Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

DNS Logging to track

Posted on 2014-12-15
5
Medium Priority
?
44 Views
Last Modified: 2015-03-04
I have a server 2003 running DNS in my AD. I received a report that one of my PC's is sending DNS requests to a "Sink holed" domain. I have turned on logging but not sure how to go about finding the culprit. Any help is greatly appreciated! Thanks
0
Comment
Question by:eli290
5 Comments
 
LVL 12

Expert Comment

by:DLeaver
ID: 40500169
One of your PC's?

Lock down your firewall so that only the DC/DNS server(s) are sending out DNS requests to the internet.  This will stop the outbound issue.  You can then examine traffic requests coming from the PC when they hit the firewall.

Check the host file on the PC in the first instance if it is only happening to one
0
 
LVL 7

Expert Comment

by:Deadman
ID: 40500174
for DNS logging of web site access you need a proxy server solution
0
 

Author Comment

by:eli290
ID: 40500209
I dont have access to my firewall since we are behind our county network. They alerted me about the DNS requests. They said to turn on DNS logging on my server to see where they originate. I turned on logging but not sure where I would even find the requests.
0
 

Author Comment

by:eli290
ID: 40500221
I just installed wireshark and running a capture to see if  I can grab the info from there. I am using a capture filter of Port 53
0
 
LVL 2

Accepted Solution

by:
UnHeardOf earned 2000 total points
ID: 40596415
it sounds like reverse lookup records for RFC1918 addresses are hitting the internet which are directed to black hole dns servers. RFC1918 lookups should never reach the internet. You would need to create the reverse lookup zones.

You could enable dns logging and set the options to log the following:

incoming requests
queries
udp
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question