DNS audit tool needed

tcloud asked:
Is there a tool/program that would allow me to see all the DNS queries being made on a PC in real time? I would like to be able to load a web page or run a program and see all the FQDNs referenced and looked up via DNS.

We use an L7 firewall and find it troublesome to give someone access to a single web site, since no web site loads from a single IP address anymore. When using browser dev tools/view, you can see the IP address, but this is usually ineffective when a CDN is used and moves dynamically to various IPs/server farms. I would like to see the FQDNs used by web sites and servers by tracking all the DNS queries made on my machine in real time, so I can then use those to build firewall rules.

I'm amazed at how many SaaS services still list IP ranges for firewall access and none can give you FQDNs!?!?!
Top Expert 2015

Commented:
You see DNS queries in DNS server logs?
Exec Consultant
Distinguished Expert 2018
Commented:
The INetSim toolkit will be handy, as it can trap the queries and other protocols as well, though its main use case is capturing and analysing the runtime behaviour of malware. I do see it may help in your case. Here is a log sample:
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] connect
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] recv: Query Type A, Class IN, Name mail.evil.org
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] send: mail.evil.org 3600 IN A 172.16.1.1
[2007-10-07 14:26:00] [samplesession] [dns 53/udp/tcp] [172.16.1.5] disconnect
Do also check your host file for any hardcoded records and clean them up.
http://www.inetsim.org/features.html

However, it does not have a Windows package. But there are other (simpler) candidates of similar capability with a clean GUI:
- DNSQuerySniffer (not bad) @ http://www.nirsoft.net/utils/dns_query_sniffer.html
- FakeNet @ http://sourceforge.net/projects/fakenet/
- ApateDNS (not bad) @ https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns
Top Expert 2014

Commented:
If you just want to see what your individual computer is doing, I would just run a packet capture with something like Wireshark and filter on port 53 only.

If you want to see "everything" for your company, then I would go down the path gheist is suggesting and see what logging your internal DNS server has, and enable it. I know BIND-based DNS servers can log DNS lookup requests.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
You can also fake DNS and have the target machine send its queries to the fake DNS to grab the DNS query calls, though it may not totally simulate the DNS response. Indeed, the DNS server logging will be good.
You have a few options.

If you have a firewall between the DNS server and the clients, dump DNS traffic from that IP. On most appliances you should be able to run a tcpdump (Sophos UTM, F5, PA, etc.). The capture options go before the filter expression, and the two filter primitives need an explicit "and":

tcpdump -veni eth0 -w /var/tmp/dns.pcap 'host <hostip> and port 53'

Open the tcpdump capture with Wireshark.

Otherwise, if the DNS server is Windows, turn on DNS debug logging. There are PowerShell scripts out there for parsing the debug log files.

Intercept the DNS traffic with Wireshark in real time with an easy filter (replace 1.1.1.1 with the IP of the machine): dns && ip.addr==1.1.1.1
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Good to note also that there are "exceptions" for name resolution depending on the client OS. For example, name resolution mechanisms such as these may be used:
- Windows clients will check a local Hosts file, then DNS, then do NetBIOS name resolution.
- OS X clients will also use multicast DNS (UDP port 5353) to resolve .local addresses.
- Linux/Unix systems will use /etc/nsswitch.conf to determine the hostname resolution order. Alternate mechanisms include LDAP and NIS.

Also, most people assume DNS goes through the well-known port 53. Wireshark can analyse using its DNS dissector (https://wiki.wireshark.org/DNS) to filter the DNS traffic. You can check the Wireshark sample of DNS traffic not using port 53 - see dns_port.pcap (DNS running on a different port than 53) @ https://wiki.wireshark.org/SampleCaptures#Captures_used_in_Wireshark_testing
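The comments above capture DNS with tcpdump or Wireshark filtered on port 53, and the last one warns that DNS does not always run on port 53. The following is an added example, not code from this thread or from any of the tools named in it: a small parser for the DNS wire format (RFC 1035) that pulls the queried names and the A/CNAME answers out of raw UDP payloads, and collects every FQDN seen, which is the list the asker wants for building firewall rules. Because it inspects the payload rather than the port, the same check (looks_like_dns) works on traffic captured from any port. The query and response bytes below are hand-constructed, not taken from a real capture; the transaction ID, names and address in them are made up for the illustration.

```python
"""Extract queried names and A/CNAME answers from raw DNS messages (added example)."""
import struct

QTYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def _read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:        # the name ends right after the first pointer
                end = offset + 2
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns(msg: bytes) -> dict:
    """Parse the header, question and answer sections of one DNS message."""
    if len(msg) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount > 16:               # real queries carry one question; reject junk early
        raise ValueError("implausible question count")
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                       # A record: dotted quad
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == 5:                                    # CNAME: another name
            value, _ = _read_name(msg, offset)
        else:                                               # anything else: raw hex
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((name, QTYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def looks_like_dns(payload: bytes) -> bool:
    """Content check for UDP payloads on ports other than 53: parses, or is rejected."""
    try:
        return bool(parse_dns(payload)["questions"])
    except (ValueError, IndexError, struct.error):
        return False


def fqdns_seen(messages) -> set:
    """Every name queried or answered (including CNAME targets) across messages."""
    names = set()
    for m in messages:
        names.update(name for name, _ in m["questions"])
        for name, rtype, _ttl, value in m["answers"]:
            names.add(name)
            if rtype == "CNAME":
                names.add(value)
    return names


# Constructed sample traffic (hand-built for this example, not a capture): one
# query for www.example.com and a response where that name is a CNAME to a CDN host.
SAMPLE_QUERY = (
    b"\x12\x34"                           # transaction ID
    b"\x01\x00"                           # flags: standard query, RD
    b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QD=1 AN=0 NS=0 AR=0
    b"\x03www\x07example\x03com\x00"      # QNAME
    b"\x00\x01\x00\x01"                   # QTYPE=A QCLASS=IN
)
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80"                   # same ID; QR, RD, RA set
    b"\x00\x01\x00\x02\x00\x00\x00\x00"   # QD=1 AN=2
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c"                           # name = pointer to offset 12
    b"\x00\x05\x00\x01\x00\x00\x01\x2c"   # CNAME IN TTL=300
    b"\x00\x11\x03cdn\x07example\x03net\x00"  # RDLENGTH=17, cdn.example.net
    b"\xc0\x2d"                           # name = pointer to offset 45
    b"\x00\x01\x00\x01\x00\x00\x00\x3c"   # A IN TTL=60
    b"\x00\x04\x5d\xb8\xd8\x22"           # RDLENGTH=4, 93.184.216.34
)

if __name__ == "__main__":
    msgs = [parse_dns(SAMPLE_QUERY), parse_dns(SAMPLE_RESPONSE)]
    for m in msgs:
        kind = "response" if m["response"] else "query"
        print(f"id=0x{m['id']:04x} {kind} q={m['questions']} an={m['answers']}")
    print("FQDNs for firewall rules:", sorted(fqdns_seen(msgs)))
```

To use it on real traffic, feed it the UDP payloads from a capture such as the tcpdump command above (a pcap reader like dpkt or scapy can hand you those payloads; that wiring is left out here and is an assumption about your tooling). The CNAME chain is the part worth keeping: for a CDN-fronted site, the name the user typed and the CDN target are both needed in an FQDN-based rule, and the answer section is where the second one shows up.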
Top Expert 2015

Commented:
Probably you participate (unwillingly, through ignorance) in DNS amplification attacks.
This article explains how to contain them:
https://www.us-cert.gov/ncas/alerts/TA13-088A

Author

Commented:
DNSQuerySniffer is exactly what I was looking for, thanks!  I needed something I can run locally on demand without having to dig through server logs.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
thanks for sharing