Solved

Check Windows 2008 R2 DNS Cache for Blacklisted domains

Posted on 2013-11-20
Last Modified: 2013-12-23
Is there a way in Windows 2008 R2 to export all cached domain entries to a text file and then check all entries against a list of known blacklisted domains?

We locked down our environment after various mass email virus problems and want to know if users/workstations are querying known blacklisted servers.

Hope this makes sense...
Question by:compdigit44
11 Comments
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 167 total points
ID: 39665110
You can use ipconfig /displaydns > C:\myDNScache.txt to list the content of the DNS cache; to flush it you can run ipconfig /flushdns or dnscmd /clearcache. http://technet.microsoft.com/en-us/library/cc772069.aspx

I would recommend installing the latest Windows hotfixes and service pack on the client computers, updating the virus definition files on them, and then doing a full scan of each client computer. Also contact your antivirus team or vendor if a specific virus is detected and check for a removal tool.
LVL 19

Author Comment

by:compdigit44
ID: 39665674
Thanks, but I was referring to the cached DNS entries that reside on the DNS server itself. I then want to take this list and run it against a list of known blacklisted DNS servers.


Thanks again..
LVL 25

Expert Comment

by:DrDave242
ID: 39667880
There is no way to export the DNS server cache on a Windows server, as far as I know.
LVL 25

Expert Comment

by:DrDave242
ID: 39667927
I've thought about it a little more, and you could conceivably use debug logging for this, since it will log every query that comes into the server. (It can log a lot more than that, but you don't want the log to be any more onerous than it has to be.)

To turn on debug logging, open the DNS Manager console, right-click the appropriate DNS server, and select Properties. Under the Debug Logging tab, check Log packets for debugging. There are quite a few other checkboxes, and I recommend selecting the following ones:

[Screenshot: DNS debug log settings - 2008 R2]

You can set the file path and maximum size to whatever you want, of course, but the settings above will limit what gets logged to only incoming request packets.

One thing you'll notice when you review the log file is that the entries don't list FQDNs in the form www.experts-exchange.com; instead, they'll look like (3)www(16)experts-exchange(3)com(0). Each number in parentheses represents the length of the label that follows it, and I assume the zero at the end represents the end of the FQDN.

Once you've let the log run for a while, you can either manually search through it for the domains you're looking for (what fun!) or write a Perl script or something similar to process the log file for you.

Keep in mind that debug logging is configured on a per-server basis, so if you have a lot of DNS servers in your environment, you'll have to enable it for each one (and look through each log file).
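As an added example (not code from the thread), here is a PowerShell decoder for that length-prefixed name notation, run over two constructed log lines. The client address and the encoded query name are pulled out by pattern rather than by column position, and the blacklist is a placeholder to be replaced with a real list:

```powershell
# Decode "(3)www(16)experts-exchange(3)com(0)" into "www.experts-exchange.com".
function ConvertFrom-DnsLabelName {
    param([Parameter(Mandatory = $true)][string]$Encoded)
    $labels = foreach ($m in [regex]::Matches($Encoded, '\((\d+)\)([^()]*)')) {
        $len = [int]$m.Groups[1].Value
        if ($len -eq 0) { continue }        # "(0)" is the root label: end of the name
        $label = $m.Groups[2].Value
        if ($label.Length -ne $len) { throw "Label '$label' does not have declared length $len" }
        $label
    }
    return ($labels -join '.').ToLowerInvariant()
}

# Return the blacklist entry a name falls under (exact match or parent domain), or $null.
function Test-BlacklistedDomain {
    param([string]$Name, [string[]]$Blacklist)
    foreach ($bad in $Blacklist) {
        $bad = $bad.Trim().ToLowerInvariant()
        if ($bad -and ($Name -eq $bad -or $Name.EndsWith(".$bad"))) { return $bad }
    }
    return $null
}

# Constructed sample lines in the general shape of a "Rcv" entry; real logs carry more columns.
$sampleLog = @(
    '11/20/2013 10:15:32 AM 0B4C PACKET 000000000341C2E0 UDP Rcv 192.168.1.50 0002 Q [0001 D NOERROR] A (3)www(16)experts-exchange(3)com(0)',
    '11/20/2013 10:15:33 AM 0B4C PACKET 000000000341C2E0 UDP Rcv 192.168.1.77 0003 Q [0001 D NOERROR] A (3)cnc(11)bad-example(3)net(0)'
)
$blacklist = @('bad-example.net', 'malware-sample.test')   # placeholder list; substitute a real feed

foreach ($line in $sampleLog) {
    # Client address follows "Rcv"; the encoded name is the last whitespace-delimited token.
    if ($line -match 'Rcv\s+(?<client>\S+).*\s(?<qname>(?:\(\d+\)[^()\s]*)+)\s*$') {
        $client = $Matches['client']
        $fqdn   = ConvertFrom-DnsLabelName $Matches['qname']
        $hit    = Test-BlacklistedDomain -Name $fqdn -Blacklist $blacklist
        if ($hit) { "$client queried $fqdn (matches blacklist entry $hit)" }
    }
}
```

To run it over a real log, replace $sampleLog with Get-Content on the debug log path configured above; the length check throws on a truncated or mangled name rather than silently matching the wrong domain.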
LVL 19

Author Comment

by:compdigit44
ID: 39678782
I am surprised there isn't a way to extract the cached DNS entries on a DNS server and check this list against known blacklisted DNS servers??? Am I totally being blind and missing something simple here???? ;-)
LVL 25

Expert Comment

by:DrDave242
ID: 39679365
I've just discovered that Windows Server 2012 has a PowerShell cmdlet that'll display the contents of the cache (Show-DnsServerCache). 2008 R2 has no such cmdlet, but if you've got a 2012 server in your domain, you can target a 2008 R2 DNS server with the -computername switch, and it works just fine.

In other words, you'd run show-dnsservercache -computername <server_name>. If you don't have a 2012 server in your domain, though, I don't know of a way to do it.
LVL 19

Author Comment

by:compdigit44
ID: 39679528
Very interesting !!!! Is there a way I could run this list against known blacklist servers?
LVL 25

Accepted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39679579
There's only one way I can think of to do it, and it's not necessarily trivial:

1. Pipe the PowerShell output to a text file. (This part's easy enough.)

2. Create or obtain a list of blacklisted domains and save it as another text file. (No idea how hard this is.)

3. Write a script that will scan the cache file for entries in the blacklist file. (Since this is just text-file parsing, it shouldn't be too hard for someone who knows Perl or another scripting language, but I no longer consider myself one of those people.)
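The three steps above carried out in PowerShell, as an added example rather than the poster's own script: the DnsServer module on a Server 2012 host (it assumes the DNS Server Tools feature is installed, since the module is not loaded by default) is pointed at the 2008 R2 server, the cache objects are compared with a one-domain-per-line blacklist file, and hits are written to CSV. The server name and file paths are placeholders, and the example also matches parent domains, so a blacklist entry of example.net catches any cached name beneath it:

```powershell
Import-Module DnsServer    # needs the DNS Server Tools feature on the 2012 host

$DnsServer     = 'dns01.corp.example'      # placeholder: name of the 2008 R2 DNS server
$BlacklistPath = 'C:\dns\blacklist.txt'    # placeholder: one domain per line, '#' comments allowed
$ReportPath    = 'C:\dns\cache-hits.csv'   # placeholder: where matches are written

# Load the blacklist into a case-normalised set so each lookup is a hash probe.
$blacklist = New-Object 'System.Collections.Generic.HashSet[string]'
Get-Content $BlacklistPath | ForEach-Object {
    $entry = $_.Trim().ToLowerInvariant()
    if ($entry -and -not $entry.StartsWith('#')) { [void]$blacklist.Add($entry) }
}

# Read the remote server's cache as objects; HostName is assumed to hold the full name.
$hits = Show-DnsServerCache -ComputerName $DnsServer |
    Where-Object { $_.RecordType -in @('A', 'AAAA', 'CNAME') } |
    ForEach-Object {
        $record = $_
        # Walk up the name: a.b.example.net -> b.example.net -> example.net -> net
        $candidate = $record.HostName.TrimEnd('.').ToLowerInvariant()
        while ($candidate) {
            if ($blacklist.Contains($candidate)) {
                New-Object PSObject -Property @{
                    CachedName = $record.HostName
                    Matched    = $candidate
                    RecordType = $record.RecordType
                    TTL        = $record.TimeToLive
                }
                break
            }
            $dot = $candidate.IndexOf('.')
            $candidate = if ($dot -ge 0) { $candidate.Substring($dot + 1) } else { '' }
        }
    }

@($hits) | Export-Csv -NoTypeInformation -Path $ReportPath
"$(@($hits).Count) cached name(s) under blacklisted domains on $DnsServer; details in $ReportPath"
```

Because the cache only holds names resolved recently, schedule this to run more often than the typical TTL of the entries you care about, or combine it with the debug-log approach for a complete record.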
LVL 19

Author Comment

by:compdigit44
ID: 39696641
Can anyone recommend a good place to get a list of known malware/blacklist domains?
LVL 19

Author Comment

by:compdigit44
ID: 39721880
I have a Windows 2012 member server that is not a DNS server, but the show-dnsservercache PowerShell module is not loaded.
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39727173
Try running import-module dnsserver. It should load the appropriate module and allow you to use show-dnsservercache (and quite a few other DNS-related cmdlets).
