We are receiving alerts from our firewall that it has detected traffic to a suspicious website. This is Firewall Advanced Threat Protection (Sophos), and the site does look suspicious.
The firewall thinks that it's our Domain Controller that is "Infected".
I did some checks and I think our domain controller is trying to resolve this IP, but I think this is a query from one of our desktops. As you know, Windows desktops on the domain must have the DC as first DNS, so our DC is a forwarder.
Where in Windows (2012R2) may I see what workstation requested what DNS address?