Windows DNS Server - how to find out who made a query?
Enable Debug Logging on the DNS server for this.
- Open DNS Manager from the Tools menu of Server Manager
- Right-click the DNS server in the left pane and click Properties
- Click the Debug Logging tab and check the Log packets for debugging checkbox
- To minimize the amount of data being logged, uncheck the following checkboxes:
  - Packet direction: Outgoing
  - Transport protocol: TCP
  - Packet contents: Updates
  - Packet type: Response
- In the Log file section, type a path and file name for the log. Alter the Maximum size (bytes) value if necessary.
- Click OK.
When the client queries the DNS server, you will see a line like the following in the log file (in this case the client performed a query for superuser.com):
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Rcv 10.10.10.100 000a Q [0001 D NOERROR] A (9)superuser(3)com(0)
The IP address after Rcv (10.10.10.100) is the IP address of the client that performed the query.
REMEMBER to disable Debug Logging on the DNS server when it is no longer needed, as it can affect the performance of the server.
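Once the log exists, the practical question is "which client asked for this name, and how often?". The script below is an added example (not part of the answer above, and not a Microsoft tool): it parses the one-line PACKET records of the debug log, decodes the (9)superuser(3)com(0) label notation into a normal name, and counts received queries per client. It assumes the field order shown in the sample line above (timestamp, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, optional R for responses, opcode, [flags], qtype, name); both the dd-mm-yyyy and the 12-hour "7/16/2017 7:52:10 PM" timestamp styles are accepted because only the position of the PACKET keyword is used. The lines in SAMPLE_LOG are constructed for illustration, not captured from a real server.

```python
"""Find out who queried what from a Windows DNS Server debug log (added example)."""
import re
from collections import Counter, defaultdict

# One PACKET summary line. Anchored on the PACKET keyword so the timestamp
# format in front of the thread id does not matter.
LINE_RE = re.compile(
    r"""^(?P<timestamp>.+?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+
        (?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+
        (?:(?P<resp>R)\s+)?(?P<opcode>\S+)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$""",
    re.VERBOSE,
)
# "(9)superuser(3)com(0)": each label is prefixed with its length in parentheses.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Constructed sample, following the layout of the line quoted in the answer.
# Includes the server's own forwarder traffic and responses, which must NOT be
# attributed to a client, plus a packet-detail line that is not a summary record.
SAMPLE_LOG = """\
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Rcv 10.10.10.100 000a Q [0001 D NOERROR] A (9)superuser(3)com(0)
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Snd 10.10.10.1 4c2f Q [0001 D NOERROR] A (9)superuser(3)com(0)
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Rcv 10.10.10.1 4c2f R Q [8081 DR NOERROR] A (9)superuser(3)com(0)
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Snd 10.10.10.100 000a R Q [8081 DR NOERROR] A (9)superuser(3)com(0)
7/16/2017 7:52:10 PM 0DB4 PACKET 000000FA30FDFC20 TCP Rcv 10.10.10.55 0b1c Q [0001 D NOERROR] A (3)www(8)example(3)com(0)
7/16/2017 7:52:11 PM 0DB4 PACKET 000000FA30FDFC20 UDP Rcv 10.10.10.55 0b1d Q [0001 D NOERROR] AAAA (9)superuser(3)com(0)
7/16/2017 7:52:12 PM 0DB4 PACKET 000000FA30FDFC20 UDP Rcv 10.10.10.100 000b Q [0001 D NOERROR] A (9)SuperUser(3)com(0)
UDP question info at 000000FA30FDFB60
"""


def decode_name(encoded: str) -> str:
    """Turn '(9)superuser(3)com(0)' into 'superuser.com' (lower-cased).
    The trailing (0) is the root label; a bare '(0)' is the root zone itself."""
    labels = [label for _length, label in LABEL_RE.findall(encoded) if label]
    return ".".join(labels).lower() if labels else "."


def parse_line(line: str):
    """Parse one PACKET summary line into a dict, or return None for anything
    else (packet-detail dumps, headers, blank lines)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("resp") == "R"
    rec["qname"] = decode_name(rec["qname"])
    return rec


def _received_queries(lines):
    """Yield only queries the server RECEIVED. 'Snd' queries are the server's own
    recursive lookups to forwarders/roots and responses are answers, so neither
    identifies a client."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["direction"] == "Rcv" and not rec["is_response"] and rec["opcode"] == "Q":
            yield rec


def who_queried(lines, name: str):
    """Return [(client_ip, count), ...] for clients that asked for `name`,
    most frequent first."""
    name = name.rstrip(".").lower()
    hits = Counter(rec["remote"] for rec in _received_queries(lines) if rec["qname"] == name)
    return hits.most_common()


def queries_by_client(lines):
    """Map each client IP to the sorted list of distinct names it asked for."""
    seen = defaultdict(set)
    for rec in _received_queries(lines):
        seen[rec["remote"]].add(rec["qname"])
    return {ip: sorted(names) for ip, names in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, count in who_queried(lines, "superuser.com"):
        print(f"{ip} queried superuser.com {count} time(s)")
    for ip, names in queries_by_client(lines).items():
        print(f"{ip}: {', '.join(names)}")
```

Run it against a real log with `who_queried(open(r"C:\dns\dns.log").read().splitlines(), "superuser.com")`. Two caveats when reading the result: the address after Rcv is the immediate sender, so if clients reach this server through a caching forwarder or a NAT device, that intermediary's address is what you will see; and if the Details checkbox is on, the multi-line packet dumps are simply skipped by the parser. The same switches the GUI steps set can be applied from PowerShell with the DnsServer module's Set-DnsServerDiagnostics cmdlet (for example -ReceivePackets, -UdpPackets, -Queries, -EnableLoggingToFile, -LogFilePath, -MaxMBFileSize), which is convenient for turning logging off again on a schedule.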
DNS Logging and Diagnostics
We have been able to use this to log DNS activity on our DCs. We paired it with hourly log rotation based upon information found at http://support.moonpoint.com/blog/blosxom/2014/12/07#rotatednslog
We experienced issues with many of the DNS logs ending up as 0-byte files, and it didn't appear to be activity-related, because it could happen in the middle of the night. I bumped the DC up from 4 to 6 GB RAM (kept 2 vCPU) and it hasn't been a problem in the 8 days since, so I think we're okay.
We store the logs on a dedicated volume in an NTFS-compressed directory to save space. Each hourly log is ~300 MB before compression and ~115 MB after NTFS compression.