Use this article to identify the source device generating excessive DNS queries and stop unintended traffic. This process supports security monitoring, reporting accuracy, and billing validation.
Infected, frozen, or misconfigured devices can generate unusually high DNS volume or repeatedly query malicious domains.
Resolution overview
No matter which method identifies the source device, the resolution process stays the same:
- Identify the source IP address generating excessive DNS queries
- Match the IP address to a device using DHCP logs:
  - Hostname
  - MAC address
- Take action on the device
If the device is known:
- Identify the application generating excessive queries
- Remove the application if it is not required
- Update application settings to reduce DNS volume if it is required
If the device is not known:
- Block the device’s MAC address or LAN IP address from sending DNS queries
- Re-enable access after the device owner confirms the source and applies remediation
After identifying and remediating the source device, DNS query volume should return to expected levels and threat-related queries should stop.
Method 1: Roaming Client reporting
Roaming Client deployments provide the fastest way to identify the source device.
- From the DNSFilter dashboard, navigate to Reporting and select Insights
- Scroll to All threats by domain
- Select the top domain generating excessive requests
- Select the drop-down caret to view the associated Roaming Client
- Remediate the device by blocking, removing, or updating the responsible application
Method 2: Windows DNS logging
Active Directory environments can use DNS Query Sniffer to view source IP addresses and query activity.
DNS Query Sniffer displays DNS query and response information in a spreadsheet-style format and supports exporting results.
Method 3: Linux DNS logging
Linux systems can capture DNS traffic using standard monitoring tools.
dnstop
Use dnstop to identify high-volume endpoints when using BIND as a DNS forwarder.
tcpdump
Use tcpdump to view DNS traffic on a Linux server or workstation.
Example command to monitor outbound DNS queries on eth0:
tcpdump -i eth0 'dst port 53'
Reference PacketLife documentation for additional flags and filtering options.
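As an added example (not part of the original article or a DNSFilter tool), the following POSIX shell script takes the text output of the tcpdump command above and aggregates it by source IP, then lists the query names sent by the busiest source. The capture lines, IP addresses and domain names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of tcpdump text output for 'dst port 53' plus two
# response lines; none of these addresses or domains are real observations.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.50.51234 > 1.1.1.1.53: 1001+ A? beacon.example-constructed.test. (49)
12:00:01.000002 IP 1.1.1.1.53 > 192.168.1.50.51234: 1001 1/0/0 A 203.0.113.10 (65)
12:00:01.000003 IP 192.168.1.23.40001 > 1.1.1.1.53: 2001+ A? updates.example-constructed.test. (50)
12:00:01.000004 IP 192.168.1.50.51235 > 1.1.1.1.53: 1002+ A? beacon.example-constructed.test. (49)
12:00:01.000005 IP 192.168.1.77.60000 > 1.1.1.1.53: 3001+ AAAA? mail.example-constructed.test. (47)
12:00:01.000006 IP 192.168.1.50.51236 > 1.1.1.1.53: 1003+ A? beacon.example-constructed.test. (49)
12:00:01.000007 IP 1.1.1.1.53 > 192.168.1.23.40001: 2001 1/0/0 A 203.0.113.20 (66)
12:00:01.000008 IP 192.168.1.50.51237 > 1.1.1.1.53: 1004+ A? beacon.example-constructed.test. (49)
12:00:01.000009 IP 192.168.1.23.40002 > 1.1.1.1.53: 2002+ A? time.example-constructed.test. (47)
12:00:01.000010 IP 192.168.1.50.51238 > 1.1.1.1.53: 1005+ A? cdn.example-constructed.test. (46)'

# Count DNS queries per source IP, highest first ("<count> <ip>" per line).
# Only lines whose destination port is 53 and whose 7th field is a query
# type ending in "?" are counted, so responses from the resolver are skipped.
count_by_source() {
  awk '$2 == "IP" && $5 ~ /\.53:$/ && $7 ~ /\?$/ {
         src = $3; sub(/\.[0-9]+$/, "", src)   # strip the source port
         n[src]++
       }
       END { for (s in n) print n[s], s }' | sort -rn
}

# List the query names sent by one source IP, highest count first.
queries_for_source() {
  awk -v ip="$1" '$2 == "IP" && $5 ~ /\.53:$/ && $7 ~ /\?$/ {
         src = $3; sub(/\.[0-9]+$/, "", src)
         if (src == ip) { q = $8; sub(/\.$/, "", q); n[q]++ }
       }
       END { for (q in n) print n[q], q }' | sort -rn
}

# Return only the busiest source IP, for use in follow-up commands.
top_source() {
  printf '%s\n' "$SAMPLE_CAPTURE" | count_by_source | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run: per-source table, then the busiest source's query names.
printf '%s\n' "$SAMPLE_CAPTURE" | count_by_source
printf '%s\n' "$SAMPLE_CAPTURE" | queries_for_source "$(top_source)"
```

On a live system, replace the sample with `tcpdump -i eth0 -l -n 'dst port 53' | count_by_source` and feed the winning IP into the DHCP log lookup described above.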
Method 4: Firewall, router, or DHCP-based logging
Environments using a firewall, router, or DHCP assignment of DNSFilter resolvers must rely on vendor-provided logging tools.
Confirm the device supports DNS query visibility and reference manufacturer documentation for configuration and export steps.