  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 407

Find source of DNS request

I am trying to trace back to the source of a DNS request.  I can see the request to a BAD IP ADDRESS from our internal DNS server.  I would like to trace back to the system that made the original request.  How can this be done?
0
McFarlandClinic
1 Solution
 
moon_blue69 Commented:
What is your operating system?

I would suggest using Network Monitor if it's a Windows system. It can be added via Add or Remove Windows Components.

Or Wireshark
0
 
McFarlandClinic (Author) Commented:
I have run Wireshark, but I am a novice at using it.  I can see where my internal DNS tried to resolve the name, but I can't tell what internal system my DNS is doing the lookup for.
0
 
moon_blue69 Commented:
What platform are you on? Windows Server 2003?
0
 
moon_blue69 Commented:
Have you got enough client access licenses (CAL)?
0
 
moon_blue69 Commented:
"Have you got enough client access licenses (CAL)?"

Sorry, that was a wrong message posted.
0
 
McFarlandClinic (Author) Commented:
Windows Server 2003
0
 
Chris Dent (PowerShell Developer) Commented:

> I have run wireshark, but I am a novice at using it.  I can see where my internal DNS tried to resolve the name, but I can't tell
> what internal system my DNS is doing the lookup for.

You'd need to capture the request from the client, not the request from the server to the rest of the world. The logging options in the DNS console should permit this although it won't be easy.

DNS packets do not contain a history of who asked what, therefore your only chance is to grab the request and its source IP.

Chris
0
 
DrDave242 Commented:
You can also turn on debug logging on the DNS server:

Open the DNS console, right-click on your DNS server, and select Properties.  Click the Debug Logging tab and select the checkbox for Log packets for debugging.  Then you have a whole pile of options for which types of packets you want to log.  You can select and deselect those as appropriate.  (I'd leave both Outgoing and Incoming selected, as well as Request and Response.)

The log file is saved as system32\dns\dns.log by default, although you can change that in the Properties window also.  Open the log in Notepad or your favorite text editor, do a little searching, and you should have the source of the query in no time.

Don't forget to turn off debug logging when you're done.
0
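An added example, not part of any post above: a Python script that scans a DNS debug log of the kind DrDave242 describes and tallies which client IPs sent the server a query for one name. The sample lines are constructed, and the field layout in the regex is an assumption (it differs between Windows versions), so compare it with a line from your own dns.log first.

```python
import re
from collections import Counter

# Constructed sample lines. Assumed layout:
# date time thread PACKET proto direction remote-IP xid [R] opcode [flags] qtype name
SAMPLE_LOG = """\
20100312 09:14:02 0A4C PACKET  UDP Rcv 10.1.20.57      3f2a   Q [0001   D   NOERROR] A     (3)bad(7)example(4)test(0)
20100312 09:14:02 0A4C PACKET  UDP Snd 198.51.100.7    9c11   Q [0000       NOERROR] A     (3)bad(7)example(4)test(0)
20100312 09:14:02 0A4C PACKET  UDP Rcv 198.51.100.7    9c11 R Q [8084 A     NOERROR] A     (3)bad(7)example(4)test(0)
20100312 09:14:02 0A4C PACKET  UDP Snd 10.1.20.57      3f2a R Q [8081   DR  NOERROR] A     (3)bad(7)example(4)test(0)
20100312 09:15:40 0A4C PACKET  UDP Rcv 10.1.20.88      77d0   Q [0001   D   NOERROR] A     (3)www(7)example(3)org(0)
20100312 09:16:11 0A4C PACKET  UDP Rcv 10.1.20.57      41bb   Q [0001   D   NOERROR] A     (3)BAD(7)example(4)test(0)
"""

PACKET_RE = re.compile(
    r"\b(?:UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+[0-9A-Fa-f]{4}\s+"
    r"(?P<resp>R?)\s*Q\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+"
    r"(?P<name>(?:\(\d+\)[^()\s]*)+)"
)

def decode_name(raw):
    """Turn the log's length-prefixed form, e.g. (3)www(7)example(3)org(0), into www.example.org."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()\s]*)", raw)]
    return ".".join(label for label in labels if label).lower()

def find_requesters(lines, target):
    """Count, per source IP, the queries the server received for `target`."""
    target = target.rstrip(".").lower()
    hits = Counter()
    for line in lines:
        m = PACKET_RE.search(line)
        if not m:
            continue  # not a packet line, or a layout this regex does not cover
        # Keep only inbound queries: "Rcv" with no R (response) flag.
        # "Snd" lines are the server's own lookups and its replies to clients;
        # "Rcv" lines with R set are answers coming back from other servers.
        if m["dir"] != "Rcv" or m["resp"]:
            continue
        if decode_name(m["name"]) == target:
            hits[m["ip"]] += 1
    return hits

if __name__ == "__main__":
    results = find_requesters(SAMPLE_LOG.splitlines(), "bad.example.test")
    for ip, count in results.most_common():
        print(f"{ip}\t{count} queries")
```

For a real log, pass the opened file in place of the sample lines, for example `open(path, errors="replace")`.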
