Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Check Windows 2008 R2 DNS Cache for Blacklisted domains

Posted on 2013-11-20
11
Medium Priority
?
1,458 Views
Last Modified: 2013-12-23
If there a way in windows 2008 r2 to export all cache domain enteries to a text file then check all enteries against of know blacklisted domains?

We locked down our enviroment after various mass email virus problems and want to know if users / workstation are queries know blacklisted servers.

hope this makes sence...
0
Comment
Question by:compdigit44
  • 5
  • 5
11 Comments
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 668 total points
ID: 39665110
You can use ipconfig /displaydns >C:\myDNScache.txt to list the content of dns cache, to flush the same you can run ipconfig /flushdns or dnscmd /clearcache .http://technet.microsoft.com/en-us/library/cc772069.aspx

I will recommend to install the latest windows hotfix and service pack on client computer with latest virus defination file updated on client computer and then do the full scan of client computer.Also contact you antivirus team or vendor if specific virus is detected and check for removal tool.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39665674
Thank but I was referrging the the cache DNS enteries that reside on the DNS server itself. I then want to take this list and run it against a list of know blacklisted DNS servers


Thanks again..
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 39667880
There is no way to export the DNS server cache on a Windows server, as far as I know.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 27

Expert Comment

by:DrDave242
ID: 39667927
I've thought about it a little more, and you could conceivably use debug logging for this, since it will log every query that comes into the server. (It can log a lot more than that, but you don't want the log to be any more onerous that it has to be.)

To turn on debug logging, open the DNS Manager console, right-click the appropriate DNS server, and select Properties. Under the Debug Logging tab, check Log packets for debugging. There are quite a few other checkboxes, and I recommend selecting the following ones:
DNS debug log settings - 2008 R2You can set the file path and maximum size to whatever you want, of course, but the settings above will limit what gets logged to only incoming request packets.

One thing you'll notice when you review the log file is that the entries don't list FQDNs in the form www.experts-exchange.com; instead, they'll look like (3)www(16)experts-exchange(3)com(0). Each number in parentheses represents the length of the label that follows it, and I assume the zero at the end represents the end of the FQDN.

Once you've let the log run for a while, you can either manually search through it for the domains you're looking for (what fun!) or write a Perl script or something similar to process the log file for you.

Keep in mind that debug logging is configured on a per-server basis, so if you have a lot of DNS servers in your environment, you'll have to enable it for each one (and look through each log file).
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39678782
I am surprised there isn't a way to extract the cache DNS enteries on a DNS server and check this list again know blacklisted DNS servers???  Am I totally being blind and missing something simple here???? ;-)
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 39679365
I've just discovered that Windows Server 2012 has a PowerShell cmdlet that'll display the contents of the cache (Show-DnsServerCache). 2008 R2 has no such cmdlet, but if you've got a 2012 server in your domain, you can target a 2008 R2 DNS server with the -computername switch, and it works just fine.

In other words, you'd run show-dnsservercache -computername <server_name>. If you don't have a 2012 server in your domain, though, I don't know of a way to do it.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39679528
Very interesting !!!! Is there a way I could run this list again know blacklist servers?
0
 
LVL 27

Accepted Solution

by:
DrDave242 earned 1332 total points
ID: 39679579
There's only one way I can think of to do it, and it's not necessarily trivial:

1.

Pipe the PowerShell output to a text file. (This part's easy enough.)

2.

Create or obtain a list of blacklisted domains and save it as another text file. (No idea how hard this is.)

3.

Write a script that will scan the cache file for entries in the blacklist file. (Since this is just text-file parsing, it shouldn't be too hard for someone who knows Perl or another scripting language, but I no longer consider myself one of those people.)
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39696641
Can anyone recommend a good place to get a list of known malware/blacklist domains?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39721880
I have a windows 2012 member server that is not a DNS server but the show-dnsservercache powershell module is not loaded.
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 1332 total points
ID: 39727173
Try running import-module dnsserver. It should load the appropriate module and allow you to use show-dnsservercache (and quite a few other DNS-related cmdlets).
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Each password manager has its own problems in dealing with certain websites and their login methods. In Part 1, I review the Top 5 Password Managers that I've found to be the best. In Part 2 we'll look at which ones co-exist together and why it'…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question