Solved

Check Windows 2008 R2 DNS Cache for Blacklisted domains

Posted on 2013-11-20
1,341 Views
Last Modified: 2013-12-23
Is there a way in Windows 2008 R2 to export all cached domain entries to a text file and then check all entries against a list of known blacklisted domains?

We locked down our environment after various mass-email virus problems and want to know if users / workstations are querying known blacklisted servers.

Hope this makes sense...
0
Question by:compdigit44
11 Comments
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 167 total points
ID: 39665110
You can use ipconfig /displaydns >C:\myDNScache.txt to list the content of the DNS cache; to flush it you can run ipconfig /flushdns or dnscmd /clearcache . http://technet.microsoft.com/en-us/library/cc772069.aspx

I would recommend installing the latest Windows hotfixes and service pack on the client computers, with the latest virus definition file updated on each client, and then doing a full scan of the client computer. Also contact your antivirus team or vendor if a specific virus is detected and check for a removal tool.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39665674
Thanks, but I was referring to the cached DNS entries that reside on the DNS server itself. I then want to take this list and run it against a list of known blacklisted DNS servers.


Thanks again..
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 39667880
There is no way to export the DNS server cache on a Windows server, as far as I know.
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 39667927
I've thought about it a little more, and you could conceivably use debug logging for this, since it will log every query that comes into the server. (It can log a lot more than that, but you don't want the log to be any more onerous than it has to be.)

To turn on debug logging, open the DNS Manager console, right-click the appropriate DNS server, and select Properties. Under the Debug Logging tab, check Log packets for debugging. There are quite a few other checkboxes, and I recommend selecting the following ones:
[Image: DNS debug log settings - 2008 R2]

You can set the file path and maximum size to whatever you want, of course, but the settings above will limit what gets logged to only incoming request packets.

One thing you'll notice when you review the log file is that the entries don't list FQDNs in the form www.experts-exchange.com; instead, they'll look like (3)www(16)experts-exchange(3)com(0). Each number in parentheses represents the length of the label that follows it, and I assume the zero at the end represents the end of the FQDN.

Once you've let the log run for a while, you can either manually search through it for the domains you're looking for (what fun!) or write a Perl script or something similar to process the log file for you.

Keep in mind that debug logging is configured on a per-server basis, so if you have a lot of DNS servers in your environment, you'll have to enable it for each one (and look through each log file).
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39678782
I am surprised there isn't a way to extract the cached DNS entries on a DNS server and check this list against known blacklisted DNS servers???  Am I totally being blind and missing something simple here???? ;-)
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 39679365
I've just discovered that Windows Server 2012 has a PowerShell cmdlet that'll display the contents of the cache (Show-DnsServerCache). 2008 R2 has no such cmdlet, but if you've got a 2012 server in your domain, you can target a 2008 R2 DNS server with the -computername switch, and it works just fine.

In other words, you'd run show-dnsservercache -computername <server_name>. If you don't have a 2012 server in your domain, though, I don't know of a way to do it.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39679528
Very interesting !!!! Is there a way I could run this list against known blacklisted servers?
0
 
LVL 26

Accepted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39679579
There's only one way I can think of to do it, and it's not necessarily trivial:

1. Pipe the PowerShell output to a text file. (This part's easy enough.)

2. Create or obtain a list of blacklisted domains and save it as another text file. (No idea how hard this is.)

3. Write a script that will scan the cache file for entries in the blacklist file. (Since this is just text-file parsing, it shouldn't be too hard for someone who knows Perl or another scripting language, but I no longer consider myself one of those people.)
0
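One way to do step 3 of the accepted answer, and to decode the length-prefixed (3)www(16)experts-exchange(3)com(0) names from the debug log described earlier in the thread, as an added example that is not part of this thread or of any Microsoft tool: a Python script (the "another scripting language" option) that parses constructed sample log lines, expands the labels into a normal FQDN, and checks each name, including its parent domains, against a blacklist file. The log-line layout, the client IPs and the blacklist entries are constructed for the example; `is_blacklisted` works equally on plain names exported from Show-DnsServerCache.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample resembling two "Rcv" lines of a 2008 R2 DNS debug log; the
# query name appears as length-prefixed labels, exactly as the thread describes.
SAMPLE_DEBUG_LOG = """\
11/20/2013 10:15:02 0B2C PACKET  000000000123ABCD UDP Rcv 10.0.0.15   0001   Q [0001   D   NOERROR] A      (3)www(16)experts-exchange(3)com(0)
11/20/2013 10:15:03 0B2C PACKET  000000000123ABCD UDP Rcv 10.0.0.22   0002   Q [0001   D   NOERROR] A      (3)cnc(7)badhost(7)example(0)
"""
# Constructed blacklist file (step 2 of the accepted answer); real lists are larger.
SAMPLE_BLACKLIST = "# one domain per line\nbadhost.example\nevil.test\n"

LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")          # (length)label pairs
WIRE_NAME_RE = re.compile(r"(?:\(\d+\)[^()\s]*)+\(0\)")  # whole name ending in (0)
CLIENT_RE = re.compile(r"\b(?:Rcv|Snd)\s+(\S+)")         # remote IP after Rcv/Snd

def decode_wire_name(wire: str) -> str:
    """Turn (3)www(16)experts-exchange(3)com(0) into www.experts-exchange.com."""
    labels = []
    for length, label in LABEL_RE.findall(wire):
        if length == "0":
            break                      # (0) is the empty root label: end of name
        if len(label) != int(length):  # corrupt or truncated log line
            raise ValueError(f"label length mismatch in {wire!r}")
        labels.append(label.lower())
    return ".".join(labels)

def load_blacklist(text: str) -> Set[str]:
    """Blacklist file: one domain per line, '#' comments, case/trailing-dot insensitive."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def is_blacklisted(fqdn: str, blacklist: Set[str]) -> bool:
    """True if the name or any parent domain is listed (cnc.badhost.example hits badhost.example)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blacklist for i in range(len(parts)))

def find_blacklisted_queries(log_lines: Iterable[str], blacklist: Set[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, fqdn) for every logged query whose name is blacklisted."""
    hits = []
    for line in log_lines:
        name = WIRE_NAME_RE.search(line)
        client = CLIENT_RE.search(line)
        if not name or not client:
            continue                   # not a packet line, or no name on it
        fqdn = decode_wire_name(name.group(0))
        if is_blacklisted(fqdn, blacklist):
            hits.append((client.group(1), fqdn))
    return hits
```

Call `find_blacklisted_queries(open(log_path).read().splitlines(), load_blacklist(open(list_path).read()))` against the real debug log; each hit gives you the querying workstation and the name it asked for.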
 
LVL 20

Author Comment

by:compdigit44
ID: 39696641
Can anyone recommend a good place to get a list of known malware/blacklist domains?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39721880
I have a Windows 2012 member server that is not a DNS server, but the show-dnsservercache PowerShell module is not loaded.
0
 
LVL 26

Assisted Solution

by:DrDave242
DrDave242 earned 333 total points
ID: 39727173
Try running import-module dnsserver. It should load the appropriate module and allow you to use show-dnsservercache (and quite a few other DNS-related cmdlets).
0
