Member_2_1261037 (United States of America) asked:

DNS audit tool needed

Is there a tool/program that would allow me to see all the DNS queries being made on a PC in real time? I would like to be able to load a web page or run a program and see all the FQDNs referenced and looked up via DNS.

We use an L7 firewall and find it troublesome to give someone access to a single web site, since no web site loads from a single IP address anymore. When using browser dev tools/view, you can see the IP address, but this is usually ineffective when a CDN is used and moves dynamically to various IPs/server farms. I would like to see the FQDNs used by web sites and servers by tracking all the DNS queries made on my machine in real time, so I can then use those to build firewall rules.

I'm amazed at how many SaaS services still list IP ranges for firewall access and none can give you FQDNs!?!?!
DNS, Hardware Firewalls

Last Comment: 8/22/2022 - Mon

You see DNS queries in DNS server logs?


If you just want to see what your individual computer is doing, I would just run a packet capture with something like Wireshark and filter on port 53 only.

If you want to see "everything" for your company, then I would go down the path gheist is suggesting and see what logging your internal DNS server has and enable it.  I know BIND based DNS servers can log DNS lookup requests.

You can also fake DNS and have the target machine send its queries to the fake DNS to grab the DNS query call, though it may not be totally simulating the DNS response. Indeed, the DNS server logging will be good.
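Both suggestions above (capture the queries on port 53, or stand up a fake DNS that the machine is pointed at) need the same thing: something that reads the raw DNS question out of a UDP payload. The following is an added example, not code from the thread: a minimal DNS "sink" that logs every QNAME it is asked for and answers with a fixed address, together with the wire-format parser it relies on. The bind address, port and answer IP are assumptions (adjust them for your lab); the parser works on the UDP payload itself, so it does not care which port the traffic used, and it follows name-compression pointers with a loop guard so a hostile packet cannot spin it.

```python
"""Added example (not from the thread): tiny DNS sink + RFC 1035 question parser."""
import socket
import struct

# Constructed sample (not captured traffic): a standard A query for www.example.com,
# transaction id 0x1234, recursion-desired flag set, one question.
SAMPLE_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
                + b"\x03www\x07example\x03com\x00"
                + bytes.fromhex("0001 0001"))


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the uncompressed stream)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, top bits 11
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                    # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_query(msg: bytes) -> dict:
    """Parse the header and the first question of a DNS message (query or response)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    xid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": xid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "qclass": qclass, "question_end": off + 4}


def build_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Echo the question back with one A record pointing at answer_ip (qtype 1 only;
    any other qtype gets an empty NOERROR reply so the client does not hang)."""
    q = parse_query(query)
    ancount = 1 if q["qtype"] == 1 else 0
    header = struct.pack("!6H", q["id"], 0x8180, 1, ancount, 0, 0)   # QR, RD, RA set
    question = query[12:q["question_end"]]
    if not ancount:
        return header + question
    # 0xC00C = compression pointer to the name at offset 12 (start of the question)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def serve(bind_host: str = "0.0.0.0", port: int = 53, answer_ip: str = "127.0.0.1") -> None:
    """Live part (assumed lab settings): log every question and answer with answer_ip.
    Binding port 53 needs root/administrator; point the test PC's resolver here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_host, port))
        while True:
            data, peer = s.recvfrom(4096)
            try:
                q = parse_query(data)
            except (ValueError, IndexError, struct.error) as exc:
                print(f"{peer[0]} malformed packet: {exc}")
                continue
            print(f"{peer[0]} qtype={q['qtype']} {q['qname']}")
            s.sendto(build_response(data, answer_ip), peer)


if __name__ == "__main__":
    serve()
```

Because the client gets a syntactically valid answer, programs keep running and keep resolving, so you see the full set of FQDNs a page or application touches instead of just the first one that failed.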

You have a few options.

If you have a firewall between the DNS server and the querying hosts, dump DNS traffic from that IP. On most appliances you should be able to run a tcpdump (Sophos UTM, F5, PA, etc.).

tcpdump -veni eth0 host <hostip> and port 53 -w /var/tmp/dns.pcap

Open the tcpdump capture with Wireshark.

Otherwise, if the DNS server is Windows, turn on DNS debug logging. There are PowerShell scripts out there for parsing the debug log files.

Intercept the DNS traffic with Wireshark in real time with an easy filter (replace <ip> with the IP of the machine): dns && ip.addr == <ip>

Also good to note: there are "exceptions" to name resolution depending on the client OS. For example, the following name resolution mechanisms may be used:
- Windows clients will check a local Hosts file, then DNS, then do NetBIOS name resolution.
- OSX clients will also use multicast DNS (UDP port 5353) to resolve .local addresses.
- Linux / Unix systems will use /etc/nsswitch.conf to determine the hostname resolution order. Alternate mechanisms include LDAP and NIS.

Also, most people assume DNS goes through the well-known port 53. Wireshark can analyse it using its DNS dissector (https://wiki.wireshark.org/DNS) to filter out the DNS traffic regardless of port. You can check the Wireshark sample of DNS traffic not using port 53 - see dns_port.pcap (DNS running on a different port than 53) at https://wiki.wireshark.org/SampleCaptures#Captures_used_in_Wireshark_testing
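The Windows DNS debug log mentioned above is plain text, so it does not need a vendor script to be useful. What follows is an added example, not from the thread or from Microsoft: a parser for the one-line PACKET format the Windows DNS Server writes when debug logging is enabled for packet direction, contents and type but the "Details" option is left off (that layout is an assumption; check one real line against the regex before trusting it). It turns each received query into (client, qtype, FQDN) and groups the FQDNs per client, which is exactly the list you need when building FQDN-based firewall rules. The log lines are constructed for the example, not real traffic.

```python
"""Added example (not from the thread): Windows DNS Server debug log -> FQDNs per client."""
import re
from collections import defaultdict

# Constructed sample lines in the assumed one-line Windows DNS debug log layout (not real traffic).
SAMPLE_LOG = """\
8/22/2022 9:03:11 AM 0A2C PACKET  000001E3B5C0F6A0 UDP Rcv 10.1.20.15      0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/22/2022 9:03:11 AM 0A2C PACKET  000001E3B5C0F6A0 UDP Snd 10.1.20.15      0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/22/2022 9:03:12 AM 0A2C PACKET  000001E3B5C12C40 UDP Rcv 10.1.20.15      0003   Q [0001   D   NOERROR] AAAA   (3)cdn(7)example(3)com(0)
8/22/2022 9:03:15 AM 0A2C PACKET  000001E3B5C13AA0 UDP Rcv 10.1.20.22      00a1   Q [0001   D   NOERROR] A      (6)assets(7)example(3)net(0)
8/22/2022 9:03:16 AM 0A2C PACKET  000001E3B5C13AA0 UDP Rcv 10.1.20.22      00a2   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# One PACKET line: date, time, thread id, PACKET, packet id, UDP/TCP, Snd/Rcv,
# remote IP, transaction id, optional R (response), opcode, [flags], qtype, encoded qname.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?:(?P<resp>R)\s+)?(?P<op>\w)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# The log writes names as (len)label(len)label(0); capture each length/label pair.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_labels(encoded: str) -> str:
    """Turn (3)www(7)example(3)com(0) into www.example.com, checking each
    label length against its prefix so a truncated or garbled line is rejected."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if label:                       # the trailing (0) is the root label
            labels.append(label)
    return ".".join(labels)


def parse_debug_log(text: str) -> list[dict]:
    """Parse every well-formed PACKET line; headers, blank lines and anything
    else (e.g. multi-line packet details) are skipped rather than failing the run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["is_response"] = rec.pop("resp") == "R"
        rec["fqdn"] = decode_labels(rec["qname"])
        records.append(rec)
    return records


def queries_by_client(records: list[dict]) -> dict[str, list[str]]:
    """Map each client IP to the sorted, de-duplicated FQDNs it asked for.
    Only received queries count: Snd lines and R (response) lines are the server talking."""
    seen: dict[str, set] = defaultdict(set)
    for r in records:
        if r["dir"] == "Rcv" and not r["is_response"]:
            seen[r["ip"]].add(r["fqdn"])
    return {ip: sorted(names) for ip, names in seen.items()}


if __name__ == "__main__":
    for ip, names in queries_by_client(parse_debug_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(names))
```

To use it on a real server, read the file the debug log is configured to write (it is plain text, though it can grow quickly) and feed it to parse_debug_log; filtering on one client IP gives the FQDN list for the PC you are profiling.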

Probably you participate (unwillingly, by means of ignorance) in DNS amplification attacks.
This article explains how to contain them:

DNSQuerySniffer is exactly what I was looking for, thanks! I needed something I can run locally on demand without having to dig through server logs.

thanks for sharing