Member_2_1261037 (United States of America) asked:
DNS audit tool needed

Is there a tool/program that would allow me to see all the DNS queries being made on a PC real time?  I would like to be able to load a web page or run a program and see all the FQDN's referenced and looked up via DNS.

We use a L7 firewall and find it troublesome to give someone access to a single web site since no web site loads from a single IP address anymore.  When using browser DEV tools/view, you can see IP ADDRESS, but this is usually ineffective when a CDN is used and moves dynamically to various IPs/server farms.  I would like to see the FQDN names used by web sites and servers by tracking all the DNS queries made on my machine realtime so I can then use those to build firewall rules.

I'm amazed at how many SaaS services still list IP ranges for firewall access and none can give you FQDNs!?!?!
gheist (Belgium):

You see DNS queries in DNS server logs?
ASKER CERTIFIED SOLUTION
btan:
If you just want to see what your individual computer is doing I would just run  a packet capture with something like Wireshark and filter on port 53 only.

If you want to see "everything" for your company, then I would go down the path gheist is suggesting and see what logging your internal DNS server has and enable it.  I know BIND based DNS servers can log DNS lookup requests.
btan:

You can also fake DNS and have the target machine send its queries to the fake DNS to grab the DNS query calls, though it may not totally simulate the DNS response. Indeed, DNS server logging will be good.
You have a few options.

If you have a firewall between the DNS server and the source of the queries, dump DNS traffic from that IP. On most appliances you should be able to run a tcpdump (Sophos UTM, F5, PA, etc.).

tcpdump -veni eth0 host <hostip> and port 53 -w /var/tmp/dns.pcap

Open the tcpdump capture with Wireshark.

Otherwise, if the DNS server is Windows, turn on DNS debug logging. There are PowerShell scripts out there for parsing the debug log files.

Intercept the DNS traffic with Wireshark in real time with an easy filter (replace 1.1.1.1 with the IP of the machine): dns && ip.addr==1.1.1.1
Good to note also that there are "exceptions" for name resolution depending on the client OS. For example, name resolution mechanisms like these may be used:
- Windows clients will check a local Hosts file, then DNS, then do NetBIOS name resolution.
- OSX clients will also use multicast DNS (UDP port 5353) to resolve .local addresses.
- Linux / Unix systems will use /etc/nsswitch.conf to determine the hostname resolution order. Alternate mechanisms include LDAP and NIS.

Also, most assume DNS goes through the well-known port 53. Wireshark can analyse it using its DNS dissector (https://wiki.wireshark.org/DNS) to filter out the DNS traffic. You can check the Wireshark sample of DNS traffic not using port 53 - see dns_port.pcap (DNS running on a different port than 53) @ https://wiki.wireshark.org/SampleCaptures#Captures_used_in_Wireshark_testing
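Once you have the port-53 capture, the question section of each DNS message is what carries the FQDN you want for the firewall rule. The following is an added example, not code from this thread or from Wireshark, that decodes that section from raw UDP payloads, including RFC 1035 compression pointers; the sample message is constructed inline rather than captured.

```python
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 16: "TXT", 65: "HTTPS"}

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                # 2-byte compression pointer
            if not jumped:
                end = offset + 2                 # name ends right after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:                        # guard against pointer loops in hostile data
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:                          # root label terminates the name
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_queries(payload: bytes) -> list[tuple[str, str]]:
    """Return (qname, qtype) pairs from the question section of one DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    out, offset = [], 12                         # question section follows the 12-byte header
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        out.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return out

def unique_fqdns(payloads: list[bytes]) -> list[str]:
    """Sorted, de-duplicated FQDNs across many port-53 payloads: the list a rule needs."""
    return sorted({name for p in payloads for name, _ in parse_queries(p)})

# Constructed sample (not captured traffic): one query with QDCOUNT=2; the second
# name is compressed with a pointer (0xC010) back to "example.com" at offset 16.
SAMPLE_QUERY = (
    b"\xab\xcd\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00"     # id, flags=RD, QDCOUNT=2
    b"\x03cdn\x07example\x03com\x00\x00\x01\x00\x01"        # cdn.example.com  A
    b"\x06static\xc0\x10\x00\x1c\x00\x01"                    # static.[ptr]     AAAA
)
```

Feed it the UDP payloads of the port-53 packets from your capture; since only the question section is parsed, queries and responses both yield the name that was looked up.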
Probably you participate (unwillingly, by means of ignorance) in DNS amplification attacks.
This article explains how to contain them:
https://www.us-cert.gov/ncas/alerts/TA13-088A
Member_2_1261037 (ASKER):
DNSQuerySniffer is exactly what I was looking for, thanks!  I needed something I can run locally on demand without having to dig through server logs.
thanks for sharing