Trace client DNS queries - 2008R2

I have 2008R2 on my home network running as DC, DHCP, DNS, file/print etc.
I also use OpenDNS and have an old account from when it was freely available.
Statistics from my OpenDNS account suggest something on my network is accessing undesirable .cn and .ru domains, amongst others.
They are not in a category which OpenDNS is set to block but nonetheless, they are not "normal" in my opinion.

One or two of my "users" at home that have browsing behaviour leaving them susceptible to picking up viruses/malware have been removed from my domain and placed on a separate VLAN which is restricted via firewall from communicating with the domain and makes its queries direct to OpenDNS (208.67.222.222).

Members of the domain query the 2k8R2 server which is configured to use OpenDNS as forwarders. All of the machines including server are coming back clean on virus/malware scans. The number of DNS "hits" per day is between 1-4 to each domain so not significant numbers but I'd still like to pinpoint the source.

My question is whether any of the additional logging which I understand can be enabled for DNS on 2008R2 can determine where (source IP or hostname) queries for a particular domain (subsequently passed to forwarders) are originating from on my network?
Asked by Stuart Oram, IT Technical Lead (Project Sites)

Zephyr ICT (Cloud Architect) commented:
You can enable this in the logging settings of your DNS server:

1. Right-click your DNS server in the DNS admin window and select Properties.
2. Click on the Debug Logging tab.
3. Make sure the Incoming, UDP, Queries/Transfers, and Request check boxes are checked.

Make sure you have enough room to accommodate the log file; it can grow large.

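Added example, not part of the original thread or any participant's code: once debug logging is writing its log file, a short Python script can attribute queries for chosen TLDs (here `.cn` and `.ru`) to the client IPs that sent them. The PACKET line layout is assumed to follow the field key printed at the top of the log file, and the sample lines, client addresses, domain names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed PACKET layout (check the field key at the top of your own log):
# ... PACKET <id> UDP|TCP Snd|Rcv <remote IP> <xid> [R] <opcode> [<flags> <rcode>] <qtype> <qname>
PACKET_RE = re.compile(
    r"PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R\s+)?(?P<op>[QNU?])\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\(\d+\)\S*)"
)

# Constructed sample lines (not from a real server); includes forwarder traffic and responses.
SAMPLE_LOG = """\
03/02/2014 10:15:01 0A4C PACKET  0000000002A3B4C0 UDP Rcv 192.168.1.23    3f2a   Q [0001   D   NOERROR] A      (3)www(8)sample-a(2)cn(0)
03/02/2014 10:15:01 0A4C PACKET  0000000002B7C1D0 UDP Snd 208.67.222.222  9c11   Q [0001   D   NOERROR] A      (3)www(8)sample-a(2)cn(0)
03/02/2014 10:15:01 0A4C PACKET  0000000002B7C1D0 UDP Rcv 208.67.222.222  9c11 R Q [8081   DR  NOERROR] A      (3)www(8)sample-a(2)cn(0)
03/02/2014 10:15:01 0A4C PACKET  0000000002A3B4C0 UDP Snd 192.168.1.23    3f2a R Q [8081   DR  NOERROR] A      (3)www(8)sample-a(2)cn(0)
03/02/2014 10:16:40 0A4C PACKET  0000000002A3B4C0 UDP Rcv 192.168.1.31    51d0   Q [0001   D   NOERROR] A      (4)mail(8)sample-c(3)com(0)
03/02/2014 10:20:12 0A4C PACKET  0000000002A3B4C0 UDP Rcv 192.168.1.23    77ab   Q [0001   D   NOERROR] A      (8)sample-b(2)ru(0)
"""

def decode_qname(raw):
    """Turn the log's length-prefixed form '(3)www(8)sample-a(2)cn(0)' into 'www.sample-a.cn'."""
    return ".".join(label for label in re.split(r"\(\d+\)", raw) if label).lower()

def clients_for_suffixes(lines, suffixes):
    """Map each matching domain to {client IP: query count}, counting received queries only."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = PACKET_RE.search(line)
        # Skip non-packet lines, packets the server sent, and responses it received.
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        name = decode_qname(m.group("qname"))
        if any(name == s.lstrip(".") or name.endswith(s) for s in suffixes):
            hits[name][m.group("ip")] += 1
    return {domain: dict(clients) for domain, clients in hits.items()}

if __name__ == "__main__":
    for domain, clients in clients_for_suffixes(SAMPLE_LOG.splitlines(), (".cn", ".ru")).items():
        print(domain, clients)
```

To run it against a real log, pass the open log file (an iterable of lines) in place of `SAMPLE_LOG.splitlines()`.
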
Stuart Oram (IT Technical Lead, Project Sites), author, commented:
Thanks, I'll give this a try.

Stuart Oram (IT Technical Lead, Project Sites), author, commented:
Thanks, I have left this running for a while and see it is producing the required information.

Zephyr ICT (Cloud Architect) commented:
No worries, good hunting!

Question has a verified solution.
