policies (RPZ/ACL rules/DHCP MAC Filters) and deployed across all configured DNS/DHCP servers. This eliminates manual intervention while ensuring consistent, enterprise-wide protection.
- Flexible, scalable threat defense posture
Admins can dynamically onboard, reconfigure, or retire feed servers as the threat landscape evolves, enabling security teams to scale and tailor defenses to meet organizational needs without disrupting operations. - Support for custom STIX/TAXII feeds
DDI Central enables you ingest any STIX/TAXII-compliant feed—be it internal, industry-specific, or partner-sourced—enabling tailored threat defense aligned with your unique security posture. - License-Aware and credential-controlled access
Every feed server can be configured with organization-specific access credentials, ensuring secure and authorized consumption of premium threat feeds. This keeps you compliant with licensing terms while ensuring feeds are authenticated and tamper-proof.
Feed hub
The watchtower of your DNS threat intelligence—No indicator escapes the view.
- Unified feed view for all flagged domains and IPs across vendors
Say goodbye to fragmented portals. Feed Hub offers a consolidated view of all Indicators of Comprimise (IOCs)—whether from AlienVault, Kaspersky, IBM X-Force, or your own STIX/TAXII feeds. - Drill down with precision
Easily locate the most critical entries by filtering on confidence score, attack type (e.g., malware, phishing), or feed provider—ensuring fast and focused incident response. - Automatic policy propagation to DNS resolvers
No manual syncing needed. Once a threat appears in Feed Hub, it’s already blocked at the resolver level—enabling real-time protection and reducing exposure windows.
- Exportable reports for audit, SOC sharing, or RCA
Generate and share tailored threat summaries in PDF format—ideal for audits, compliance, or team briefings. Show exactly what hit your network and when. - Trace the threat trail
Track each domain or IP by timestamp and feed origin to reconstruct incident timelines or validate cross-feed consistency—essential for forensic investigations. - Hyperlinked drill-ins for deeper context
Click through to view detailed reports for any IOC—IP or domain—and gather context on feed hit counts, related endpoints, and potential spread vectors.
Threat reports
From raw logs to real insights—Your built-in DNS threat analyst
- Visualize and decode the DNS-layer attack surface in real time
Admins can quickly interpret top threats, affected hosts, record types, and threat origin—turning raw indicators into actionable visibility. Pie charts, tables, and time-series graphs provide an instant snapshot of what’s happening, where, and how often. - Pinpoint incidents faster with layered filtering capabilities
Drill down by source IP, domain name, device identity, threat category, and confidence score. Combine filters to isolate patterns—like phishing threats targeting a specific device with a 100% confidence score—for surgical response and root cause tracing. - Track threat trajectories
Time-based confidence score graphs help admins trace how a domain’s reputation has changed over time—ideal for identifying late-emerging threats or falsely trusted domains that recently turned malicious.
- Correlate threats with internal exposure for faster containment
Understand which internal hosts (IPs or hostnames) interacted with flagged domains, and how often. This lets admins prioritize cleanups, isolate endpoints, or raise alerts for devices repeatedly hitting high-risk sources. - Export the evidence
Generate detailed threat summaries in PDF and CSV on-demand to support security audits, compliance needs, or incident review meetings. Each report includes metadata, severity breakdowns, source info, and distribution visuals for clarity. - Classify, quantify, and act based on threat criticality
Confidence scores are mapped across the network to help admins quickly distinguish between critical (90—100), high (75—89), and medium (50—74) threats—enabling smart triage, automated quarantine, and priority escalation.
DNS Detection and Response (DDR)
DNS-based quarantine
DNS doors slam shut for compromised devices.
- Block at first sight
DDI Central uses DNS ACLs on Linux and Client subnet-based isolation on Windows to immediately cut off compromised devices from making further DNS queries, stopping the spread of malware at the earliest stage. - Containment without delay
Admins don’t have to manually isolate infected endpoints—DDI Central’s automated DDR engine enforces quarantine rules the moment threat-domain lookups are observed, slashing response times.
- Know What was blocked, When, How, and Why
The Quarantine dashboard offers detailed attribution, including service (DNS), quarantine type (ACL or Client Subnet), cluster, and timestamp—empowering informed decisions and audit-friendly records. - Powerful filters for rapid triage and cleanup
Drill down by cluster, IP, or quarantine method to review and release entries as needed—all from a unified console. Streamline investigations and restore legitimate devices quickly.
DHCP-based quarantine
From MAC address to MAC arrest—Containment that sticks.
- MAC flagged. Network locked.
Leverages MAC filtering for Windows clusters to permanently block infected endpoints from receiving new IP leases—ensuring rogue devices can’t sneak back into the network through DHCP requests. - One scope to isolate them all.
In Linux clusters, compromised MACs are funneled into a restricted DHCP reservation pool, locking them inside a subnet built for quarantine—ensuring zero lateral movement.
- No Lease. No Lurking. No Leakage.
Prevents misbehaving devices from reacquiring IPs, whether by dynamic lease or manual reconnect—cutting off their ability to communicate across the network. - Catch, Contain, and cut off—Automatically.
DDR triggers this quarantine instantly upon threat detection, without admin intervention, enabling real-time containment of infected endpoints based on DHCP activity.
DDI Central + OpManager Plus
OpManager Plus checkpoint
Instant visibility into devices, services, and associated clusters.
- At-a-Glance. Always in Control.
Instantly access a live snapshot of all OpManager Plus—managed devices—their health, status distribution, and anomalies—so admins know the exact state of operations at any given moment. - Spot Trouble. Stop Downtime.
Critical and unmanaged devices surface immediately, enabling admins to prioritize threats and act decisively before they escalate into outages.
- Status Counts. Smarter Decisions.
Real-time tallies across servers, switches, and controllers translate raw numbers into actionable insights, guiding resource allocation where it matters most. - One Screen. Complete Awareness.
A consolidated, live checkpoint eliminates context switching—delivering the operational pulse in real time for sharper oversight and faster decisions.
Device catalog
Navigate Devices, Unlock Diagnostics. Every Device at a Glance, Every Detail Within Reach.
- Unified device visibility
Gain a single consolidated view of all managed devices across the network, eliminating silos and ensuring no asset goes unnoticed. - Comprehensive context in real time
Access key attributes—status, IP, device type, vendor, and interfaces—at a glance to accelerate diagnostics and operational decisions.
- Lifecycle and health tracking
Monitor device states over time, from discovery to current status, enabling proactive management and faster issue resolution. - Integrated intelligence across systems
Leverage OpManager Plus and DDI Central integration to correlate device health with DNS, DHCP, and IP insights for end-to-end operational awareness.
Device diagnostics
Layer-2 switch-port traceability. Deep device diagnostics. Nothing left unseen.
- Unified device snapshot
Instantly view device status, type, vendor, and discovery history. Saves admins from toggling across tools. Quickly decide if a device needs attention, lifecycle review, or can be left running. - Availability and packet loss metrics
Track today’s availability and packet loss in real time. Delivers operational clarity in a single glance. Spot outages or instability early and take corrective measures before they escalate. - Latency in the spotlight
Monitor network responsiveness with built-in latency indicators. Helps ensure seamless service performance. Diagnose slowdowns instantly and validate SLA compliance.
- Resource utilization pulse
Keep tabs on CPU, memory, and disk usage trends. Prevents blind spots in workload management. Enables admins to rebalance workloads, scale resources, or investigate unusual spikes. - Network path visibility
Know exactly which switch and port your device connects to. Eliminates guesswork in dependency mapping. Accelerates root-cause analysis and simplifies port utilization planning. - Correlated operational context
Correlate availability, performance, and resource usage in one console. Provides contextual visibility without data fragmentation. Helps admins prioritize fixes based on both device health and network impact.
Uptime trends
From Hours to Months—The one-stop view for device uptime intelligence.
- Availability over time at a glance
Track real-time availability across multiple timeframes (hours, days, weeks, and months) with intuitive visualizations—helping admins instantly distinguish true outages, scheduled maintenance, and dependency-driven downtime. - Patterns beyond percentages
Correlation between IP lifecycle data (IP, DNS, DHCP) and live device monitoring means admins can pinpoint the root cause of service disruptions instead of wasting time chasing symptoms. This enables proactive problem-solving before users or services feel the impact.
- Unified lens, Smarter Ops.
With DDI Central + OpManager integration, admins get a single console for availability, health, and diagnostics, eliminating swivel-chair monitoring and enabling faster, data-backed responses. - One Network Source of Truth (NSoT)
By merging IPAM data with live availability metrics, admins always operate from a single, authoritative dataset—eliminating inconsistencies between network monitoring and address management tools.
IP anomalies
Simplifying IP anomaly management. Expose the unknown. Eliminate the unmanaged.
- Spot the Rogue. Secure the Network.
Quickly identify and flag rogue IPs that bypass authorized controls, enabling administrators to take decisive action to eliminate security risks before they escalate. - Unassigned, Uncovered, Under Control.
Detect IPs marked as “used” but not provisioned by DDI DHCP, helping admins close visibility gaps, prevent IP conflicts, and enforce governance across the network.
- Correlate Fast. Remediate Faster.
Leverage anomaly details enriched with DNS, subnet, and switch context to trace issues directly to their source, accelerating root-cause analysis and reducing resolution times. - Unified anomaly intelligence.
Gain a centralized view of all IP anomalies, empowering admins with actionable intelligence to streamline troubleshooting, strengthen compliance, and maintain operational resilience.
NTP server configuration
Time infrastructure setup
Control the clock. Command the network. Design time infrastructure on your terms—with enterprise-grade access controls.
- Centralized configuration. Streamlined onboarding.
Effortlessly configure NTP servers, peer settings, and access controls from a unified interface. This simplifies time service setup across distributed environments, reducing manual overhead and configuration drift. - Fine-Grained sync control for precision timing
Admins can define peer behavior using flags like iburst, burst, and prefer, enabling optimized synchronization logic. This ensures accurate and prioritized time distribution, especially in high-availability or latency-sensitive infrastructures.
- Built-in key support for authenticated peering
Support for authentication keys enhances integrity in NTP communications by validating peer legitimacy. Admins can prevent spoofing or rogue time injections, maintaining secure and trustworthy time synchronization. - Control who talks time
Enforce granular access restriction by defining specific clients and setting tailored NTP directives. This helps ensure only trusted devices can query or sync with your time servers—minimizing unauthorized access and bandwidth abuse.
Restriction-ready NTP
Purpose-Built guardrails for timekeeping—Precision that holds under pressure.
- Client by client precision boundaries
Apply restriction flags with granular precision for each client or subnet—limiting privileges, reducing exposure, and enforcing disciplined access. Tailor NTP interaction policies to align with your security posture, from enterprise-wide to endpoint-specific. - Harden time with layered restrictions
Apply multiple restriction layers to govern how clients interact with NTP services. This enforces operational boundaries, blocks unnecessary functions, and reduces configuration drift across the network.
- Throttle with foresight
Set rate limits to control the volume and frequency of NTP requests. Prevent overloads, ensure fairness in resource usage, and keep network traffic optimized—especially in large, high-density deployments. Admins can create robust yet flexible templates to uphold time infrastructure integrity across distributed environments. - Repeatable, Restriction-Ready NTP profiles
Define a standardized NTP configuration policy and seamlessly reuse it across all newly onboarded NTP servers. This eliminates manual repetition, ensures consistent time synchronization policies across distributed environments, and minimizes deviation and drift risks.
NTP performance monitoring
Monitor the timekeepers that run your network. Analyze the pulse of every NTP server under the microscope.
- One dashboard. Magnified visibility.
Track every onboarded NTP server’s performance in real time—offset, jitter, stability, and frequency—all in one place. - Jitter and stability tracking
Monitor jitter and stability trends in real time, ensuring consistent and reliable time distribution across critical systems.
- Frequency analysis for accuracy
Analyze loop frequency fluctuations to identify systemic timing deviations and fine-tune synchronization accuracy. - Performance baselines and anomaly detection
Establish normal behavior patterns and quickly isolate abnormal time fluctuations before they impact uptime or services. - Custom time windows. Pinpoint insights.
Zoom into any time window for any NTP server for isolating issues with surgical precision and enabling proactive remediation.
DNS protection templates
- Codify protection into ready-to-deploy templates.
Admins can standardize DNS defense across servers by creating and deploying consistent, repeatable protection templates—tailored for normal operations or high-traffic attack scenarios. - Custom-Ready. Prebuilt shields.
Choose from industry-grade presets like "50K to 5M queries/minute", or build fully customized thresholds to address evolving threat scenarios. All templates are reusable—making rollouts quick and repeatable across servers or domains. - Rate-Limiting that thinks in real time
Limit by client, zone, or subnet—not just blindly block. Throttle abusive queries without hurting the good ones. With flexible query-per-second thresholds, DNS error limits, and slip ratios, admins can balance protection and performance, isolating threats without disrupting uptime.
- DNSSEC-Safe enforcement
Enable DNSSEC validation within your protection template—ensuring that query rate-limiting doesn’t interfere with DNS integrity or authenticity. Protect without compromising on security compliance. - Performance sustained under siege
Templates introduce nuanced caps (e.g., NXDOMAINs/sec, No-Data/sec, Errors/sec), preventing accidental service denial due to misconfigurations or client misbehavior. Keep performance up even during heavy query storms. - Test, tune, and trust before you enforce
Run protection templates in passive “log-only” monitoring mode to silently fine-tune behavior, impact, and log patterns, before full enforcement. Great for testing, baselining, or sandboxing environments.
Management UI Console failover: Hot-standby engine
- Failover without the flinch
The hot-standby engine ensures that the secondary server automatically takes over within minutes, keeping the UI accessible and your operations uninterrupted—no manual intervention needed. - Same Console. New Commander.
No IP confusion—admins always know who’s in charge. The console visually distinguishes the active primary vs. standby server, displaying the current server IP, HA status, and last sync time—so there's no ambiguity when accessing or troubleshooting. - Smart promotion control
Admins stay in charge of who takes over. They can manually promote the secondary server when needed—perfect for proactive cutovers or planned failovers during upgrades or testing.
- Credential-Gated failover
Secure by design that the hand-off handshake is validated with client credentials and replication passwords, adding an additional layer of control and trust. - Live sync. Mirrored-setup with no configuration drift
What’s set on primary reflects on standby. With real-time database replication between the primary and secondary servers, admins can trust that configuration changes, logs, and service data stay intact and consistent—even in switchover moments. - Maintenance mode that respects your upgrades.
Enable planned downtime without disrupting service—pause failover during upgrades or patch rollouts, knowing the sync will resume smoothly post-maintenance.
Remote database configuration
- Decouple to scale
Run the database on a remote server—freeing your console host from storage or processing strain. Admins can now separate the application server and the database layer, enabling better resource management, reduced CPU contention, and greater scalability in larger environments. - Anywhere access, Enterprise flexibility
Deploy the DB wherever your enterprise dictates—cloud, VM, or a hardened database node. This allows organizations to align the database with their infrastructure strategy—whether on-prem, hybrid, or cloud-based—while keeping the application console lightweight and resilient.
- Custom roles, controlled access
Define granular DB access with role-based privileges for security and control. Admins can create tailored PostgreSQL roles with schema- and table-level privileges, ensuring that the DDI application interacts securely and minimally, without overexposure of the database environment. - Seamless migration, Bi-directional sync
Migrate data to or from the remote DB using standard pg_dump/pg_restore routines. Built-in support for data migration empowers admins to move between default and external database configurations with confidence—supporting backup, disaster recovery, and environment cloning scenarios.