
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2142

How to trace DNS forwarding?

Hi Experts,
What I have:
2 x internal DNS servers (Svr2008R2) - configured to forward queries to 2 x external DNS servers
2 x external DNS servers (RHEL 6.4 - bind) - configured to forward queries to Google DNS (,
Client computers are configured to look up names using the 2 x internal DNS servers.

What I want to know is how to trace the DNS forwarding queries when a user does a DNS lookup on a client computer. Technically, I know that the query will be sent to the internal DNS servers, then the internal DNS server will forward the query to an external DNS server, then the external DNS servers will forward the query to Google DNS servers.
But I need a way to trace DNS forwarding from client perspective.

Thanks in advance,
2 Solutions
use the -debug option to nslookup
Not that you will see a complete trace, though; I have not seen such a scheme. Presumably you are working on the premise that by pushing everything to Google's DNS, your systems will not face external DNS-based attacks.

Decide which name servers you want querying, then push them to the client.
When you have your own DNS servers performing and collecting the data, they will cache the results, when you forward, the same lookups will continue to be done.

i.e. you go to www.experts-exchange.com
the client sends a lookup for www.experts-exchange.com to your internal DNS
internal DNS forwards the request to your BIND external DNS
your external Bind forwards to google DNS
google DNS collects and caches the data
google DNS responds back to bind external DNS
bind external DNS responds back to internal DNS
internal DNS responds back to the client that caches the result

now if another system on your network goes to www.experts-exchange.com the above flow takes place again.
If one of your managed DNS servers actually performed the query rather than forward, the second client system would have received the cached response.
You can install and run Network Monitor on the client machine and the internal DNS servers to find out the DNS traffic.
You can filter DNS traffic.
However, this will not give you the traffic that flows between the external DNS (BIND) servers and DNS servers out on the internet.
Since the protocol doesn't include information about forwarding in any sense, you're out of luck. To trace it, you need to have network monitoring on EVERY single node the DNS request passes through. That means about 4 Wireshark installs (2 x Windows, 2 x RHEL). The matching has to be done by you as well (on the second step (RHEL), you already don't know which is the original client requesting it; you have to use the Windows capture to trace it back).
All DNS servers know where to send queries. They have some configuration, you know.
If the Windows server has the DNS zone, it answers with its records/NXDOMAINs; if not, it queries the "external" DNS servers.
I don't know why you use Google as a forwarder when BIND is completely capable of doing full resolution. Google is for desktop users who don't have a DNS server.
netlynker (Author) commented:
Hi All,

Yes, using Wireshark/tcpdump on the DNS servers seems to be the only solution. Thanks all for your help.
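Since the thread settles on capturing at every hop and doing the matching by hand, here is an added example (not from the thread or any of its posters) of that matching step: it reads constructed tcpdump-style query lines labelled with the hop they were captured on and chains each client lookup through the internal and external forwarders. Addresses, ports and transaction IDs are all made up; 8.8.8.8 is assumed as the Google upstream.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style query lines (not from the original thread), one capture per hop,
# with the hop name prepended. 8.8.8.8 is assumed as the Google upstream; the rest are placeholders.
CAPTURES = """\
client   10:00:00.001 IP 10.0.0.25.51234 > 10.0.0.10.53: 4321+ A? www.experts-exchange.com.
internal 10:00:00.003 IP 10.0.0.10.60123 > 192.0.2.10.53: 8876+ A? www.experts-exchange.com.
external 10:00:00.005 IP 192.0.2.10.40001 > 8.8.8.8.53: 1200+ A? www.experts-exchange.com.
client   10:00:05.100 IP 10.0.0.26.51300 > 10.0.0.10.53: 777+ A? www.experts-exchange.com.
"""
HOPS = ["client", "internal", "external"]  # capture points along the forwarding path
LINE = re.compile(r"(?P<hop>\w+)\s+(?P<h>\d+):(?P<m>\d+):(?P<s>[\d.]+) IP (?P<src>[\d.]+)\.\d+ > "
                  r"(?P<dst>[\d.]+)\.53: (?P<txid>\d+)\+? (?P<qtype>\w+)\? (?P<qname>\S+)")

def parse_capture(text):
    """Turn hop-labelled query lines into records; responses and other lines are skipped."""
    records = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        records.append({"hop": m["hop"], "time": t, "src": m["src"], "dst": m["dst"],
                        "txid": int(m["txid"]), "q": (m["qname"].lower(), m["qtype"])})
    return records

def trace_queries(records, window=1.0):
    """Chain each client query through the forwarders.
    DNS carries no forwarding marker and each forwarder picks its own transaction ID, so
    hops can only be matched on (qname, qtype) plus arrival order within `window` seconds.
    A chain that ends at the client hop was answered without forwarding (e.g. from cache)."""
    by_hop = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_hop[r["hop"]].append(r)
    used, chains = set(), []
    for start in by_hop["client"]:
        chain = [start]
        for hop in HOPS[1:]:
            prev = chain[-1]
            nxt = next((r for r in by_hop[hop] if id(r) not in used and r["q"] == prev["q"]
                        and 0 <= r["time"] - prev["time"] <= window), None)
            if nxt is None:
                break
            used.add(id(nxt))
            chain.append(nxt)
        chains.append(chain)
    return chains

def describe(chain):
    """One-line summary, e.g. client(10.0.0.25>10.0.0.10 id=4321) -> internal(...)."""
    return " -> ".join(f"{r['hop']}({r['src']}>{r['dst']} id={r['txid']})" for r in chain)
```

The second client lookup in the sample has no matching downstream packets, which is what a cache hit on the internal server looks like in the captures.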

