Locating Query Source

Article author
Josh Lamb

Sometimes an infected, frozen, or otherwise problematic endpoint is sending massive amounts of DNS queries, or continually sending DNS queries to malicious destinations. Identifying this endpoint and taking action is important for security, quality control, and billing accuracy purposes.

By locating the source IP address of the endpoint, you can match this IP to the Hostname and MAC address in your DHCP server.

If the device is known to you, you can inspect the machine to find out which application is causing the issue.

If the device is not known to you, you can block the MAC address or LAN IP address from sending DNS queries until the user makes themselves known to you.

Windows DNS Logging

If you are using Active Directory, there are two ways that you can view the source IP address and query contents:

DNS Server Debug Logs

DNS Query Sniffer

DNS Query Sniffer is a tool that prints DNS query/response information in a spreadsheet-style view, including the source address of each query, and allows easy exporting of the data. You can download it from the tool's website.


Linux DNS Logging

A Linux machine can also be used to log query traffic on the network, and several software applications are available that can dump that traffic:

dnstop

dnstop is a great, quick tool for getting exactly the output you need to identify a problematic endpoint when using BIND as a DNS forwarder. We recommend this introductory article to dnstop.

tcpdump

The classic network sniffer. Using tcpdump will allow you to easily view all DNS queries and responses if you’re using a Linux server for DNS forwarding, or just want to monitor the DNS queries on the computer/server itself.

An example command for monitoring all outbound DNS queries is (assuming eth0 is your primary network adapter):

tcpdump -i eth0 'dst port 53'

There’s a table of flags and options on packetlife.net.
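The tcpdump command above shows every query as it happens, but on a busy network the problematic endpoint is easier to spot when the capture is summarised per source address. The following shell functions are an added example (not part of the original article) that read tcpdump's default text output from standard input and report the busiest source IPs and which sources are asking for names on a watchlist. They assume tcpdump was run with -n (so addresses are not resolved to names), that the interface is eth0, and that the watchlist domains and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Parses tcpdump's default one-line output for UDP DNS queries, e.g.
#   12:00:01.000000 IP 192.168.1.23.51234 > 10.0.0.53.53: 4123+ A? example.com. (29)
# Field layout: $2 = "IP", $3 = source ip.port, $4 = ">", $7 = "A?", $8 = queried name.
# The interface name (eth0) and the watchlist domains are assumptions.

# Count queries per source IP address, busiest source first.
dns_top_sources() {
  awk '$2 == "IP" && $4 == ">" {
         split($3, p, ".")                          # last component is the source port
         src = p[1] "." p[2] "." p[3] "." p[4]
         count[src]++
       }
       END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Print "source-ip queried-name" for every query whose name is on the
# space-separated watchlist given as $1; this is how you find which
# endpoint keeps asking for a known-bad destination.
dns_watchlist_hits() {
  awk -v list="$1" '
       BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
       $2 == "IP" && $4 == ">" && $7 ~ /\?$/ {
         split($3, p, ".")
         src = p[1] "." p[2] "." p[3] "." p[4]
         name = $8; sub(/\.$/, "", name)            # drop the trailing root dot
         if (name in bad) print src, name
       }'
}

# Constructed sample capture standing in for live tcpdump output.
SAMPLE_CAPTURE='12:00:01.000000 IP 192.168.1.23.51234 > 10.0.0.53.53: 4123+ A? evil.example. (30)
12:00:01.100000 IP 192.168.1.23.51235 > 10.0.0.53.53: 4124+ A? evil.example. (30)
12:00:01.200000 IP 192.168.1.7.40001 > 10.0.0.53.53: 9001+ AAAA? www.example.com. (33)
12:00:01.300000 IP 192.168.1.23.51236 > 10.0.0.53.53: 4125+ A? update.example.net. (36)'

# Offline demonstration on the constructed sample.
echo "Queries per source:"
printf '%s\n' "$SAMPLE_CAPTURE" | dns_top_sources
echo "Watchlist hits:"
printf '%s\n' "$SAMPLE_CAPTURE" | dns_watchlist_hits "evil.example c2.example"

# Live use on a forwarder (root required; -l line-buffers so output streams):
#   sudo tcpdump -n -l -i eth0 'dst port 53' | dns_top_sources
```

The resulting source IP is what you then look up in your DHCP server leases to get the hostname and MAC address, as described at the top of this article.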

Other Methods


If you’re using a router or firewall as a DNS forwarder, or not using DNS forwarding and assigning DNSFilter IPs directly via DHCP, you’ll need to use whatever tools or utilities your router or firewall provides to view the DNS traffic. First determine whether such tools are available at all (they normally are not on low-cost consumer routers), then consult the manufacturer’s documentation or support resources to learn how to use them.
