We have a small network enclave that has a single machine that runs a proxy server and DNS server for that enclave. This system's IP is 192.168.1.2.
Recently we have suspected that someone's machine in that enclave might be infected. We did some research to see if their machine was going to a specific "malicious" site.
(I am blocking some information for security / privacy reasons)
First we found in the DNS logs:
bind.log.120319:19-Mar-2012 09:41:06.885 queries: info: client 192.168.1.2#41359: query: malicious-site.com IN A + (192.168.1.2)
So it looks like maybe squid made the DNS request for the user?
I checked the access log of squid and do not see any traffic to malicious-site.com.
Can someone explain to me how DNS queries work with squid? It looks like squid is making some queries for users and letting other users make their own queries.
Is there any way I can track down which client made that DNS request?
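Added example, not from the original post: a small Python script that parses the BIND query-log line format quoted above together with Squid's native access.log format, then reports which proxy clients fetched a URL on the queried host within a few seconds of each DNS lookup. It assumes both logs are written in UTC (BIND logs local time by default) and uses constructed sample lines in place of the real logs.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample data. The first BIND line mirrors the one quoted in the
# question; the remaining lines are invented for illustration.
BIND_LOG = """\
bind.log.120319:19-Mar-2012 09:41:06.885 queries: info: client 192.168.1.2#41359: query: malicious-site.com IN A + (192.168.1.2)
bind.log.120319:19-Mar-2012 09:41:07.101 queries: info: client 192.168.1.60#53211: query: example.com IN A + (192.168.1.2)
"""
SQUID_LOG = """\
1332150066.902    312 192.168.1.50 TCP_MISS/200 2841 GET http://malicious-site.com/index.html - DIRECT/203.0.113.5 text/html
1332150067.000     45 192.168.1.60 TCP_HIT/200 1024 GET http://intranet.example/ - NONE/- text/html
1332153666.000    200 192.168.1.70 TCP_MISS/200 1500 GET http://malicious-site.com/ - DIRECT/203.0.113.5 text/html
"""

BIND_RE = re.compile(
    r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) queries: info: "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_bind(lines):
    """Yield (epoch, resolver_client_ip, qname) for each BIND query-log line."""
    for line in lines:
        m = BIND_RE.search(line)          # search() skips any "filename:" prefix
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        # Assumption: BIND timestamps are UTC, so they compare with Squid epochs.
        yield ts.replace(tzinfo=timezone.utc).timestamp(), m["client"], m["qname"].lower().rstrip(".")

def parse_squid(lines):
    """Yield (epoch, proxy_client_ip, host) from Squid native access.log lines."""
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        url = parts[6]                    # CONNECT requests carry "host:port" here
        host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
        yield float(parts[0]), parts[2], (host or "").lower()

def find_requesters(domain, bind_lines, squid_lines, window=5.0):
    """For each DNS query for `domain`, list proxy clients that fetched a URL on that
    host within `window` seconds; an empty list means no proxied request matches."""
    domain = domain.lower()
    squid = [e for e in parse_squid(squid_lines) if e[2] == domain]
    results = []
    for epoch, dns_client, qname in parse_bind(bind_lines):
        if qname == domain:
            hits = sorted({c for t, c, _ in squid if abs(t - epoch) <= window})
            results.append({"dns_time": epoch, "dns_client": dns_client, "proxy_clients": hits})
    return results
```

A DNS query whose `dns_client` is the proxy's own address but has no `proxy_clients` within the window is the case the question describes, and widening `window` is the first thing to try before concluding the lookup was not proxied.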