Check Windows 2008 R2 DNS Cache for Blacklisted domains

Posted on 2013-11-20
Last Modified: 2013-12-23
Is there a way in Windows 2008 R2 to export all cached domain entries to a text file and then check all entries against known blacklisted domains?

We locked down our environment after various mass email virus problems and want to know if users / workstations are querying known blacklisted servers.

Hope this makes sense...
Question by:compdigit44
11 Comments
 

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 167 total points
ID: 39665110
You can use ipconfig /displaydns >C:\myDNScache.txt to list the contents of the DNS cache; to flush it you can run ipconfig /flushdns or dnscmd /clearcache. http://technet.microsoft.com/en-us/library/cc772069.aspx

I would recommend installing the latest Windows hotfixes and service pack on the client computers, with the latest virus definition file updated on them, and then doing a full scan of the client computers. Also contact your antivirus team or vendor if a specific virus is detected and check for a removal tool.

Author Comment

by:compdigit44
ID: 39665674
Thanks, but I was referring to the cached DNS entries that reside on the DNS server itself. I then want to take this list and run it against a list of known blacklisted DNS servers.


Thanks again..

Expert Comment

by:DrDave242
ID: 39667880
There is no way to export the DNS server cache on a Windows server, as far as I know.

Expert Comment

by:DrDave242
ID: 39667927
I've thought about it a little more, and you could conceivably use debug logging for this, since it will log every query that comes into the server. (It can log a lot more than that, but you don't want the log to be any more onerous than it has to be.)

To turn on debug logging, open the DNS Manager console, right-click the appropriate DNS server, and select Properties. Under the Debug Logging tab, check Log packets for debugging. There are quite a few other checkboxes, and I recommend selecting the following ones:
(screenshot: DNS debug log settings - 2008 R2)

You can set the file path and maximum size to whatever you want, of course, but the settings above will limit what gets logged to only incoming request packets.

One thing you'll notice when you review the log file is that the entries don't list FQDNs in the form www.experts-exchange.com; instead, they'll look like (3)www(16)experts-exchange(3)com(0). Each number in parentheses represents the length of the label that follows it, and I assume the zero at the end represents the end of the FQDN.

Once you've let the log run for a while, you can either manually search through it for the domains you're looking for (what fun!) or write a Perl script or something similar to process the log file for you.

Keep in mind that debug logging is configured on a per-server basis, so if you have a lot of DNS servers in your environment, you'll have to enable it for each one (and look through each log file).

Author Comment

by:compdigit44
ID: 39678782
I am surprised there isn't a way to extract the cached DNS entries on a DNS server and check this list against known blacklisted DNS servers? Am I totally being blind and missing something simple here? ;-)

Expert Comment

by:DrDave242
ID: 39679365
I've just discovered that Windows Server 2012 has a PowerShell cmdlet that'll display the contents of the cache (Show-DnsServerCache). 2008 R2 has no such cmdlet, but if you've got a 2012 server in your domain, you can target a 2008 R2 DNS server with the -computername switch, and it works just fine.

In other words, you'd run show-dnsservercache -computername <server_name>. If you don't have a 2012 server in your domain, though, I don't know of a way to do it.

Author Comment

by:compdigit44
ID: 39679528
Very interesting! Is there a way I could run this list against known blacklisted servers?

Accepted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39679579
There's only one way I can think of to do it, and it's not necessarily trivial:

1. Pipe the PowerShell output to a text file. (This part's easy enough.)

2. Create or obtain a list of blacklisted domains and save it as another text file. (No idea how hard this is.)

3. Write a script that will scan the cache file for entries in the blacklist file. (Since this is just text-file parsing, it shouldn't be too hard for someone who knows Perl or another scripting language, but I no longer consider myself one of those people.)
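Both approaches discussed in this thread (the 2008 R2 debug log with its (3)www(16)experts-exchange(3)com(0) name encoding, and Show-DnsServerCache output piped to a file) end in the same step: matching a list of names against a blacklist file. The following PowerShell is an added example, not code from the thread or from Microsoft. It decodes the length-prefixed names from received-query lines of the debug log, can pull names from Show-DnsServerCache on a host that has the DnsServer module, and reports every name that is equal to or under a blacklisted domain, so a blacklist entry of bad.example also catches evil.bad.example. The blacklist file format (one domain per line, # comments), the sample log lines, the server name dns01 and the assumption that Show-DnsServerCache's HostName property holds the full name are all mine. On a 2012 member server that is not a DNS server, the DnsServer module is installed with the DNS Server Tools feature (Install-WindowsFeature RSAT-DNS-Server) before Import-Module DnsServer will work.

```powershell
# Added example (not from the original thread): flag DNS names seen by a Windows DNS
# server that fall under a blacklisted domain. Sources: Show-DnsServerCache output
# (DnsServer module) or the 2008 R2 debug packet log. All sample data is constructed.

# --- 1. Blacklist: assumed format is one domain per line, '#' starts a comment ---
$blacklistText = @"
# constructed sample blacklist
bad.example
malware.example.net
"@

function Get-BlacklistSet {
    param([string[]]$Lines)
    $set = @{}   # PowerShell hashtables compare string keys case-insensitively
    foreach ($line in $Lines) {
        $domain = ($line -split '#')[0].Trim().TrimEnd('.')
        if ($domain) { $set[$domain] = $true }
    }
    return $set
}

function Test-Blacklisted {
    # Returns the blacklist entry that covers $Name (the name itself or any parent
    # domain), or $null. 'evil.bad.example' is caught by an entry of 'bad.example'.
    param([string]$Name, [hashtable]$Blacklist)
    $labels = $Name.Trim().TrimEnd('.') -split '\.'
    for ($i = 0; $i -lt $labels.Count; $i++) {
        $candidate = $labels[$i..($labels.Count - 1)] -join '.'
        if ($Blacklist.ContainsKey($candidate)) { return $candidate }
    }
    return $null
}

function ConvertFrom-DnsDebugName {
    # The debug log writes names as length-prefixed labels, e.g.
    # (3)www(16)experts-exchange(3)com(0) -> www.experts-exchange.com
    param([string]$Encoded)
    $labels = foreach ($m in [regex]::Matches($Encoded, '\((\d+)\)([^()]*)')) {
        if ([int]$m.Groups[1].Value -gt 0) { $m.Groups[2].Value }   # (0) ends the name
    }
    return ($labels -join '.')
}

function Get-DnsDebugLogQueries {
    # Extract client IP, query type and decoded name from received-query lines
    # ('Rcv <ip> <xid> Q [flags] <type> <name>'); response ('Snd') lines are ignored.
    param([string[]]$Lines)
    $pattern = '\bRcv\s+(?<ip>\S+)\s+\S+\s+Q\s+\[[^\]]*\]\s+(?<type>\S+)\s+(?<name>(?:\(\d+\)[^()\s]*)+)'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                Client = $m.Groups['ip'].Value
                Type   = $m.Groups['type'].Value
                Name   = ConvertFrom-DnsDebugName $m.Groups['name'].Value
            }
        }
    }
}

function Get-DnsServerCacheNames {
    # Live path: needs the DnsServer module (DNS Server Tools feature on 2012); it can
    # target a 2008 R2 server remotely. Assumption: HostName holds the full name.
    param([string]$ComputerName)
    Import-Module DnsServer -ErrorAction Stop
    Show-DnsServerCache -ComputerName $ComputerName |
        Where-Object { $_.RecordType -in 'A', 'AAAA', 'CNAME' } |
        ForEach-Object { $_.HostName.TrimEnd('.') } |
        Sort-Object -Unique
}

function Find-BlacklistedNames {
    param([string[]]$Names, [hashtable]$Blacklist)
    foreach ($name in ($Names | Sort-Object -Unique)) {
        $hit = Test-Blacklisted -Name $name -Blacklist $Blacklist
        if ($hit) { [pscustomobject]@{ Name = $name; BlacklistEntry = $hit } }
    }
}

# --- 2. Run against constructed debug-log lines (layout follows the 2008 R2 packet log) ---
$blacklist = Get-BlacklistSet ($blacklistText -split "`r?`n")

$sampleLog = @(
    '11/20/2013 10:15:22 AM 0A1C PACKET  0000000002B3A5E0 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(16)experts-exchange(3)com(0)',
    '11/20/2013 10:15:23 AM 0A1C PACKET  0000000002B3A5E0 UDP Snd 192.168.1.50    0002 R Q [8081   DR  NOERROR] A      (3)www(16)experts-exchange(3)com(0)',
    '11/20/2013 10:15:31 AM 0A1C PACKET  0000000002B3C120 UDP Rcv 192.168.1.77    0003   Q [0001   D   NOERROR] A      (4)evil(3)bad(7)example(0)',
    '11/20/2013 10:16:02 AM 0A1C PACKET  0000000002B3C120 UDP Rcv 192.168.1.77    0004   Q [0001   D   NOERROR] AAAA   (7)malware(7)example(3)net(0)'
)

$queries = Get-DnsDebugLogQueries $sampleLog
$hits = Find-BlacklistedNames -Names ($queries | ForEach-Object Name) -Blacklist $blacklist
$hits | Format-Table -AutoSize

# The debug log also tells you which workstation asked, which the server cache cannot:
$queries | Where-Object { $hits.Name -contains $_.Name } |
    Select-Object Client, Name, Type | Sort-Object Client, Name -Unique | Format-Table -AutoSize

# Live server cache (uncomment on a host with the DnsServer module; 'dns01' is a placeholder):
# Find-BlacklistedNames -Names (Get-DnsServerCacheNames -ComputerName 'dns01') -Blacklist $blacklist |
#     Export-Csv C:\dns-blacklist-hits.csv -NoTypeInformation
```

The cache only shows what the server currently holds, so a name whose TTL has expired is gone; the debug log is the better source when you also need to know which client asked, at the cost of enabling it on every DNS server and parsing each log.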

Author Comment

by:compdigit44
ID: 39696641
Can anyone recommend a good place to get a list of known malware/blacklist domains?

Author Comment

by:compdigit44
ID: 39721880
I have a Windows 2012 member server that is not a DNS server, but the show-dnsservercache PowerShell module is not loaded.

Assisted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39727173
Try running import-module dnsserver. It should load the appropriate module and allow you to use show-dnsservercache (and quite a few other DNS-related cmdlets).