DNS logs are extremely useful for many purposes. Let's review the basic DNS resource records and their purposes.
Problem:
An organization is migrating their Windows 2008 production file server(s) (active/standby) to a DFS system. The file server had a Host A record created named 'fileserver' mapped to 10.10.39.1.
The problem is that many employees are using the A record 'fileserver' in Excel, business applications, file drive mappings, and so on. Since the business was told to reference this name as needed, there's no telling exactly where the A record could be in use - a very bad practice. DFS will be referenced by a global domain name.
Luckily, DNS logs can help an administrator find where 'fileserver' is being referenced on host machines.
The following example shows the logging options within Windows DNS Manager that we're concerned with. Depending on how big your organization is, this will capture a lot of information. The log file is overwritten when it reaches the maximum file size, so set this file size with caution.
From TechNet: <https://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx>
Depending on your org size, you should at least capture 1 full business day of DNS logs before reviewing. Once ready, we can easily filter the log file in command prompt.
In this example, the DNS log file resides on a shared network drive. We will find any reference to 'fileserver' and output it to a text file in the same directory.
Open command prompt with Admin privileges if needed.
1. First we will likely have to map the shared directory in the command prompt before we can search the log. (This step may not be necessary for all.)
C:\Users\> pushd \\shared\DnsLog
2. Find references to "fileserver" (the /i switch makes the match case-insensitive)
Z:\> find "fileserver" /i z:\dnslog.txt > dns
Open the created text file in Excel -> Tab Delimited. Sort by IP address and clean up duplicates. IP addresses are great...but hostnames/FQDNs would be best to help identify systems.
Download and open the dns-script script. Paste the IP addresses from Excel into the iplist.txt file.
Open fqdn.bat, add your DNS server IP in the set server field, and save.
Run fqdn.bat and it will create a .csv output in the same directory. Now you should see hostnames associated with your IPs!
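The same three steps (filter the debug log for the name, de-duplicate the querying client IPs, resolve them back to hostnames) can be done in one pass without the Excel and fqdn.bat round trip. The script below is an added example, not code from the original post or the dns-script download. It assumes the packet-line layout of the Windows DNS server debug log (date, time, thread id, PACKET, packet id, UDP/TCP, Snd/Rcv, remote IP, xid, R-flag, opcode, bracketed flags, query type, then the query name in length-prefixed label form such as (10)fileserver(4)corp(5)local(0)); the sample log lines, IPs and hostnames are constructed for the example. It also goes slightly beyond the find command: it keeps only inbound queries (Rcv without the R response flag) so the server's own answers are not counted, and it matches the first label of the query name rather than any substring, so a host such as 'fileserver2' is not picked up by accident.

```python
"""Summarise which clients are still resolving a given host name, from a
Windows DNS server debug log.  Added example; field layout is assumed."""
import csv
import re
import socket
import sys
from collections import Counter
from typing import Callable, Dict, Iterable, List

# Constructed sample lines in the assumed debug-log layout (not real data).
SAMPLE_LOG = """\
3/1/2017 9:32:01 AM 0B0C PACKET  000000B3A6C1B6B0 UDP Rcv 10.10.39.55     0002   Q [0001   D   NOERROR] A      (10)fileserver(4)corp(5)local(0)
3/1/2017 9:32:01 AM 0B0C PACKET  000000B3A6C1B6B0 UDP Snd 10.10.39.55     0002 R Q [8085 A DR  NOERROR] A      (10)fileserver(4)corp(5)local(0)
3/1/2017 9:32:05 AM 0B0C PACKET  000000B3A6C1B7C0 UDP Rcv 10.10.39.55     0003   Q [0001   D   NOERROR] A      (10)fileserver(4)corp(5)local(0)
3/1/2017 9:33:10 AM 0B0C PACKET  000000B3A6C1C8D0 UDP Rcv 10.10.40.12     1a2b   Q [0001   D   NOERROR] A      (10)FILESERVER(4)corp(5)local(0)
3/1/2017 9:33:11 AM 0B0C PACKET  000000B3A6C1C9E0 UDP Rcv 10.10.40.12     1a2c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/1/2017 9:34:00 AM 0B0C PACKET  000000B3A6C1D1F0 TCP Rcv 10.10.41.7      7f01   Q [0001   D   NOERROR] A      (10)fileserver(4)corp(5)local(0)
"""

# One packet line: timestamp, thread id, PACKET, packet id, proto, direction,
# remote IP, xid, optional R (response), opcode, [flags], qtype, qname.
PACKET_RE = re.compile(
    r"^(?P<stamp>.+?) (?P<thread>[0-9A-Fa-f]+) PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<resp>R?)\s*(?P<op>[QNU?]) \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(raw: str) -> str:
    """Turn '(10)fileserver(4)corp(5)local(0)' into 'fileserver.corp.local'."""
    labels = [label for length, label in LABEL_RE.findall(raw) if int(length) > 0]
    return ".".join(labels)


def clients_querying(log_lines: Iterable[str], hostname: str) -> Counter:
    """Count inbound queries per client IP whose question name is `hostname`
    (bare or fully qualified), case-insensitively.  Responses the server
    sends (direction Snd, or the R flag) are skipped."""
    wanted = hostname.lower().rstrip(".")
    hits: Counter = Counter()
    for line in log_lines:
        m = PACKET_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["resp"] == "R":
            continue
        qname = decode_qname(m["qname"]).lower()
        if qname == wanted or qname.split(".")[0] == wanted:
            hits[m["ip"]] += 1
    return hits


def default_reverse_lookup(ip: str) -> str:
    """PTR lookup via the resolver of the machine running the script."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def build_report(hits: Counter,
                 resolve: Callable[[str], str] = default_reverse_lookup) -> List[Dict[str, object]]:
    """One row per client, busiest first; unresolvable IPs are marked."""
    return [{"ip": ip, "queries": count, "fqdn": resolve(ip) or "<unresolved>"}
            for ip, count in hits.most_common()]


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <dns.log> <hostname>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8", errors="replace") as fh:
        hits = clients_querying(fh, argv[2])
    writer = csv.DictWriter(sys.stdout, fieldnames=["ip", "queries", "fqdn"])
    writer.writeheader()
    writer.writerows(build_report(hits))
    return 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv))
```

Run it as `python dnsclients.py \\shared\DnsLog\dnslog.txt fileserver > clients.csv` from a machine whose resolver can reach the internal DNS server, since the reverse lookups use that resolver. The query count per client is worth keeping: a host that asked hundreds of times in a day is more likely to have a mapped drive or scheduled job pointing at the old name than one that asked once.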
DNS Hex Log reference:
Hex       | Decimal  | Meaning
0x0       | 0        | No logging (this is the default)
0x1       | 1        | Queries transactions
0x10      | 16       | Notifications transactions
0x20      | 32       | Updates transactions
0xFE      | 254      | Non-queries transactions
0x100     | 256      | Question packets
0x200     | 512      | Answer packets
0x1000    | 4096     | Send packets
0x2000    | 8192     | Receive packets
0x4000    | 16384    | UDP packets
0x8000    | 32768    | TCP packets
0xFFFF    | 65535    | All packets
0x10000   | 65536    | AD write transactions
0x20000   | 131072   | AD update transactions
0x1000000 | 16777216 | Full packets