Forum Discussion
Odd Windows 2012 R2 DNS requests
- Sep 05, 2019
Hey gregarican
I suspect that the 2012 R2 DNS is receiving a query from a domain-joined client, is unable to resolve it, so it passes it on to Umbrella to resolve.
You can turn on logging on the 2012 box to capture DNS requests and where they have come from:
Open DNS, right click the server, and go to properties
In the Debug tab, select what you want to capture and fill out a name and location for the capture log.
You might need to restart DNS services to get the log to kick into action.
After some time has gone by, open the log (I tend to save it as a .txt) and search for the domain in question. This will give you the IP of the client making the request.
In my example below, I tried to go to hmitps.co.uk
We can see in the log that the received request was from 192.168.10.30, which resolves to the Windows client I was using to test with. In your situation, I'd take a close look at that client and see if it is infected with malware etc.
Make sure you stop the debug once you've got the log you want - it can grow pretty big pretty quickly.
Hope this helps,
Mark
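The search step above can be automated. The following is an added example, not code from Mark's post: a Python parser for Windows DNS server debug-log packet lines that reports which client IPs sent inbound queries for a given domain, skipping the server's own forwarded queries (Snd) and responses (R). The sample log lines are constructed to follow the documented layout (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, Q/R, flags, QTYPE, QNAME in length-prefixed label form); spacing on a real server may differ, so the regex is whitespace-tolerant.

```python
import re
from collections import defaultdict

# One debug-log packet line; field order follows the documented format.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<qr>[QR])\s+\[[^\]]*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

# Constructed sample: one client query, its forwarded copy, both responses,
# a second client asking for a subdomain, and an unrelated query.
SAMPLE_LOG = """\
9/5/2019 10:15:23 AM 0B2C PACKET  000000A1B2C3D4E0 UDP Rcv 192.168.10.30   9ad2   Q [0001   D   NOERROR] A      (6)hmitps(2)co(2)uk(0)
9/5/2019 10:15:23 AM 0B2C PACKET  000000A1B2C3D4E8 UDP Snd 208.67.222.222  1f3c   Q [0001   D   NOERROR] A      (6)hmitps(2)co(2)uk(0)
9/5/2019 10:15:23 AM 0B2C PACKET  000000A1B2C3D4E8 UDP Rcv 208.67.222.222  1f3c   R [8081   DR  NOERROR] A      (6)hmitps(2)co(2)uk(0)
9/5/2019 10:15:23 AM 0B2C PACKET  000000A1B2C3D4E0 UDP Snd 192.168.10.30   9ad2   R [8081   DR  NOERROR] A      (6)hmitps(2)co(2)uk(0)
9/5/2019 10:15:41 AM 0B2C PACKET  000000A1B2C3D4F0 UDP Rcv 192.168.10.77   4a10   Q [0001   D   NOERROR] A      (3)www(6)hmitps(2)co(2)uk(0)
9/5/2019 10:15:50 AM 0B2C PACKET  000000A1B2C3D4F8 UDP Rcv 192.168.10.30   4a11   Q [0001   D   NOERROR] A      (7)example(3)com(0)
"""


def decode_qname(label_form):
    """Turn '(6)hmitps(2)co(2)uk(0)' into 'hmitps.co.uk'."""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^(]*)", label_form) if lab]
    return ".".join(labels).lower()


def parse_line(line):
    """Return the parsed fields of one packet line, or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = decode_qname(rec["qname"])
    return rec


def clients_querying(log_text, domain):
    """Map each QNAME at or under `domain` to the client IPs that queried it."""
    domain = domain.lower().rstrip(".")
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Keep only queries the server received; Snd lines are the server
        # forwarding to the resolver, R lines are answers coming back.
        if rec is None or rec["dir"] != "Rcv" or rec["qr"] != "Q":
            continue
        if rec["qname"] == domain or rec["qname"].endswith("." + domain):
            hits[rec["qname"]].add(rec["ip"])
    return {name: sorted(ips) for name, ips in hits.items()}
```

Run it against the saved .txt from the debug tab; each reported IP is a client worth examining, and the XID field stays available on every record for matching a received query to its forwarded copy.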
- gregarican, Sep 06, 2019, Copper Contributor
HidMov Thanks for the suggestion. I had forgotten about this, and will give it a shot. Previously I was looking at the Windows 2012 R2 analytic logs, gathered via the recommended method outlined here --> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v%3Dws.11). When I looked at the details I didn't see the initial DNS client request for these particular QNAMEs. Just saw the recursive requests out to Cisco OpenDNS Umbrella. Since I can assumedly trace things based on the XID for each DNS transaction, there wasn't a complete picture of which internal client initiated the calls. Hopefully the debug logs will divulge that!