SOLVED

Odd Windows 2012 R2 DNS requests

%3CLINGO-SUB%20id%3D%22lingo-sub-839226%22%20slang%3D%22en-US%22%3EOdd%20Windows%202012%20R2%20DNS%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-839226%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20I%20have%20regular%20Cisco%20OpenDNS%20Umbrella%20rejections%20for%20malware-related%20DNS%20requests%20logged.%20From%20what%20I%20can%20tell%20these%20rejections%20are%20coming%20from%20our%20internal%20AD%20DNS%20Server.%20It%20has%20Umbrella%20DNS%20defined%20for%20DNS%20resolution%20of%20Internet-based%20domain%20names.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20look%20at%20the%20DNS%20audit%20logs%2C%20I%20don't%20see%20the%20initial%20Event%20ID%20256%20-%26nbsp%3BLOOK_UP%20QUERY_RECEIVED%20for%20these%20rejections.%20If%20I%20did%20I%20would%20then%20see%20the%20internal%20source%20(i.e.%20-%20Source%3Dx.x.x.x)%20and%20could%20investigate%20further.%20The%20first%20activity%20I%20see%20is%20always%20Event%20ID%20260%20-%26nbsp%3BRECURSE_QUERY%20RECURSE_QUERY_OUT%2C%20which%20is%20the%20local%20AD%20DNS%20Server%20querying%20out%20to%20Umbrella%20to%20resolve%20the%20malicious%20QNAME's.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20this%20mean%20that%20the%20local%20AD%20DNS%20Server%20is%20the%20initial%20requestor%3F%20I've%20looked%20at%20the%20box%20in%20detail%20and%20don't%20see%20any%20strange%20processes%20running%20or%20anything%20else%20out%20of%20the%20ordinary%20when%20looking%20at%20the%20results%20of%20a%20netstat%20-abn%20command%20line%20result.%20So%20that's%20why%20I'm%20asking%20this%20here%20%3A)%3C%2Fimg%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-839226%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDNS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDNS%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-839756%22%20slang%3D%22en-US%22%3ERe%3A%20Odd%20Windows%202012%20R2%20DNS%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-839756%22%20slang%3D%22en-US%22%3E%3CP%3EHey%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F353857%22%20target%3D%22_blank%22%3E%40gregarican%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20suspect%20that%20the%202012%20R2%20DNS%20is%20receiving%20a%20query%20from%20a%20domain%20joined%20client%2C%20is%20unable%20to%20resolve%20so%20it%20passing%20on%20to%20the%20umbrella%20to%20resolve.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20can%20turn%20on%20logging%20on%20the%202012%20box%20to%20capture%20DNS%20requests%20and%20where%20they%20have%20come%20from%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOpen%20DNS%2C%20right%20click%20the%20server%2C%20and%20go%20to%20properties%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20Debug%20tab%2C%20select%20what%20you%20want%20to%20capture%20and%20fill%20out%20a%20name%20and%20location%20for%20the%20capture%20log.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F130373iD632C94110CB99FB%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20might%20need%20to%20restart%20DNS%20services%20to%20get%20the%20log%20to%20kick%20into%20action.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAfter%20some%20time%20has%20gone%2C%20Open%20the%20log%20(I%20tend%20to%20save%20it%20as%20a%20.txt)%20and%20search%20for%20the%20domain%20in%20question.%20This%20will%20give%20you%20the%20IP%20of%20the%20client%20making%20the%20request%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20my%20example%20below%2C%20I%20tried%20to%20go%20to%20hmitps.co.uk%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F130374i69ED380C09DF1D11%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20can%20see%20in%20the%20log%20that%20the%20receive%20request%20was%20from%20192.168.10.30%20which%20resolves%20to%20the%20windows%20client%20I%20was%20using%20to%20test%20with.%20In%20your%20situation%2C%20I'd%20take%20a%20close%20look%20at%20that%20client%20and%20see%20if%20it%20is%20infected%20with%20malware%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMake%20sure%20you%20stop%20the%20debug%20once%20you've%20got%20the%20log%20you%20want%20-%20it%20can%20grew%20pretty%20big%20pretty%20quickly.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20this%20helps%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMark%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-840660%22%20slang%3D%22en-US%22%3ERe%3A%20Odd%20Windows%202012%20R2%20DNS%20requests%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-840660%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F383653%22%20target%3D%22_blank%22%3E%40HidMov%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20suggestion.%20I%20had%20forgotten%20about%20this%2C%20and%20will%20give%20it%20a%20shot.%20Previously%20I%20was%20looking%20at%20the%20Windows%202012%20R2%20analytic%20logs%2C%20gathered%20via%20the%20recommended%20method%20outlined%20here%20--%26gt%3B%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn800669(v%253Dws.11)%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-r2-and-2012%2Fdn800669(v%253Dws.11)%3C%2FA%3E.%20When%20I%20looked%20at%20the%20details%20I%20didn't%20see%20the%20initial%20DNS%20client%20request%20for%20these%20particular%20QNAME's.%20Just%20saw%20the%20recursive%20requests%20out%20to%20Cisco%20OpenDNS%20Umbrella.%20Since%20I%20can%20assumedly%20trace%20things%20based%20on%20the%20XID%20for%20each%20DNS%20transaction%2C%20there%20wasn't%20a%20complete%20picture%20of%20which%20internal%20client%20initiated%20the%20calls.%20Hopefully%20the%20debug%20logs%20will%20divulge%20that!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

So I have regular Cisco OpenDNS Umbrella rejections for malware-related DNS requests logged. From what I can tell these rejections are coming from our internal AD DNS Server. It has Umbrella DNS defined for DNS resolution of Internet-based domain names.

 

When I look at the DNS audit logs, I don't see the initial Event ID 256 - LOOK_UP QUERY_RECEIVED for these rejections. If I did I would then see the internal source (i.e. - Source=x.x.x.x) and could investigate further. The first activity I see is always Event ID 260 - RECURSE_QUERY RECURSE_QUERY_OUT, which is the local AD DNS Server querying out to Umbrella to resolve the malicious QNAME's.

 

Does this mean that the local AD DNS Server is the initial requestor? I've looked at the box in detail and don't see any strange processes running or anything else out of the ordinary when looking at the results of a netstat -abn command line result. So that's why I'm asking this here :) 

 

2 Replies
Highlighted
Best Response confirmed by gregarican (New Contributor)
Solution

Hey @gregarican 

 

I suspect that the 2012 R2 DNS is receiving a query from a domain joined client, is unable to resolve so it passing on to the umbrella to resolve.

 

You can turn on logging on the 2012 box to capture DNS requests and where they have come from:

 

Open DNS, right click the server, and go to properties

 

In the Debug tab, select what you want to capture and fill out a name and location for the capture log.

 

clipboard_image_0.png

 

You might need to restart DNS services to get the log to kick into action.

 

After some time has gone, Open the log (I tend to save it as a .txt) and search for the domain in question. This will give you the IP of the client making the request

 

In my example below, I tried to go to hmitps.co.uk

 

clipboard_image_1.png

 

We can see in the log that the receive request was from 192.168.10.30 which resolves to the windows client I was using to test with. In your situation, I'd take a close look at that client and see if it is infected with malware etc.

 

Make sure you stop the debug once you've got the log you want - it can grew pretty big pretty quickly.

 

Hope this helps,

 

Mark

Highlighted

@HidMov Thanks for the suggestion. I had forgotten about this, and will give it a shot. Previously I was looking at the Windows 2012 R2 analytic logs, gathered via the recommended method outlined here --> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn.... When I looked at the details I didn't see the initial DNS client request for these particular QNAME's. Just saw the recursive requests out to Cisco OpenDNS Umbrella. Since I can assumedly trace things based on the XID for each DNS transaction, there wasn't a complete picture of which internal client initiated the calls. Hopefully the debug logs will divulge that!