I have 2008R2 on my home network running as DC, DHCP, DNS, file/print etc.
I also use OpenDNS and have an old account from when it was freely available.
Statistics from my OpenDNS account suggest something on my network is accessing undesirable .cn and .ru domains, amongst others.
They are not in a category which OpenDNS is set to block but nonetheless, they are not "normal" in my opinion.
One or two of my "users" at home that have browsing behaviour leaving them susceptible to picking up viruses/malware have been removed from my domain and placed on a separate VLAN which is restricted via firewall from communicating with the domain and makes its queries direct to OpenDNS (220.127.116.11).
Members of the domain query the 2k8R2 server which is configured to use OpenDNS as forwarders. All of the machines including server are coming back clean on virus/malware scans. The number of DNS "hits" per day is between 1-4 to each domain so not significant numbers but I'd still like to pinpoint the source.
My question is whether any of the additional logging which I understand can be enabled for DNS on 2008R2 can determine where (source IP or hostname) queries for a particular domain (subsequently passed to forwarders) are originating from on my network?
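The attribution the question asks for, as an added example that is not part of the original post: a small Python parser for the packet lines of the Windows DNS Server debug log (the line layout and the sample lines below are constructed from my understanding of that log, not taken from this network), keeping only queries received from internal clients and counting them per client IP and queried name, so the server's own forwarding traffic and the forwarder's answers are not mistaken for a source.

```python
import re
from collections import Counter

# Assumed layout of a debug-log packet line (constructed, not from the poster's server):
#  date time threadId PACKET packetId UDP|TCP Snd|Rcv remoteIp xid [R] Q [flags] qtype (3)www(7)example(3)com(0)
LOG_LINE = re.compile(
    r"^\S+\s+\S+(?:\s+[AP]M)?\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+\S+\s+"
    r"(?P<resp>R\s+)?(?P<op>[QNU])\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample: one client asks for a .com name, another for .cn and .ru names;
# 220.127.116.11 is the OpenDNS forwarder address from the post.
SAMPLE_LOG = """\
3/14/2012 8:51:27 AM 0B2C PACKET  000000000A2E5F50 UDP Rcv 192.168.1.23   0002   Q [0001   D   NOQUERY] A      (3)www(7)example(3)com(0)
3/14/2012 8:51:27 AM 0B2C PACKET  000000000A2E5F50 UDP Snd 220.127.116.11 a1f3   Q [0001   D   NOQUERY] A      (3)www(7)example(3)com(0)
3/14/2012 8:51:28 AM 0B2C PACKET  000000000A2E5F50 UDP Rcv 220.127.116.11 a1f3 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/14/2012 8:52:03 AM 0B2C PACKET  000000000A2E6120 UDP Rcv 192.168.1.47   0003   Q [0001   D   NOQUERY] A      (6)update(7)example(2)cn(0)
3/14/2012 8:52:03 AM 0B2C PACKET  000000000A2E6120 UDP Snd 220.127.116.11 b7c2   Q [0001   D   NOQUERY] A      (6)update(7)example(2)cn(0)
3/14/2012 8:52:04 AM 0B2C PACKET  000000000A2E6120 UDP Rcv 220.127.116.11 b7c2 R Q [8081   DR  NOERROR] A      (6)update(7)example(2)cn(0)
3/14/2012 9:10:41 AM 0B2C PACKET  000000000A2E7A10 UDP Rcv 192.168.1.47   0004   Q [0001   D   NOQUERY] A      (3)cdn(7)example(2)ru(0)
"""


def decode_qname(raw):
    """Turn the log's length-prefixed form (3)www(7)example(3)com(0) into www.example.com."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^(]*)", raw) if label]
    return ".".join(labels).lower()


def client_queries(lines, suffixes=(".cn", ".ru")):
    """Count queries per (client IP, name) for names ending in one of the suffixes."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        # Snd lines are the server forwarding on; Rcv with the R flag is the forwarder's
        # answer. Only a received query (no R flag) originates from a client on the LAN.
        if m["dir"] != "Rcv" or m["resp"] or m["op"] != "Q":
            continue
        name = decode_qname(m["qname"])
        if name.endswith(tuple(suffixes)):
            hits[(m["ip"], name)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (ip, name), count in sorted(client_queries(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:<16} {name:<30} {count}")
```

The log records the address of whichever host sent the query, so a client behind a NAT device or proxy appears as that device rather than as itself.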