Domain Controllers are 2012.
We have been requested by our security team to log external DNS lookups (i.e. exclude lookups for our internal domain) so that lookups to known bad domains and/or IP addresses can be investigated.
Has anyone successfully done this? I can't find a way to do it properly in 2012.
What I have looked at:
- DNS debugging on DNS forwarders
This excludes internal domain lookups, but unfortunately all requests come from the DCs, so we can't pinpoint the machine that made the original request.
- DNS debugging on DCs.
If we turn on DNS debugging, there is no way to exclude internal lookups. The traffic generated by turning this on in our environment was approximately 500mb every 10 mins. Not really practical.
- Wireshark (tshark) on the DCs
This looked like a potential option until I found out that display filters can't be used when logging to file. Only capture filters can be used, and these can only filter at a low level and would still capture all DNS packets, making it no better than DNS debugging.
Ideally I would like:
- to capture ONLY lookups that are NOT to our internal domain(s).
- Logging to file and the ability to do circular logging over multiple files, etc.
- Start automatically each boot
Has anyone out there successfully done this? If so, what tool(s) did you use?
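One way to get the "external lookups only, with the requesting client" view from the DNS debug log that the post describes, as an added example (not code from the original poster): a post-filter that parses the Windows DNS server debug log and keeps only queries received from clients (direction Rcv, not a response) whose name does not fall under the internal suffixes. Responses and the DC's own outbound queries to forwarders are dropped, so each surviving record carries the original client IP. The PACKET line layout assumed here (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, transaction id, optional R, opcode, [flags], query type, length-prefixed name) is reconstructed from typical debug log output and the sample lines are constructed; this does not reduce what the DNS server writes to disk, it only reduces what gets shipped to the security team.

```python
import re

# Assumed layout of one PACKET line of the Windows DNS server debug log
# (constructed from typical output; verify against your own log before use).
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R\s+)?(?P<opcode>[A-Z])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)\s*$"
)
# The debug log writes names as (len)label(len)label...(0); pull out the labels.
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")

# Constructed sample: a client lookup, the DC forwarding it, the forwarder's
# answer, the answer to the client, an internal AD SRV lookup, an external
# AAAA lookup over TCP and a reverse lookup.
SAMPLE_LOG = """\
3/12/2014 1:02:03 PM 0E50 PACKET  00000000020B8D80 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/12/2014 1:02:03 PM 0E50 PACKET  00000000020B8D80 UDP Snd 203.0.113.53    4a1b   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/12/2014 1:02:03 PM 0E50 PACKET  00000000020B8D80 UDP Rcv 203.0.113.53    4a1b R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/12/2014 1:02:03 PM 0E50 PACKET  00000000020B8D80 UDP Snd 192.168.1.50    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/12/2014 1:02:04 PM 0E50 PACKET  00000000020B9A10 UDP Rcv 192.168.1.60    0003   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(4)corp(7)example(5)local(0)
3/12/2014 1:02:05 PM 0E50 PACKET  00000000020B9A10 TCP Rcv 192.168.1.70    0004   Q [0001   D   NOERROR] AAAA   (7)updates(9)vendor-cdn(3)net(0)
3/12/2014 1:02:05 PM 0E50 PACKET  00000000020B9A10 UDP Rcv 192.168.1.70    0005   Q [0001   D   NOERROR] PTR    (2)50(1)1(3)168(3)192(7)in-addr(4)arpa(0)
"""

# Hypothetical internal zones; reverse zones are excluded too so that PTR
# lookups for internal addresses do not show up as "external".
INTERNAL_SUFFIXES = ["corp.example.local", "in-addr.arpa"]


def decode_name(encoded):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com' (lower-cased)."""
    labels = [label for _length, label in LABEL_RE.findall(encoded) if label]
    return ".".join(labels).lower()


def is_internal(name, internal_suffixes):
    """True when the name is one of the suffixes or lies under one of them."""
    for suffix in internal_suffixes:
        suffix = suffix.lower().strip(".")
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def parse_line(line):
    """Parse one debug log line; returns a dict or None for non-PACKET lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return {
        "timestamp": match.group("date") + " " + match.group("time"),
        "proto": match.group("proto"),
        "direction": match.group("direction"),
        "client": match.group("ip"),
        "is_response": match.group("resp") is not None,
        "qtype": match.group("qtype"),
        "name": decode_name(match.group("name")),
    }


def external_client_queries(lines, internal_suffixes):
    """Keep only queries received from clients for names outside the internal zones.

    Returns a list of (client_ip, query_type, name) tuples. Rcv + query means
    a client asked this server; Snd lines are answers or forwarder traffic.
    """
    kept = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if record["direction"] != "Rcv" or record["is_response"]:
            continue
        if is_internal(record["name"], internal_suffixes):
            continue
        kept.append((record["client"], record["qtype"], record["name"]))
    return kept


if __name__ == "__main__":
    # Real use: open the debug log path configured on the DC instead of SAMPLE_LOG.
    for client, qtype, name in external_client_queries(SAMPLE_LOG.splitlines(), INTERNAL_SUFFIXES):
        print(f"{client}\t{qtype}\t{name}")
```

Run against the sample, this prints only the two external client lookups (from 192.168.1.50 and 192.168.1.70); the forwarder round trip, the answers and the internal SRV and PTR lookups are dropped. Feeding the real debug log in and writing the filtered records to a rotating file gives the security team a much smaller, per-client feed to match against their bad-domain lists.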