Windows DNS Server - how to find out who made a query?


Solution 1

Enable Debug Logging on the DNS server for this.

  1. Open DNS Manager from the Tools menu of Server Manager
  2. Right-click the DNS server in the left pane and click Properties
  3. Click the Debug Logging tab and check the Log packets for debugging checkbox
  4. To minimize the amount of data being logged, uncheck the following checkboxes:
    • Packet direction - Outgoing
    • Transport protocol - TCP
    • Packet contents - Updates
    • Packet type - Response
  5. In the Log file section, type a path and file name for the log. Alter the Maximum size (bytes) value if necessary.
  6. Click OK.


When the client queries the DNS server, you will see a line like the following in the log file (in this case the client performed a query for superuser.com):

16-07-2017 19:51:55 0DB4 PACKET  000000FA30FDFB60 UDP Rcv 10.10.10.100    000a   Q [0001   D   NOERROR] A      (9)superuser(3)com(0)

The IP address after Rcv (10.10.10.100) is the IP address of the client that performed the query.

REMEMBER to disable Debug Logging on the DNS server when it is no longer needed, as it can affect the performance of the server.


DNS Logging and Diagnostics
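To turn the log described above into an answer to "which host asked for this name?", here is a small parser, added as an example and not part of the original answer. It assumes the packet-line layout shown in the quoted log line (an `R` before the opcode marks a response; queries have none), decodes the `(9)superuser(3)com(0)` label format, and counts only packets received (`Rcv`) from clients, since the server's own `Snd` replies repeat the name but not the asking host. The sample log is constructed, and `sinkhole.example` stands in for the real sinkhole name.

```python
import re

# One PACKET line of a Windows DNS debug log. The field layout is taken from the
# line quoted in the answer; an 'R' before the opcode marks a response, absent = query.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<response>R)?\s*(?P<opcode>[A-Z])\s+"
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)"
)

def decode_name(wire: str) -> str:
    """'(9)superuser(3)com(0)' -> 'superuser.com' (length-prefixed labels)."""
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", wire) if lbl)

def parse_packet_line(line: str) -> "dict | None":
    """Return the fields of a PACKET line, or None for header, blank or other lines."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_query"] = rec["response"] is None
    rec["name"] = decode_name(rec["name"])
    return rec

def clients_querying(lines, domain: str) -> dict:
    """Map client IP -> number of queries received for `domain` or a subdomain of it."""
    domain = domain.lower().rstrip(".")
    hits: dict = {}
    for line in lines:
        rec = parse_packet_line(line)
        # Only queries received (Rcv) from clients identify the requester; the
        # responses sent back (Snd) carry the same name but not the asking host.
        if rec is None or rec["direction"] != "Rcv" or not rec["is_query"]:
            continue
        name = rec["name"].lower()
        if name == domain or name.endswith("." + domain):
            hits[rec["ip"]] = hits.get(rec["ip"], 0) + 1
    return hits

# Constructed sample log: the line from the answer plus invented entries, with
# 'sinkhole.example' standing in for the real sinkhole name.
SAMPLE_LOG = """\
16-07-2017 19:51:55 0DB4 PACKET  000000FA30FDFB60 UDP Rcv 10.10.10.100    000a   Q [0001   D   NOERROR] A      (9)superuser(3)com(0)
16-07-2017 19:51:55 0DB4 PACKET  000000FA30FDFB60 UDP Snd 10.10.10.100    000a R Q [8081   DR  NOERROR] A      (9)superuser(3)com(0)
16-07-2017 19:52:03 0DB4 PACKET  000000FA30FE1A20 UDP Rcv 10.10.10.37     1f3c   Q [0001   D   NOERROR] A      (8)sinkhole(7)example(0)
16-07-2017 19:52:10 0DB4 PACKET  000000FA30FE2B40 TCP Rcv 10.10.10.52     2a00   Q [0001   D   NOERROR] AAAA   (3)www(8)sinkhole(7)example(0)
"""
```

Running `clients_querying(open(path).readlines(), "sinkhole.example")` against the real log file gives the client IPs to chase; the MAC address is not in this log and has to come from DHCP leases or the switch.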

Solution 2

We have been able to use this to log DNS activity on our DCs. We paired it with hourly log rotation based upon information found at http://support.moonpoint.com/blog/blosxom/2014/12/07#rotatednslog

We experienced issues with many of the DNS logs ending up as 0 byte files, and it didn't appear to be based upon activity because it could be in the middle of the night. I bumped up the DC from 4 to 6 GB RAM (kept 2 vCPU) and it hasn't been a problem for the 8 days since, so I think we're okay.

We store the logs on a dedicated volume in an NTFS compressed directory to save space. The size of each hourly log is ~300 MB before compression and ~115 MB after NTFS compression.


Author: SeanClt

I am an HPE Software Consultant specialized and certified in 10 HP Enterprise Software products.

Updated on September 18, 2022

Comments

  • SeanClt (over 1 year ago)

    We have a host in our environment which is trying to perform a DNS lookup for a known sinkhole address. The DNS server is running Windows Server 2012.

    We are unable to locate the host in our environment.

    I looked on Google and on Stack Exchange, but I can't find information on which exact logs or auditing need to be enabled to track the host (IP or MAC address) that is making this request.