Windows Server 2003

Audit DNS lookups on Windows 2003

Jonas Back_2
Super Advisor


I want to audit who is doing DNS lookups on some/all records in a zone.

Scenario: We are moving to a new DNS suffix called new.com. Our old zone old.com shouldn't be in use and no lookups should be made towards that zone but we want to make sure no servers nor clients are doing lookups to old.com. Can this be done?

It's possible to turn on auditing on each and every record, but when I do nslookup from our clients, nothing is found in the Security log. However, if I open the A record in the DNS admin snap-in, change it, or whatever, it is logged in the Security log.

Any other ideas about this except just deleting old.com and hoping for the best? ;)

Ron Kinner
Honored Contributor

Re: Audit DNS lookups on Windows 2003

If your old DNS is a Windows box then just put Zone Alarm on it for a few days (www.zonelabs.com). It will log any attempts to reach the old DNS server.

You could also use Snort which is a free intrusion detection program and tell it to look for DNS access attempts to the old server.
www.snort.org.

You could also run windump/tcpdump on the old DNS and let it monitor all incoming traffic.

Ron
Jonas Back_2
Super Advisor

Re: Audit DNS lookups on Windows 2003

Thanks for your suggestions but I think the solution you provide only applies if you want to remove the whole server since it will monitor ALL traffic to that server.

But in the end I have ONE server that serves both old.com and new.com. We want old.com to be removed but don't know which servers still query that zone. I want to monitor which servers ask the DNS server for old.com but NOT new.com.

I guess I could set up snort/tcpdump and then output everything to a file and do some filtering, but I was thinking there might be an easier way ;)
WebWalker
Advisor
Solution

Re: Audit DNS lookups on Windows 2003

Hi,

You can use the DNS debug logging from the properties of your Windows 2003 DNS server in the snap-in and choose what kind of packets you want to log (update, query, notification, TCP, UDP, request, response, etc.).
Watch out for the log file size; it tends to grow really fast.

Hope this helps you...

Luca
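Once debug logging is on, the filtering Jonas asked about (which clients query old.com but not new.com) can be done offline over the log file. The following is an added example, not code from either poster: a small Python parser that pulls the client IP and the label-encoded query name out of each received query line and groups them by zone. The sample lines are constructed to approximate the Windows DNS debug-log layout (date, time, thread, PACKET, id, protocol, direction, client IP, xid, Q/R, flags, type, name); the real file may differ in spacing and columns, so the regex anchors only on the protocol field onward.

```python
import re
from collections import defaultdict

# Constructed sample approximating Windows DNS debug-log lines; not captured
# from any real server. Only "Rcv ... Q" lines are queries received from clients.
SAMPLE_LOG = """\
20050301 09:12:01 3B8 PACKET  00000000 UDP Rcv 10.1.1.50    0001   Q [0001   D   NOERROR] A      (3)srv(3)old(3)com(0)
20050301 09:12:01 3B8 PACKET  00000000 UDP Snd 10.1.1.50    0001   R Q [8081   DR  NOERROR] A      (3)srv(3)old(3)com(0)
20050301 09:12:05 3B8 PACKET  00000000 UDP Rcv 10.1.1.51    0002   Q [0001   D   NOERROR] A      (3)srv(3)new(3)com(0)
20050301 09:12:09 3B8 PACKET  00000000 TCP Rcv 10.1.1.52    0003   Q [0001   D   NOERROR] AAAA   (4)mail(3)old(3)com(0)
20050301 09:12:12 3B8 PACKET  00000000 UDP Rcv 10.1.1.50    0004   Q [0001   D   NOERROR] MX     (3)old(3)com(0)
"""

# Match from the protocol field onward so leading columns (date, thread, id) do not matter.
LINE_RE = re.compile(
    r"\b(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>[\d.]+)\s+\S+\s+"
    r"(?P<kind>R Q|Q)\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>(?:\(\d+\)[^()\s]*)+\(0\))"
)


def decode_name(label_encoded):
    """Turn the length-prefixed form '(3)srv(3)old(3)com(0)' into 'srv.old.com'."""
    labels = re.findall(r"\((\d+)\)([^()\s]*)", label_encoded)
    return ".".join(lbl for n, lbl in labels if int(n) > 0)


def clients_querying_zone(log_text, zone):
    """Return {client_ip: sorted names} for queries received that fall in `zone`."""
    zone = zone.lower().rstrip(".")
    result = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Skip responses we sent (Snd) and response packets (R Q); keep received queries.
        if not m or m.group("dir") != "Rcv" or m.group("kind") != "Q":
            continue
        name = decode_name(m.group("name")).lower()
        if name == zone or name.endswith("." + zone):
            result[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in result.items()}


if __name__ == "__main__":
    # Clients still resolving names under old.com, one line per client.
    for ip, names in sorted(clients_querying_zone(SAMPLE_LOG, "old.com").items()):
        print(ip, ", ".join(names))
```

Run it against the real dns.log with `open(path).read()` in place of SAMPLE_LOG; clients that appear for old.com but never for new.com are the ones to chase before the zone is deleted.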