

Is it possible to find client name or client IP for DNS requests against internal W2k12R2 server

Question

Friday, June 5, 2015 8:56 PM

Is it possible to find via logging either the hostnames or client ip addresses of the machines that are using our internal W2k12R2 DNS Servers?

Steve J.

All replies (9)

Thursday, June 25, 2015 8:44 PM ✅ Answered

Hi Steve

Check the logging and diagnostics feature on Windows Server 2012 R2. (available via an update)

https://technet.microsoft.com/library/dn800669.aspx

This provides analytical logging which gives you all the details you need. The analytical logging can be turned on/off in the Event Viewer without any need to restart the server and works without decreasing performance.
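The analytic-log route this reply points to, as an added example that is not part of the original thread (PowerShell on the DNS server itself, run elevated). It assumes the channel name `Microsoft-Windows-DNSServer/Analytical`, that event ID 256 is `QUERY_RECEIVED` and that its `Source` and `QNAME` data fields hold the client address and the queried name; the domain name is a placeholder.

```powershell
# Added example, not code from the original thread.
# Enable the DNS Server analytic event channel (needs the logging update the
# reply links to) and list the clients that queried a given name.
# Assumptions: channel name below; event ID 256 = QUERY_RECEIVED; its
# EventData carries 'Source' (client IP) and 'QNAME' (queried name).

param(
    [Parameter(Mandatory)][string]$SuspectDomain   # e.g. 'badsite.biz' (placeholder)
)

$LogName = 'Microsoft-Windows-DNSServer/Analytical'

# Turn the channel on; no DNS service restart is required. This is the same
# switch as Event Viewer -> View -> Show Analytic and Debug Logs ->
# DNS-Server -> Analytical -> Enable Log.
wevtutil set-log $LogName /e:true /q:true

# Let traffic accumulate, then read. Analytic channels can only be read
# oldest-first, so -Oldest is mandatory. If nothing appears while the channel
# is enabled, disable it first (wevtutil set-log $LogName /e:false /q:true)
# so buffered events are flushed, then read (assumption based on ETW buffering).
$queries = Get-WinEvent -LogName $LogName -Oldest -ErrorAction Stop |
    Where-Object { $_.Id -eq 256 }

$hits = foreach ($evt in $queries) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # QNAME is fully qualified with a trailing dot, so match on a substring.
    if ($data.QNAME -like "*$SuspectDomain*") {
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Client = $data.Source      # address (and port) the query came from
            QName  = $data.QNAME
        }
    }
}

# Which internal hosts asked for the suspect name, and how often.
$hits | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Resolving the client address to a hostname is a separate step (`Resolve-DnsName` on the `Name` values, or a reverse zone lookup); the analytic event only records the source IP.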


Monday, June 8, 2015 6:36 AM

Hi Steve,

We could enable debug logging to achieve the goal.

Here are the steps:

  • Open DNS console in Administrative Tools.
  • Right click on the server and click Properties.
  • The settings are on the Debug Logging tab.

Here is the guide for enabling debug logging:

Select and enable debug logging options on the DNS server:

https://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx

Here is the guide for reading the log file:

The Fun in DNS Debug Logging - Read the DNS Debug Log:

http://social.technet.microsoft.com/wiki/contents/articles/13640.the-fun-in-dns-debug-logging-read-the-dns-debug-log.aspx

Best Regards,

Leo

Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].


Wednesday, June 17, 2015 12:38 PM

Thank you very much Leo.

Steve J.


Monday, June 22, 2015 8:18 PM

Any ideas why logging would not log? I have tried having the log file at the root of C: as well as in a subfolder on C:, but no data is being written to the .txt file.

Steve J.


Monday, June 22, 2015 8:24 PM

Also, a heads-up to those looking to do this. You must stop the service to view the data. Upon stopping, the data dumps to the log file and can be viewed.

https://technet.microsoft.com/en-us/library/cc776445%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Steve J.


Wednesday, June 24, 2015 7:39 PM

So I have combed through the diagnostic logs and I am unable to find the name or ip address of the clients that are trying to get to a specific site.

I have everything checked (except filter by IP address). Any other ideas?

Steve J.


Thursday, June 25, 2015 1:28 AM

Hi Steve,

By default, the IP address column is between send/receive indicator and Xid(hex).

Here is an example on my DNS server:

Best Regards,

Leo

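The debug-logging procedure from Leo's earlier reply and the column layout he describes here, worked through as an added example that is not part of the original thread (PowerShell). It assumes the `Set-DnsServerDiagnostics` cmdlet from the DnsServer module, a log path of `C:\dnslogs\dns.log`, and the standard debug-log line layout (date, time, thread ID, `PACKET`, packet ID, `UDP`/`TCP`, `Rcv`/`Snd`, client IP, Xid, `Q`/`R`, flags, QTYPE, then the name in `(3)www(7)example(3)com(0)` label form); the sample log lines inside the block are constructed, not real server output.

```powershell
# Added example, not code from the original thread.

function Enable-DnsQueryDebugLog {
    # Same settings as the Debug Logging tab: log received query packets
    # over UDP and TCP to a file. Path and size are assumptions.
    param([string]$Path = 'C:\dnslogs\dns.log')
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Set-DnsServerDiagnostics -Queries $true -ReceivePackets $true `
        -UdpPackets $true -TcpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $Path -MaxMBFileSize 500
}

function Convert-DnsLabelName {
    # The log stores names in length-prefixed label form, not hex:
    # '(3)www(7)example(3)com(0)' -> 'www.example.com'
    param([string]$Label)
    (($Label -replace '\(\d+\)', '.').Trim('.')).ToLower()
}

function Find-DnsQueryClients {
    # Return one record per received query whose name is, or is under,
    # $SuspectDomain. Only 'Rcv ... Q' lines are client queries; 'Snd ... R'
    # lines are the server's responses and are skipped.
    param([string[]]$LogLines, [string]$SuspectDomain)

    $pattern = '^(?<date>\S+\s+\S+(?:\s+[AP]M)?)\s+\S+\s+PACKET\s+\S+\s+' +
               '(?<proto>UDP|TCP)\s+Rcv\s+(?<client>\S+)\s+(?<xid>[0-9a-fA-F]{4})\s+' +
               'Q\s+\[.*?\]\s+(?<qtype>\S+)\s+(?<name>\S+)'

    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $name = Convert-DnsLabelName $Matches.name
            if ($name -eq $SuspectDomain.ToLower() -or $name.EndsWith(".$($SuspectDomain.ToLower())")) {
                [pscustomobject]@{
                    Time   = $Matches.date
                    Client = $Matches.client    # the internal host that asked
                    Proto  = $Matches.proto
                    QType  = $Matches.qtype
                    Name   = $name
                }
            }
        }
    }
}

# Constructed sample lines in the debug-log layout (not real server output).
$sample = @(
    '6/22/2015 3:10:15 PM 0D30 PACKET  000000D4E5F7E8B0 UDP Rcv 10.0.0.25      0a1b   Q [0001   D   NOERROR] A      (7)badsite(3)biz(0)',
    '6/22/2015 3:10:15 PM 0D30 PACKET  000000D4E5F7E8B0 UDP Snd 10.0.0.25      0a1b R Q [8081   DR  NOERROR] A      (7)badsite(3)biz(0)',
    '6/22/2015 3:10:16 PM 0D30 PACKET  000000D4E5F7E8C0 UDP Rcv 10.0.0.40      0a1c   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)',
    '6/22/2015 3:10:17 PM 0D30 PACKET  000000D4E5F7E8D0 TCP Rcv 10.0.0.25      0a1d   Q [0001   D   NOERROR] AAAA   (3)cdn(7)badsite(3)biz(0)'
)

# Against the sample: only 10.0.0.25 queried badsite.biz (twice), the
# www.example.com lookup from 10.0.0.40 is ignored.
Find-DnsQueryClients -LogLines $sample -SuspectDomain 'badsite.biz' |
    Group-Object Client | Select-Object Name, Count

# Against the live log, after enabling it with Enable-DnsQueryDebugLog:
# Find-DnsQueryClients -LogLines (Get-Content 'C:\dnslogs\dns.log') -SuspectDomain 'badsite.biz'
```

Because the service buffers writes to the debug log, the file may lag behind live traffic; as noted above, stopping the DNS Server service flushes what has been collected so far.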


Thursday, June 25, 2015 1:23 PM

So the destination domain name is viewable in standard text or do I need to translate from hex? I'm trying to find which of my machines (by host name or client ip) is trying to get to a known malware site (something that ends in .biz for example).  I know the destination site (the malware site), but the mystery is what internal device is trying to get there.

Steve J.


Friday, June 26, 2015 6:01 PM

Kumar,
Thank you very much for this! It worked like a charm and I was able to find the bad actor. I really appreciate it.
SJ

Steve J.