DNS Analytics
Odd Windows 2012 R2 DNS requests
So I have regular Cisco OpenDNS Umbrella rejections for malware-related DNS requests logged. From what I can tell these rejections are coming from our internal AD DNS Server. It has Umbrella DNS defined for DNS resolution of Internet-based domain names. When I look at the DNS audit logs, I don't see the initial Event ID 256 - LOOK_UP QUERY_RECEIVED for these rejections. If I did I would then see the internal source (i.e. Source=x.x.x.x) and could investigate further. The first activity I see is always Event ID 260 - RECURSE_QUERY RECURSE_QUERY_OUT, which is the local AD DNS Server querying out to Umbrella to resolve the malicious QNAMEs. Does this mean that the local AD DNS Server is the initial requestor? I've looked at the box in detail and don't see any strange processes running or anything else out of the ordinary when looking at the results of a netstat -abn command line result. So that's why I'm asking this here 🙂
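The correlation the poster is doing by eye, as an added example (not code from the post or from Cisco/Microsoft): pair each Event ID 260 RECURSE_QUERY_OUT with the most recent Event ID 256 QUERY_RECEIVED for the same QNAME inside a short time window, so that every outbound recursive query is labelled with the internal Source that triggered it, and the ones with no logged client query are listed separately. The log lines are constructed samples; their layout (timestamp, event id, then the `key=value; key=value` message text of the Microsoft-Windows-DNSServer/Analytical log) and the placeholder addresses 203.0.113.53 (upstream resolver) and bad.example.net. (blocked name) are assumptions, not values from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the post). Each line is "<timestamp> <event id> <message>",
# where the message mimics the text Windows DNS writes to Microsoft-Windows-DNSServer/Analytical
# for Event ID 256 (QUERY_RECEIVED) and 260 (RECURSE_QUERY_OUT). 203.0.113.53 stands in for the
# upstream (Umbrella) resolver and bad.example.net. for a blocked name; both are placeholders.
SAMPLE_LOG = """\
2019-03-04T10:15:01.100 256 QUERY_RECEIVED: TCP=0; InterfaceIP=10.0.0.10; Source=10.0.0.55; RD=1; QNAME=www.example.com.; QTYPE=1; XID=4a1b; Port=51234; Flags=0100
2019-03-04T10:15:01.102 260 RECURSE_QUERY_OUT: TCP=0; Destination=203.0.113.53; InterfaceIP=10.0.0.10; RD=1; QNAME=www.example.com.; QTYPE=1; XID=9f3c; Port=61000; Flags=0100
2019-03-04T10:15:07.500 260 RECURSE_QUERY_OUT: TCP=0; Destination=203.0.113.53; InterfaceIP=10.0.0.10; RD=1; QNAME=bad.example.net.; QTYPE=1; XID=9f3d; Port=61001; Flags=0100
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<kind>[A-Z_]+):\s*(?P<fields>.*)$")


def parse_line(line):
    """Turn one log line into a dict: timestamp, event id, kind and the key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "id": int(m.group("id")),
        "kind": m.group("kind"),
        "fields": fields,
    }


def correlate(log_text, window_seconds=5):
    """For every RECURSE_QUERY_OUT (260), find the most recent QUERY_RECEIVED (256)
    for the same QNAME within `window_seconds` before it and report its Source.
    Events without a match get source=None: the server sent a recursive query
    for which no client query was logged in the window."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    received = []  # (ts, qname, source) for every 256 event seen so far
    results = []
    for ev in events:
        qname = ev["fields"].get("QNAME", "").lower()
        if ev["id"] == 256:
            received.append((ev["ts"], qname, ev["fields"].get("Source")))
        elif ev["id"] == 260:
            source = None
            # Walk backwards so the closest preceding client query wins.
            for ts, q, src in reversed(received):
                if q == qname and ev["ts"] - window <= ts <= ev["ts"]:
                    source = src
                    break
            results.append({
                "ts": ev["ts"],
                "qname": ev["fields"].get("QNAME"),
                "destination": ev["fields"].get("Destination"),
                "source": source,
            })
    return results


def orphan_recursions(log_text, window_seconds=5):
    """Recursive queries that no logged client query explains; these are the ones
    to chase on the DNS server itself rather than on a client."""
    return [r for r in correlate(log_text, window_seconds) if r["source"] is None]


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        origin = r["source"] or "NO QUERY_RECEIVED"
        print(f"{r['ts']} {r['qname']:<20} -> {r['destination']}  origin: {origin}")
```

On a real server the same function would be fed the TimeCreated, Id and Message of each event read with Get-WinEvent from the Microsoft-Windows-DNSServer/Analytical log (which has to be enabled first). Two caveats: the XID of the outbound recursive query is not the XID of the client query, which is why the match is on QNAME plus time rather than on XID, and several clients asking for the same name inside the window will be attributed to whichever asked last. An orphan only says that no 256 for that name was logged in the window, which is exactly the situation the poster is asking about.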