How to trace DNS forwarding?

Hi Experts,
What I have:
2 x internal DNS server (Svr2008R2) - configured to forward queries 2 x external DNS server
2 x external DNS server (RHEL6.4 - bind) - configured to forward queries to Google DNS (,
Clients computers are configured to lookup names using 2 x internal DNS servers.

What I want to know is how to trace the DNS forwarding queries when a user do a DNS lookup on client computer. Technically, I know that query will be sent to internal DNS servers, then internal DNS server will forward the query to external DNS server, then external DNS servers will forward the query to Google DNS servers.  
But I need a way to trace DNS forwarding from client perspective.

Thanks in advance,
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

use the -debug option to nslookup
Not you will see a complete trace, though have not seen such a scheme.  Presumably you are working on the premise that by pushing everything to google's DNS, your systems will not face external DNS based attacks.

Decide which name servers you want querying the push them to the client.
When you have your own DNS servers performing and collecting the data, they will cache the results, when you forward, the same lookups will continue to be done.

i.e. you go to www,
the client sends a lookup for to your INternal DNS
Internal DNS forwars the request to your bind external DNS
your external Bind forwards to google DNS
google DNS collects and caches the data
google DNS responds back to bind external DNS
bind external DNS responds back to internal DNS
internal DNS responds back to the client that caches the result

now if another system on your network goes to the above flow takes place again.
If one of your managed DNS servers actually performed the query rather than forward, the second client system would have received the cached response.
U can install and run network monitor on client machine and internal dns servers to find out dns traffic
U can filter dns traffic
However this will not give you traffic that is flown between external dns (Bind) servers and dns servers out on the internet
Since the protocol doesn't include information about forwarding in any sense, you're out of luck. To trace it, you need to have network monitoring on EVERY single node the DNS request passes through. That means about 4 Wireshark installs (2 x Windows, 2 x RHEL). The matching, has to be done by you as well (on the second step (RHEL), you already don't know which is the original client requesting it, you have to use the Windows capture to trace it back.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
All DNS servers know where to send queries. They have some configuratio you know.
If windows server has DNS zone it answer's its records/nxdomains, if not it queries "external" dns servers
I dont know why you use google as a forwarder when BIND is completely capable of doing full resolution. Google is for desktop users who dont have DNS server.
netlynkerAuthor Commented:
Hi All,

Yes, using wireshark/tcpdump on DNS servers seem to be the only solution. Thank all for your help.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.