Solved

Check Windows 2008 R2 DNS Cache for Blacklisted domains

Posted on 2013-11-20
1,426 Views
Last Modified: 2013-12-23
Is there a way in Windows 2008 R2 to export all cached domain entries to a text file and then check all entries against a list of known blacklisted domains?

We locked down our environment after various mass email virus problems and want to know if users / workstations are querying known blacklisted servers.

Hope this makes sense...
Question by:compdigit44
11 Comments
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 668 total points
ID: 39665110
You can use ipconfig /displaydns >C:\myDNScache.txt to list the content of the DNS cache; to flush the same you can run ipconfig /flushdns or dnscmd /clearcache.
http://technet.microsoft.com/en-us/library/cc772069.aspx

I would recommend installing the latest Windows hotfixes and service pack on the client computer, with the latest virus definition file updated on the client computer, and then doing a full scan of the client computer. Also contact your antivirus team or vendor if a specific virus is detected and check for a removal tool.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39665674
Thanks, but I was referring to the cached DNS entries that reside on the DNS server itself. I then want to take this list and run it against a list of known blacklisted DNS servers.

Thanks again..
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 39667880
There is no way to export the DNS server cache on a Windows server, as far as I know.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 39667927
I've thought about it a little more, and you could conceivably use debug logging for this, since it will log every query that comes into the server. (It can log a lot more than that, but you don't want the log to be any more onerous than it has to be.)

To turn on debug logging, open the DNS Manager console, right-click the appropriate DNS server, and select Properties. Under the Debug Logging tab, check Log packets for debugging. There are quite a few other checkboxes, and I recommend selecting the following ones:
[Screenshot: DNS debug log settings - 2008 R2]

You can set the file path and maximum size to whatever you want, of course, but the settings above will limit what gets logged to only incoming request packets.

One thing you'll notice when you review the log file is that the entries don't list FQDNs in the form www.experts-exchange.com; instead, they'll look like (3)www(16)experts-exchange(3)com(0). Each number in parentheses represents the length of the label that follows it, and I assume the zero at the end represents the end of the FQDN.

Once you've let the log run for a while, you can either manually search through it for the domains you're looking for (what fun!) or write a Perl script or something similar to process the log file for you.

Keep in mind that debug logging is configured on a per-server basis, so if you have a lot of DNS servers in your environment, you'll have to enable it for each one (and look through each log file).
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39678782
I am surprised there isn't a way to extract the cached DNS entries on a DNS server and check this list against known blacklisted DNS servers??? Am I totally being blind and missing something simple here???? ;-)
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 39679365
I've just discovered that Windows Server 2012 has a PowerShell cmdlet that'll display the contents of the cache (Show-DnsServerCache). 2008 R2 has no such cmdlet, but if you've got a 2012 server in your domain, you can target a 2008 R2 DNS server with the -computername switch, and it works just fine.

In other words, you'd run show-dnsservercache -computername <server_name>. If you don't have a 2012 server in your domain, though, I don't know of a way to do it.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39679528
Very interesting !!!! Is there a way I could run this list against known blacklist servers?
0
 
LVL 27

Accepted Solution

by:DrDave242
DrDave242 earned 1332 total points
ID: 39679579
There's only one way I can think of to do it, and it's not necessarily trivial:

1. Pipe the PowerShell output to a text file. (This part's easy enough.)

2. Create or obtain a list of blacklisted domains and save it as another text file. (No idea how hard this is.)

3. Write a script that will scan the cache file for entries in the blacklist file. (Since this is just text-file parsing, it shouldn't be too hard for someone who knows Perl or another scripting language, but I no longer consider myself one of those people.)
0
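The three steps of the accepted answer, plus the (3)www(16)experts-exchange(3)com(0) debug-log name format DrDave242 describes, worked through as an added PowerShell example (not code from the thread). It assumes a Server 2012 host with the DnsServer module, a 2008 R2 DNS server named DNS01 (placeholder), a blacklist file at C:\dns\blacklist.txt with one domain per line, and an optional debug log at C:\dns\dns-debug.log; it also flags subdomains of a blacklisted domain, which goes slightly beyond what the thread spells out.

```powershell
# Added example, not from the thread. Placeholders: DNS01, C:\dns\blacklist.txt, C:\dns\dns-debug.log.
Import-Module DnsServer

# Decode the debug-log wire form "(3)www(16)experts-exchange(3)com(0)" into "www.experts-exchange.com".
function ConvertFrom-DnsDebugName {
    param([Parameter(Mandatory)][string]$WireName)
    $labels = foreach ($m in [regex]::Matches($WireName, '\((\d+)\)([^(]*)')) {
        $len = [int]$m.Groups[1].Value; $label = $m.Groups[2].Value
        if ($len -eq 0) { continue }                                   # (0) is the root terminator
        if ($label.Length -ne $len) { throw "Bad label length in '$WireName'" }
        $label
    }
    ($labels -join '.').ToLowerInvariant()
}

# Return the blacklist entry equal to $Name or one of its parent domains, else $null,
# so a blacklisted example.test also catches cdn.example.test.
function Get-BlacklistMatch {
    param([string]$Name, [System.Collections.Generic.HashSet[string]]$Blacklist)
    $labels = $Name.Trim().TrimEnd('.').ToLowerInvariant().Split('.')
    for ($i = 0; $i -le $labels.Length - 2; $i++) {                    # never test a bare TLD
        $candidate = $labels[$i..($labels.Length - 1)] -join '.'
        if ($Blacklist.Contains($candidate)) { return $candidate }
    }
    return $null
}

# Step 2: load the blacklist (blank lines and # comments ignored, trailing dots stripped).
$blacklist = New-Object 'System.Collections.Generic.HashSet[string]'
Get-Content 'C:\dns\blacklist.txt' | ForEach-Object { $_.Trim().TrimEnd('.').ToLowerInvariant() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object { [void]$blacklist.Add($_) }

# Steps 1 and 3: read the 2008 R2 server's cache remotely and test every cached name.
$hits = @(Show-DnsServerCache -ComputerName 'DNS01' | ForEach-Object {
    $match = Get-BlacklistMatch -Name $_.HostName -Blacklist $blacklist
    if ($match) { [pscustomobject]@{ Source = 'cache'; Name = $_.HostName; Type = $_.RecordType; Matched = $match } }
})

# Same check over the "Log packets for debugging" output: each query line ends with the wire-form name.
$hits += @(Get-Content 'C:\dns\dns-debug.log' | ForEach-Object {
    if ($_ -match '(\(\d+\)\S*\(0\))') {
        $fqdn  = ConvertFrom-DnsDebugName $Matches[1]
        $match = Get-BlacklistMatch -Name $fqdn -Blacklist $blacklist
        if ($match) { [pscustomobject]@{ Source = 'debuglog'; Name = $fqdn; Type = 'query'; Matched = $match } }
    }
})

# One row per flagged name, with the blacklist entry that caused the match.
$hits | Sort-Object Name -Unique | Export-Csv 'C:\dns\blacklist-hits.csv' -NoTypeInformation
```

Because debug logging is per server, point the log path at each DNS server's own file; the cache read already takes the server name on the command line.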
 
LVL 20

Author Comment

by:compdigit44
ID: 39696641
Can anyone recommend a good place to get a list of known malware/blacklist domains?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39721880
I have a Windows 2012 member server that is not a DNS server, but the show-dnsservercache PowerShell module is not loaded.
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 1332 total points
ID: 39727173
Try running import-module dnsserver. It should load the appropriate module and allow you to use show-dnsservercache (and quite a few other DNS-related cmdlets).
0
