<div>
I would now assume - as the client machine is replaced, that there is a source which is connected to the user / user profile / roaming profile...<br />
I assume it is the same user, right?<br />
<br />
As Windows 10 also creates a new profile, the question is, what is left over from the old one. <br />
<br />
So the search starts at the point, where the two machines have something in common.<br />
If you use roaming profiles, you may investigate the content of the roaming profile and possibly user files as well as shares, which are taken over. If there are no roaming profiles, you may limit it to the user folders, shares etc. <br />
<br />
Maybe the user has stored a program in a server location (share) and runs it regularly....<br />
Or he likes to browse to some of the &quot;questionable domains&quot; and do it again now (--&gt; browser cache). <br />
<br />
But the real source, you can only find in the environment of the machine / user.
</div>


<div>
I am the admin and the user in this instance!<br />
No roaming profiles - the old machine was not domain joined.<br />
There are some common applications between the two machines - all are &quot;mainstream&quot; applications however that I also use on other client machines that aren't showing queries to these domains.<br />
Seems I will have to try and do some more digging.<br />
There was a small amount of data transferred from the old machine however I have run this against several anti-virus/anti-malware/an<wbr />ti-rootkit<wbr /> applications and nothing has shown up as an issue.<br />
I'm talking less than 10 hits per day to each domain (with machine online 24x7) but as there are a number of domains, the overall number of hits I'm concerned about is higher.
</div>


<div>
I should also add that there are no obvious signs on the client machine of any untoward activity or processes running, but something is clearly amiss somewhere.
</div>


<div>
OK, then you have full access to the client machine to dig around....<br />
<br />
Several step I would do now...<br />
with ipconfig /displaydns you may just check, if the domain is in the DNS cache on the local machine. If yes, then there is a service or application, which may request this IP.You can also check, how log it takes until it comes back (due to a new request). <br />
You may check, if you make a ipconfig /flushdns to clear the local dns cache, it comes more often. <br />
<br />
You may check the sequence, if it comes only in defined timeframes or the whole time the computer is active. <br />
<br />
netstat doesn't deliver the port 53 request. &nbsp;<br />
<br />
I have in my mind:<br />
- Third party add ins...<br />
- Third party tools... (maybe a shareware, what makes advertising without a key). <br />
- SmartScreen filter of IE (maybe due to advertising on web sites or similar) <br />
- IE (or other) Cache &nbsp;<br />
<br />
The domains you see, are they suspicious or just you can not identify what it should be...<br />
Can you tell me the requested domains?
</div>


<div>
Here's just a small example of some of the domains. This is from OpenDNS dashboard report of a whole public IP's stats which has several different clients masquerading behind it however my internal DNS server which forwards queries for zones it cannot resolve to OpenDNS reported (with logging enabled) most of these domains coming from this one particular client.<br />
<a href="https://filedb.experts-exchange.com/incoming/2015/12_w50/1052143/opendns-suspectdomains.png" target="_blank" class="file-inline" title="opendns-suspectdomains.png (16 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>opendns-suspectdomains.png</a>
</div>


opendns-suspectdomains.png

<div>
I generally use Google Chrome exclusively for browsing though the machine does have Edge, IE and Firefox. Chrome add-ins are Hootsuite, AdBlock (getadblock.com), MightyText, Google Cast, OneNote.
</div>


<div>
Mmh, a lot of chineese stuff...<br />
But you may try the following...<br />
<br />
Clear the browser cache.... (to make sure, nothing is taken from the cache)<br />
ipconfig /flushdns (to make sure, that DNS requests hit your DNS)<br />
start the browser<br />
start google...<br />
search for a big shopping mall, type slowly and observe the google page...<br />
ipconfig /displaydns<br />
<br />
So one part is due to google forecast search during typing...<br />
As more slow you type, as more requests are produced as google makes proposals as well is loading a result, and these result may contain pictures....<br />
So for one search, you may have 50 or 100 names in the cache...<br />
So not so unusual.....<br />
<br />
Maybe you may just leave your fingers from the browser for one day (clear the cache before and flushdns...), and see if you still get requests. Maybe it is just the startpage of your browser...<br />
If you still see the requests, you <br />
<br />
What I want to say is that due to the background search, you may hit a lot of content which has nothing to do with the site, you searched for..., and dependent from the keyword, you may also hit a lot of foreign sites... At least this is one possibility.
</div>


<div>
Just stumbled across an article online that seems to suggest further investigation of Chrome's background DNS traffic is warranted. I'll see if I can kill off all background Chrome processes and refrain from using it for 24 hours and see what happens. I'll update in a few days when I've had the chance to do so.
</div>


<div>
No problem, IE has a similar function / standard add on what is called &quot;Suggested Sites&quot; which can be disabled. So not sure for Chrome, but would expect something similar.
</div>


<div>
I've un-checked all options under Chrome's privacy settings. I've seen a reduction in these DNS queries appearing from the machine of interest but now seen an increase in similar/same queries coming from another completely unrelated machine on a different subnet on my LAN which also uses Chrome but I have also unchecked the same options on that machine.<br />
I'm aware other browsers have similar features but given that we mainly use Chrome and don't use the other browsers, would they still be expected to be running queries in the background? The original machine of interest is Windows 10, the other one that I've now started seeing queries from is Windows 7. They are on the same AD domain but on different sites with a site-to-site VPN link. Both subnets are allowed to communicate with each other via firewall.
</div>


<div>
Hi Stuart,<br />
<br />
my intention was not to push you to move to a different browser, it just wanted to say, that several browsers have a similar behavior. And not everything is directly connected with the browser as possibly two parts have to work together, the browser as well as the website. <br />
<br />
One example is just the discussion about geo location and to make it available via HTML specifications. That means that a &quot;good&quot; boy use it to offer a meaningful service, a &quot;bad&quot; boy use it for something else you don't want, like tracking. &nbsp;But as it is a regular implementation, it is not classified as malware or adware as it following the specification. <br />
<br />
Another example the thousands of &quot;free&quot; games, even web based, don't think they are free, the communicate partly heavily and no scanner would complain about them,. <br />
<br />
And that tracking is on of the powerful marketing instruments is nothing new and even the business model of google. So don't wonder if they put some functionality inside the browser what makes their life easier. <br />
<br />
The page preview and proposal function is nice as you can see, for what other people have searched. If you are aware that every single letter what you type is send to them. IE makes the same with bing. <br />
<br />
The sources on your side are the suggested sites function (this is the IE name) as well as the browser cache, as parts of the cache are refreshed from time to time. Also you may have cookies in your mind, as they are connected to web sites, and when such a site with the same cookie provider is opened again, they read the cookie and may show you up some connected advertising. So a lot of information exchange can happen in the background. &nbsp;I just took the time some time ago to look into some of the thousands of tracking cookies on my machine, some of them up to 7 KB !! So guess what they are doing. A regular cookie might be around some bytes. <br />
<br />
So, this you can not really avoid, but you can switch off some functionality and see, if it influence the DNS behavior. If you want to make sure, it comes from the browser, you can only delete all cached items and leave your fingers from the browser, what includes also web based dialog as used in WIn10 (like settings). The best way is just to let the machine running without touching it. <br />
<br />
If the machine is quiet then you found at least the source. If not, then a programmer can put the same functionality also into local installed program. Sometims just for a license check, othertimes also connected with tracking and advertising (if the customer will not pay money, they have to pay with data). Some shareware tools are constructed this way. <br />
<br />
To really find out what is the source, you can only sniff the traffic on the machine (i.e. winPcap&quot;), this way you can see where it comes from, but some analysis effort. The time of the DNS queries might help to narrow don the logs.
</div>


<div>
Thanks. The main reason I opened this question was concern around malware/rookie type activity given the large number of .cn .ru etc domains. If you don mind I'll leave this question open a little longer just until I'm 100% confident all of this DNS activity is &quot;legitimate&quot;, then I'll close out.
</div>


<div>
<div class="content wysiwyg-content">
I have seen entries in my DNS logs suggesting that I have a small but significant number of hits to some questionable domains on a daily basis from one particular client machine. This was seen on a previous Windows Vista machine which has now been retired and been replaced by a Windows 10 build which is now exhibiting the same symptoms. I'd like to get to the bottom of this by identifying/logging from the client machine which process(es) is making said DNS queries.<br />
Given the nature of DNS transactions, it's unlikely I'm going to pick much up with built-in Resource Monitor and the likes.<br />
Can anyone make any suggestions?
</div>
</div>


I have seen entries in my DNS logs suggesting that I have a small but significant number of hits to some questionable domains on a daily basis from one particular client machine. This was seen on a previous Windows Vista machine which has now been retired and been replaced by a Windows 10 build which is now exhibiting the same symptoms. I'd like to get to the bottom of this by identifying/logging from the client machine which process(es) is making said DNS queries.
Given the nature of DNS transactions, it's unlikely I'm going to pick much up with built-in Resource Monitor and the likes.
Can anyone make any suggestions?

Identify (log) DNS queries on client machine by process

Windows 10 is a personal computer operating system featuring the "universal application architecture" (UAP); apps can be designed to run across multiple devices with nearly identical code, including PCs, tablets, smartphones, embedded systems, Xbox One, Surface Hub and HoloLens. Windows 10 also includes a virtual desktop system, a window and desktop management feature called Task View, the Microsoft Edge web browser, support for fingerprint and face recognition login, voice-based search (Cortana), new security features for enterprise environments, and DirectX 12 and WDDM 2.0 to improve the operating system's graphics capabilities for games.

Windows 10

The Domain Name System (DNS) is a hierarchical, globally distributed system responsible for associating the name of a computer, service or other resource into an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names to the numerical IP addresses needed for the purpose of computer services and devices worldwide.