DNS logging of only external lookups

Domain Controllers are 2012.

We have been requested by our security team to log external DNS lookups (ie - exclude lookups for our internal domain) so that lookups to known bad domains and/or IP addresses can be investigated.

Has anyone successfully done this? I can't find a way to do it properly in 2012.

What I have looked at:

- DNS debugging on DNS forwarders
This excludes internal domain lookups, but unfortunately all requests come from the DCs, so we can't pinpoint the machine that does the original request

- DNS debugging on DCs.
If we turn on DNS debugging, there is no way to exclude internal lookups. The traffic generated by turning this on in our environment was approximately 500mb every 10 mins. Not really practical.

- Wireshark (tshark) on the DCs
This looked like a potential option until I found out that display filters can't be used when logging to file. Only capture filters can be used, and these can only filter at a low level and would still capture all DNS packets, making it no better than DNS debugging.

Ideally I would like:
- to capture ONLY lookups that are NOT to our internal domain(s).
- Logging to file and the ability to do circular logging over multiple files etc
- Start automatically each boot

Has anyone out there successfully done this? If so, what tool(s) did you use?

June 22nd, 2015 10:03pm
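One way to get the first of the three wishes above (only lookups that are not for the internal domains, with the originating client address kept) is to post-process the DC's DNS debug log rather than the forwarders' logs, since the DC log is the only place where the client IP still appears. The script below is an added example written for this thread, not code from the original post or from Microsoft: it parses the packet lines of a Windows Server 2012 DNS debug log (the column layout it expects is my assumption and is documented in the regex comment), keeps only queries received from clients, drops anything under a configurable list of internal suffixes, and appends the survivors to a file with simple size-based rotation. The suffix values, the output path and the sample log lines are all constructed for the example.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Internal suffixes to drop (hypothetical values for this example). Reverse zones for
# private ranges are listed too, so PTR lookups for internal hosts are excluded as well.
INTERNAL_SUFFIXES = ["corp.example.local", "10.in-addr.arpa"]

# Packet-line layout of the Windows Server 2012 DNS debug log as assumed here:
# date, time, thread id, PACKET, packet id, UDP/TCP, Snd/Rcv, remote IP, XID,
# optional "R" for responses, opcode, [flags], question type, question name in
# length-prefixed label form such as (3)www(7)example(3)com(0).
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<remote>[0-9A-Fa-f.:]+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?:(?P<resp>R)\s+)?(?P<opcode>[A-Z])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)\s*$"
)

@dataclass
class Lookup:
    timestamp: str
    client: str
    qtype: str
    qname: str

def decode_name(label_form: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", label_form)
    return ".".join(label for label in labels if label)

def is_internal(qname: str, suffixes: Iterable[str]) -> bool:
    """True when the name is one of the internal zones or lies beneath one."""
    name = qname.lower().rstrip(".")
    for suffix in suffixes:
        suffix = suffix.lower().rstrip(".")
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

def parse_line(line: str) -> Optional[Lookup]:
    """Return a Lookup for a query received from a client, else None.
    Responses (R flag) and the DC's own onward queries to forwarders (Snd) are
    skipped, so the remote address is the originating machine, not the DC."""
    m = LINE_RE.match(line)
    if not m or m.group("dir") != "Rcv" or m.group("resp"):
        return None
    return Lookup(
        timestamp=f"{m.group('date')} {m.group('time')}",
        client=m.group("remote"),
        qtype=m.group("qtype"),
        qname=decode_name(m.group("qname")),
    )

def filter_external_queries(lines: Iterable[str], suffixes: Iterable[str]) -> List[Lookup]:
    """Keep only client queries whose name is outside the internal suffixes."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec and not is_internal(rec.qname, suffixes):
            kept.append(rec)
    return kept

def append_with_rotation(path: str, line: str, max_bytes: int = 50_000_000, backups: int = 5) -> None:
    """Append a line; once the file reaches max_bytes, shift path -> path.1 -> ... -> path.N
    and drop the oldest, which gives circular logging over several files."""
    if os.path.exists(path) and os.path.getsize(path) >= max_bytes:
        for i in range(backups - 1, 0, -1):
            if os.path.exists(f"{path}.{i}"):
                os.replace(f"{path}.{i}", f"{path}.{i + 1}")
        os.replace(path, f"{path}.1")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")

# Constructed sample: an internal A lookup and its answer, an external lookup with the
# DC's onward query to a forwarder and the forwarder's reply, an internal PTR, and an AAAA.
SAMPLE_LOG = """\
6/22/2015 10:03:22 PM 0B2C PACKET  00000000025A5D80 UDP Rcv 10.1.2.3        0002   Q [0001   D   NOERROR] A      (4)dc01(4)corp(7)example(5)local(0)
6/22/2015 10:03:22 PM 0B2C PACKET  00000000025A5D80 UDP Snd 10.1.2.3        0002 R Q [8085 A DR  NOERROR] A      (4)dc01(4)corp(7)example(5)local(0)
6/22/2015 10:03:23 PM 0B2C PACKET  00000000025A6F10 UDP Rcv 10.1.2.3        0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/22/2015 10:03:23 PM 0B2C PACKET  00000000025A6F10 UDP Snd 192.0.2.53      a1f3   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/22/2015 10:03:23 PM 0B2C PACKET  00000000025A6F10 UDP Rcv 192.0.2.53      a1f3 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
6/22/2015 10:03:24 PM 0B2C PACKET  00000000025A7A20 UDP Rcv 10.1.2.77       0004   Q [0001   D   NOERROR] PTR    (1)3(1)2(1)1(2)10(7)in-addr(4)arpa(0)
6/22/2015 10:03:25 PM 0B2C PACKET  00000000025A7A20 TCP Rcv 10.1.5.9        0005   Q [0001   D   NOERROR] AAAA   (3)cdn(7)example(3)net(0)
"""

if __name__ == "__main__":
    # Hypothetical output path; in practice point this at the real debug log instead of SAMPLE_LOG.
    for rec in filter_external_queries(SAMPLE_LOG.splitlines(), INTERNAL_SUFFIXES):
        append_with_rotation("external-dns.log", f"{rec.timestamp}\t{rec.client}\t{rec.qtype}\t{rec.qname}")
```

Two caveats follow from the thread itself. The DC still has to write the full debug log, so the roughly 500 MB per 10 minutes of raw output mentioned above is not avoided; the script only shrinks what is retained, so the debug log itself needs its own size limit and the filter has to run continuously (for instance as a scheduled task at boot, which covers the third wish). And a query for an external name that a client resolves through the DC shows up exactly once as an `Rcv` line without the `R` flag, which is why both the DC's onward `Snd` query and the forwarder's `Rcv ... R` reply are discarded rather than counted as additional lookups.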

Hi,

According to your description, my understanding is that you want to implement function: DNS logging of only external lookups.

As for the Windows DNS server, it provides a DNS debug log which records all name query behaviors, and an Event log which records warning/error events. With Windows Server itself, I am afraid that function can't be realized. 3rd party tools might be needed, such as an analyzing tool which can analyze the DNS debug log and find the useful information you need.

Best Regards,
Eve Wang

June 24th, 2015 2:33am

Thanks Eve,

I already know that this can't be done alone with Windows. I'm hoping somebody out there has had to do the same thing and has found a way to do it somehow, with 3rd party tools or some kind of other magic.

I'm open to options.

June 24th, 2015 9:40pm
