Solved

DNS Logging to track

Posted on 2014-12-15
5
39 Views
Last Modified: 2015-03-04
I have a server 2003 running DNS in my AD. I received a report that one of my PC's is sending DNS requests to a "Sink holed" domain. I have turned on logging but not sure how to go about finding the culprit. Any help is greatly appreciated! Thanks
0
Comment
Question by:eli290
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 12

Expert Comment

by:DLeaver
ID: 40500169
One of your PC's?

Lock down your firewall so that only the DC/DNS server(s) are sending out DNS requests to the internet.  This will stop the outbound issue.  You can then examine traffic requests coming from the PC when they hit the firewall.

Check the host file on the PC in the first instance if it is only happening to one
0
 
LVL 7

Expert Comment

by:Deadman
ID: 40500174
for DNS logging of web site access you need a proxy server solution
0
 

Author Comment

by:eli290
ID: 40500209
I dont have access to my firewall since we are behind our county network. They alerted me about the DNS requests. They said to turn on DNS logging on my server to see where they originate. I turned on logging but not sure where I would even find the requests.
0
 

Author Comment

by:eli290
ID: 40500221
I just installed wireshark and running a capture to see if  I can grab the info from there. I am using a capture filter of Port 53
0
 
LVL 2

Accepted Solution

by:
UnHeardOf earned 500 total points
ID: 40596415
it sounds like reverse lookup records for RFC1918 addresses are hitting the internet which are directed to black hole dns servers. RFC1918 lookups should never reach the internet. You would need to create the reverse lookup zones.

You could enable dns logging and set the options to log the following:

incoming requests
queries
udp
0

Featured Post

Veeam gives away 10 full conference passes

Veeam is a VMworld 2017 US & Europe Platinum Sponsor. Enter the raffle to get the full conference pass. Pass includes the admission to all general and breakout sessions, VMware Hands-On Labs, Solutions Exchange, exclusive giveaways and the great VMworld Customer Appreciation Part

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question