Re: how to view DNS lookups





"habitual_linestepr" <habitual_linestepr@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:41FB5268-A4CA-4260-8144-0E03E856A177@xxxxxxxxxxxxxxxx
I'm concerned that there may be some questionable traffic leaving my network
due to information provided by some of our IDSs. I've looked through our
maillogs, proxy logs, and firewall logs, but no luck. Is there a way to
search my DNS server to find out who it is that is resolving a particular
site?

Not by default, but if you enable "Debug Logging" on a Win2003
DNS server you can obtain the detail necessary to work this out.

You could for instance log all inbound-requests-UDP-resolution
and either also log the outbound requests your DNS server uses
to provide that, or compare it to the IDS logs which are flagging
the DNS requests out of your network.

Maybe a simple findstr/grep would be sufficient -- or you might
need some more sophisticated comparison and correlation of
the IDS and DNS logs.

We have both win2k and win2k3 dns servers.

IIRC the detail "Debug Log" was introduced in 2003, at least it
was added as a GUI option in the MMC then so you might have
to separately log the 2000 DNS servers.

You can put something like Wireshark on ANY server and
have it log, e.g., DNS requests inbound and dns requests outbound
(recursive or forwarded) and then figure out (at least roughly)
who* is doing it.

*Which machine.

I would like to look at the win2k box, but the win2k3 boxes would be nice
too... Thanks for any help in advance!

DNS Debug logging on the 2003 DNS MMC would be my
first thought -- or something like (the NEW, free) Microsoft
NetMon or the (also free, open source) WireShark.

You could also just install an IDS on the DNS Server(s)
such as the (free, open source) WinSnort.

Thinking about that, I would guess that you are running the
IDS in the "gateway/Firewall" position and you just run a
monitor IDS on the same network with your DNS server(s).

If it is a switched environment or you have many subnets then
you might just do the IDS on the Server idea I suggested above.
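The "findstr/grep" step suggested above, carried a little further: the following is an added example (not code from either poster) that parses Windows DNS debug-log packet lines and counts which internal client IPs sent queries for a given domain. It assumes the packet-line layout of the Server 2003-era debug log as I recall it (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, xid, Q/R, bracketed flags, query type, query name in "(3)www(7)example(3)com(0)" label form); the sample lines in SAMPLE_LOG are constructed to that layout, not taken from a real server. Only inbound (Rcv) queries are counted, so the server's own outbound recursive lookups to its forwarders do not get mistaken for a client.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Windows DNS debug log packet format
# (date time thread pktid proto Snd/Rcv remote_ip xid Q/R [flags rcode] qtype qname).
# 192.168.1.x are internal clients; 198.51.100.2 is the upstream forwarder.
SAMPLE_LOG = """\
3/28/2023 10:15:22 AM 0B2C PACKET  00000000012A3B40 UDP Rcv 192.168.1.50    0012   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/28/2023 10:15:22 AM 0B2C PACKET  00000000012A3B40 UDP Snd 198.51.100.2    a1f3   Q [0000       NOERROR] A      (3)www(7)example(3)com(0)
3/28/2023 10:15:23 AM 0B2C PACKET  00000000012A3B40 UDP Rcv 192.168.1.77    0013   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
3/28/2023 10:15:23 AM 0B2C PACKET  00000000012A3B40 UDP Snd 198.51.100.2    a1f4   Q [0000       NOERROR] A      (3)bad(7)example(3)net(0)
3/28/2023 10:15:23 AM 0B2C PACKET  00000000012A3B40 UDP Snd 192.168.1.50    0012   R [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/28/2023 10:15:24 AM 0B2C PACKET  00000000012A3B40 UDP Rcv 192.168.1.77    0014   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
3/28/2023 10:15:25 AM 0B2C PACKET  00000000012A3B40 UDP Rcv 192.168.1.50    0015   Q [0001   D   NOERROR] A      (3)bad(7)example(3)net(0)
"""

# One packet line of the debug log; non-matching lines (headers, blanks) are skipped.
LINE_RE = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+'
    r'(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+(?P<qr>[QR])\s+'
    r'\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$'
)


def decode_qname(encoded):
    """Turn the log's '(3)www(7)example(3)com(0)' label form into 'www.example.com'."""
    labels = [lbl for _, lbl in re.findall(r'\((\d+)\)([^(]*)', encoded) if lbl]
    return '.'.join(labels).lower() if labels else '.'


def parse_dns_debug_log(text):
    """Return a list of dicts, one per packet line, with the query name decoded."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['qname'] = decode_qname(rec['qname'])
        records.append(rec)
    return records


def clients_resolving(text, domain):
    """Map client IP -> number of inbound queries for `domain` or any name under it."""
    domain = domain.lower().rstrip('.')
    counts = Counter()
    for rec in parse_dns_debug_log(text):
        # Only inbound queries identify a client; the server's own Snd/Q lines
        # are its recursive lookups to the forwarder and must not be counted.
        if rec['dir'] != 'Rcv' or rec['qr'] != 'Q':
            continue
        name = rec['qname']
        if name == domain or name.endswith('.' + domain):
            counts[rec['ip']] += 1
    return dict(counts.most_common())


if __name__ == '__main__':
    # Usage: swap SAMPLE_LOG for open(r'C:\Windows\System32\dns\dns.log').read()
    for ip, n in clients_resolving(SAMPLE_LOG, 'example.net').items():
        print(f'{ip}\t{n}')
```

Matching on the suffix (rather than the exact name) is deliberate: the IDS will usually flag a domain, while clients query hostnames under it. On a real log, run the count over the same time window the IDS alert covers, then cross-check the matching client against the firewall or proxy logs the poster already has.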





