Windows DNS Server - how to find out who made a query?

5

2

We have a host in our environment which is trying to do a DNS lookup for a known sinkhole address. The DNS server is running Windows Server 2012.

We are unable to locate the host in our environment.

I looked on Google and on Stack Exchange but I can't find information on which exact logs or auditing need to be enabled to track the host (IP or MAC address) that is making this request.

SeanClt

Posted 2017-07-13T13:18:08.440

Reputation: 1 960

Answers

6

Enable Debug Logging on the DNS server for this.

  1. Open DNS Manager from the Tools menu of Server Manager
  2. Right-click the DNS server in the left pane and click Properties
  3. Click the Debug Logging tab and check the Log packets for debugging checkbox
  4. To minimize the amount of data being logged, uncheck the following checkboxes:
    • Packet direction - Outgoing
    • Transport protocol - TCP
    • Packet contents - Updates
    • Packet type - Response
  5. In the Log file section, type a path and file name for the log. Alter the Maximum size (bytes) value if necessary.
  6. Click OK.


When the client queries the DNS server, you will see a line like the following in the log file (in this case the client performed a query for superuser.com):

16-07-2017 19:51:55 0DB4 PACKET  000000FA30FDFB60 UDP Rcv 10.10.10.100    000a   Q [0001   D   NOERROR] A      (9)superuser(3)com(0)

The IP address after Rcv (10.10.10.100) is the IP address of the client that performed the query.

REMEMBER to disable Debug Logging on the DNS server when it is no longer needed, as it can affect the performance of the server.


DNS Logging and Diagnostics

FastEthernet

Posted 2017-07-13T13:18:08.440

Reputation: 3 385
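The same procedure scripted, as an added example that is not part of the answer above: the first function turns on the same packet logging the GUI steps describe using the DnsServer module's Set-DnsServerDiagnostics cmdlet (Server 2012 and later; the mapping of its switches to the Debug Logging checkboxes is my reading of the cmdlet, so compare against Get-DnsServerDiagnostics on your server), and the second parses a debug log in the format shown in the answer and lists every client that asked for a given name. The sinkhole name, the log path and the sample log lines are constructed for illustration; point the parser at your real log file instead.

```powershell
# Added example, not code from the original answer. Assumes the DnsServer
# PowerShell module (Windows Server 2012+) and the debug log line format
# shown in the answer. Sinkhole name, log path and sample lines are constructed.

function Enable-DnsQueryPacketLog {
    param(
        [Parameter(Mandatory)] [string] $LogFilePath,
        [int] $MaxMBFileSize = 500
    )
    # Same selection as the GUI steps: incoming UDP query packets only
    # (no outgoing packets, no TCP, no updates, no responses).
    Set-DnsServerDiagnostics `
        -EnableLoggingToFile $true `
        -LogFilePath $LogFilePath `
        -MaxMBFileSize $MaxMBFileSize `
        -ReceivePackets $true -SendPackets $false `
        -UdpPackets $true -TcpPackets $false `
        -Queries $true -Updates $false -Notifications $false `
        -QuestionTransactions $true -Answers $false
}

function Disable-DnsQueryPacketLog {
    # Packet logging costs performance: switch it off once the host is found.
    Set-DnsServerDiagnostics -EnableLoggingToFile $false
}

function Find-DnsQueryClients {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [Parameter(Mandatory)] [string]   $Name      # FQDN to hunt for, e.g. the sinkhole
    )
    # One packet line: date time threadid PACKET ptr proto Rcv|Snd client xid Q|R [flags] qtype qname
    $pattern = '^(?<date>\S+)\s+(?<time>\S+)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+' +
               '(?<dir>Rcv|Snd)\s+(?<client>\S+)\s+\S+\s+(?<qr>[QR])(?:\s+Q)?\s+\[[^\]]*\]\s+' +
               '(?<qtype>\S+)\s+(?<qname>\S+)'
    foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }     # header / blank / non-packet lines
        if ($Matches.dir -ne 'Rcv' -or $Matches.qr -ne 'Q') { continue }   # inbound queries only
        # "(9)superuser(3)com(0)" -> "superuser.com"
        $qname = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')
        if ($qname -ne $Name) { continue }
        [pscustomobject]@{
            Time   = "$($Matches.date) $($Matches.time)"
            Client = $Matches.client     # source address as seen by the DNS server
            Type   = $Matches.qtype
            Name   = $qname
        }
    }
}

# --- constructed sample: the answer's line plus two made-up lines for a sinkhole name ---
$sinkhole = 'sinkhole.example'          # assumption: the name the unknown host is resolving
$sample = @(
    'DNS Server log file creation at 16-07-2017 19:50:00',
    '16-07-2017 19:51:55 0DB4 PACKET  000000FA30FDFB60 UDP Rcv 10.10.10.100    000a   Q [0001   D   NOERROR] A      (9)superuser(3)com(0)',
    '16-07-2017 19:52:03 0DB4 PACKET  000000FA30FDFB60 UDP Rcv 10.10.10.57     0b1c   Q [0001   D   NOERROR] A      (8)sinkhole(7)example(0)',
    '16-07-2017 19:52:03 0DB4 PACKET  000000FA30FDFB60 UDP Snd 10.10.10.57     0b1c   R Q [8081   DR  NOERROR] A      (8)sinkhole(7)example(0)'
)

# Only the 10.10.10.57 query line should be listed.
Find-DnsQueryClients -LogLines $sample -Name $sinkhole | Format-Table -AutoSize

# Against a live server (paths are assumptions):
#   Enable-DnsQueryPacketLog -LogFilePath 'C:\dnslog\dns.log'
#   ... wait for the host to query again ...
#   Find-DnsQueryClients -LogLines (Get-Content 'C:\dnslog\dns.log') -Name $sinkhole
#   Disable-DnsQueryPacketLog
```

The Client column is whatever source address the DNS server saw the packet arrive from; if the query reached it through another resolver, a forwarder or NAT, that is the address logged, not the end host behind it.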