DNS audit tool needed

Is there a tool/program that would allow me to see all the DNS queries being made on a PC real time?  I would like to be able to load a web page or run a program and see all the FQDN's referenced and looked up via DNS.

We use a L7 firewall and find it troublesome to give someone access to a single web site since no web site loads from a single IP address anymore.  When using browser DEV tools/view, you can see IP ADDRESS, but this is usually ineffective when a CDN is used and moves dynamically to various IPs/server farms.  I would like to see the FQDN names used by web sites and servers by tracking all the DNS queries made on my machine realtime so I can then use those to build firewall rules.

I'm amazed at how many SaaS services still list IP ranges for firewall access and none can give you FQDNs!?!?!
tcloudAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
You see DNS queries in DNS server logs?
0
btanExec ConsultantCommented:
INetSim toolkit will be handy as it can trap the queries and othr protocol as well though its main use case is mainly for capturing and analysing runtime behaviour of malware . I do see it may help in your case. Here is an log sample
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] connect
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] recv: Query Type A, Class IN, Name mail.evil.org
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] send: mail.evil.org 3600 IN A 172.16.1.1
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] disconnect
Do also check your host file for any hardcoded records and clean them up.
http://www.inetsim.org/features.html

However, it does not have Windows package. But there are other (simpler) candidates of similar capability with clean GUI.
- DNSQuerySniffer (not bad) @ http://www.nirsoft.net/utils/dns_query_sniffer.html
- FakeNet @ http://sourceforge.net/projects/fakenet/
- ApateDNS (not bad) @ https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
giltjrCommented:
If you just want to see what your individual computer is doing I would just run  a packet capture with something like Wireshark and filter on port 53 only.

If you want to see "everything" for your company, then I would go down the path gheist is suggesting and see what logging your internal DNS server has and enable it.  I know BIND based DNS servers can log DNS lookup requests.
0
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

btanExec ConsultantCommented:
you can also fake DNS and have the target machine sent it to the fakeDNS to grab the DNS query call though it may not be totally simulating the DNS response. Indeed the DNS server logging will be good.
0
LearnctxEngineerCommented:
You have a few options.

If you have a firewall between the DNS server and the queries dump DNS traffic from that IP. Most appliances you should be able to do a tcpdump (Sophos UTM, F5, PA, etc).

tcpdump -veni eth0 host <hostip> port 53 -w /var/tmp/dns.pcap

Open the TCP dump with Wireshark.

Otherwise you know if the DNS server is windows turn on DNS debug logging. There are PowerShell scripts out there for parsing the debug log files.

Intercept the DNS traffic with Wireshark in real time with an easy filter (replace 1.1.1.1 with the IP of the machine): dns && ip.addr==1.1.1.1
0
btanExec ConsultantCommented:
Good to note also there is "exception" for name resolution depending on client OS. For example, such name resolution mechanisms may be used like
- For Windows clients will check a local Hosts file, then DNS, then do NetBIOS name resolution.
- For OSX clients will also use multicast DNS (UDP port 5353) to resolve .local addresses.
- For Linux / Unix systems will use /etc/nsswitch.conf to determine the hostname resolution order. Alternate mechanisms include LDAP and NIS.

Also most assumption of DNS goes through the known port 53. Wireshark can analyse using its DNS dissector (https://wiki.wireshark.org/DNS) to filter off the DNS traffic. You can check Wireshark sample of DNS traffic not using port 53 - see dns_port.pcap
(DNS running on a different port than 53) @ https://wiki.wireshark.org/SampleCaptures#Captures_used_in_Wireshark_testing
0
gheistCommented:
Probably you participate (unvillingly, by means of ignorance) in DNS amplification attacks.
This article explains how to contain them:
https://www.us-cert.gov/ncas/alerts/TA13-088A
0
tcloudAuthor Commented:
DNSQuerySniffer is exactly what I was looking for, thanks!  I needed something I can run locally on demand without having to dig through server logs.
0
btanExec ConsultantCommented:
thanks for sharing
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
DNS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.